feat: add NPM frontend deployment workflow and update license workflow (#14)

This PR introduces a new NPM frontend deployment workflow and updates the license management workflow, along with corresponding documentation updates in the README.

    Adds a new workflow to deploy NPM-based frontend applications to AWS S3 and CloudFront.
    Updates the license management workflow to leverage GitHub App credentials for secure license updates.
    Revises the README to reflect the new workflows and changes.

Author: stefano-franco

.github/CODEOWNERS

@@ -4,13 +4,4 @@
 # More details are here: https://help.github.com/articles/about-codeowners/
 
 # The '*' pattern is global owners.
-
-# Order is important. The last matching pattern has the most precedence.
-# The folders are ordered as follows:
-
-# In each subsection folders are ordered first by depth, then alphabetically.
-# This should make it easy to add new rules without breaking existing ones.
-
-# Workflows
-/.github/*              @stefano-franco @nuvibit-team
-/.github/workflows/*    @stefano-franco @nuvibit-team
+# There are currently no codeowners defined.

.github/workflows/drawio-export.yml

@@ -8,6 +8,16 @@ on:
         default: "."
         required: false
         type: string
+      commit_user:
+        description: 'Username which should be used for commits by github action'
+        default: 'github-actions'
+        required: false
+        type: string
+      commit_email:
+        description: 'Email which should be used for commits by github action'
+        default: 'noreply@github.com'
+        required: false
+        type: string
 
 concurrency:
   group: drawio-export-${{ github.ref }}
@@ -35,15 +45,20 @@ jobs:
           quality: 95
           uncompressed: true
 
-      - name: Get author and committer info from HEAD commit
-        uses: rlespinasse/git-commit-data-action@v1.x
-        if: github.ref == 'refs/heads/main'
+      - name: Commit Changes
+        run: |
+          git config --local user.name "${{ inputs.commit_user }}"
+          git config --local user.email "${{ inputs.commit_email }}"
+          git add .
+          if [[ -z $(git status -s) ]]; then
+            echo "diff=false" >> $GITHUB_OUTPUT
+          else
+            echo "diff=true" >> $GITHUB_OUTPUT
+          fi
+          git diff-index --quiet HEAD || git commit -m "docs: sync draw.io exported files" -a
 
-      - name: Commit changed files
-        uses: stefanzweifel/git-auto-commit-action@v5
+      - name: Push Changes
+        uses: ad-m/github-push-action@v0.8.0
         with:
-          commit_message: "docs: sync draw.io exported files"
-          commit_user_name: "${{ env.GIT_COMMIT_COMMITTER_NAME }}"
-          commit_user_email: "${{ env.GIT_COMMIT_COMMITTER_EMAIL }}"
-          commit_author: "${{ env.GIT_COMMIT_AUTHOR }}"
-        if: github.ref == 'refs/heads/main'
+          github_token: ${{ steps.github_app_token.outputs.token }}
+          branch: ${{ github.ref }}

.github/workflows/ntc-workflow.yml .github/workflows/license-update.yml.github/workflows/ntc-workflow.yml renamed to .github/workflows/license-update.yml

@@ -1,18 +1,22 @@
-name: NTC WORKFLOW
+name: LICENSE UPDATE
 
 on:
   workflow_call:
     inputs:
       license_file_source_repo:
-        description: 'Repository where license file is stored.'
-        default: "nuvibit-terraform-collection/module.tpl"
-        required: false
+        description: 'Repository where license file is stored (needs to be public or in the same Github organization).'
+        required: true
         type: string
       license_file_name:
         description: 'License file name.'
         default: "LICENSE"
         required: false
         type: string
+      company_name:
+        description: 'Company name to use in license header.'
+        default: "Nuvibit AG"
+        required: false
+        type: string
       insert_header_file_extension:
         description: 'File extension of files where license header should be added.'
         default: ".tf"
@@ -29,30 +33,45 @@ on:
         required: false
         type: string
     secrets:
-      GHE_API_TOKEN:
+      # GitHub App credentials to avoid using GITHUB_TOKEN
+      GH_APP_ID:
+        required: true
+      GH_APP_PRIVATE_KEY:
         required: true
 
 jobs:
-  ntc-license:
+  license-update:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Get Github Access Token
+        id: github_app_token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          # if owner and repositories are empty, access will be scoped to only the current repository
+          owner: ${{ github.repository_owner }}
+          repositories: |
+            ${{ inputs.license_file_source_repo }}
+            ${{ github.event.repository.name }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
-          token: ${{ secrets.GHE_API_TOKEN }}
+          token: ${{ steps.github_app_token.outputs.token }}
 
       - name: Checkout License File
         uses: actions/checkout@v4
         with:
-          repository: ${{ inputs.license_file_source_repo }}
+          repository: ${{ github.repository_owner }}/${{ inputs.license_file_source_repo }}
           path: remote_repo
           persist-credentials: false
           sparse-checkout: |
             ${{ inputs.license_file_name }}
           sparse-checkout-cone-mode: false
-          token: ${{ secrets.GHE_API_TOKEN }}
+          token: ${{ steps.github_app_token.outputs.token }}
 
       - name: Update License File
         run: |
@@ -68,7 +87,7 @@ jobs:
             sed -i '/^# Copyright/d' $file
             sed -i '/^# SPDX-License-Identifier/d' $file
             sed -i '/./,$!d' $file
-            sed -i '1s/^/# Copyright (c) Nuvibit AG\n# SPDX-License-Identifier: see terms and conditions in the LICENSE file\n\n/' $file
+            sed -i '1s/^/# Copyright (c) ${{ inputs.company_name }}\n# SPDX-License-Identifier: see terms and conditions in the LICENSE file\n\n/' $file
           done
 
       - name: Commit Changes
@@ -86,5 +105,5 @@ jobs:
       - name: Push Changes
         uses: ad-m/github-push-action@v0.8.0
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.github_app_token.outputs.token }}
           branch: ${{ github.event.pull_request.head.ref }}

.github/workflows/npm-frontend-deploy.yml

@@ -0,0 +1,130 @@
+name: NPM FRONTEND DEPLOYMENT
+
+on:
+  workflow_call:
+    inputs:
+      node_version:
+        description: 'Node.js version to use for the build (default: lts/*)'
+        default: 'lts/*'
+        required: false
+        type: string
+      aws_default_region:
+        description: 'AWS region to use for deployment (default: eu-central-1)'
+        default: 'eu-central-1'
+        required: false
+        type: string
+      aws_oidc_role_arn:
+        description: 'AWS OIDC IAM role ARN to assume for deployment (e.g. arn:aws:iam::111111111111:role/oidc-deployment-role)'
+        required: true
+        type: string
+      domain_name:
+        description: 'Domain name used for the frontend application (e.g. docs.nuvibit.com)'
+        required: true
+        type: string 
+      s3_deployment_dir:
+        description: 'S3 directory where the build artifacts will be uploaded (default: build)'
+        default: 'build'
+        required: false
+        type: string
+      local_build_dir:
+        description: 'Local directory where the build artifacts are located (default: build)'
+        default: 'build'
+        required: false
+        type: string
+      cloudfront_invalidate_paths:
+        description: 'Paths to invalidate in CloudFront after deployment (ALL, UPDATED, NONE)'
+        required: true
+        type: string
+        # ALL: Invalidate all paths (default)
+        # UPDATED: Invalidate only paths that were updated
+        # NONE: Do not invalidate any paths
+        default: 'ALL'
+
+jobs:
+  npm-frontend-deploy:
+    name: Deploy Frontend
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Build website
+        run: npm run build
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ inputs.aws_oidc_role_arn }}
+          aws-region: ${{ inputs.aws_default_region }}
+
+      - name: Upload to S3 and track changed files
+        id: sync
+        run: |
+          # First identify which files will be synced
+          SYNC_OUTPUT=$(aws s3 sync ./${{ inputs.local_build_dir }} s3://${{ inputs.domain_name }}/${{ inputs.s3_deployment_dir }} --dryrun)
+          echo "Found changes to sync."
+          
+          # Extract file paths that will be uploaded/updated
+          PATHS_TO_INVALIDATE=$(echo "$SYNC_OUTPUT" | grep -E 'upload:|update:' | sed -E 's/^\(dryrun\) (upload:|update:) (.*) to ([^ ]+).*/\3/' | sed 's|s3://${{ inputs.domain_name }}/${{ inputs.s3_deployment_dir }}||')
+          echo "Paths to be updated:"
+          echo "$PATHS_TO_INVALIDATE"
+          
+          # Save paths for invalidation, adjust format for JSON array
+          if [ -n "$PATHS_TO_INVALIDATE" ]; then
+            PATHS_JSON=$(echo "$PATHS_TO_INVALIDATE" | sed 's/^/"/' | sed 's/$/"/' | paste -sd, -)
+            echo "paths_json=[$PATHS_JSON]" >> $GITHUB_OUTPUT
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "No changes to invalidate"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          fi
+          
+          # Perform the actual sync
+          aws s3 sync ./${{ inputs.local_build_dir }} s3://${{ inputs.domain_name }}/${{ inputs.s3_deployment_dir }}
+
+      - name: Find CloudFront distribution ID
+        id: cloudfront
+        if: steps.sync.outputs.has_changes == 'true'
+        run: |
+          # Find the CloudFront distribution that has our S3 bucket as origin
+          DISTRIBUTION_ID=$(aws cloudfront list-distributions --query "DistributionList.Items[?contains(Origins.Items[].DomainName, '${{ inputs.domain_name }}.s3.${{ inputs.aws_default_region }}.amazonaws.com')].Id" --output text)
+          
+          if [ -z "$DISTRIBUTION_ID" ]; then
+            echo "::error::Could not find CloudFront distribution for ${{ inputs.domain_name }}"
+            exit 1
+          fi
+          
+          echo "Found CloudFront distribution: $DISTRIBUTION_ID"
+          echo "distribution_id=$DISTRIBUTION_ID" >> $GITHUB_OUTPUT
+
+      - name: Invalidate CloudFront cache for ALL PATHS
+        if: steps.sync.outputs.has_changes == 'true' && inputs.cloudfront_invalidate_paths == 'ALL'
+        run: |
+          # Create CloudFront invalidation for all paths
+          DISTRIBUTION_ID=${{ steps.cloudfront.outputs.distribution_id }}
+          
+          echo "Creating CloudFront invalidation for paths: /*"
+          aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*"
+
+      - name: Invalidate CloudFront cache for UPDATED PATHS
+        if: steps.sync.outputs.has_changes == 'true' && inputs.cloudfront_invalidate_paths == 'UPDATED'
+        run: |
+          # Create CloudFront invalidation for the paths that were updated
+          PATHS=${{ toJSON(steps.sync.outputs.paths_json) }}
+          DISTRIBUTION_ID=${{ steps.cloudfront.outputs.distribution_id }}
+      
+          echo "Creating Invalidation batch file"
+          echo "{\"Paths\": {\"Quantity\": $(echo $PATHS | jq length), \"Items\": $PATHS}, \"CallerReference\": \"$(date +%s)\"}" > inv-batch.json
+          echo "Creating CloudFront invalidation for paths: $PATHS"
+          aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --invalidation-batch file://inv-batch.json