chore: add the ability update cache policy (#1971)

* chore: create workflow for cache policy updates (#1970)

* chore: clean up deployment workflow to organize and cache invalidation blocking

* chore: reusue validator actor workflow in other places

* chore: set default cache control policy for different paths

* chore: add session and page visit id to error report payload

* chore: fix artifacts copy sequence

* chore: determine cache policy based on the environment

.github/workflows/draft-new-release.yml

@@ -11,10 +11,17 @@ env:
   NODE_OPTIONS: '--no-warnings'
 
 jobs:
+  validate-actor:
+    # Only allow to draft a new release from develop and hotfix branches
+    if: github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/hotfix/')
+    uses: ./.github/workflows/validate-actor.yml
+    secrets:
+      PAT: ${{ secrets.PAT }}
+
   draft-new-release:
+    needs: validate-actor
     name: Draft a new release
     runs-on: [self-hosted, Linux, X64]
-    if: github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/hotfix/')
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/rollback.yml

@@ -4,9 +4,16 @@ on:
   workflow_dispatch:
 
 jobs:
+  validate-actor:
+    # Only allow to be deployed from tags and main branch
+    if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'
+    uses: ./.github/workflows/validate-actor.yml
+    secrets:
+      PAT: ${{ secrets.PAT }}
+
   deploy:
+    needs: validate-actor
     name: Rollback production deployment
-    if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'
     uses: ./.github/workflows/deploy.yml
     with:
       environment: 'production'

.github/workflows/update-cache-policy.yml

@@ -0,0 +1,68 @@
+name: Update cache control policy
+
+on:
+  workflow_dispatch:
+    inputs:
+      policy_type:
+        type: choice
+        description: Select the cache control policy type
+        required: true
+        options:
+          - no-store
+          - max-age=3600
+
+permissions:
+  id-token: write # allows the JWT to be requested from GitHub's OIDC provider
+  contents: read # This is required for actions/checkout
+
+jobs:
+  validate-actor:
+    # Only allow to be deployed from tags and main branch
+    if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'
+    uses: ./.github/workflows/validate-actor.yml
+    secrets:
+      PAT: ${{ secrets.PAT }}
+
+  update-cache-policy:
+    needs: validate-actor
+    name: Update cache control policy for SDK artifacts
+    runs-on: [self-hosted, Linux, X64]
+
+    steps:
+      - name: Install AWS CLI
+        uses: unfor19/install-aws-cli-action@master
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_PROD_ACCOUNT_ID }}:role/${{ secrets.AWS_PROD_S3_SYNC_ROLE }}
+          aws-region: us-east-1
+
+      - name: Determine the cache control policy
+        id: determine_policy
+        run: |
+          echo "cache_control_policy=${{ github.event.inputs.policy_type || inputs.policy_type }}" >> $GITHUB_ENV
+
+      - name: Update cache control policy
+        run: |
+          # Get the number of CPU cores in the runner and leave one core free
+          num_cores=$(nproc --ignore=1 || echo 1) # Default to 1 if nproc is unavailable
+          # Use a factor to set the parallel jobs (e.g., number of cores or slightly lower)
+          parallel_jobs=$((num_cores * 2))
+          echo "Detected $num_cores cores. Using $parallel_jobs parallel jobs."
+
+          prefixes=("adobe-analytics-js" "v3" "v1.1")
+          
+          for prefix in "${prefixes[@]}"; do
+            echo "Processing prefix: $prefix"
+            
+            aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix "$prefix" --query "Contents[].Key" --output text | tr '\t' '\n' | \
+            parallel --retries 10 -j "$parallel_jobs" "aws s3api copy-object \
+                --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} \
+                --copy-source ${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/{} \
+                --key {} \
+                --metadata-directive REPLACE \
+                --cache-control '${{ env.cache_control_policy }}'"
+          done
+
+

.github/workflows/validate-actor.yml

@@ -0,0 +1,30 @@
+name: Validate Actor
+
+on:
+  workflow_call:
+    secrets:
+      PAT:
+        required: true
+
+jobs:
+  validate-actor:
+    runs-on: [self-hosted, Linux, X64]
+    steps:
+      - name: Validate if actor is allowed to trigger the workflow
+        env:
+          ORG_NAME: rudderlabs
+          TEAM_NAME: js-sdk
+        run: |
+          actor=${{ github.actor || github.triggering_actor }}
+          response=$(curl -L \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/orgs/${{ env.ORG_NAME }}/teams/${{ env.TEAM_NAME }}/memberships/$actor)
+          
+          if echo "$response" | grep -q '"state": "active"'; then
+            echo "$actor is a member of $TEAM_NAME team"
+          else
+            echo "$actor is NOT a member of $TEAM_NAME team"
+            exit 1
+          fi

packages/analytics-js-plugins/__tests__/errorReporting/index.test.ts

@@ -24,6 +24,14 @@ describe('Plugin - ErrorReporting', () => {
       id: 'test-source-id',
       config: {},
     }),
+    session: {
+      sessionInfo: signal({ id: 'test-session-id' }),
+    },
+    autoTrack: {
+      pageLifecycle: {
+        visitId: signal('test-visit-id'),
+      },
+    },
   };
 
   let state: any;

packages/analytics-js-plugins/__tests__/errorReporting/utils.test.ts

@@ -319,6 +319,14 @@ describe('Error Reporting utilities', () => {
           breadcrumbs: signal([]),
         },
         source: signal({ id: 'sample_source_id' }),
+        session: {
+          sessionInfo: signal({ id: 'test-session-id' }),
+        },
+        autoTrack: {
+          pageLifecycle: {
+            visitId: signal('test-visit-id'),
+          },
+        },
       };
       (window as any).RudderSnippetVersion = 'sample_snippet_version';
       const enhancedError = getBugsnagErrorEvent(errorPayload, errorState, appState);
@@ -392,13 +400,23 @@ describe('Error Reporting utilities', () => {
                 source: {
                   id: 'sample_source_id',
                 },
+                session: {
+                  sessionInfo: {
+                    id: 'test-session-id',
+                  },
+                },
+                autoTrack: {
+                  pageLifecycle: {
+                    visitId: 'test-visit-id',
+                  },
+                },
               },
               source: {
                 snippetVersion: 'sample_snippet_version',
               },
             },
             user: {
-              id: 'sample_source_id',
+              id: 'sample_source_id - test-session-id - test-visit-id',
             },
           },
         ],

packages/analytics-js-plugins/src/errorReporting/utils.ts

@@ -132,7 +132,8 @@ const getBugsnagErrorEvent = (
         },
       },
       user: {
-        id: state.source.value?.id ?? (state.lifecycle.writeKey.value as string),
+        // Combination of source, session and visit ids
+        id: `${state.source.value?.id ?? (state.lifecycle.writeKey.value as string)} - ${state.session.sessionInfo.value?.id ?? 'NA'} - ${state.autoTrack.pageLifecycle.visitId.value ?? 'NA'}`,
       },
     },
   ],