chore: deployment v2 (#7297)

* feat: add release-branch-sync workflow

* refactor: split repeated parts into a composite action

* feat: update production release flow

* feat: notify on slack once approval is pending

* feat: set concurrency so it triggers only once per release

* feat: collect tag metadata

* feat: notify also when develop sync PR is ready

* feat: rename workflow to deployment v2

* fix: force checkout branch in case it's already present locally

* chore: replace main with main-copy for testing

REVERT ME!

Author: alfetopito

.github/actions/setup-release-sync/action.yml

@@ -0,0 +1,65 @@
+name: Setup Release Sync
+description: Create a GitHub App token, resolve the app bot identity, and checkout the repository
+
+inputs:
+  app-id:
+    description: GitHub App ID
+    required: true
+  private-key:
+    description: GitHub App private key
+    required: true
+  owner:
+    description: Repository owner
+    required: true
+  repository:
+    description: Repository name
+    required: true
+  checkout-ref:
+    description: Optional git ref to checkout
+    required: false
+    default: ''
+  pull-requests-write:
+    description: Whether the app token should include pull request write permission
+    required: false
+    default: 'false'
+
+outputs:
+  token:
+    description: GitHub App installation token
+    value: ${{ steps.app-token.outputs.token }}
+  app-slug:
+    description: GitHub App slug
+    value: ${{ steps.app-token.outputs.app-slug }}
+  app-user-id:
+    description: Numeric GitHub App bot user id
+    value: ${{ steps.app-user.outputs.user-id }}
+
+runs:
+  using: composite
+  steps:
+    - name: Create GitHub App token
+      id: app-token
+      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      with:
+        app-id: ${{ inputs.app-id }}
+        private-key: ${{ inputs.private-key }}
+        owner: ${{ inputs.owner }}
+        repositories: ${{ inputs.repository }}
+        permission-contents: write
+        permission-pull-requests: ${{ inputs.pull-requests-write == 'true' && 'write' || '' }}
+
+    - name: Get GitHub App user ID
+      id: app-user
+      shell: bash
+      run: echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+      env:
+        APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+        GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+    - name: Checkout code
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        fetch-depth: 0
+        persist-credentials: true
+        token: ${{ steps.app-token.outputs.token }}
+        ref: ${{ inputs.checkout-ref != '' && inputs.checkout-ref || github.ref }}

.github/workflows/deployment-v2.yml

@@ -0,0 +1,192 @@
+name: Deployment v2
+
+on:
+  push:
+    branches: [main-copy]
+    tags: [cowswap-*, explorer-*]
+
+concurrency:
+  group: release-branch-sync
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  collect-release-metadata:
+    name: Collect release metadata
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    outputs:
+      release-tags: ${{ steps.collect.outputs.release-tags }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Collect tags for release commit
+        id: collect
+        run: |
+          set -euo pipefail
+
+          git fetch --tags origin
+
+          release_commit="$(git rev-list -n 1 "${GITHUB_REF}")"
+          release_tags="$(
+            git tag --points-at "${release_commit}" \
+              | sort \
+              | paste -sd ', ' -
+          )"
+
+          if [ -z "${release_tags}" ]; then
+            release_tags="${GITHUB_REF_NAME}"
+          fi
+
+          echo "release-tags=${release_tags}" >> "$GITHUB_OUTPUT"
+
+  sync-develop:
+    name: Sync main-copy to develop
+    if: github.ref == 'refs/heads/main-copy'
+    runs-on: ubuntu-latest
+    env:
+      TARGET_BRANCH: develop
+      SYNC_BRANCH: automation/sync-main-copy-to-develop
+      PR_TITLE: 'chore(sync): merge main-copy into develop'
+      PR_BODY: |
+        This PR contains an automated merge commit from `main-copy` into `develop`.
+
+        Requested reviewers:
+        - @cowprotocol/frontend
+    steps:
+      - name: Setup release sync
+        id: setup
+        uses: ./.github/actions/setup-release-sync
+        with:
+          app-id: ${{ vars.COWSWAP_RELEASE_SYNC_APP_ID }}
+          private-key: ${{ secrets.COWSWAP_RELEASE_SYNC_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repository: ${{ github.event.repository.name }}
+          pull-requests-write: 'true'
+
+      - name: Prepare merge branch
+        id: prepare
+        run: |
+          set -euo pipefail
+
+          git config user.name "${APP_SLUG}[bot]"
+          git config user.email "${APP_USER_ID}+${APP_SLUG}[bot]@users.noreply.github.com"
+
+          git fetch origin main-copy "${TARGET_BRANCH}"
+          git checkout -B "${SYNC_BRANCH}" "origin/${TARGET_BRANCH}"
+
+          before_sha="$(git rev-parse HEAD)"
+          git merge --no-ff --no-edit -m "${PR_TITLE}" origin/main-copy
+          after_sha="$(git rev-parse HEAD)"
+
+          if [ "${before_sha}" = "${after_sha}" ]; then
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "has_changes=true" >> "$GITHUB_OUTPUT"
+        env:
+          APP_SLUG: ${{ steps.setup.outputs.app-slug }}
+          APP_USER_ID: ${{ steps.setup.outputs.app-user-id }}
+
+      - name: Create or update pull request
+        if: steps.prepare.outputs.has_changes == 'true'
+        id: create-pr
+        uses: peter-evans/create-pull-request@v8
+        with:
+          token: ${{ steps.setup.outputs.token }}
+          branch: ${{ env.SYNC_BRANCH }}
+          base: ${{ env.TARGET_BRANCH }}
+          title: ${{ env.PR_TITLE }}
+          body: ${{ env.PR_BODY }}
+          commit-message: ${{ env.PR_TITLE }}
+          delete-branch: false
+          draft: false
+          reviewers: ''
+          team-reviewers: |
+            frontend
+            qa
+
+      - name: Notify Slack for develop review
+        if: steps.prepare.outputs.has_changes == 'true'
+        run: |
+          curl -X POST -H "Content-type: application/json" \
+            --data "{\"text\": \"➡️ Develop sync PR is ready for review. <$PR_URL|Open pull request>.\"}" \
+            "$SLACK_WEBHOOK_URL"
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
+
+  sync-staging:
+    name: Fast-forward staging to main-copy
+    if: startsWith(github.ref, 'refs/tags/cowswap-') || startsWith(github.ref, 'refs/tags/explorer-')
+    needs: collect-release-metadata
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup release sync
+        id: setup
+        uses: ./.github/actions/setup-release-sync
+        with:
+          app-id: ${{ vars.COWSWAP_RELEASE_SYNC_APP_ID }}
+          private-key: ${{ secrets.COWSWAP_RELEASE_SYNC_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repository: ${{ github.event.repository.name }}
+
+      - name: Fast-forward staging
+        run: |
+          set -euo pipefail
+
+          git fetch origin main-copy staging
+          git checkout -B staging origin/staging
+          git merge --ff-only origin/main-copy
+          git push origin staging
+
+  notify-production-approval:
+    name: Notify Slack for production approval
+    if: startsWith(github.ref, 'refs/tags/cowswap-') || startsWith(github.ref, 'refs/tags/explorer-')
+    needs: [collect-release-metadata, sync-staging]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify Slack
+        run: |
+          curl -X POST -H "Content-type: application/json" \
+            --data "{\"text\": \"⏳ Production release for tag(s) \`${RELEASE_TAGS}\` is waiting for approval. <$SERVER_URL/$REPOSITORY/actions/runs/$RUN_ID|Review the workflow run>.\"}" \
+            "$SLACK_WEBHOOK_URL"
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          RELEASE_TAGS: ${{ needs.collect-release-metadata.outputs.release-tags }}
+          SERVER_URL: ${{ github.server_url }}
+          REPOSITORY: ${{ github.repository }}
+          RUN_ID: ${{ github.run_id }}
+
+  sync-production:
+    name: Fast-forward production to main-copy
+    if: startsWith(github.ref, 'refs/tags/cowswap-') || startsWith(github.ref, 'refs/tags/explorer-')
+    needs: [collect-release-metadata, notify-production-approval]
+    runs-on: ubuntu-latest
+    environment: production # Env configured in GitHub UI. Requires manual approval before this job can run
+    steps:
+      - name: Setup release sync
+        id: setup
+        uses: ./.github/actions/setup-release-sync
+        with:
+          app-id: ${{ vars.COWSWAP_RELEASE_SYNC_APP_ID }}
+          private-key: ${{ secrets.COWSWAP_RELEASE_SYNC_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repository: ${{ github.event.repository.name }}
+
+      - name: Fast-forward production
+        run: |
+          set -euo pipefail
+
+          git fetch origin main-copy production
+          git checkout -B production origin/production
+          git merge --ff-only origin/main-copy
+          git push origin production