feat(init): adds release please

Author: Ti8m-BigA

.github/examples/frontend_default_workflow.yml

@@ -0,0 +1,47 @@
+name: "default workflow"
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+  issues: write
+
+on:
+  pull_request:
+    branches: [main, develop]
+  push:
+    branches: [main, develop]
+  merge_group:
+    branches: [main, develop]
+jobs:
+  resolve-env:
+    runs-on: ubuntu-latest
+    environment: ${{ github.ref == 'refs/heads/develop' && 'develop' || 'integration' }}
+    outputs:
+      frontend_s3_bucket: ${{ steps.out.outputs.frontend_s3_bucket }}
+      cloudfront_distribution_id: ${{ steps.out.outputs.cloudfront_distribution_id }}
+      aws_region: ${{ steps.out.outputs.aws_region }}
+    steps:
+      - id: out
+        run: |
+          echo "resolving environment specific variables for environment $environment setting outputs for frontend_s3_bucket to ${{ vars.FRONTEND_S3_BUCKET }}"
+          echo "frontend_s3_bucket=${{ vars.FRONTEND_S3_BUCKET }}" >> "$GITHUB_OUTPUT"
+          echo "cloudfront_distribution_id=${{ vars.CLOUDFRONT_DISTRIBUTION_ID }}" >> "$GITHUB_OUTPUT"
+
+  frontend-workflow:
+    name: '.'
+    uses: ./.github/workflows/frontend_workflow.yml
+    needs: resolve-env
+    secrets:
+      GH_ORG_PRIVATE_KEY: ${{ secrets.GH_ORG_PRIVATE_KEY }}
+      GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
+      LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+      AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+    with:
+      app-id: ${{ vars.GH_ORG_APP_ID }}
+      gitleaks-app-id: ${{ vars.GH_ORG_GITLEAKS_APP_ID }}
+      aws-region: ${{ vars.AWS_REGION }}
+      frontend-s3-bucket: ${{ needs.resolve-env.outputs.frontend_s3_bucket }}
+      cloudfront-distribution-id: ${{ needs.resolve-env.outputs.cloudfront_distribution_id }}

.github/workflows/default_workflow.yml

@@ -0,0 +1,15 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  release:
+    uses: ./.github/workflows/release-please.yml
+    with:
+      release-type: simple
+      target-branch: main
+      app-id: ${{ vars.GH_ORG_APP_ID }}
+    secrets:
+      GH_ORG_PRIVATE_KEY: ${{ secrets.GH_ORG_PRIVATE_KEY }}

.github/workflows/frontend_build_deploy_s3.yml

@@ -9,6 +9,18 @@ on:
         type: string
         required: true
         description: "environment to deploy to, used for selecting correct AWS credentials and CloudFront distribution based on environment specific secrets and variables"
+      aws-region:
+        type: string
+        required: true
+        description: "AWS region for deployment and AWS CLI commands"
+      frontend-s3-bucket:
+        type: string
+        required: true
+        description: "S3 bucket name for frontend deployment"
+      cloudfront-distribution-id:
+        type: string
+        required: true
+        description: "CloudFront distribution ID for cache invalidation"
     secrets:
       AWS_OIDC_ROLE_ARN:
         description: "OIDC role ARN for AWS credentials"
@@ -24,8 +36,11 @@ jobs:
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     timeout-minutes: 5
-    # todo activate once requried
-    #FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }}
+    env:
+      AWS_REGION: ${{ inputs.aws-region }}
+      FRONTEND_S3_BUCKET: ${{ inputs.frontend-s3-bucket }}
+      CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront-distribution-id }}
+
     permissions:
       id-token: write
       contents: read
@@ -59,17 +74,28 @@ jobs:
         # todo maybe adjust with env specific config eg: pnpm build -- --configuration=${{ steps.resolve-inputs.outputs.configuration }}
         run: pnpm build
 
+      - name: Validate deployment inputs
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+
+          [[ "$VERSION" =~ ^[0-9]+(\.[0-9]+){2}([.-][0-9A-Za-z]+)*$ ]] || { echo "Invalid version"; exit 1; }
+          [[ "$AWS_REGION" =~ ^[a-z]{2}-[a-z]+-[0-9]+$ ]] || { echo "Invalid AWS region"; exit 1; }
+          [[ "$FRONTEND_S3_BUCKET" =~ ^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$ ]] || { echo "Invalid S3 bucket"; exit 1; }
+          [[ "$CLOUDFRONT_DISTRIBUTION_ID" =~ ^[A-Z0-9]{10,32}$ ]] || { echo "Invalid CloudFront distribution ID"; exit 1; }
+
       - name: Configure AWS credentials (OIDC)
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
-          aws-region: ${{ vars.AWS_REGION }}
+          aws-region: ${{ env.AWS_REGION }}
 
       - name: Assume deployment role
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
-          aws-region: ${{ vars.AWS_REGION }}
+          aws-region: ${{ env.AWS_REGION }}
           role-chaining: true
           role-skip-session-tagging: true
 
@@ -79,21 +105,17 @@ jobs:
         run: |
           set -euo pipefail
 
-          # Allowlist validation (adjust to your conventions)
-          [[ "$VERSION"   =~ ^[0-9]+(\.[0-9]+){2}([.-][0-9A-Za-z]+)*$ ]] || { echo "Invalid version"; exit 1; }
-
-
           echo "Deploying version: v${VERSION}"
 
-          aws s3 sync "dist/atlas-agate-frontend/browser/" "s3://${{vars.FRONTEND_S3_BUCKET}}/" \
+          aws s3 sync "dist/atlas-agate-frontend/browser/" "s3://${FRONTEND_S3_BUCKET}/" \
             --region "$AWS_REGION" \
             --delete
 
       - name: Invalidate CloudFront cache
         run: |
-          echo "Creating CloudFront invalidation for distribution: ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }}"
+          echo "Creating CloudFront invalidation for distribution: ${CLOUDFRONT_DISTRIBUTION_ID}"
           aws cloudfront create-invalidation \
-            --distribution-id ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }} \
+            --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" \
             --paths "/*"
 
       - name: Display deployment URL

.github/workflows/frontend_unit_test_sonarqube.yml

@@ -11,9 +11,6 @@ jobs:
     timeout-minutes: 10
     env:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      #env:
-      #todo activate once needed
-      #FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/frontend_workflow.yml

@@ -10,15 +10,31 @@ on:
   workflow_call:
     inputs:
       app-id:
-        description: "GitHub App ID used for downstream workflows"
+        description: "GitHub App ID used for downstream workflows (like semantic versioning), must have write permissions to the repo"
+        required: true
+        type: string
+      gitleaks-app-id:
+        description: "GitHub App ID used by gitleaks to authenticate with the GitHub API (must have read permissions to the repo and prs"
+        required: true
+        type: string
+      aws-region:
+        description: "AWS region for deployment"
+        required: true
+        type: string
+      frontend-s3-bucket:
+        description: "S3 bucket name for frontend deployment"
+        required: true
+        type: string
+      cloudfront-distribution-id:
+        description: "CloudFront distribution ID for cache invalidation"
         required: true
         type: string
     secrets:
       GH_ORG_PRIVATE_KEY:
-        description: "GitHub App private key used for downstream workflows"
+        description: "GitHub App private key matching the app-id inputs"
         required: true
       GH_ORG_GITLEAKS_PRIVATE_KEY:
-        description: "GitHub App private key used for gitleaks token"
+        description: "GitHub App private key matching the gitleaks-app-id input, used for gitleaks authentication"
         required: true
       LICENSE_KEY_GITLEAKS:
         description: "Gitleaks license key"
@@ -45,6 +61,8 @@ jobs:
     secrets:
       GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
       LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
+    with:
+      gitleaks-app-id: ${{ inputs.gitleaks-app-id }}
 
   vulnerability-scan:
     name: '.'
@@ -53,7 +71,7 @@ jobs:
 
   unit-test-sonarqube:
     name: '.'
-    uses: frontend_unit_test_sonarqube.yml
+    uses: ./.github/workflows/frontend_unit_test_sonarqube.yml
     needs: [ vulnerability-scan, gitleaks ]
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -79,6 +97,9 @@ jobs:
     with:
       version: ${{ needs.semantic-release.outputs.version }}
       environment: ${{ github.ref == 'refs/heads/develop' && 'develop' || 'integration' }}
+      aws-region: ${{ inputs.aws-region }}
+      frontend-s3-bucket: ${{ inputs.frontend-s3-bucket }}
+      cloudfront-distribution-id: ${{ inputs.cloudfront-distribution-id }}
 
   merge-main-develop:
     name: '.'
@@ -87,3 +108,5 @@ jobs:
     needs: [ semantic-release ]
     secrets:
       GH_ORG_PRIVATE_KEY: ${{ secrets.GH_ORG_PRIVATE_KEY }}
+    with:
+      app-id: ${{ inputs.app-id }}

.github/workflows/gitleaks.yml

@@ -1,8 +1,13 @@
 on:
   workflow_call:
+    inputs:
+      gitleaks-app-id:
+        description: "GitHub App ID used by gitleaks to authenticate with the GitHub API (must have read permissions to the repo and prs)"
+        required: true
+        type: string
     secrets:
       GH_ORG_GITLEAKS_PRIVATE_KEY:
-        description: "GitHub App private key used for gitleaks token"
+        description: "GitHub App private key used for the gitleaks-app-id"
         required: true
       LICENSE_KEY_GITLEAKS:
         description: "Gitleaks license key"
@@ -28,7 +33,7 @@ jobs:
       - uses: actions/create-github-app-token@v2
         id: app-token
         with:
-          app-id: ${{ vars.GH_ORG_GITLEAKS_APP_ID }}
+          app-id: ${{ inputs.gitleaks-app-id }}
           private-key: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
 
       - name: Run Gitleaks Scan

.github/workflows/merge_main_develop.yml

@@ -1,8 +1,13 @@
 on:
   workflow_call:
+    inputs:
+      app-id:
+        description: "GitHub App ID used to create merge commit , must have write permissions to the repo"
+        required: true
+        type: string
     secrets:
       GH_ORG_PRIVATE_KEY:
-        description: "GitHub App private key used to create the merge token"
+        description: "GitHub App private key of the app specified in app-id, used to create the merge token"
         required: true
 
 jobs:
@@ -14,7 +19,7 @@ jobs:
       - uses: actions/create-github-app-token@v2
         id: app-token
         with:
-          app-id: ${{ vars.GH_ORG_APP_ID }}
+          app-id: ${{ inputs.app-id }}
           private-key: ${{ secrets.GH_ORG_PRIVATE_KEY }}
 
       - name: Set up Git user for GitHub App

.github/workflows/release-please.yml

@@ -0,0 +1,69 @@
+on:
+  workflow_call:
+    inputs:
+      release-type:
+        description: "Release Please release type (node, java, go, python, etc.)"
+        required: false
+        type: string
+        default: node
+      target-branch:
+        description: "Branch to open release PRs against (usually main)"
+        required: false
+        type: string
+        default: main
+      config-file:
+        description: "Optional Release Please config file path"
+        required: false
+        type: string
+        default: ""
+      manifest-file:
+        description: "Optional Release Please manifest file path"
+        required: false
+        type: string
+        default: ""
+      app-id:
+        description: "GitHub App ID used to create the release token"
+        required: true
+        type: string
+    secrets:
+        GH_ORG_PRIVATE_KEY:
+        description: "GitHub App private key used to create the release token"
+        required: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        env:
+          GH_ORG_APP_ID: ${{ inputs.app-id }}
+          GH_ORG_PRIVATE_KEY: ${{ secrets.GH_ORG_PRIVATE_KEY }}
+        with:
+          app-id: ${{ env.GH_ORG_APP_ID }}
+          private-key: ${{ env.GH_ORG_PRIVATE_KEY }}
+
+      - name: Release Please
+        id: rp
+        uses: googleapis/release-please-action@v4
+        with:
+          # Use provided token if present, otherwise default to GITHUB_TOKEN
+          token: ${{ steps.app-token.outputs.token }}
+          release-type: ${{ inputs.release-type }}
+          target-branch: ${{ inputs.target-branch }}
+
+          # Only pass these when set (empty string is fine; action ignores missing files if not used)
+          config-file: ${{ inputs.config-file }}
+          manifest-file: ${{ inputs.manifest-file }}
+
+      - name: Output summary
+        if: ${{ always() }}
+        run: |
+          echo "release_created=${{ steps.rp.outputs.release_created }}"
+          echo "pr_created=${{ steps.rp.outputs.pr_created }}"
+          echo "tag_name=${{ steps.rp.outputs.tag_name }}"

.github/workflows/sample_frontend_default_workflow.yml

@@ -56,4 +56,14 @@ jobs:
         id: semantic-release
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: pnpm --package=semantic-release@24.2.0 --package=@semantic-release/git@10.0.1 --package=@semantic-release/changelog@6.0.3 --package=@semantic-release/github@11.0.2 --package=@semantic-release/exec@7.0.3 --package=@semantic-release/commit-analyzer@13.0.1 --package=@semantic-release/release-notes-generator@14.0.3 --package=conventional-changelog-conventionalcommits@8.0.0 --package=@semantic-release/exec@7.0.3 dlx semantic-release
+        run: |
+          pnpm dlx \
+            --package=semantic-release@25.0.3 \
+            --package=@semantic-release/git@^10.0.1 \
+            --package=@semantic-release/changelog@6.0.3 \
+            --package=@semantic-release/github@12.0.6 \
+            --package=@semantic-release/exec@7.1.0 \
+            --package=@semantic-release/commit-analyzer@13.0.1 \
+            --package=@semantic-release/release-notes-generator@14.1.0 \
+            --package=conventional-changelog-conventionalcommits@9.2.0 \
+            semantic-release