EPMRPP-113256 || Update CI/CD Workflow #1079

Merged
maria-hambardzumian merged 2 commits into develop from feature/EPMRPP-113256-Update-Prod-cicd
Mar 6, 2026

Conversation

@maria-hambardzumian (Contributor) commented Mar 6, 2026

Summary by CodeRabbit

  • Chores
    • Introduced an automated production deployment pipeline for AWS: nightly/manual triggers build and publish site documentation to the production hosting environment, initiate hosting service deployment, synchronize versioned releases, and attempt to propagate changes back to the development branch to keep branches aligned.

coderabbitai bot commented Mar 6, 2026

No actionable comments were generated in the recent review. 🎉


Walkthrough

Adds a new GitHub Actions workflow (.github/workflows/deploy-prod-aws.yml) that builds the site on pushes to master (or manual dispatch), syncs versions, cleans the S3 docs folder, deploys built docs to S3, triggers an Amplify manual deployment, and attempts to merge master into develop.

Changes

Cohort / File(s): Production Deployment Workflow (.github/workflows/deploy-prod-aws.yml)

Summary: New workflow "Deploy to prod (AWS S3)". Adds jobs: sync-versions (reuses ./.github/workflows/sync-releases.yml), clean-docs-folder (OIDC AWS creds, remove docs/ in S3), deploy (checkout, Node 20 build, sync to S3, create+upload Amplify deployment zip, start deployment), and merge-to-develop (merge master → develop if needed). Defines env vars, top-level permissions, triggers on master and workflow_dispatch.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant SyncWF as Sync-Releases WF
    participant Runner as Runner (build)
    participant S3 as AWS S3
    participant Amplify as AWS Amplify
    participant Git as Git Repo

    GH->>GH: trigger on push to master / manual
    par parallel
      GH->>SyncWF: run sync-versions (reuse workflow)
      GH->>S3: run clean-docs-folder (OIDC creds)\nremove `docs/` from bucket
    end
    GH->>Runner: deploy job (depends on above)\ncheckout master, setup Node 20, install, build
    Runner->>S3: sync build to `docs/` path
    Runner->>S3: copy site to /tmp/full-site
    Runner->>Amplify: create deployment -> {jobId, zipUploadUrl}
    Runner->>Amplify: upload deployment zip to zipUploadUrl
    Runner->>Amplify: start deployment with jobId
    GH->>Git: merge-to-develop job\nfetch develop, merge master, push if changed

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested Reviewers

  • AmsterGet
  • pressayuliya

Poem

🐇✨ A master push, a build takes flight,
I zip and hop through S3 tonight.
Amplify hums, the jobId sings,
Then I nudge develop on tiny springy things. 🥕🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive. The title is partially related to the changeset; it refers to CI/CD workflow updates but is overly broad and lacks specificity about the primary change (introducing prod AWS S3 deployment pipeline). Resolution: consider a more specific title such as 'Add production AWS S3 deployment workflow' to clearly highlight the main addition and improve clarity for future reference.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy-prod-aws.yml:
- Around line 66-72: The workflow currently checks out master and runs git pull,
which can drift from the triggering commit; update the "Checkout repository"
step that uses actions/checkout@v4 to pin the checkout to the triggering
revision by setting its ref to the event SHA (use ${{ github.sha }}) instead of
ref: master, and remove the separate "Pull latest changes" step (git pull origin
master) so the job deploys the exact commit that triggered the workflow.
- Around line 14-33: Add a top-level concurrency block to serialize runs for
this workflow so production jobs (clean-docs-folder, deploy, merge-to-develop)
never run in parallel; specifically, add a concurrency entry with a stable group
name (e.g., "deploy-prod-${{ github.ref }}" or simply "deploy-prod") and set
cancel-in-progress to false so new triggers wait for the current run to finish
rather than running concurrently or canceling; place this concurrency block at
the top level of the workflow (alongside name/env/on/permissions) so it governs
all jobs.
- Around line 124-149: The workflow currently re-resolves "master" after deploy;
instead ensure the exact deployed commit is used by replacing references to
master with the immutable commit ${{ github.sha }}: set the actions/checkout
step to use ref: ${{ github.sha }} (instead of master) and update the merge
block to compare and merge the SHA (use git diff --quiet develop..${{ github.sha
}} and git merge --no-ff ${{ github.sha }} -m "...") so the same commit deployed
is the one merged into develop; keep the existing develop
fetch/checkout/abort/push logic but operate against the GitHub SHA.
- Around line 42-60: Remove the entire clean-docs-folder job (the job named
clean-docs-folder that runs aws s3 rm against the docs/ prefix) and instead add
the --delete flag to the existing aws s3 sync command in the deploy job that
syncs the built site to the S3 docs/ prefix so that removal of obsolete files
happens atomically only on successful sync.


Comment on lines +14 to +33
name: Deploy to prod (AWS S3)
env:
  AWS_S3_BUCKET_NAME : rpp-landing-prod
  AWS_REGION_NAME : eu-central-1
  BUILD_DIR : "build/"
  DOCS_BASE_URL: "/docs/"

on:
  push:
    branches:
      - master
    paths-ignore:
      - '.github/**'
      - README.md
  workflow_dispatch:

permissions:
  id-token: write
  contents: write


⚠️ Potential issue | 🟠 Major


Add a concurrency group to serialize production deployments.

Without serialization, multiple master pushes or a push combined with workflow_dispatch can run concurrently. The clean-docs-folder job removes S3 content while deploy uploads simultaneously, and merge-to-develop can perform concurrent branch merges, causing S3 state corruption and out-of-order branch synchronization in production.

🔒 Suggested guard
 name: Deploy to prod (AWS S3)
+concurrency:
+  group: deploy-prod-aws
+  cancel-in-progress: false
+
 env:
   AWS_S3_BUCKET_NAME : rpp-landing-prod
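Review bot: `cancel-in-progress: false` is the right setting for a production deploy, since cancelling a run mid `aws s3 sync` would leave the `docs/` prefix half-updated, but note that this hunk uses the fixed group `deploy-prod-aws` while the AI prompt above also offers `deploy-prod-${{ github.ref }}`. Keep the fixed name: every run of this workflow, whether from `push` or `workflow_dispatch`, writes to the same bucket, and a group keyed on `github.ref` only serializes runs that share a ref, so it would not actually serialize production.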

Comment on lines +42 to +60
  clean-docs-folder:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION_NAME }}

      - name: Clear docs folder in S3 bucket
        run: |
          if aws s3 ls "s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/" 2>/dev/null; then
            echo "docs/ folder exists, removing it..."
            aws s3 rm s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/ --recursive
          else
            echo "docs/ folder does not exist, nothing to clean."
          fi


⚠️ Potential issue | 🔴 Critical


Do not delete the live docs/ prefix before the new build is deployed.

The clean-docs-folder job deletes s3://rpp-landing-prod/docs/ before the deploy job builds and syncs. If any step fails after cleanup—npm ci, npm run build, aws s3 sync, or Amplify—production docs remain deleted. Remove the clean-docs-folder job and add the --delete flag to the S3 sync command at line 97 instead, ensuring old files are cleaned up atomically as part of the successful build sync.

🔧 Safer deployment approach
-  clean-docs-folder:
-    runs-on: ubuntu-latest
-    environment: production
-    steps:
-      - name: Configure AWS credentials (OIDC)
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION_NAME }}
-
-      - name: Clear docs folder in S3 bucket
-        run: |
-          if aws s3 ls "s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/" 2>/dev/null; then
-            echo "docs/ folder exists, removing it..."
-            aws s3 rm s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/ --recursive
-          else
-            echo "docs/ folder does not exist, nothing to clean."
-          fi
-
   deploy:
     runs-on: ubuntu-latest
-    needs: [sync-versions, clean-docs-folder]
+    needs: [sync-versions]
     environment: production
     steps:
       - name: Checkout repository
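Review bot: dropping `clean-docs-folder` from `needs:` is consistent with removing the job, but the scope of cleanup changes with it: the removed job deleted everything under `docs/`, whereas `aws s3 sync --delete` only removes keys under `docs/` that are absent from `${{ env.BUILD_DIR }}`. That is what a generated site wants, but confirm nothing else is written under that prefix out of band, because it would now be deleted on every deploy. The OIDC role is still assumed in the `deploy` job, which keeps `environment: production`, so any trust-policy condition on that environment continues to apply.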
@@ -96,7 +74,7 @@ jobs:
           aws-region: ${{ env.AWS_REGION_NAME }}
 
       - name: Deploy to AWS S3
-        run: aws s3 sync ./${{ env.BUILD_DIR }} s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/
+        run: aws s3 sync ./${{ env.BUILD_DIR }} s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/ --delete
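Review bot: "atomically" in the comment text overstates what this hunk delivers. `aws s3 sync --delete` issues individual PUT and DELETE calls, so a failure midway still leaves a mixed `docs/` prefix. The real gain is ordering: deletions now happen only after `npm ci` and `npm run build` have succeeded in the same job, so a failed build no longer empties production. Worth stating that limit in the step name or a comment so nobody later relies on the sync as an all-or-nothing cutover.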

Comment on lines +66 to +72
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: master

      - name: Pull latest changes
        run: git pull origin master

⚠️ Potential issue | 🟠 Major


Deploy the triggering revision, not the current master head.

Checking out master and then pulling creates deployment drift. If new commits land during the workflow run, this job deploys code that never belonged to this execution. Production deployments must be pinned to the exact commit that triggered the workflow.

📌 Pin the deployment to the event SHA
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ref: master
-
-      - name: Pull latest changes
-        run: git pull origin master
+          ref: ${{ github.sha }}
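Review bot: `ref: ${{ github.sha }}` pins the checkout for both triggers: on `push` it is the pushed head, and on `workflow_dispatch` it is the head of the selected branch at dispatch time, so the job deploys a fixed commit either way. Removing the `git pull origin master` step is required, not just tidy, because a pull would immediately undo the pin. The `merge-to-develop` job later in the file still resolves `master` by name; that is the separate comment on lines 124-149, and the two should land together so deploy and merge cannot diverge.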

Comment on lines +124 to +149
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: master
          fetch-depth: 0
          token: ${{ secrets.GH_TOKEN }}

      - name: Merge master into develop
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          if ! git fetch origin develop:develop 2>/dev/null; then
            echo "::warning::develop branch not found, skipping merge."
            exit 0
          fi
          if git diff --quiet develop..master; then
            echo "No differences between master and develop, skipping merge."
            exit 0
          fi
          git checkout develop
          if ! git merge --no-ff master -m "Sync || merge master into develop"; then
            echo "::error::Merge conflict detected when merging master into develop."
            git merge --abort
            exit 1
          fi
          git push origin develop

⚠️ Potential issue | 🔴 Critical


Merge the deployed SHA into develop, not whatever master points to later.

This job re-resolves master by name after deployment. A newer push during the workflow can be merged to develop even though it was not the revision just deployed. Reuse the same immutable SHA here by using ${{ github.sha }} instead.

📌 Keep deploy and merge on the same commit
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ref: master
+          ref: ${{ github.sha }}
           fetch-depth: 0
           token: ${{ secrets.GH_TOKEN }}
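Review bot: with `ref: ${{ github.sha }}` the checkout lands on a detached HEAD, which is fine here because the script fetches `develop` explicitly and `fetch-depth: 0` brings the full history that `git diff develop..` and a `--no-ff` merge need. One question on `token: ${{ secrets.GH_TOKEN }}`: the workflow already grants `contents: write` to the default token, so a PAT is only needed if the push is meant to trigger other workflows on `develop`. If that is the reason, say so in a comment next to the `token:` line, and keep the PAT scoped to this repository only.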
@@
-          if git diff --quiet develop..master; then
+          if git diff --quiet develop.."${GITHUB_SHA}"; then
             echo "No differences between master and develop, skipping merge."
             exit 0
           fi
           git checkout develop
-          if ! git merge --no-ff master -m "Sync || merge master into develop"; then
+          if ! git merge --no-ff "${GITHUB_SHA}" -m "Sync || merge ${GITHUB_SHA} into develop"; then
             echo "::error::Merge conflict detected when merging master into develop."
             git merge --abort
             exit 1
           fi
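Review bot: the two remaining `echo` messages ("No differences between master and develop", "Merge conflict detected when merging master into develop") still say master while the commands now operate on `${GITHUB_SHA}`; update them to name the SHA so a failing log can be tied to the exact commit. Using the `GITHUB_SHA` environment variable inside `run:` rather than `${{ github.sha }}` is the better style, since it avoids interpolating an expression into the shell. Also consider `git merge-base --is-ancestor "${GITHUB_SHA}" develop` in place of `git diff --quiet develop.."${GITHUB_SHA}"`: `diff` compares tree contents, so it reports differences (and attempts a merge) whenever develop has commits of its own, even when the deployed commit is already contained in it.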
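The four findings on this thread (concurrency group, deploy the event SHA, no pre-delete job, merge the deployed SHA) combined into one workflow, as an added example and not the project's own deploy-prod-aws.yml: the sync-versions and Amplify steps of the real workflow are omitted, and actions/setup-node@v4 plus the merge-base ancestry check are assumptions not taken from the page.

```yaml
name: Deploy to prod (AWS S3)
# Serialize production runs: a second push waits instead of interleaving with a half-done sync.
concurrency:
  group: deploy-prod-aws
  cancel-in-progress: false

env:
  AWS_S3_BUCKET_NAME: rpp-landing-prod
  AWS_REGION_NAME: eu-central-1
  BUILD_DIR: "build/"

on:
  push:
    branches: [master]
  workflow_dispatch:

permissions:
  id-token: write   # OIDC federation to the AWS role
  contents: write   # push to develop in merge-to-develop

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.sha }}   # the triggering commit, never "master" by name
      - uses: actions/setup-node@v4   # assumed action; the page only says "Node 20 build"
        with:
          node-version: 20
      - run: npm ci && npm run build
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION_NAME }}
      # No pre-delete job: stale objects are removed by --delete, and only after
      # the build in this same job has succeeded.
      - run: aws s3 sync ./${{ env.BUILD_DIR }} s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/ --delete

  merge-to-develop:
    needs: deploy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.sha }}
          fetch-depth: 0
          token: ${{ secrets.GH_TOKEN }}
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git fetch origin develop:develop
          # Ancestry, not tree diff, decides whether the deployed commit is already in develop.
          if git merge-base --is-ancestor "$GITHUB_SHA" develop; then
            echo "develop already contains $GITHUB_SHA"; exit 0
          fi
          git checkout develop
          git merge --no-ff "$GITHUB_SHA" -m "Sync || merge $GITHUB_SHA into develop"
          git push origin develop
```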

@maria-hambardzumian maria-hambardzumian merged commit 0981673 into develop Mar 6, 2026
2 checks passed
@maria-hambardzumian maria-hambardzumian deleted the feature/EPMRPP-113256-Update-Prod-cicd branch March 6, 2026 13:33