chore: migrate to gha publishing [DX-535] (#3160)

* feat: gha test workflow

* chore: workflow files added

* fix: correct branch name in script

* test: e2e access

* test: integration:ci job

* test: integration:ci job

* test: circleci config removed

* chore: vault secret updated

* fix: node version update in check.yml

* fix: jest config update

* chore: test changes reverted

* fix: release job updated

* fix: workflow dependencies updated

* chore: package update

* test

* test

* test

* fix: sem version update

* chore: package lock

* fix: e2e parallelism denied

* test: test e2e cleanup

* feat: ready for merge

* chore: pull request trigger removed

* chore: codeql name change

Author: tylerpina

.circleci/config.yml

@@ -5,6 +5,3 @@ services:
       - dependabot
       - semantic-release
       - packages-read
-  circleci:
-    policies:
-      - semantic-release-ecosystem

.contentful/vault-secrets.yaml

@@ -0,0 +1,38 @@
+name: Build
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build:package
+
+      - name: Check build artifacts
+        run: ls -la dist/
+
+      - name: Save Build folders
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            dist
+            build
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}

.github/workflows/build.yaml

@@ -0,0 +1,58 @@
+name: Run Checks
+
+on:
+  workflow_call:
+    secrets:
+      VAULT_URL:
+        required: true
+      CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN:
+        required: true
+      CLI_E2E_ORG_ID:
+        required: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Restore the build folders
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            dist
+            build
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}
+
+      # Prior ci publishing did not lint or format, commented out to preserve workflow
+      # - name: Run linter
+      #   run: npm run lint
+
+      #- name: Check formatting
+      #  run: npm run prettier:check
+      #  env:
+      #    CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN: ${{ secrets.CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN }}
+      #    CLI_E2E_ORG_ID: ${{ secrets.CLI_E2E_ORG_ID }}
+
+      - name: Run unit tests
+        run: npm test
+        env:
+          CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN: ${{ secrets.CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN }}
+          CLI_E2E_ORG_ID: ${{ secrets.CLI_E2E_ORG_ID }}
+
+      - name: Run integration tests
+        run: npm run test:integration:ci
+        env:
+          CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN: ${{ secrets.CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN }}
+          CLI_E2E_ORG_ID: ${{ secrets.CLI_E2E_ORG_ID }}

.github/workflows/check.yaml

@@ -5,9 +5,6 @@ on:
   push:
     branches: [main]
     paths: [".github/workflows/**"]
-  pull_request:
-    branches: [main]
-    paths: [".github/workflows/**"]
 
 jobs:
   analyze:
@@ -19,14 +16,14 @@ jobs:
       security-events: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: actions
 
       - name: Run CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: actions

.github/workflows/codeql.yml renamed to .github/workflows/codeql.yaml

@@ -0,0 +1,32 @@
+name: CI
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: ["*"]
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml
+
+  check:
+    needs: build
+    uses: ./.github/workflows/check.yaml
+    secrets: inherit
+
+  e2e-tests:
+    needs: [build, check]
+    uses: ./.github/workflows/test-e2e.yaml
+    secrets: inherit
+
+  release:
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta')
+    needs: [build, check, e2e-tests]
+    permissions:
+      contents: write
+      id-token: write
+      actions: read
+    uses: ./.github/workflows/release.yaml
+    secrets:
+      VAULT_URL: ${{ secrets.VAULT_URL }}

.github/workflows/dependabot-approve-and-request-merge.yml renamed to .github/workflows/dependabot-approve-and-request-merge.yaml

@@ -0,0 +1,86 @@
+name: Release
+
+on:
+  workflow_call:
+    secrets:
+      VAULT_URL:
+        required: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      id-token: write
+      actions: read
+
+    steps:
+      - name: "Retrieve Secrets from Vault"
+        id: vault
+        uses: hashicorp/[email protected]
+        with:
+          url: ${{ secrets.VAULT_URL }}
+          role: ${{ github.event.repository.name }}-github-action
+          method: jwt
+          path: github-actions
+          exportEnv: false
+          secrets: |
+            github/token/${{ github.event.repository.name }}-semantic-release token | GITHUB_TOKEN ;
+      - name: Get Automation Bot User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/contentful-automation[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ steps.vault.outputs.GITHUB_TOKEN }}
+
+      - name: Setting up Git User Credentials
+        run: |
+          git config --global user.name 'contentful-automation[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+contentful-automation[bot]@users.noreply.github.com'
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22"
+          cache: "npm"
+
+      - name: Install latest npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Restore the build folders
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            dist
+            build
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}
+      - name: Run Release
+        run: |
+          echo "Starting Semantic Release Process"
+          echo "npm version: $(npm -v)"
+          npm run semantic-release
+        env:
+          GITHUB_TOKEN: ${{ steps.vault.outputs.GITHUB_TOKEN }}
+
+      - name: Get latest release tag
+        id: get-tag
+        run: |
+          TAG=$(gh api repos/${{ github.repository }}/releases/latest --jq .tag_name)
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ steps.vault.outputs.GITHUB_TOKEN }}
+
+      - name: Summary
+        run: |
+          VERSION=$(echo "${{ steps.get-tag.outputs.tag }}" | sed 's/^v//')
+          echo "## Release Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Version**: ${{ steps.get-tag.outputs.tag }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **GitHub Release**: https://github.com/${{ github.repository }}/releases/tag/${{ steps.get-tag.outputs.tag }}" >> $GITHUB_STEP_SUMMARY