ci: refactor build and push workflow MAPCO-9011 (#234)

* ci: refactor build and push workflow with dynamic configuration and new jobs

* ci: enhance build and push workflow with improved job dependencies and dynamic environment handling

* style: prettier

* ci: update repository references in build and push workflow

* ci: add conditional execution for push-helm-package job based on determine-config output

* ci: update job dependencies in build and push workflow for improved execution order

* fix: correct auto-merge label for dev environment in update-site-values job

---------

Co-authored-by: michsi24 <michalby24@gmail.com>

Author: michalby24

.github/workflows/build-and-push-next.yaml

@@ -1,9 +1,15 @@
-name: Push Artifacts to Azure Registry
+name: Build and Push Artifacts
 
 on:
   push:
-    tags:
-      - 'v*'
+    branches:
+      - next
+  release:
+    types: [published]
+
+concurrency:
+  group: build-and-push-${{ github.ref }}
+  cancel-in-progress: false # false to queue, not cancel
 
 permissions:
   contents: write
@@ -13,51 +19,192 @@ env:
   DOMAIN: infra
 
 jobs:
+  # ---------------------------------------------------------------------------
+  # Determine what triggered us and resolve all config up front.
+  #
+  # Three possible paths:
+  #   1. push to next  (developer commit)   → dev,  tag = next-{sha}
+  #   2. release, prerelease=true           → qa,   tag = v0.1.2-rc.10
+  #   3. release, prerelease=false          → prod, tag = v0.1.2
+  #                                            + housekeeping: update qa & int
+  #
+  # The push-to-next path must skip commits from mapcolonies[bot]
+  # (the empty "Release-As" footer commits from smart-release-please).
+  # ---------------------------------------------------------------------------
+  determine-config:
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+      image_tag: ${{ steps.config.outputs.image_tag }}
+      chart_tag: ${{ steps.config.outputs.chart_tag }}
+      environment: ${{ steps.config.outputs.environment }}
+      pr_labels: ${{ steps.config.outputs.pr_labels }}
+      update_paths: ${{ steps.config.outputs.update_paths }}
+      is_stable: ${{ steps.config.outputs.is_stable }}
+    steps:
+      - name: Check if should run
+        id: check
+        shell: bash
+        run: |
+          # Always run on release events
+          if [[ "${{ github.event_name }}" == "release" ]]; then
+            echo "should_run=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # For push to next: skip bot commits
+          COMMIT_MSG="${{ github.event.head_commit.message }}"
+
+          # Skip if commit message contains bot indicators
+          if [[ "$COMMIT_MSG" == *"Release-As:"* ]] || \
+             [[ "$COMMIT_MSG" == "chore: enforce correct rc version"* ]] || \
+             [[ "$COMMIT_MSG" == *"chore(next): release"* ]] || \
+             [[ "$COMMIT_MSG" == *"chore: release"* ]] || \
+             [[ "$COMMIT_MSG" == "Merge branch 'master' into next"* ]]; then
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "Skipping bot commit"
+            exit 0
+          fi
+
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+
+      - name: Resolve config
+        id: config
+        if: steps.check.outputs.should_run == 'true'
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "release" ]]; then
+            TAG="${{ github.event.release.tag_name }}"
+            echo "image_tag=${TAG}" >> "$GITHUB_OUTPUT"
+            echo "chart_tag=${TAG}" >> "$GITHUB_OUTPUT"
+            if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
+              ENV="qa"
+              echo "is_stable=false" >> "$GITHUB_OUTPUT"
+            else
+              ENV="prod"
+              echo "is_stable=true" >> "$GITHUB_OUTPUT"
+            fi
+          else
+            # push to next → dev
+            ENV="dev"
+            echo "image_tag=next-${{ github.sha }}" >> "$GITHUB_OUTPUT"
+            echo "chart_tag=0.0.0-next-${{ github.sha }}" >> "$GITHUB_OUTPUT"
+            echo "is_stable=false" >> "$GITHUB_OUTPUT"
+          fi
+          # Set environment-based outputs
+          echo "environment=${ENV}" >> "$GITHUB_OUTPUT"
+          echo "update_paths=infra/environments/${ENV}.yaml" >> "$GITHUB_OUTPUT"
+
+          # Set PR labels (dev gets auto-merge)
+          if [[ "${ENV}" == "dev" ]]; then
+            echo "pr_labels=${ENV}, auto-merge" >> "$GITHUB_OUTPUT"
+          else
+            echo "pr_labels=${ENV}" >> "$GITHUB_OUTPUT"
+          fi
+  # ---------------------------------------------------------------------------
+  # Build & push Docker image
+  # ---------------------------------------------------------------------------
   push-docker-image:
     runs-on: ubuntu-latest
+    needs: determine-config
+    if: needs.determine-config.outputs.should_run == 'true'
     steps:
-      - name: Login to Azure Container Registry
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Login to ACR
         uses: docker/login-action@v3
         with:
           registry: ${{ secrets.ACR_URL }}
           username: ${{ secrets.ACR_PUSH_USER }}
           password: ${{ secrets.ACR_PUSH_TOKEN }}
 
-      - name: Build and Push Docker image
-        id: build_and_push
+      - name: Build and push
         uses: docker/build-push-action@v6
         with:
+          context: .
           push: true
-          tags: ${{ secrets.ACR_URL }}/${{ env.DOMAIN }}/${{ github.event.repository.name }}:${{ github.ref_name }}
+          tags: ${{ secrets.ACR_URL }}/${{ env.DOMAIN }}/${{ github.event.repository.name }}:${{ needs.determine-config.outputs.image_tag }}
 
+  # ---------------------------------------------------------------------------
+  # Build & push Helm chart
+  # ---------------------------------------------------------------------------
   push-helm-package:
     runs-on: ubuntu-latest
-    needs: push-docker-image
+    if: needs.determine-config.outputs.should_run == 'true'
+    needs: [determine-config]
     steps:
-      - name: Checkout Repository
+      - name: Checkout
         uses: actions/checkout@v6
 
-      - name: Login to Azure Container Registry
-        uses: docker/login-action@v3
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
         with:
-          registry: ${{ secrets.ACR_URL }}
-          username: ${{ secrets.ACR_PUSH_USER }}
-          password: ${{ secrets.ACR_PUSH_TOKEN }}
+          version: v3.15.4
 
-      - name: Remove v from the tag
-        id: remove_v
-        run: |
-          TAG=${{ github.ref_name }}
-          echo "VERSION=${TAG#v}" >> $GITHUB_OUTPUT
-
-      - name: Push Chart to ACR
+      - name: Push chart to ACR
         uses: appany/helm-oci-chart-releaser@v0.5.0
         with:
           name: ${{ github.event.repository.name }}
           repository: helm/${{ env.DOMAIN }}
-          tag: ${{ steps.remove_v.outputs.version }}
+          tag: ${{ needs.determine-config.outputs.chart_tag }}
           path: ./helm
           registry: ${{ secrets.ACR_URL }}
           registry_username: ${{ secrets.ACR_PUSH_USER }}
           registry_password: ${{ secrets.ACR_PUSH_TOKEN }}
-          update_dependencies: 'true' # Defaults to false
+          update_dependencies: 'true'
+
+  # ---------------------------------------------------------------------------
+  # Open the PR in site-values for the target environment.
+  #
+  #   dev  → auto-merge (labels: "dev")
+  #   prod → manual     (labels: "prod")
+  # ---------------------------------------------------------------------------
+  update-site-values:
+    runs-on: ubuntu-latest
+    needs: [determine-config, push-docker-image, push-helm-package]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Open / update site-values PR
+        uses: MapColonies/shared-workflows/actions/update-chart-version@update-chart-version-v0.1.0
+        with:
+          tag: ${{ needs.determine-config.outputs.chart_tag }}
+          repository: site-values
+          github_token: ${{ secrets.GH_PAT }}
+          chart: ${{ github.event.repository.name }}
+          environment: ${{ needs.determine-config.outputs.environment }}
+          pr_labels: ${{ needs.determine-config.outputs.pr_labels }}
+          paths: ${{ needs.determine-config.outputs.update_paths }}
+
+  # ---------------------------------------------------------------------------
+  # Housekeeping — only on stable release.
+  # When v0.1.2 is cut, qa and integration are still pointing at v0.1.2-rc.X.
+  # This job auto-updates both to the new stable tag so they stay in sync.
+  # ---------------------------------------------------------------------------
+  housekeeping-update-qa-and-integration:
+    runs-on: ubuntu-latest
+    needs: [determine-config, push-helm-package, push-docker-image]
+    if: needs.determine-config.outputs.is_stable == 'true'
+    strategy:
+      matrix:
+        env_name: [qa, integration]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Update ${{ matrix.env_name }} to stable tag
+        uses: MapColonies/shared-workflows/actions/update-chart-version@update-chart-version-v0.1.0
+        with:
+          tag: ${{ needs.determine-config.outputs.chart_tag }}
+          repository: site-values
+          github_token: ${{ secrets.GH_PAT }}
+          chart: ${{ github.event.repository.name }}
+          environment: ${{ matrix.env_name }}
+          pr_labels: ${{ matrix.env_name }}, auto-merge
+          paths: infra/environments/${{ matrix.env_name }}.yaml