chore: dynamically pack the circleci pipeline configuration (#32618)

* chore: dynamically pack the circleci pipeline configuration

The ./scripts/pack-ci.sh is the first workhorse, here. It uses the circleci
cli to pack any subdirectory of `.circleci/src` into a circleci config
using FYAML format. It can pack every subdirectory, a subsection of
subdirs that include changes, and use circleci cli to validate the
packed yml files.

Husky is set up to validate the packed yml file(s) on commit.

The packed yml file(s) should not be committed to source control. They
are build artifacts. They are configured to be ignored by git in
./.circleci/.gitignore.

./.circleci/config.yml is the second major change. This workflow is
modified such that:
- it uses workflow filtering to prevent the workflow from triggering unless at least
one of the following is true:
  - the workflow was triggered via api (the 'trigger workflows' button in circleci)
  - the branch is `develop`
  - the branch is `release/*`
  - the branch has an open pull request, and the pull request is not draft
- checks out the repository from the HEAD ref of the pr (the branch with the changes),
and calculates a checksum of the contents of ./.circleci/src. Packed workflow files
are cached by the checksum of the source files that were used to generate the packed
workflow. If the cache is restored, the packed pipeline.yml file is continued. If there
is no cache for the checksum, it uses ./scripts/pack-ci to pack the source yml files
and triggers a continuation with the resulting packed yml file.

* rm packed yml file

* revert to old draft detection :( other way is only avail on github app

* just fail instead of cancelling on drafts, more reliable even if not correct

* just halt, since draft->ready does not already trigger a ci run

* circleci agent -> circleci-agent

* validate main circleci yml file; correct entrypoint for pack workflows job

* workflows -> pipeline

* Update pack-ci.sh - newline at eof

Author: cacieprins

.circleci/.gitignore

@@ -0,0 +1 @@
+packed

.circleci/README.md

@@ -1,12 +1,12 @@
 # CircleCI Configuration
 
-This directory contains CircleCI configuration files that are automatically generated and updated.
+This directory contains CircleCI configuration files that use a dynamic workflow packing system for efficient CI development and execution.
 
 ## Prerequisites
 
 ### CircleCI Local CLI
 
-The CircleCI Local CLI is required to generate the `pull-request.yml` file from the source configuration.
+The CircleCI Local CLI is required to pack the source configurations.
 
 **Installation:**
 
@@ -30,28 +30,31 @@ The CircleCI Local CLI is required to generate the `pull-request.yml` file from
 
 For more detailed installation instructions, see the [CircleCI Local CLI documentation](https://circleci.com/docs/2.0/local-cli/).
 
-## Lint-Staged Rules
+## Pre-commit Validation
 
-When files in this directory are modified, the following lint-staged rule will automatically run:
+When files in `.circleci/src/` are modified, the pre-commit hook automatically runs:
 
 ```bash
-circleci config pack .circleci/workflows-src > .circleci/workflows.yml
+yarn pack-ci --verify
 ```
 
 This command:
-1. Takes the source configuration from `./.circleci/workflows-src/`
-2. Packs it into a single YAML file
-3. Outputs the result to `./circleci/workflows.yml`
+1. Scans all directories in `./.circleci/src/` for modifications
+2. Packs only the modified directories (e.g., `workflows/` → `workflows.yml`)
+3. Validates the packed configurations
+4. Exits with error if validation fails
 
 ## File Structure
 
-- `workflows-src/` - Source configuration files (modify these)
-- `workflows.yml` - Generated configuration file (auto-generated, do not edit manually)
+- `src/` - Source configuration directories (modify these)
+- `packed/` - Generated configuration files (ignored by git)
 
 ## Development Workflow
 
-1. Make changes to files in `workflows-src/`
-2. The lint-staged hook will automatically regenerate `workflows.yml` and stage it
-3. Commit both the source changes and the generated file
+1. Make changes to files in `src/` directories
+2. Stage and commit changes - pre-commit hook automatically validates and packs configurations
+3. The jobs defined in `config.yml` will pack these source directories on-the-fly when CI gets kicked off.
 
-**Note:** Always commit both the source files and the generated `workflows.yml` file together to ensure the CircleCI configuration stays in sync. 
+## `config.yml`
+
+This is the main entrypoint to Cypress CI. It loads packed workflow files from cache, or builds them if necessary. Then it continues to the primary workflow. The main entrypoint to our CI must be available in source control and not packed on-the-fly.

.circleci/cache-version.txt

@@ -1,2 +1,2 @@
 # Bump this version to force CI to re-create the cache from scratch.
-9-30-2025
+9-30-2026

.circleci/config.yml

@@ -1,60 +1,159 @@
-jobs:
-    verify-ci-should-run:
-        docker:
-            - image: cimg/node:current
-        resource_class: small
-        steps:
+orbs:
+    continuation: circleci/[email protected]
+    circleci-cli: circleci/[email protected]
+setup: true
+version: 2.1
+
+workflows:
+    setup-workflow:
+        jobs:
+            - pack-workflows
+            - launch-primary-workflow:
+                requires:
+                  - pack-workflows
+
+commands:
+  persist:
+    steps:
+      - persist_to_workspace:
+          root: .
+          paths:
+            - .circleci/packed
+  persist-to-workspace-and-exit-early:
+    steps:
+      - run:
+          name: Check cache status and exit early if needed
+          command: |
+            if [[ -d ".circleci/packed" ]] && [[ "$(ls -A .circleci/packed 2>/dev/null)" ]]; then
+              echo "📦 Cache hit - packed configurations exist"
+              echo "✅ Persisting packed configurations to workspace and halting job"
+              echo "CACHE_HIT=true" >> $BASH_ENV
+            else
+              echo "📦 Cache miss - continuing with packaging"
+              echo "CACHE_HIT=false" >> $BASH_ENV
+              mkdir -p .circleci/packed # persist empty dir to workspace
+            fi
+      - persist
+      - run:
+          name: End job if cache hit
+          command: |
+            if [[ "$CACHE_HIT" == "true" ]] && [[ "$(ls -A .circleci/packed 2>/dev/null)" ]]; then
+              echo "✅ Cache hit - packed configurations exist"
+              circleci-agent step halt
+            else
+              echo "📦 Cache miss - continuing with packaging"
+            fi
+  pack-workflows:
+    steps:
+      - circleci-cli/install
+      - run:
+          name: Pack workflows
+          command: |
+            ./scripts/pack-ci.sh --all
+  validate-workflows:
+    steps:
+      - run:
+          name: Validate workflows
+          command: |
+            ./scripts/pack-ci.sh --validate --pack=false
+
+  # Retrieving and saving packed workflows based on the checksum of the hash
+  # of the yml files in ./.circleci/src
+  calc-src-checksum:
+    steps:
+      - run:
+          name: Generate config checksum for cache lookup
+          # this is saved to a file, so that we can use {{ checksum }} - which
+          # can only operate on the contents of a single file, not a list of
+          # files or a directory.
+          command: |
+            find .circleci/src -name "*.yml" -type f | \
+              sort | \
+              xargs cat | \
+              md5sum | \
+              cut -d' ' -f1 > /tmp/config_checksum.txt
+  restore-src-checksum-cache:
+    steps:
+      - calc-src-checksum
+      - restore_cache:
+            keys:
+              - circleci-packed-pipelines-{{ checksum "/tmp/config_checksum.txt" }}
+            paths:
+                - .circleci/packed
+  save-src-checksum-cache:
+    steps:
+      - calc-src-checksum
+      - save_cache:
+          key: circleci-packed-pipelines-{{ checksum "/tmp/config_checksum.txt" }}
+          paths:
+            - .circleci/packed
+
+  cancel-draft-prs:
+    steps:
+      - when:
+          condition:
+            not:
+              or:
+                - equal: [<<pipeline.trigger_source>>, 'api']
+                - equal: [<<pipeline.git.branch>>, 'develop']
+                - matches:
+                    pattern: /^release\/.*/
+                    value: <<pipeline.git.branch>>
+          steps:
             - run:
+                name: Cancel CI
                 command: |
-                    # run CI when manually triggers via CircleCi Dashboard
-                    if [ <<pipeline.trigger_source>> == 'api' ]; then
-                      echo "Always run CI when manually triggered from the UI."
-                      exit 0
-                    fi
-
-                    if [[ "$CIRCLE_BRANCH" == "develop" || "$CIRCLE_BRANCH" == "release/"* ]]; then
-                      echo "Always run CI for develop and for release candidate branches."
-                      exit 0
-                    fi
+                  cancel_build() {
+                    circleci-agent step halt
+                  }
 
-                    LAST_COMMIT_MESSAGE=$(curl --silent "https://api.github.com/repos/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}/commits/${CIRCLE_BRANCH}" | jq '.commit.message')
+                  if [ ! -z "${CIRCLE_PULL_REQUEST##*/}" ]; then
+                    DRAFT=$(curl --silent "https://api.github.com/repos/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}/pulls/${CIRCLE_PULL_REQUEST##*/}" | jq '.draft')
 
-                    if [[ "$LAST_COMMIT_MESSAGE" =~ "run ci" ]]; then
-                      echo "Always run CI when the commit message includes 'run ci'."
-                      exit 0
+                    if [[ "${DRAFT}" == true ]]; then
+                      echo "Skipping CI; PR is in draft - to trigger CI , click the 'Trigger Pipeline' button in the CircleCI UI."
+                      cancel_build
                     fi
 
-                    cancel_build () {
-                      echo "Canceling the CI build..."
-                      circleci-agent step halt
-                    }
+                    echo "Always run CI for PR that is ready for review."
+                    exit 0
+                  fi
 
-                    TRIGGER_INSTRUCTIONS="to trigger CI , include 'run ci' in the commit message or click the 'Trigger Pipeline' button in the CircleCI UI."
+                  # otherwise, the build is not a PR so we cancel it 
+                  cancel_build
 
-                    if [ ! -z "${CIRCLE_PULL_REQUEST##*/}" ]; then
-                      DRAFT=$(curl --silent "https://api.github.com/repos/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}/pulls/${CIRCLE_PULL_REQUEST##*/}" | jq '.draft')
+jobs:
+  pack-workflows:
+    docker:
+        - image: cimg/base:stable
+    resource_class: small
+    steps:
+        - cancel-draft-prs
+        - checkout
+        - restore-src-checksum-cache
+        - persist-to-workspace-and-exit-early
+        - pack-workflows
+        - save-src-checksum-cache
+        - persist
 
-                      if [[ "${DRAFT}" == true ]]; then
-                        echo "Skipping CI; PR is in draft - $TRIGGER_INSTRUCTIONS"
-                        cancel_build
-                      fi
+  launch-primary-workflow:
+      docker:
+          - image: cimg/base:stable
+      resource_class: small
+      steps:
+          - cancel-draft-prs
+          - attach_workspace:
+              at: .
+          - run:
+              name: Check for primary workflow definition
+              command: |
+                if [ ! -f .circleci/packed/pipeline.yml ]; then
+                    echo "❌ Primary workflow definition not found in .circleci/packed/pipeline.yml!"
+                    exit 1
+                fi
+          - continuation/continue:
+              configuration_path: .circleci/packed/pipeline.yml
 
-                      echo "Always run CI for PR that is ready for review."
-                      exit 0
-                    fi
 
-                    echo "Skipping CI; branch in progress - $TRIGGER_INSTRUCTIONS"
-                    cancel_build
-                name: Verify CI should run
-            - checkout
-            - continuation/continue:
-                configuration_path: .circleci/workflows.yml
-orbs:
-    continuation: circleci/[email protected]
-setup: true
-version: 2.1
-workflows:
-    setup-workflow:
-        jobs:
-            - verify-ci-should-run
+