chore: fix-slackbot

[ryanbas21]

JIRA Ticket

N/A

Description

bad interpolation fix in 2ba62e4

the other two commits are me refactoring the workflows to use composite actions. I felt they were getting unmaintainbly long. just wanted to make it easier to parse through.

We can hold off on merging these until i'm back if preferred, they look like they all work fine but i'd hate for them not to and someone have to debug and fix it.

@spetrov maybe can review

Summary by CodeRabbit

• Chores
  • Centralized CI setup and caching for faster, more reliable builds; snapshot job migrated to the centralized setup and Codecov removed from the primary publish path. Added a CI workflow to build/test forked PRs.
• New Features
  • Automated beta publish flow that creates PRs and deploys beta API docs.
  • Automated release flow that deploys API docs and posts reformatted release notifications to Slack.
• Notes
  • No user-facing app functionality changes.

[changeset-bot]

⚠️ No Changeset found

Latest commit: b4a3a82

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Replaces inline CI setup, caching, and publish steps with three local composite GitHub Actions: Setup Project, Publish Beta Steps, and Publish Release Steps. The top-level publish workflow and snapshot job now invoke these actions and pass inputs like pnpm-cache-folder and publishedPackages.

Changes

Cohort / File(s)	Summary of Changes
Top-level publish workflow .github/workflows/publish.yml	Replaced inlined setup/cache/publish steps with calls to local composite actions; added pnpm-cache-folder input and CODECOV_TOKEN exposure; removed pnpm/action-setup, actions/setup-node, npm cache, and direct Codecov/pack/docs steps; reorganized release vs beta flows to call new actions.
Setup action .github/actions/setup/action.yml	Added Setup Project composite action centralizing checkout, pnpm/node setup, npm update, dependency install, Nx Cloud start, Playwright cache/install, pnpm store configuration, nx affected tasks (build/lint/test/e2e), and artifact upload. Inputs: fetch-depth, token, node-version-file, pnpm-cache-folder.
Publish beta action .github/actions/publish-beta/action.yml	Added Publish Beta Steps composite action that runs a pnpm command to create a PR for beta publishing and deploys API docs to the beta target using JamesIves/github-pages-deploy-action.
Publish release action .github/actions/publish-release/action.yml	Added Publish Release Steps composite action with required inputs publishedPackages and slackWebhook; formats publishedPackages for Slack (GitHub output), posts Slack notification via slackapi/[email protected], and deploys API docs via JamesIves/[email protected].
Fork CI workflow .github/workflows/ci-fork.yml	New workflow for fork PRs using pull_request_target; sets up pnpm/Node, installs deps, caches Playwright browsers, sets NX SHAs, creates local main tracking branch, and runs format, build, typecheck, lint, test, and e2e-ci tasks.

Sequence Diagram(s)

sequenceDiagram
  participant Workflow as publish.yml
  participant Setup as .github/actions/setup
  participant PublishRelease as .github/actions/publish-release
  participant PublishBeta as .github/actions/publish-beta
  participant Slack as slackapi/slack-github-action
  participant Pages as github-pages-deploy-action

  rect rgb(245,250,255)
  Workflow->>Setup: call "Setup Project" (inputs: token, pnpm-cache-folder, node-version-file)
  Setup-->>Workflow: setup complete
  end

  alt release path (published == true)
    Workflow->>PublishRelease: call "Publish Release Steps" (publishedPackages, slackWebhook)
    PublishRelease->>PublishRelease: format publishedPackages -> GitHub output
    PublishRelease->>Slack: post formatted payload (webhook)
    PublishRelease->>Pages: deploy api docs (chore: release-api-docs)
    PublishRelease-->>Workflow: release done
  else beta path
    Workflow->>PublishBeta: call "Publish Beta Steps"
    PublishBeta->>PublishBeta: run pnpm PR publish command (create PR)
    PublishBeta->>Pages: deploy beta docs (beta commit message)
    PublishBeta-->>Workflow: beta done
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• ci: use-trusted-publishers #418 — Similar migration of publish workflow to reusable actions and changes to snapshot/publish logic.
• chore: add-continuous-publish #399 — Related adjustments to pnpm-based publishing and continuous/beta publish orchestration.

Suggested reviewers

• cerebrl

Poem

I hop through CI with a cheerful cheer,
I bundle steps so the path is clear.
Docs take flight and Slack gets a bell,
Beta and release rung from one shell.
Carrots for build — hoppity hooray! 🥕🐇

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title Check	⚠️ Warning	The PR title "fix-slackbot" refers to a real part of the changeset (the bad interpolation fix in the Slack integration), but it does not represent the main scope of the pull request. According to the author's description and the raw summary, this PR contains three commits: one bad interpolation fix and two commits refactoring workflows to use composite actions. The refactoring is the more extensive change, introducing three new composite GitHub Actions (.github/actions/setup/action.yml, .github/actions/publish-beta/action.yml, and .github/actions/publish-release/action.yml) and significantly reorganizing existing workflows. A teammate scanning the commit history would misunderstand the primary scope of this change, expecting only a minor Slackbot fix rather than substantial workflow refactoring.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	The PR description follows the required template structure with both JIRA Ticket and Description sections properly filled out. The description clearly explains what was changed (a bad interpolation fix and workflow refactoring into composite actions), provides context (the author notes the changes appear to work and offers to delay merging if preferred), and appropriately suggests a reviewer. While the description could include more technical detail about the composite actions themselves, it provides sufficient information to understand the main objectives and intent of the pull request.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-publish-packages-slack

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit b4a3a82

Command	Status	Duration	Result
nx affected -t build typecheck lint test e2e-ci	❌ Failed	1m 8s	View ↗
nx-cloud record -- nx format:check	✅ Succeeded	1s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-10-20 17:49:17 UTC

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b110df and 2ba62e4.

📒 Files selected for processing (1)

• .github/workflows/publish.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: pr

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 18.75%. Comparing base (6b110df) to head (f932124).

❌ Your project status has failed because the head coverage (18.75%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #427   +/-   ##
=======================================
  Coverage   18.75%   18.75%           
=======================================
  Files         138      138           
  Lines       27368    27368           
  Branches      951      951           
=======================================
  Hits         5132     5132           
  Misses      22236    22236           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@427

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@427

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@427

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@427

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@427

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@427

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@427

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@427

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@427

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@427

commit: f932124

[github-actions]

Deployed e0cab0c to https://ForgeRock.github.io/ping-javascript-sdk/pr-427/e0cab0c7f97ced3abfc7073f691879eabf5eb944 branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/journey-client - 0.0 KB (-82.0 KB, -100.0%)

📊 Minor Changes

📈 @forgerock/journey-client - 82.0 KB (+0.0 KB)

➖ No Changes

➖ @forgerock/device-client - 9.2 KB
➖ @forgerock/oidc-client - 23.0 KB
➖ @forgerock/protect - 150.1 KB
➖ @forgerock/sdk-utilities - 7.5 KB
➖ @forgerock/sdk-types - 8.0 KB
➖ @forgerock/storage - 1.4 KB
➖ @forgerock/sdk-logger - 1.6 KB
➖ @forgerock/iframe-manager - 2.4 KB
➖ @forgerock/sdk-request-middleware - 4.4 KB
➖ @forgerock/sdk-oidc - 2.5 KB
➖ @forgerock/davinci-client - 34.5 KB

---

13 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

.github/actions/publish-beta/action.yml (1)

4-7: Remove the dead branch input (or actually use it).

The action exposes a branch input but never consumes it, so callers pass data that’s silently ignored. Please either wire the input into the action logic or drop it from the interface.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2ba62e4 and 63871b1.

📒 Files selected for processing (4)

• .github/actions/publish-beta/action.yml (1 hunks)
• .github/actions/publish-release/action.yml (1 hunks)
• .github/actions/setup/action.yml (1 hunks)
• .github/workflows/publish.yml (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: pr

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Slack payload missing required text (webhook rejects it).

Incoming webhooks expect a text or blocks field; sending { "publishedPackages": "…" } results in invalid_payload, so the notification never lands. Wrap the formatted string under text (or build a proper block) before calling the Slack action.

🤖 Prompt for AI Agents

In .github/actions/publish-release/action.yml around lines 27 to 29, the JSON
payload currently sends { "publishedPackages": "${{
steps.slackify.outputs.message }}" } which Slack incoming webhooks reject
because they require a top-level text or blocks field; replace the payload so it
wraps the message under a "text" key (or construct a "blocks" array) e.g. set
the payload to { "text": "${{ steps.slackify.outputs.message }}" } and ensure
any escaping/quoting matches the YAML/step input format.

[ryanbas21]

are you sure? this is a slack workflow builder setup

[coderabbitai]

🧩 Analysis chain

🌐 Web query:

Slack Workflow Builder webhook custom variables payload

💡 Result:

Short answer

• Workflow Builder webhook expects a JSON (HTTP POST) body with top-level string key→value pairs for custom variables (no nested objects/arrays). Up to 20 custom variables may be defined (types: text, channel ID, user ID, user email). Nested payloads must be flattened/stringified before sending. [1][2][3]

Example (POST application/json)
{
"alert_title": "Database outage",
"severity": "critical",
"channel_id": "C01234567",
"owner_email": "[email protected]"
}

Notes

• The webhook URL is generated by Workflow Builder and looks like https://hooks.slack.com/workflows/.... Use that URL as the POST target. [1][2]
• If you have nested JSON, flatten or stringify keys (tools/approach examples: Slack’s guidance and community tools that flatten JSON). Many integrations (and slackapi’s GitHub Action) flatten payloads using a delimiter. [2][3]
• Webhook workflows are limited to ~1 request/sec; missing expected variables will cause an error. [1]

Sources
[1] Slack Help: Build a workflow — Create a workflow that starts outside of Slack.
[2] Slack Developer Docs: Sending data via a webhook to start a Slack workflow (and slackapi slack-github-action docs).
[3] “Flatten JSON for Workflow Builder” (guidance + community tooling).

---

@ryanbas21 You're absolutely right—I apologize for the confusion!

Since you're using webhook-type: webhook-trigger, this is indeed a Slack Workflow Builder webhook, not a standard incoming webhook. Workflow Builder webhooks accept custom variables as top-level key-value pairs (like "publishedPackages"), and they don't require the text or blocks fields that standard incoming webhooks do.

Your payload structure is correct for a Workflow Builder setup:

payload: >
  {
    "publishedPackages": "${{ steps.slackify.outputs.message }}"
  }

The custom variable publishedPackages should map to whatever variable name you've configured in your Workflow Builder workflow. My earlier comment was based on standard incoming webhook requirements, which don't apply here. Thank you for catching that! 👍

[ryanbas21]

There should be nothing different, i just refactored this to be more "clean" and use a composite action that can be reused across steps.

[ryanbas21]

removed this b/c unneccessary

[ryanbas21]

Broke this branching out into reusable composite actions

just to clean up this workflow

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 63871b1 and 54f42cf.

📒 Files selected for processing (2)

• .github/actions/setup/action.yml (1 hunks)
• .github/workflows/publish.yml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: pr

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (6)

.github/actions/publish-beta/action.yml (3)

3-7: Remove empty inputs block or define real inputs

An empty inputs: is noise. Either remove it or add explicit inputs (e.g., token, docs-folder, branch) you plan to consume.

---

8-11: Ensure auth for PR creation (GITHUB_TOKEN) is wired

pnpm pkg-pr-new publish … will need a token to open PRs. Composite actions don’t auto-inject inputs; rely on GITHUB_TOKEN from the caller job and ensure permissions: contents: write, pull-requests: write are set, or accept a token input and pass it as env.

Example adjustment within this action:

 inputs:
+  token:
+    description: 'GitHub token with contents & pull-requests write'
+    required: false

   steps:
     - name: Create PR for beta publish
       shell: bash
-      run: pnpm pkg-pr-new publish './packages/*' './packages/sdk-effects/*' --packageManager=pnpm --comment=off
+      run: pnpm pkg-pr-new publish './packages/*' './packages/sdk-effects/*' --packageManager=pnpm --comment=off
+      env:
+        GITHUB_TOKEN: ${{ inputs.token || env.GITHUB_TOKEN }}

Optionally confirm the caller workflow sets:

• job permissions: contents: write, pull-requests: write
• env: GITHUB_TOKEN provided by GitHub

---

12-17: Pin action to a commit SHA and set target branch explicitly

For supply‑chain safety, pin JamesIves/github-pages-deploy-action to a commit SHA. Also set branch explicitly (usually gh-pages) to avoid environment drift.

-    - name: Publish api docs [beta]
-      uses: JamesIves/[email protected]
+    - name: Publish api docs [beta]
+      uses: JamesIves/github-pages-deploy-action@9dc5b8d3b75f3cc1b1b5a7eaa63a6a5c9e1d2b48 # v4.7.3
       with:
-        folder: docs
+        branch: gh-pages
+        folder: docs
         commit-message: 'chore: release-api-docs-beta'
         target-folder: 'beta'

Also ensure the caller job has pages: write or contents: write permissions as required by the action and that docs/ is built before invoking this step.

.github/actions/setup/action.yml (3)

22-26: Pin third‑party actions to commit SHAs

Pin all marketplace actions to immutable SHAs (checkout, pnpm/action-setup, setup-node, actions/cache, nrwl/nx-set-shas, upload-artifact) to reduce supply‑chain risk.

Example:

• actions/checkout@v4 → actions/checkout@b4ffde6
• pnpm/action-setup@v4 → pnpm/action-setup@
• actions/setup-node@v4 → actions/setup-node@
• actions/cache@v4 → actions/cache@
• nrwl/nx-set-shas@v4 → nrwl/nx-set-shas@
• actions/upload-artifact@v4 → actions/upload-artifact@

Also applies to: 27-29, 31-36, 56-62, 67-67, 73-80

---

37-39: Updating npm globally may be unnecessary and adds time

Unless you hit a specific npm bug, consider omitting npm install -g npm@latest to speed up CI and keep npm aligned with the selected Node version.

---

63-66: Playwright install nuances

If using GitHub-hosted runners, browsers are often preinstalled/restored via cache; consider skipping install for non-e2e jobs, or gate with a boolean input to reduce time. Use --with-deps only when needed on self-hosted Linux.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 54f42cf and f932124.

📒 Files selected for processing (3)

• .github/actions/publish-beta/action.yml (1 hunks)
• .github/actions/publish-release/action.yml (1 hunks)
• .github/actions/setup/action.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/actions/publish-release/action.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: pr

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/ci-fork.yml (1)

1-45: ci-fork.yml is missing critical setup steps from the new Setup Project composite action.

The workflow cannot directly use the composite action due to fork-specific requirements (head SHA checkout, git branch tracking for nx affected, custom nx tasks), but it is missing important setup optimizations present in .github/actions/setup/action.yml:

• Nx Cloud initialization (pnpm dlx nx-cloud start-ci-run...) — required for distributed testing and CI metrics
• pnpm store-dir config — improves cache efficiency
• npm registry-url setup — ensures correct npm resolution
• npm upgrade to latest — maintains tool currency
• Playwright report artifact upload — enables debugging of failed e2e tests

The different nx affected task list (ci-fork includes typecheck and format:check separately) is appropriate for fork PRs, but the foundational setup gaps should be addressed.

Consider backfilling these setup steps into ci-fork.yml or creating a fork-specific composite action that wraps the core setup with fork requirements.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 61b5dbf and b4a3a82.

📒 Files selected for processing (1)

• .github/workflows/ci-fork.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: pr

[nx-cloud]

Nx Cloud has identified a possible root cause for your failed CI:

The PR makes changes exclusively to GitHub Actions workflow files and composite action definitions. The changes refactor CI/CD pipeline configuration by extracting repeated setup and publish steps into reusable composite actions.

The failing task is @forgerock/davinci-suites:e2e-ci--src/protect.test.ts, which runs Playwright end-to-end tests for the DaVinci Protect functionality. Two tests are failing:

1. "Test Protect collector with Custom HTML component" - fails at line 42
2. "Test Protect collector with P1 Forms component" - fails at line 79

Both tests fail because the expected text (indicating a bot was blocked by PingOne Risk protection) is not appearing on the page within the 5-second timeout. The tests are looking for specific text patterns that should appear when risk-based protection blocks access.

Classification: flaky_task

This is classified as a flaky test for the following reasons:

1. The PR diff contains zero changes to application code, test code, or any code that would affect the behavior of the Protect collector functionality
2. All changes are limited to GitHub Actions workflow YAML files (.github/actions/ and .github/workflows/)
3. The failing tests are integration/e2e tests that depend on external services (PingOne Risk protection service)
4. The test failures involve timing issues (5-second timeout waiting for text to appear)
5. There is no causal relationship between refactoring CI/CD workflow configuration and the runtime behavior of the Protect risk evaluation system

The failures are likely due to:

• Network latency or connectivity issues with the PingOne Risk service
• The external risk service being temporarily unavailable or slow to respond
• Environmental conditions affecting the e2e test execution environment
• Timing-sensitive race conditions in the test environment

Since the PR changes only affect how CI/CD pipelines are structured and do not modify any application logic, test logic, or dependencies, these test failures are environmentally induced and unrelated to the code changes.

A code change would likely not resolve this issue, so no action was taken.

View in Nx Cloud ↗

_{🎓 To learn more about Self Healing CI, please visit nx.dev}