Add doc previews (v2)

Author: zastrowm

.github/workflows/docs-preview-build.yml

@@ -0,0 +1,49 @@
+name: Build Docs Preview
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches:
+      # TODO once we merge to main, adjust this
+      - 'workstream/cms-migration'
+
+concurrency:
+  group: preview-build-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+
+      - name: Build CMS
+        run: npm run cms:build
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: docs-preview-${{ github.event.pull_request.number }}
+          path: dist/
+          retention-days: 1
+
+      - name: Save PR metadata
+        run: |
+          mkdir -p pr-metadata
+          echo "${{ github.event.pull_request.number }}" > pr-metadata/pr_number
+          echo "${{ github.event.pull_request.head.sha }}" > pr-metadata/pr_sha
+
+      - name: Upload PR metadata
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr-metadata-${{ github.event.pull_request.number }}
+          path: pr-metadata/
+          retention-days: 1

.github/workflows/docs-preview-deploy.yml

@@ -0,0 +1,180 @@
+name: Deploy Docs Preview
+
+on:
+  workflow_run:
+    workflows: ["Build Docs Preview"]
+    types:
+      - completed
+
+jobs:
+  authorization-check:
+    if: github.event.workflow_run.conclusion == 'success'
+    permissions:
+      contents: read
+      actions: read
+    runs-on: ubuntu-latest
+    outputs:
+      approval-env: ${{ steps.auth.outputs.result }}
+      pr_number: ${{ steps.get-pr.outputs.pr_number }}
+      pr_sha: ${{ steps.get-pr.outputs.pr_sha }}
+    steps:
+      - name: Download PR metadata
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-metadata-${{ github.event.workflow_run.pull_requests[0].number }}
+          path: pr-metadata
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get PR info
+        id: get-pr
+        run: |
+          echo "pr_number=$(cat pr-metadata/pr_number)" >> $GITHUB_OUTPUT
+          echo "pr_sha=$(cat pr-metadata/pr_sha)" >> $GITHUB_OUTPUT
+
+      - name: Get PR author
+        id: get-author
+        uses: actions/github-script@v8
+        with:
+          result-encoding: string
+          script: |
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: ${{ steps.get-pr.outputs.pr_number }},
+            });
+            return pr.user.login;
+
+      - name: Check Authorization
+        id: auth
+        uses: strands-agents/devtools/authorization-check@main
+        with:
+          username: ${{ steps.get-author.outputs.result }}
+          allowed-roles: 'write,maintain,admin'
+
+  approval-gate:
+    runs-on: ubuntu-latest
+    needs: [authorization-check]
+    if: always() && needs.authorization-check.result == 'success'
+    environment: ${{ needs.authorization-check.outputs.approval-env }}
+    steps:
+      - run: echo "Deployment approved"
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [authorization-check, approval-gate]
+    if: always() && needs.approval-gate.result == 'success'
+
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+      id-token: write
+      actions: read
+
+    env:
+      PR_NUMBER: ${{ needs.authorization-check.outputs.pr_number }}
+      PR_HEAD_SHA: ${{ needs.authorization-check.outputs.pr_sha }}
+      RUN_ID: ${{ github.run_id }}
+      AWS_DEPLOY_ROLE: ${{ secrets.STRANDS_DOCS_DEPLOY_ROLE }}
+      S3_BUCKET: ${{ secrets.STRANDS_DOCS_BUCKET }}
+      CLOUDFRONT_DISTRIBUTION_ID: ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }}
+      CLOUDFRONT_DOMAIN: ${{ vars.CLOUDFRONT_DOMAIN }}
+
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docs-preview-${{ env.PR_NUMBER }}
+          path: dist
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ env.AWS_DEPLOY_ROLE }}
+          role-session-name: GitHubActions-Docs-${{ env.RUN_ID }}
+          aws-region: us-east-1
+          mask-aws-account-id: true
+
+      - name: Deploy to S3
+        run: |
+          aws s3 sync dist/ s3://${{ env.S3_BUCKET }}/pr-local-cms-${{ env.PR_NUMBER }}/ \
+            --cache-control "public, max-age=3600"
+
+      - name: Invalidate CloudFront cache for PR preview
+        run: |
+          aws cloudfront create-invalidation \
+            --distribution-id ${{ env.CLOUDFRONT_DISTRIBUTION_ID }} \
+            --invalidation-batch '{"Paths":{"Quantity":1,"Items":["/pr-local-cms-${{ env.PR_NUMBER }}/*"]},"CallerReference":"'$(date +%s)'"}'
+
+      - name: Comment on PR (success)
+        if: success()
+        uses: actions/github-script@v8
+        env:
+          PREVIEW_URL: https://${{ vars.CLOUDFRONT_DOMAIN }}/pr-local-cms-${{ needs.authorization-check.outputs.pr_number }}/
+        with:
+          script: |
+            const prNumber = ${{ env.PR_NUMBER }};
+            const previewUrl = process.env.PREVIEW_URL;
+
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+            });
+
+            const botComment = comments.data.find(comment =>
+              comment.user.type === 'Bot' &&
+              comment.body.includes('Documentation Preview')
+            );
+
+            const body = [
+              '## Documentation Preview Ready',
+              '',
+              'Your documentation preview has been successfully deployed!',
+              '',
+              `**Preview URL**: ${previewUrl}`,
+              '',
+              `_Updated at: ${new Date().toISOString()}_`
+            ].join('\n');
+
+            if (botComment) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: body
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: body
+              });
+            }
+
+      - name: Comment on PR (failure)
+        if: failure()
+        uses: actions/github-script@v8
+        env:
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        with:
+          script: |
+            const prNumber = ${{ env.PR_NUMBER }};
+            const runUrl = process.env.RUN_URL;
+
+            const body = [
+              '## Documentation Preview Failed',
+              '',
+              `The documentation deployment encountered an error. Please check the [deployment logs](${runUrl}) for more details.`
+            ].join('\n');
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              body: body
+            });