Merged
Changes from 1 commit
149 changes: 149 additions & 0 deletions .github/workflows/deploy-prod-aws.yml
@@ -0,0 +1,149 @@
# Copyright 2026 EPAM Systems
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Deploy to prod (AWS S3)
env:
AWS_S3_BUCKET_NAME : rpp-landing-prod
AWS_REGION_NAME : eu-central-1
BUILD_DIR : "build/"
DOCS_BASE_URL: "/docs/"

on:
push:
branches:
- master
paths-ignore:
- '.github/**'
- README.md
workflow_dispatch:

permissions:
id-token: write
contents: write
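Review bot: The top-level `permissions` block grants `id-token: write` and `contents: write` to every job in this workflow, but only clean-docs-folder and deploy exchange an OIDC token with `aws-actions/configure-aws-credentials@v4`, and merge-to-develop checks out with `token: ${{ secrets.GH_TOKEN }}` and pushes with that persisted token, not with `GITHUB_TOKEN`, so `contents: write` on the built-in token is unused here unless sync-releases.yml relies on it. Suggest `permissions:` / `  contents: read` at the workflow level and, on clean-docs-folder and deploy only, `permissions:` / `  id-token: write` / `  contents: read`, so neither the OIDC-capable token nor a write-capable token reaches the jobs that do not need them. Two smaller points: `paths-ignore: '.github/**'` covers this workflow file itself, so edits to the deployment pipeline will only ever deploy via `workflow_dispatch`, which is worth stating in a comment; and `AWS_S3_BUCKET_NAME :`, `AWS_REGION_NAME :` and `BUILD_DIR :` parse (YAML trims the trailing space from the key) but are inconsistent with `DOCS_BASE_URL:`.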

Comment on lines +14 to +33
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/deploy-prod-aws.yml

Repository: reportportal/docs

Length of output: 4545


Add a concurrency group to serialize production deployments.

Without serialization, multiple master pushes or a push combined with workflow_dispatch can run concurrently. The clean-docs-folder job removes S3 content while deploy uploads simultaneously, and merge-to-develop can perform concurrent branch merges, causing S3 state corruption and out-of-order branch synchronization in production.

🔒 Suggested guard
 name: Deploy to prod (AWS S3)
+concurrency:
+  group: deploy-prod-aws
+  cancel-in-progress: false
+
 env:
   AWS_S3_BUCKET_NAME : rpp-landing-prod
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-prod-aws.yml around lines 14 - 33, Add a top-level
concurrency block to serialize runs for this workflow so production jobs
(clean-docs-folder, deploy, merge-to-develop) never run in parallel;
specifically, add a concurrency entry with a stable group name (e.g.,
"deploy-prod-${{ github.ref }}" or simply "deploy-prod") and set
cancel-in-progress to false so new triggers wait for the current run to finish
rather than running concurrently or canceling; place this concurrency block at
the top level of the workflow (alongside name/env/on/permissions) so it governs
all jobs.

jobs:
sync-versions:
uses: ./.github/workflows/sync-releases.yml
with:
scope: 'last-2'
secrets:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

clean-docs-folder:
runs-on: ubuntu-latest
environment: production
steps:
- name: Configure AWS credentials (OIDC)
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION_NAME }}

- name: Clear docs folder in S3 bucket
run: |
if aws s3 ls "s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/" 2>/dev/null; then
echo "docs/ folder exists, removing it..."
aws s3 rm s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/ --recursive
else
echo "docs/ folder does not exist, nothing to clean."
fi
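Review bot: The `aws s3 ls "s3://.../docs/" 2>/dev/null` condition in "Clear docs folder in S3 bucket" cannot distinguish an empty prefix from a failed call: an expired OIDC session, a role that lacks `s3:ListBucket`, or a transient network error all make `ls` exit non-zero, and the step then prints "docs/ folder does not exist, nothing to clean." and reports success, so an authorization or connectivity fault in production is hidden from the run log. Drop the `2>/dev/null` so the real error is at least visible, or remove the conditional and run `aws s3 rm "s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/" --recursive` unconditionally, which is a no-op on an already-empty prefix and fails loudly on a permission problem. Minor: the bucket URL is quoted in the `ls` call but not in the `rm` call; quote both.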

Comment on lines +42 to +60
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/deploy-prod-aws.yml

Repository: reportportal/docs

Length of output: 5588


Do not delete the live docs/ prefix before the new build is deployed.

The clean-docs-folder job deletes s3://rpp-landing-prod/docs/ before the deploy job builds and syncs. If any step fails after cleanup—npm ci, npm run build, aws s3 sync, or Amplify—production docs remain deleted. Remove the clean-docs-folder job and add the --delete flag to the S3 sync command at line 97 instead, ensuring old files are cleaned up atomically as part of the successful build sync.

🔧 Safer deployment approach
-  clean-docs-folder:
-    runs-on: ubuntu-latest
-    environment: production
-    steps:
-      - name: Configure AWS credentials (OIDC)
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION_NAME }}
-
-      - name: Clear docs folder in S3 bucket
-        run: |
-          if aws s3 ls "s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/" 2>/dev/null; then
-            echo "docs/ folder exists, removing it..."
-            aws s3 rm s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/ --recursive
-          else
-            echo "docs/ folder does not exist, nothing to clean."
-          fi
-
   deploy:
     runs-on: ubuntu-latest
-    needs: [sync-versions, clean-docs-folder]
+    needs: [sync-versions]
     environment: production
     steps:
       - name: Checkout repository
@@ -96,7 +74,7 @@ jobs:
           aws-region: ${{ env.AWS_REGION_NAME }}
 
       - name: Deploy to AWS S3
-        run: aws s3 sync ./${{ env.BUILD_DIR }} s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/
+        run: aws s3 sync ./${{ env.BUILD_DIR }} s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/ --delete
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-prod-aws.yml around lines 42 - 60, Remove the
entire clean-docs-folder job (the job named clean-docs-folder that runs aws s3
rm against the docs/ prefix) and instead add the --delete flag to the existing
aws s3 sync command in the deploy job that syncs the built site to the S3 docs/
prefix so that removal of obsolete files happens atomically only on successful
sync.

deploy:
runs-on: ubuntu-latest
needs: [sync-versions, clean-docs-folder]
environment: production
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: master

- name: Pull latest changes
run: git pull origin master
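Review bot: Because deploy (and clean-docs-folder above it) runs under `environment: production`, the OIDC token GitHub issues for `aws-actions/configure-aws-credentials@v4` carries the subject `repo:reportportal/docs:environment:production` and the audience `sts.amazonaws.com`; the trust policy on the role behind `secrets.AWS_ROLE_ARN` should pin exactly that subject and audience rather than a branch pattern or a `repo:reportportal/*` wildcard, otherwise any workflow in the organization that learns the role ARN can obtain production S3 credentials. It is also worth recording, in a comment next to `role-to-assume`, which environment protection rules (required reviewers, deployment branch restriction to master) gate this environment, since they are the only thing standing between a `workflow_dispatch` from another branch and a production deploy.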
Comment on lines +66 to +72
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/deploy-prod-aws.yml

Repository: reportportal/docs

Length of output: 5588


Deploy the triggering revision, not the current master head.

Checking out master and then pulling creates deployment drift. If new commits land during the workflow run, this job deploys code that never belonged to this execution. Production deployments must be pinned to the exact commit that triggered the workflow.

📌 Pin the deployment to the event SHA
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ref: master
-
-      - name: Pull latest changes
-        run: git pull origin master
+          ref: ${{ github.sha }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-prod-aws.yml around lines 66 - 72, The workflow
currently checks out master and runs git pull, which can drift from the
triggering commit; update the "Checkout repository" step that uses
actions/checkout@v4 to pin the checkout to the triggering revision by setting
its ref to the event SHA (use ${{ github.sha }}) instead of ref: master, and
remove the separate "Pull latest changes" step (git pull origin master) so the
job deploys the exact commit that triggered the workflow.


- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20

- name: Install of node dependencies
run: npm ci

- name: create env file
run: |
touch .env
echo DOCS_BASE_URL=${{ env.DOCS_BASE_URL }} >> .env

- name: Build the source code
run: npm run build

- name: Configure AWS credentials (OIDC)
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION_NAME }}

- name: Deploy to AWS S3
run: aws s3 sync ./${{ env.BUILD_DIR }} s3://${{ env.AWS_S3_BUCKET_NAME }}/docs/

- name: Trigger Amplify redeploy
run: |
aws s3 sync s3://${{ env.AWS_S3_BUCKET_NAME }} /tmp/full-site

DEPLOY_RESULT=$(aws amplify create-deployment \
--app-id ${{ secrets.AWS_AMPLIFY_APP_ID }} \
--branch-name main)

JOB_ID=$(echo "$DEPLOY_RESULT" | jq -r '.jobId')
ZIP_URL=$(echo "$DEPLOY_RESULT" | jq -r '.zipUploadUrl')

cd /tmp/full-site
zip -r /tmp/deploy.zip .

curl --fail -T /tmp/deploy.zip "$ZIP_URL"

aws amplify start-deployment \
--app-id ${{ secrets.AWS_AMPLIFY_APP_ID }} \
--branch-name main \
--job-id "$JOB_ID"

merge-to-develop:
needs: deploy
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: master
fetch-depth: 0
token: ${{ secrets.GH_TOKEN }}

- name: Merge master into develop
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
if ! git fetch origin develop:develop 2>/dev/null; then
echo "::warning::develop branch not found, skipping merge."
exit 0
fi
if git diff --quiet develop..master; then
echo "No differences between master and develop, skipping merge."
exit 0
fi
git checkout develop
if ! git merge --no-ff master -m "Sync || merge master into develop"; then
echo "::error::Merge conflict detected when merging master into develop."
git merge --abort
exit 1
fi
git push origin develop
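Review bot: The `git diff --quiet develop..master` guard in "Merge master into develop" tests whether the two trees are identical, not whether master has already been merged, so a master commit whose net tree change is empty (a change followed by its revert) is skipped forever, while a develop that is merely ahead of master passes the check and runs a no-op merge. `git merge-base --is-ancestor master develop` states the intended condition directly: `if git merge-base --is-ancestor master develop; then` / `  echo "master already merged into develop, skipping merge."` / `  exit 0`. Separately, `${{ secrets.AWS_AMPLIFY_APP_ID }}` (twice in "Trigger Amplify redeploy") and `${{ env.DOCS_BASE_URL }}` (in "create env file") are expanded into the text of the `run:` scripts before the shell sees them; passing them through a step-level `env:` mapping and referencing `"$AWS_AMPLIFY_APP_ID"` / `"$DOCS_BASE_URL"` keeps the values out of the command line and avoids the expression-interpolation pattern should either value ever come from a less trusted context. The same step also syncs the entire bucket to `/tmp/full-site` and re-uploads it to Amplify; a comment explaining why a full-site zip is required (rather than only `docs/`) would help the next maintainer.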
Comment on lines +124 to +149
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd .github/workflows && cat -n deploy-prod-aws.yml | head -200

Repository: reportportal/docs

Length of output: 5588


Merge the deployed SHA into develop, not whatever master points to later.

This job re-resolves master by name after deployment. A newer push during the workflow can be merged to develop even though it was not the revision just deployed. Reuse the same immutable SHA here by using ${{ github.sha }} instead.

📌 Keep deploy and merge on the same commit
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ref: master
+          ref: ${{ github.sha }}
           fetch-depth: 0
           token: ${{ secrets.GH_TOKEN }}
@@
-          if git diff --quiet develop..master; then
+          if git diff --quiet develop.."${GITHUB_SHA}"; then
             echo "No differences between master and develop, skipping merge."
             exit 0
           fi
           git checkout develop
-          if ! git merge --no-ff master -m "Sync || merge master into develop"; then
+          if ! git merge --no-ff "${GITHUB_SHA}" -m "Sync || merge ${GITHUB_SHA} into develop"; then
             echo "::error::Merge conflict detected when merging master into develop."
             git merge --abort
             exit 1
           fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-prod-aws.yml around lines 124 - 149, The workflow
currently re-resolves "master" after deploy; instead ensure the exact deployed
commit is used by replacing references to master with the immutable commit ${{
github.sha }}: set the actions/checkout step to use ref: ${{ github.sha }}
(instead of master) and update the merge block to compare and merge the SHA (use
git diff --quiet develop..${{ github.sha }} and git merge --no-ff ${{ github.sha
}} -m "...") so the same commit deployed is the one merged into develop; keep
the existing develop fetch/checkout/abort/push logic but operate against the
GitHub SHA.