ci(github): connect release reorder

.github/actions/check-connect-version-match/action.yml

@@ -0,0 +1,34 @@
+name: "Check Connect Version Match with Branch"
+description: "Check if the version in package.json matches the version in the branch name"
+inputs:
+ branch_ref:
+    description: "The full ref of the branch"
+    required: true
+    type: string
+  extracted_version:
+    description: "The version extracted from the package.json or other source"
+    required: true
+    type: string
+
+runs:
+  using: "composite"
+  steps:
+    - name: Extract branch version
+      id: extract-branch-version
+      run: |
+        BRANCH_REF="${{ inputs.branch_ref }}"
+        BRANCH_VERSION="${BRANCH_REF#refs/heads/release/connect/}"
+        echo "branch_version=$BRANCH_VERSION" >> $GITHUB_OUTPUT
+
+    - name: Check if version in package.json matches the one in branch name
+      run: |
+        BRANCH_VERSION="${{ steps.extract-branch-version.outputs.branch_version }}"
+        EXTRACTED_VERSION="${{ inputs.extracted_version }}"
+        echo "Branch Version: $BRANCH_VERSION"
+        echo "Extracted Version: $EXTRACTED_VERSION"
+        if [[ "$BRANCH_VERSION" != "$EXTRACTED_VERSION" ]]; then
+          echo "The extracted version ($EXTRACTED_VERSION) does not match the version in the branch name ($BRANCH_VERSION)"
+          exit 1 # Fail the job if versions don't match
+        else
+          echo "Version check passed: $BRANCH_VERSION matches $EXTRACTED_VERSION"
+        fi

.github/workflows/release-connect-bump-versions.yml

@@ -0,0 +1,37 @@
+name: "[Release] connect bump versions"
+
+on:
+  workflow_dispatch:
+    inputs:
+      semver:
+        type: choice
+        description: semver
+        options:
+          - patch
+          - minor
+          - prerelease
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  bump-versions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+
+      - name: Install dependencies
+        run: yarn install
+
+      - name: Check dependencies to update
+        run: |
+          yarn tsx ./ci/scripts/connect-bump-versions.ts ${{ github.event.inputs.semver }}

.github/workflows/release-connect-v9-init.yml → .github/workflows/release-connect-init.yml

@@ -1,11 +1,16 @@
-name: "[Release] connect v9 init"
+name: "[Release] connect NPM and v9"
 
 permissions:
   id-token: write # for fetching the OIDC token
   contents: read # for actions/checkout
 
 on:
   workflow_dispatch:
+    inputs:
+      commit_sha:
+        description: "The commit SHA to checkout"
+        required: true
+        type: string
 
 jobs:
   # Version should have been bumped by now thanks to ./ci/scripts/connect-release-init-npm.js
@@ -19,6 +24,8 @@ jobs:
         with:
           # Number of commits to fetch. 0 indicates all history for all branches and tags.
           fetch-depth: 0
+          # Checkout the specified commit
+          ref: ${{ github.event.inputs.commit_sha }}
 
       - name: Setup node
         uses: actions/setup-node@v4
@@ -33,10 +40,16 @@ jobs:
     needs: [extract-version]
     name: "Create release branch for version ${{ needs.extract-version.outputs.version }}"
     runs-on: ubuntu-latest
+    outputs:
+      branch_name: ${{ steps.push-branch.outputs.branch_name }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
+          # Ensure the full commit history is available is required to get specific `ref`.
+          fetch-depth: 0
+          # Checkout the specified commit
+          ref: ${{ github.event.inputs.commit_sha }}
           token: ${{ secrets.TREZOR_BOT_TOKEN }}
 
       - name: Setup Git config
@@ -46,7 +59,6 @@ jobs:
 
       - name: Create and push new branch
         env:
-          GITHUB_TOKEN: ${{ secrets.TREZOR_BOT_TOKEN }}
           BRANCH_NAME: "release/connect/${{ needs.extract-version.outputs.version }}"
         run: |
           echo ${{ env.BRANCH_NAME }}

.github/workflows/release-connect-npm.yml

@@ -16,6 +16,7 @@ on:
 
 jobs:
   deploy-npm:
+    name: Deploy NPM ${{ inputs.deploymentType }}
     environment: production-connect
     runs-on: ubuntu-latest
     strategy:

.github/workflows/release-connect-v9-poduction.yml → .github/workflows/release-connect-v9-production.yml

@@ -36,8 +36,21 @@ jobs:
         id: set-version
         run: echo "version=$(node ./ci/scripts/get-connect-version.js)" >> $GITHUB_OUTPUT
 
+  check-version-match:
+    runs-on: ubuntu-latest
+    needs: [extract-version]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check connect version match
+        uses: ./.github/actions/check-connect-version-match
+        with:
+          branch_ref: "${{ github.ref }}"
+          extracted_version: "${{ needs.extract-version.outputs.version }}"
+
   # set the rollback
   sync-rollback-connect-v9:
+    needs: [extract-version, check-version-match]
     if: startsWith(github.ref, 'refs/heads/release/connect/')
     environment: production-connect
     name: "Backing up current production version ${{ needs.extract-version.outputs.version }} to rollback bucket"
@@ -48,14 +61,15 @@ jobs:
       - name: Configure aws credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::538326561891:role/gh_actions_trezor_suite_prod_deploy
+          role-to-assume: arn:aws:iam::538326561891:role/gh_actions_connect_prod_deploy
           aws-region: eu-central-1
 
       - name: Synching rollback bucket with current production
         run: |
           aws s3 sync "s3://connect.trezor.io/${{ env.LATEST_VERSION }}/" "s3://rollback-connect.trezor.io/${{ env.LATEST_VERSION }}/"
 
   deploy-production-semantic-version:
+    needs: [extract-version, check-version-match]
     if: startsWith(github.ref, 'refs/heads/release/connect/')
     environment: production-connect
     name: "Deploying to connect.trezor.io/9.x.x"
@@ -66,7 +80,7 @@ jobs:
       - name: Configure aws credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::538326561891:role/gh_actions_trezor_suite_prod_deploy
+          role-to-assume: arn:aws:iam::538326561891:role/gh_actions_connect_prod_deploy
           aws-region: eu-central-1
 
       - name: Synching production bucket with current staging
@@ -77,7 +91,7 @@ jobs:
   # From staging move it to production
   deploy-production-v9:
     # We deploy to production only if rollback sync was successful.
-    needs: [sync-rollback-connect-v9]
+    needs: [extract-version, check-version-match, sync-rollback-connect-v9]
     if: startsWith(github.ref, 'refs/heads/release/connect/') && github.event.inputs.deploymentType == 'stable'
     environment: production-connect
     name: "Deploying to connect.trezor.io/9/"

.github/workflows/release-connect-v9-staging.yml

@@ -33,19 +33,13 @@ jobs:
     runs-on: ubuntu-latest
     needs: [extract-version]
     steps:
-      - name: Check if version in package.json matches the one in branch name
-        run: |
-          # Extract the version from the branch name, assuming format 'refs/heads/release/connect/9.2.4-beta.1'
-          BRANCH_VERSION="${GITHUB_REF#*release/connect/}" # This strips everything before and including 'release/connect/'
-          EXTRACTED_VERSION="${{ needs.extract-version.outputs.version }}"
-          echo "Branch Version: $BRANCH_VERSION"
-          echo "Extracted Version: $EXTRACTED_VERSION"
-          if [[ "$BRANCH_VERSION" != "$EXTRACTED_VERSION" ]]; then
-            echo "The extracted version ($EXTRACTED_VERSION) does not match the version in the branch name ($BRANCH_VERSION)"
-            exit 1 # Fail the job if versions don't match
-          else
-            echo "Version check passed: $BRANCH_VERSION matches $EXTRACTED_VERSION"
-          fi
+      - uses: actions/checkout@v4
+
+      - name: Check connect version match
+        uses: ./.github/actions/check-connect-version-match
+        with:
+          branch_ref: "${{ github.ref }}"
+          extracted_version: "${{ needs.extract-version.outputs.version }}"
 
   # This job deploys to staging-connect.trezor.io/9.x.x
   deploy-staging-semantic-version:
@@ -68,7 +62,7 @@ jobs:
       - name: Build and deploy to staging-connect.trezor.io/9.x.x
         uses: ./.github/actions/release-connect
         with:
-          awsRoleToAssume: "arn:aws:iam::538326561891:role/gh_actions_trezor_suite_prod_deploy"
+          awsRoleToAssume: "arn:aws:iam::538326561891:role/gh_actions_connect_staging_deploy"
           awsRegion: "eu-central-1"
           serverHostname: "staging-connect.trezor.io"
           serverPath: ${{ needs.extract-version.outputs.version }}
@@ -94,7 +88,7 @@ jobs:
       - name: Build and deploy to staging-connect.trezor.io/9
         uses: ./.github/actions/release-connect
         with:
-          awsRoleToAssume: "arn:aws:iam::538326561891:role/gh_actions_trezor_suite_prod_deploy"
+          awsRoleToAssume: "arn:aws:iam::538326561891:role/gh_actions_connect_staging_deploy"
           awsRegion: "eu-central-1"
           serverHostname: "staging-connect.trezor.io"
           serverPath: "9"

ci/scripts/check-npm-and-local.js

@@ -2,7 +2,6 @@ const { execSync } = require('child_process');
 
 const fs = require('fs');
 const util = require('util');
-const https = require('https');
 const fetch = require('cross-fetch');
 const tar = require('tar');
 const path = require('path');