ci(wab): add root-level AWS Marketplace release workflow #235

Open
mo-jaber wants to merge 1 commit into main from feat/wab-marketplace-release
@mo-jaber

Why

WAB's AWS Marketplace listing (prod-67ziqtkrihz34) is stuck at v1.0.8 while the source
(infra/wab/package.json) is at 1.4.7. When WAB moved into the monorepo, its Marketplace
workflow ended up under infra/wab/.github/workflows/ — a path GitHub never executes — and even
when the old one ran it only pushed an image to ECR without registering the version on the
listing. So nothing has published a new Marketplace version since the move.

What's in this PR

  • .github/workflows/wab-marketplace-release.yml (repo ROOT). On infra/v* tags (or manual
    dispatch), it resolves the version from infra/wab/package.json, builds the image, pushes it to
    the Marketplace ECR (709825985650…/bsv-blockchain/wab), and registers the version via the
    Catalog API (StartChangeSet / AddDeliveryOptions). Idempotent — skips if the version already
    exists.
  • Remove dead nested workflows that GitHub never ran after the monorepo move:
    infra/wab/.github/workflows/build-and-push.yml (Marketplace) and image.yaml (Docker Hub —
    dropped; GHCR is the live image channel).
  • CLAUDE.md documents the release convention.

Conventions / decisions

  • Version name ↔ tag are decoupled. Published name is always from package.json; the date-based
    infra/v* tag is only the trigger. version_override is a manual escape hatch.
  • Naming matches the live listing: VersionTitle v1.4.7 (like v1.0.7/v1.0.8), ECR tag bare
    wab:1.4.7 (like wab:1.0.7).
  • OIDC auth (no static secrets): role-to-assume: ${{ vars.WAB_MP_ROLE_ARN }}. Actions SHA-pinned
    per repo convention; concurrency guard added.
  • Reads/writes use DetailsDocument (the legacy Details field returns non-strict JSON that breaks
    jq fromjson).
  • release.yaml excludes infra/v*, so no npm publish is triggered.

Validation done

  • actionlint — clean.
  • Embedded AddDeliveryOptions change-set JSON — parses, structure verified.
  • Local docker build --platform linux/amd64 infra/wab — builds standalone (amd64/linux image),
    matching the proven infra-release.yaml recipe.
  • Live-listing values reconciled via describe-entity: DeliveryOptionTitle and CompatibleServices
    match; 1.4.7 not yet present.

Required before the first publish (NOT in this PR — seller-account / AWS console)

  1. Create a GitHub OIDC provider + IAM role wab-marketplace-publisher in seller account
    381492298518 (trust scoped to this repo's refs/tags/infra/v* and refs/heads/main;
    permissions per the handover's least-privilege policy).
  2. Set repo variable WAB_MP_ROLE_ARN to that role's ARN.

After merge

  • Manual first publish: gh workflow run wab-marketplace-release.yml -f version_override=1.4.7,
    watch the change set to SUCCEEDED, verify v1.4.7 is latest on the listing.
  • Separately fix the listing's stale wab:1.0.0 usage instructions via an UpdateDeliveryOptions
    change set.

.github/ is CODEOWNER-gated — requesting review from @sirdeggen.

Publishes infra/wab to the AWS Marketplace listing (prod-67ziqtkrihz34) on
infra/v* tags, with the version name driven by infra/wab/package.json — the
same source of truth infra-release.yaml uses for GHCR. Builds the image,
pushes it to the Marketplace ECR, and registers the version via the Catalog
API (AddDeliveryOptions); idempotent on re-runs.

The old Marketplace workflow stopped firing when WAB moved into the monorepo
because GitHub does not run workflows under infra/wab/.github/workflows/.

- OIDC auth (role-to-assume vars.WAB_MP_ROLE_ARN), SHA-pinned actions,
  concurrency guard. Version name is always derived from package.json; the
  git tag is only the trigger. Titles are v-prefixed to match the live listing.
- Remove dead nested workflows: build-and-push.yml (Marketplace) and
  image.yaml (Docker Hub, dropped — GHCR is the live image channel).
- Document the release convention in CLAUDE.md.
mo-jaber requested a review from sirdeggen as a code owner June 26, 2026 00:09
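
The prerequisite above scopes the OIDC role's trust to `refs/tags/infra/v*` and `refs/heads/main`. The following check for that scoping is an added example, not code from this PR or the repository; the repo slug `EXAMPLE-ORG/EXAMPLE-REPO`, account `000000000000`, and the function names are assumptions, and the sample policies are constructed.

```python
OIDC = "token.actions.githubusercontent.com"
REPO = "EXAMPLE-ORG/EXAMPLE-REPO"  # placeholder: the repo slug is not on the page
REFS = ("refs/tags/infra/v*", "refs/heads/main")  # scope named in the PR description

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def audit_trust_policy(policy, repo=REPO, refs=REFS):
    """Return findings; an empty list means the trust is scoped as intended."""
    allowed = {f"repo:{repo}:ref:{ref}" for ref in refs}
    findings = []
    for stmt in policy.get("Statement", []):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        subs, auds = [], []
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                if key == f"{OIDC}:sub":
                    subs += [(operator, sub) for sub in as_list(value)]
                elif key == f"{OIDC}:aud":
                    auds += as_list(value)
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume the role")
        for operator, sub in subs:
            if sub not in allowed:
                findings.append(f"sub outside intended scope: {sub}")
            elif "*" in sub and "StringLike" not in operator:
                # IAM expands * only for StringLike-family operators; here it never matches a tag.
                findings.append(f"wildcard under {operator} is matched literally: {sub}")
        if auds != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings

def make_policy(operator, subs):
    """Build a constructed sample trust policy (account 000000000000 is a placeholder)."""
    cond = {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"}}
    cond.setdefault(operator, {})[f"{OIDC}:sub"] = subs
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::000000000000:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond}]}

SCOPED = [f"repo:{REPO}:ref:{ref}" for ref in REFS]
GOOD = make_policy("StringLike", SCOPED)        # scoped as described
LITERAL = make_policy("StringEquals", SCOPED)   # tag pattern can never match
BROAD = make_policy("StringLike", [f"repo:{REPO}:*"])  # any branch, tag or PR
```

To audit a real role, pass the parsed `AssumeRolePolicyDocument` to `audit_trust_policy` with the actual repository slug.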