[CERT-222] Export Bruno SIS artifacts (#112)

* [CERT-222] Workflow update - export Bruno artifacts

* docs: Added artifact readme documentation

* Update deprecated dependencies versions

* Update other workflows deprecated dependencies

* Adds per-commit artifact pre-release

* Adds on Mondays artifacts cleanup workflow - for commit tags only

* fix: commit tag name prefixed

* Release artifacts title and description updated

* fix: fix commit prerelease pattern and add detailed logging

Author: josephcampos-gap

.github/workflows/on-issue-opened.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: Check if user has repository access
         id: check-repo-access
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             try {
@@ -39,7 +39,7 @@ jobs:
 
       - name: Close community issue with helpful message
         if: steps.check-repo-access.outputs.result == 'false'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const message = `Thank you for your interest in Ed-Fi! 

.github/workflows/on-merge-or-tags-publish-bruno-artifact.yml

@@ -0,0 +1,218 @@
+name: Publish SIS Artifact
+
+on:
+  push:
+    branches: [ main ]
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+concurrency:
+  group: sis-artifact-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-sis-artifact:
+    name: Build, Validate, and Publish SIS Artifact
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Use Node.js 24
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: 24
+          cache: 'npm'
+          cache-dependency-path: bruno/package-lock.json
+
+      - name: Derive SIS metadata
+        id: meta
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          SHORT_SHA="${GITHUB_SHA::7}"
+          BUILD_TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+
+          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+            IS_TAG="true"
+            ARTIFACT_VERSION="${GITHUB_REF#refs/tags/}"
+            SOURCE_REF="${GITHUB_REF#refs/tags/}"
+            TARGET_DOWNLOAD_REF="${ARTIFACT_VERSION}"
+          else
+            IS_TAG="false"
+            ARTIFACT_VERSION="0.0.0-main.${GITHUB_RUN_NUMBER}+${SHORT_SHA}"
+            SOURCE_REF="${GITHUB_REF_NAME}"
+            # GitHub prohibits release tags that are bare 40-hex-char strings,
+            # so prefix with "commit-" to produce a valid tag name.
+            TARGET_DOWNLOAD_REF="commit-${GITHUB_SHA}"
+          fi
+
+          BASE_NAME="sis-${ARTIFACT_VERSION}"
+          ZIP_NAME="${BASE_NAME}.zip"
+          SHA_NAME="${BASE_NAME}.zip.sha256"
+          META_NAME="sis-${TARGET_DOWNLOAD_REF}.metadata.json"
+
+          echo "artifactVersion=${ARTIFACT_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "buildTimestamp=${BUILD_TIMESTAMP}" >> "$GITHUB_OUTPUT"
+          echo "sourceRef=${SOURCE_REF}" >> "$GITHUB_OUTPUT"
+          echo "isTag=${IS_TAG}" >> "$GITHUB_OUTPUT"
+          echo "targetDownloadRef=${TARGET_DOWNLOAD_REF}" >> "$GITHUB_OUTPUT"
+          echo "zipName=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
+          echo "shaName=${SHA_NAME}" >> "$GITHUB_OUTPUT"
+          echo "metaName=${META_NAME}" >> "$GITHUB_OUTPUT"
+
+          echo "--- SIS Artifact Metadata ---"
+          echo "artifactVersion   : ${ARTIFACT_VERSION}"
+          echo "targetDownloadRef : ${TARGET_DOWNLOAD_REF}"
+          echo "zipName           : ${ZIP_NAME}"
+          echo "metaName          : ${META_NAME}"
+          echo "buildTimestamp    : ${BUILD_TIMESTAMP}"
+          echo "sourceRef         : ${SOURCE_REF}"
+          echo "isTag             : ${IS_TAG}"
+
+      - name: Stage minimal content
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          rm -rf stage dist validation
+          mkdir -p stage/bruno dist
+
+          cp -R bruno/SIS stage/bruno/
+          cp bruno/package.json stage/bruno/
+          cp bruno/package-lock.json stage/bruno/
+          cp -R bruno/scripts stage/bruno/
+          cp -R bruno/schemas stage/bruno/
+          cp -R bruno/templates stage/bruno/
+          cp bruno/README-User-Manual.md stage/bruno/
+          cp bruno/README-SIS-Artifact.md stage/bruno/
+          cp bruno/README-SIS-Artifact-How-to-use-in-AdminApp.md stage/bruno/
+          cp bruno/README-SIS-Artifact-How-to-use-in-Bruno-CLI.md stage/bruno/
+
+          # Defensive exclusions in case local cache artifacts are present.
+          find stage -type d -name node_modules -prune -exec rm -rf {} +
+          find stage -type d -name .git -prune -exec rm -rf {} +
+          find stage -type f \( -name .DS_Store -o -name Thumbs.db \) -delete
+
+      - name: Build ZIP and checksum
+        id: package
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          ZIP_NAME='${{ steps.meta.outputs.zipName }}'
+          SHA_NAME='${{ steps.meta.outputs.shaName }}'
+
+          (
+            cd stage
+            zip -r "../dist/${ZIP_NAME}" bruno -x "**/node_modules/**" "**/.git/**"
+          )
+
+          (
+            cd dist
+            sha256sum "${ZIP_NAME}" > "${SHA_NAME}"
+            SHA_VALUE="$(cut -d ' ' -f1 "${SHA_NAME}")"
+            echo "sha256=${SHA_VALUE}" >> "$GITHUB_OUTPUT"
+          )
+
+      - name: Write metadata file
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          cat > "dist/${{ steps.meta.outputs.metaName }}" <<EOF
+          {
+            "artifactVersion": "${{ steps.meta.outputs.artifactVersion }}",
+            "gitCommitSha": "${GITHUB_SHA}",
+            "buildTimestamp": "${{ steps.meta.outputs.buildTimestamp }}",
+            "sourceRef": "${{ steps.meta.outputs.sourceRef }}",
+            "zipFileName": "${{ steps.meta.outputs.zipName }}",
+            "sha256": "${{ steps.package.outputs.sha256 }}"
+          }
+          EOF
+
+      - name: Contract validation (checksum, extract, required paths)
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          ZIP_NAME='${{ steps.meta.outputs.zipName }}'
+          SHA_NAME='${{ steps.meta.outputs.shaName }}'
+
+          (
+            cd dist
+            sha256sum --check "${SHA_NAME}"
+          )
+
+          mkdir -p validation/extracted
+          unzip -q "dist/${ZIP_NAME}" -d validation/extracted
+
+          test -d validation/extracted/bruno/SIS
+          test -f validation/extracted/bruno/package.json
+          test -f validation/extracted/bruno/package-lock.json
+          test -d validation/extracted/bruno/scripts
+          test -d validation/extracted/bruno/schemas
+          test -d validation/extracted/bruno/templates
+          test -f validation/extracted/bruno/README-User-Manual.md
+          test -f validation/extracted/bruno/README-SIS-Artifact.md
+          test -f validation/extracted/bruno/README-SIS-Artifact-How-to-use-in-AdminApp.md
+          test -f validation/extracted/bruno/README-SIS-Artifact-How-to-use-in-Bruno-CLI.md
+
+      - name: Consumer validation smoke test (npm ci)
+        shell: bash
+        run: |
+          set -euo pipefail
+          cd validation/extracted/bruno
+          npm ci --no-audit --no-fund
+
+      - name: Upload workflow artifact (main and tags)
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: sis-${{ steps.meta.outputs.artifactVersion }}
+          path: |
+            dist/${{ steps.meta.outputs.zipName }}
+            dist/${{ steps.meta.outputs.shaName }}
+            dist/${{ steps.meta.outputs.metaName }}
+          if-no-files-found: error
+
+      - name: Publish GitHub Release assets (tags and main)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          IS_TAG='${{ steps.meta.outputs.isTag }}'
+          RELEASE_TAG='${{ steps.meta.outputs.targetDownloadRef }}'
+          ZIP_PATH="dist/${{ steps.meta.outputs.zipName }}"
+          SHA_PATH="dist/${{ steps.meta.outputs.shaName }}"
+          META_PATH="dist/${{ steps.meta.outputs.metaName }}"
+
+          echo "--- Publishing GitHub Release Assets ---"
+          echo "releaseTag        : ${RELEASE_TAG}"
+          echo "isTag             : ${IS_TAG}"
+          echo "zipAsset          : ${{ steps.meta.outputs.zipName }}"
+          echo "shaAsset          : ${{ steps.meta.outputs.shaName }}"
+          echo "metaAsset         : ${{ steps.meta.outputs.metaName }}"
+
+          if gh release view "${RELEASE_TAG}" >/dev/null 2>&1; then
+            echo "Release '${RELEASE_TAG}' already exists — uploading assets (clobber)."
+            gh release upload "${RELEASE_TAG}" "${ZIP_PATH}" "${SHA_PATH}" "${META_PATH}" --clobber
+          else
+            echo "Release '${RELEASE_TAG}' does not exist — creating and uploading assets."
+            if [[ "${IS_TAG}" == "true" ]]; then
+              gh release create "${RELEASE_TAG}" "${ZIP_PATH}" "${SHA_PATH}" "${META_PATH}" \
+                --title "${RELEASE_TAG}" \
+                --notes "SIS artifact release for ${RELEASE_TAG}."
+            else
+              gh release create "${RELEASE_TAG}" "${ZIP_PATH}" "${SHA_PATH}" "${META_PATH}" \
+                --title "${RELEASE_TAG:0:20}" \
+                --notes "Automated SIS artifact for ${RELEASE_TAG}." \
+                --prerelease
+            fi
+          fi

.github/workflows/on-monday-delete-old-commit-artifacts.yml

@@ -0,0 +1,86 @@
+name: Cleanup Old Commit Prereleases
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'  # every Monday at 06:00 UTC
+  workflow_dispatch:
+    inputs:
+      keep_count:
+        description: 'Number of newest prereleases to keep'
+        default: '5'
+        required: false
+
+permissions:
+  contents: write
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete old commit prereleases (keep last 5, preserve tagged releases)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          KEEP: ${{ inputs.keep_count || '5' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          echo "--- Cleanup Configuration ---"
+          echo "repository  : ${GITHUB_REPOSITORY}"
+          echo "keep_count  : ${KEEP}"
+          echo "trigger     : ${GITHUB_EVENT_NAME}"
+
+          echo "--- Fetching release list ---"
+          ALL_RELEASES="$(gh release list --repo "$GITHUB_REPOSITORY" --limit 200 --json tagName,isPrerelease,createdAt)"
+          TOTAL="$(echo "${ALL_RELEASES}" | jq 'length')"
+          echo "Total releases found : ${TOTAL}"
+
+          CANDIDATES="$(echo "${ALL_RELEASES}" | jq -r --argjson keep "$KEEP" '
+            [.[]
+              | select(.isPrerelease == true)
+              | select(.tagName | test("^commit-[0-9a-f]{40}$"))   # commit-<sha> tags only
+            ]
+            | sort_by(.createdAt)')"
+
+          CANDIDATE_COUNT="$(echo "${CANDIDATES}" | jq 'length')"
+          echo "Commit prereleases found : ${CANDIDATE_COUNT}"
+          echo "Will keep newest         : ${KEEP}"
+
+          TO_DELETE="$(echo "${CANDIDATES}" | jq -r --argjson keep "$KEEP" '.[:-$keep] | .[].tagName')"
+          DELETE_COUNT="$(echo "${TO_DELETE}" | grep -c . || true)"
+
+          if [[ -z "${TO_DELETE}" ]]; then
+            echo "--- Nothing to delete (${CANDIDATE_COUNT} prerelease(s) found, keep=${KEEP}) ---"
+            exit 0
+          fi
+
+          echo "--- Prereleases to delete: ${DELETE_COUNT} ---"
+          echo "${TO_DELETE}"
+
+          echo "--- Deleting ---"
+          DELETED=0
+          FAILED=0
+          while IFS= read -r tag; do
+            echo "[${DELETED}/${DELETE_COUNT}] Deleting release and tag: ${tag}"
+            if gh release delete "$tag" --repo "$GITHUB_REPOSITORY" --yes; then
+              git push origin --delete "refs/tags/$tag" 2>/dev/null \
+                && echo "  Tag ref deleted from remote." \
+                || echo "  Tag ref not on remote or already gone — skipping."
+              DELETED=$((DELETED + 1))
+            else
+              echo "  WARNING: Failed to delete release '${tag}' — skipping."
+              FAILED=$((FAILED + 1))
+            fi
+          done <<< "${TO_DELETE}"
+
+          echo "--- Cleanup Summary ---"
+          echo "Deleted : ${DELETED}"
+          echo "Failed  : ${FAILED}"
+          echo "Kept    : $((CANDIDATE_COUNT - DELETED))"
+          if [[ "${FAILED}" -gt 0 ]]; then
+            echo "ERROR: ${FAILED} deletion(s) failed."
+            exit 1
+          fi
+
+
+              

.github/workflows/on-pullrequest-lint-bruno.yml

@@ -24,12 +24,12 @@ jobs:
         working-directory: ./bruno
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Use Node.js 20
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 #6.0.0
+      - name: Use Node.js 24
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
+          node-version: 24
           cache: 'npm'
           cache-dependency-path: bruno/package-lock.json
 
@@ -49,7 +49,7 @@ jobs:
           fi
 
       - name: Upload lint report artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 #v5.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: bruno-lint-report
           path: bruno/lint-report.json

.github/workflows/on-pullrequest-run-tests.yml

@@ -38,12 +38,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Use Node.js 20
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 #6.0.0
+      - name: Use Node.js 24
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
+          node-version: 24
           cache: 'npm'
           cache-dependency-path: bruno/package-lock.json
 
@@ -81,7 +81,7 @@ jobs:
 
       - name: Upload QA artifacts
         if: always()
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 #v5.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: qa-scenarios-results
           path: |