ci(github): connect release reorder

.github/workflows/release-connect-bump-versions.yml

@@ -0,0 +1,45 @@
+name: "[Release] connect bump versions"
+
+on:
+  workflow_dispatch:
+    inputs:
+      semver:
+        type: choice
+        description: semver
+        options:
+          - patch
+          - minor
+          - prerelease
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  bump-versions:
+    if: github.repository == 'trezor/trezor-suite'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Number of commits to fetch. 0 indicates all history for all branches and tags.
+          fetch-depth: 0
+          submodules: true
+
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+
+      - name: Install dependencies
+        run: yarn install
+
+      - name: Set git for trezor-ci
+        run: |
+          git config --global user.name "trezor-ci"
+          git config --global user.email "${{ secrets.TREZOR_BOT_EMAIL }}"
+
+      - name: Check dependencies to update
+        run: |
+          node ./ci/scripts/connect-bump-versions.js ${{ github.event.inputs.semver }}

.github/workflows/release-connect-init.yml

@@ -0,0 +1,98 @@
+name: "[Release] connect NPM and v9"
+
+permissions:
+  id-token: write # for fetching the OIDC token
+  contents: read # for actions/checkout
+
+on:
+  workflow_dispatch:
+    inputs:
+      commit_sha:
+        description: "The commit SHA to checkout"
+        required: true
+        type: string
+      deploymentType:
+        description: "Select the deployment type. (example: canary, stable)"
+        required: true
+        type: choice
+        options:
+          - canary
+          - stable
+
+jobs:
+  # Version should have been bumped by now thanks to ./ci/scripts/connect-release-init-npm.js
+  extract-version:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.set-version.outputs.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Number of commits to fetch. 0 indicates all history for all branches and tags.
+          fetch-depth: 0
+          # Checkout the specified commit
+          ref: ${{ github.event.inputs.commit_sha }}
+
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+
+      - name: Extract connect version
+        id: set-version
+        run: echo "version=$(node ./ci/scripts/get-connect-version.js)" >> $GITHUB_OUTPUT
+
+  create-push-release-branch:
+    needs: [extract-version]
+    name: "Create release branch for version ${{ needs.extract-version.outputs.version }}"
+    runs-on: ubuntu-latest
+    outputs:
+      branch_name: ${{ steps.push-branch.outputs.branch_name }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.TREZOR_BOT_TOKEN }}
+          fetch-depth: 0
+          # Checkout the specified commit
+          ref: ${{ github.event.inputs.commit_sha }}
+
+      - name: Setup Git config
+        run: |
+          git config --global user.name "trezor-ci"
+          git config --global user.email "${{ secrets.TREZOR_BOT_EMAIL }}"
+
+      - name: Create and push new branch
+        env:
+          GITHUB_TOKEN: ${{ secrets.TREZOR_BOT_TOKEN }}
+          BRANCH_NAME: "release/connect/${{ needs.extract-version.outputs.version }}"
+        run: |
+          echo ${{ env.BRANCH_NAME }}
+          git checkout -b ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}
+          echo "branch_name=${{ env.BRANCH_NAME }}" >> $GITHUB_OUTPUT
+
+  trigger-v9-staging-release:
+    runs-on: ubuntu-latest
+    steps:
+      - run: gh workflow run .github/workflows/release-connect-v9-staging.yml --ref $BRANCH_NAME
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH_NAME: ${{ needs.create-push-release-branch.outputs.branch_name }}
+
+  trigger-v9-production-release:
+    runs-on: ubuntu-latest
+    steps:
+      - run: gh workflow run .github/workflows/release-connect-v9-production.yml --ref $BRANCH_NAME
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH_NAME: ${{ needs.create-push-release-branch.outputs.branch_name }}
+
+  trigger-npm-release:
+    runs-on: ubuntu-latest
+    steps:
+      - run: gh workflow run .github/workflows/release-connect-npm-init.yml --ref $BRANCH_NAME --field deploymentType=${{ github.event.inputs.deploymentType }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH_NAME: ${{ needs.create-push-release-branch.outputs.branch_name }}

.github/workflows/release-connect-npm-init.yml

@@ -3,21 +3,50 @@ name: "[Release] connect npm init"
 on:
   workflow_dispatch:
     inputs:
-      semver:
+      deploymentType:
+        description: "Select the deployment type. (example: canary, stable)"
+        required: true
         type: choice
-        description: semver
         options:
-          - patch
-          - minor
-          - prerelease
+          - canary
+          - stable
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
-  pre-release:
-    if: github.repository == 'trezor/trezor-suite'
+  extract-version-from-package-json:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.set-version.outputs.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Number of commits to fetch. 0 indicates all history for all branches and tags.
+          fetch-depth: 0
+
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+
+      - name: Extract connect version
+        id: set-version
+        run: echo "version=$(node ./ci/scripts/get-connect-version.js)" >> $GITHUB_OUTPUT
+
+  check-version-match:
+    runs-on: ubuntu-latest
+    needs: [extract-version]
+    uses: ./.github/workflows/template-check-connect-version-match.yml
+    with:
+      branch_ref: "${{ github.ref }}"
+      extracted_version: "${{ needs.extract-version.outputs.version }}"
+
+  trigger-npm-release:
+    needs: [check-version-match]
+    if: startsWith(github.ref, 'refs/heads/release/connect/')
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -43,8 +72,6 @@ jobs:
         run: |
           git config --global user.name "trezor-ci"
           git config --global user.email "${{ secrets.TREZOR_BOT_EMAIL }}"
-          gh config set prompt disabled
-          gh api /user --jq .login
-          node ./ci/scripts/connect-release-init-npm.js ${{ github.event.inputs.semver }}
+          node ./ci/scripts/connect-release-npm-init.js ${{ github.event.inputs.deploymentType }} release/connect/${{ needs.extract-version.outputs.version }}
         env:
           GITHUB_TOKEN: ${{ secrets.TREZOR_BOT_TOKEN }}

.github/workflows/release-connect-npm.yml

@@ -16,6 +16,7 @@ on:
 
 jobs:
   deploy-npm:
+    name: Deploy NPM ${{ inputs.deploymentType }}
     environment: production-connect
     runs-on: ubuntu-latest
     strategy:

.github/workflows/release-connect-v9-poduction.yml → .github/workflows/release-connect-v9-production.yml

@@ -36,8 +36,17 @@ jobs:
         id: set-version
         run: echo "version=$(node ./ci/scripts/get-connect-version.js)" >> $GITHUB_OUTPUT
 
+  check-version-match:
+    runs-on: ubuntu-latest
+    needs: [extract-version]
+    uses: ./.github/workflows/template-check-connect-version-match.yml
+    with:
+      branch_ref: "${{ github.ref }}"
+      extracted_version: "${{ needs.extract-version.outputs.version }}"
+
   # set the rollback
   sync-rollback-connect-v9:
+    needs: [extract-version, check-version-match]
     if: startsWith(github.ref, 'refs/heads/release/connect/')
     environment: production-connect
     name: "Backing up current production version ${{ needs.extract-version.outputs.version }} to rollback bucket"
@@ -48,14 +57,15 @@ jobs:
       - name: Configure aws credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::538326561891:role/gh_actions_trezor_suite_prod_deploy
+          role-to-assume: arn:aws:iam::538326561891:role/gh_actions_connect_prod_deploy
           aws-region: eu-central-1
 
       - name: Synching rollback bucket with current production
         run: |
           aws s3 sync "s3://connect.trezor.io/${{ env.LATEST_VERSION }}/" "s3://rollback-connect.trezor.io/${{ env.LATEST_VERSION }}/"
 
   deploy-production-semantic-version:
+    needs: [extract-version, check-version-match]
     if: startsWith(github.ref, 'refs/heads/release/connect/')
     environment: production-connect
     name: "Deploying to connect.trezor.io/9.x.x"
@@ -66,7 +76,7 @@ jobs:
       - name: Configure aws credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::538326561891:role/gh_actions_trezor_suite_prod_deploy
+          role-to-assume: arn:aws:iam::538326561891:role/gh_actions_connect_prod_deploy
           aws-region: eu-central-1
 
       - name: Synching production bucket with current staging
@@ -77,7 +87,7 @@ jobs:
   # From staging move it to production
   deploy-production-v9:
     # We deploy to production only if rollback sync was successful.
-    needs: [sync-rollback-connect-v9]
+    needs: [extract-version, check-version-match, sync-rollback-connect-v9]
     if: startsWith(github.ref, 'refs/heads/release/connect/') && github.event.inputs.deploymentType == 'stable'
     environment: production-connect
     name: "Deploying to connect.trezor.io/9/"

.github/workflows/release-connect-v9-staging.yml

@@ -32,20 +32,10 @@ jobs:
   check-version-match:
     runs-on: ubuntu-latest
     needs: [extract-version]
-    steps:
-      - name: Check if version in package.json matches the one in branch name
-        run: |
-          # Extract the version from the branch name, assuming format 'refs/heads/release/connect/9.2.4-beta.1'
-          BRANCH_VERSION="${GITHUB_REF#*release/connect/}" # This strips everything before and including 'release/connect/'
-          EXTRACTED_VERSION="${{ needs.extract-version.outputs.version }}"
-          echo "Branch Version: $BRANCH_VERSION"
-          echo "Extracted Version: $EXTRACTED_VERSION"
-          if [[ "$BRANCH_VERSION" != "$EXTRACTED_VERSION" ]]; then
-            echo "The extracted version ($EXTRACTED_VERSION) does not match the version in the branch name ($BRANCH_VERSION)"
-            exit 1 # Fail the job if versions don't match
-          else
-            echo "Version check passed: $BRANCH_VERSION matches $EXTRACTED_VERSION"
-          fi
+    uses: ./.github/workflows/template-check-connect-version-match.yml
+    with:
+      branch_ref: "${{ github.ref }}"
+      extracted_version: "${{ needs.extract-version.outputs.version }}"
 
   # This job deploys to staging-connect.trezor.io/9.x.x
   deploy-staging-semantic-version:
@@ -68,7 +58,7 @@ jobs:
       - name: Build and deploy to staging-connect.trezor.io/9.x.x
         uses: ./.github/actions/release-connect
         with:
-          awsRoleToAssume: "arn:aws:iam::538326561891:role/gh_actions_trezor_suite_prod_deploy"
+          awsRoleToAssume: "arn:aws:iam::538326561891:role/gh_actions_connect_staging_deploy"
           awsRegion: "eu-central-1"
           serverHostname: "staging-connect.trezor.io"
           serverPath: ${{ needs.extract-version.outputs.version }}
@@ -94,7 +84,7 @@ jobs:
       - name: Build and deploy to staging-connect.trezor.io/9
         uses: ./.github/actions/release-connect
         with:
-          awsRoleToAssume: "arn:aws:iam::538326561891:role/gh_actions_trezor_suite_prod_deploy"
+          awsRoleToAssume: "arn:aws:iam::538326561891:role/gh_actions_connect_staging_deploy"
           awsRegion: "eu-central-1"
           serverHostname: "staging-connect.trezor.io"
           serverPath: "9"

.github/workflows/template-check-connect-version-match.yml

@@ -0,0 +1,37 @@
+name: Check connect version match with branch
+
+on:
+  workflow_call:
+    inputs:
+      branch_ref:
+        description: "The full ref of the branch"
+        required: true
+        type: string
+      extracted_version:
+        description: "The version extracted from the package.json or other source"
+        required: true
+        type: string
+
+jobs:
+  check-version-match:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract branch version
+        id: extract-branch-version
+        run: |
+          BRANCH_REF="${{ inputs.branch_ref }}"
+          BRANCH_VERSION="${BRANCH_REF#refs/heads/release/connect/}"
+          echo "branch_version=$BRANCH_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Check if version in package.json matches the one in branch name
+        run: |
+          BRANCH_VERSION="${{ steps.extract-branch-version.outputs.branch_version }}"
+          EXTRACTED_VERSION="${{ inputs.extracted_version }}"
+          echo "Branch Version: $BRANCH_VERSION"
+          echo "Extracted Version: $EXTRACTED_VERSION"
+          if [[ "$BRANCH_VERSION" != "$EXTRACTED_VERSION" ]]; then
+            echo "The extracted version ($EXTRACTED_VERSION) does not match the version in the branch name ($BRANCH_VERSION)"
+            exit 1 # Fail the job if versions don't match
+          else
+            echo "Version check passed: $BRANCH_VERSION matches $EXTRACTED_VERSION"
+          fi

ci/scripts/check-npm-and-local.js

@@ -2,7 +2,6 @@ const { execSync } = require('child_process');
 
 const fs = require('fs');
 const util = require('util');
-const https = require('https');
 const fetch = require('cross-fetch');
 const tar = require('tar');
 const path = require('path');