feat(TU-34343): Create a new AWS deploy workflow (#726)

tom-ridsdale · web-flow · commit 0dc8fb42bc7a · 2025-12-15T09:48:42.000Z
diff --git a/.github/workflows/deploy-aws.yml b/.github/workflows/deploy-aws.yml
@@ -0,0 +1,81 @@
+name: Deploy to AWS
+
+on:
+  release:
+    types: [ published ]
+
+jobs:
+  deploy:
+    name: Deploy Embed to AWS
+    # Only run for embed releases (not embed-react). Tag format: @typeform/embed-v5.8.0
+    if: startsWith(github.event.release.tag_name, '@typeform/embed-v')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 22
+
+      - name: Get yarn cache
+        uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: |
+            **/node_modules
+            ~/.cache
+          key: ${{ runner.os }}-node-22-yarn-${{ hashFiles('**/yarn.lock') }}-${{ hashFiles('.github/workflows/**.yml') }}
+
+      - name: Install Node.js dependencies
+        if: steps.yarn-cache.outputs.cache-hit != 'true'
+        run: yarn install --frozen-lockfile
+
+      - run: yarn lerna bootstrap
+      - run: yarn build
+        env:
+          NODE_ENV: 'production'
+
+      # Configure registry for GitHub Packages to install jarvis
+      - run: rm ./.npmrc
+      - run: |
+          cat > .npmrc << EOF
+          //npm.pkg.github.com/:_authToken=${GH_TOKEN}
+          @typeform:registry=https://npm.pkg.github.com/
+          EOF
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+
+      - run: yarn add -W @typeform/jarvis
+      - run: git checkout HEAD -- package.json # do not save jarvis dependency to package.json because it is private
+
+      # Authenticate to AWS
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: 'us-east-1'
+          mask-aws-account-id: true
+          role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+          role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
+          role-duration-seconds: 900
+          unset-current-credentials: true
+
+      - name: Deploy to AWS
+        run: cd packages/embed && yarn release:aws
+        env:
+          AWS_ASSETS_BUCKET: 'typeform-public-assets/embed'
+          AWS_CLOUDFRONT_DIST: 'E3IUO95IYL1RI3'
+          PUBLIC_CDN_URL: 'https://embed.typeform.com'
+
+      - uses: 8398a7/action-slack@v3
+        if: failure()
+        with:
+          status: ${{ job.status }}
+          fields: repo,message,commit,author,action
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -43,41 +43,18 @@ jobs:
       - run: yarn build
         env:
           NODE_ENV: 'production'
-      # Configure registry for GitHub Packages using local .npmrc to avoid npm global config corruption
+      # Configure .npmrc with auth token for GitHub Packages
       - run: rm ./.npmrc
       - run: |
           cat > .npmrc << EOF
           //npm.pkg.github.com/:_authToken=${GH_TOKEN}
-          @typeform:registry=https://npm.pkg.github.com/
           EOF
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-      - run: yarn add -W @typeform/jarvis
-      - run: git checkout HEAD -- package.json # do not save jarvis dependency to package.json because it is private (the file is committed by semantic-release to bump version)
-      # Create clean .npmrc with just auth token
-      - run: |
-          cat > .npmrc << EOF
-          //npm.pkg.github.com/:_authToken=${GH_TOKEN}
-          EOF
-        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
-
-      # authenticate to AWS
-      - uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: 'us-east-1'
-          mask-aws-account-id: true
-          role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
-          role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
-          role-duration-seconds: 900
-          unset-current-credentials: true
 
       - run: yarn release
         env:
-          AWS_ASSETS_BUCKET: 'typeform-public-assets/embed'
-          AWS_CLOUDFRONT_DIST: 'E3IUO95IYL1RI3'
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-          PUBLIC_CDN_URL: 'https://embed.typeform.com'
           SEGMENT_WRITE_KEY: ${{ secrets.DEPLOYMENT_SEGMENT_WRITE_KEY }}
 
       - uses: 8398a7/action-slack@v3
diff --git a/packages/embed/package.json b/packages/embed/package.json
@@ -50,7 +50,7 @@
     "test:functional": "start-server-and-test demo 9090 cy:functional",
     "test:visual": "start-server-and-test demo 9090 cy:visual",
     "release-vanilla": "yarn semantic-release",
-    "post-release": "yarn release:github && yarn release:aws",
+    "post-release": "yarn release:github",
     "release:github": "npm publish --registry https://npm.pkg.github.com/",
     "release:aws": "yarn release:aws:prepare && yarn release:aws:deploy",
     "release:aws:prepare": "sh ./scripts/prepare-release.sh",
