chore: setup alt dev for test

[saikumarrs]

PR Description

Please include a summary of the change along with the relevant motivation and context.

Linear task (optional)

Linear task link

Cross Browser Tests

Please confirm you have tested for the following browsers:

• Chrome
• Firefox
• IE11

Sanity Suite

• All sanity suite test cases pass locally

Security

• The code changed/added as part of this pull request won't create any security issues with how the software is being used.

Summary by CodeRabbit

• Build/Packaging
  • SDK builds can include a version suffix, enabling distinct “alternate” release identifiers.
• Chores
  • Deployment workflows now target production by default with simplified artifact paths.
  • Added alternate deployment paths for an “alternate” release channel with dedicated credentials.
• Tests
  • Temporarily disabled automated end-to-end regression runs in this pipeline.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates GitHub Actions workflows: shift deploy targets from development to production, remove merged-only gating, disable e2e regression job, add alternate deployment and sanity-suite jobs using separate secrets, and introduce an optional sdk_version_suffix input in deploy.yml. Rollup build now appends SDK_VERSION_SUFFIX to the package version when set.

Changes

Cohort / File(s)	Summary
Deploy dev workflow updates \.github/workflows/deploy-dev.yml	Switched deploy and sanity-suite jobs to production; removed PR-merged gating from deploy; added deploy-dev-alternate and deploy-sanity-suite-alternate jobs with ALT secrets and sdk_version_suffix=alternate; updated artifact S3 paths to v3 and v1.1; explicitly disabled run-e2e-regression-test-suites with if: false.
Reusable deploy workflow \.github/workflows/deploy.yml	Added optional input sdk_version_suffix; passed it to Build artifacts via env SDK_VERSION_SUFFIX.
Build config version suffix packages/analytics-js/rollup.config.mjs	Made version mutable and, when SDK_VERSION_SUFFIX is set, appended “-” to version used for PACKAGE_VERSION replacement.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions (deploy-dev.yml)
  participant Reusable as Reusable Deploy (deploy.yml)
  participant Build as Rollup Build
  participant S3 as S3/CDN
  participant Sanity as Sanity Suite WF

  Dev->>GH: Push/PR triggers workflow
  par Main deploy
    GH->>Reusable: Job: deploy (env: production, paths v3/v1.1)
    Reusable->>Build: Build artifacts (SDK_VERSION_SUFFIX: "" or "alternate")
    Build-->>Reusable: Artifacts with version (optionally suffixed)
    Reusable->>S3: Upload artifacts to v3 / v1.1
  and Alternate deploy
    GH->>Reusable: Job: deploy-dev-alternate (sdk_version_suffix=alternate)
    Reusable->>Build: Build artifacts (SDK_VERSION_SUFFIX=alternate)
    Build-->>Reusable: Artifacts with suffixed version
    Reusable->>S3: Upload artifacts to v3 / v1.1 (ALT creds)
  end

  note over GH,S3: Paths changed from dev/latest/* to v3 and v1.1

  par Sanity suites
    GH->>Sanity: deploy-sanity-suite (env: production)
    GH->>Sanity: deploy-sanity-suite-alternate (env: production, ALT secrets)
  and E2E regression
    GH--xGH: run-e2e-regression-test-suites (disabled via if: false)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/deploy-dev.yml (1)

25-45: Disambiguate S3 path per dev job
deploy.yml uses inputs.s3_dir_path and inputs.s3_dir_path_legacy for all S3 uploads (lines 274–275) and CloudFront invalidations (lines 283–284 and 376–378). Both dev lanes currently pass the same v3/v1.1 values, so they’ll overwrite each other’s uploads and invalidate the same cache. Append a lane-specific suffix (e.g. via trigger_source or version_suffix) or supply distinct paths per job to ensure isolation.

🧹 Nitpick comments (3)

.github/workflows/deploy-dev.yml (3)

68-68: Don’t permanently hard-disable sanity suite; gate via input.

Hard if: false loses coverage unintentionally. Use the new skip_tests input so PR merges can still run sanity unless explicitly skipped on manual runs.

-    if: false
+    if: ${{ github.event_name == 'pull_request' && github.event.pull_request.merged == true && inputs.skip_tests != 'true' || github.event_name == 'workflow_dispatch' && inputs.skip_tests != 'true' }}

---

88-88: Same for E2E suites — prefer an input switch over hard disable.

Keep them off for manual PoC by default, but allow enabling when needed.

-    if: false
+    if: ${{ github.event_name == 'pull_request' && github.event.pull_request.merged == true && inputs.skip_tests != 'true' || github.event_name == 'workflow_dispatch' && inputs.skip_tests != 'true' }}

---

25-45: Minor: naming consistency vs environment choice.

Workflow and job names say “Development” while with.environment is set to “production.” Align to avoid confusion in Slack/bugsnag release notes and environment protections.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c49e54 and 077636c.

📒 Files selected for processing (1)

• .github/workflows/deploy-dev.yml (4 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: saikumarrs
PR: rudderlabs/rudder-sdk-js#1708
File: .github/workflows/deploy-prod.yml:10-27
Timestamp: 2024-10-08T15:52:59.819Z
Learning: The job name `deploy-tag` has been replaced with `deploy` in all relevant GitHub workflow files.

Learnt from: saikumarrs
PR: rudderlabs/rudder-sdk-js#1708
File: .github/workflows/deploy-prod.yml:10-27
Timestamp: 2024-07-27T07:02:57.329Z
Learning: The job name `deploy-tag` has been replaced with `deploy` in all relevant GitHub workflow files.

Learnt from: saikumarrs
PR: rudderlabs/rudder-sdk-js#1754
File: packages/analytics-js-service-worker/README.md:0-0
Timestamp: 2024-10-08T15:52:59.819Z
Learning: saikumarrs prefers simplified language in documentation, avoiding redundant phrases.

Learnt from: saikumarrs
PR: rudderlabs/rudder-sdk-js#1754
File: packages/analytics-js-service-worker/README.md:0-0
Timestamp: 2024-06-14T09:50:33.511Z
Learning: saikumarrs prefers simplified language in documentation, avoiding redundant phrases.

📚 Learning: 2024-10-08T15:52:59.819Z

Learnt from: saikumarrs
PR: rudderlabs/rudder-sdk-js#1708
File: .github/workflows/deploy-prod.yml:10-27
Timestamp: 2024-10-08T15:52:59.819Z
Learning: The job name `deploy-tag` has been replaced with `deploy` in all relevant GitHub workflow files.

Applied to files:

• .github/workflows/deploy-dev.yml

📚 Learning: 2025-06-26T12:33:40.146Z

Learnt from: saikumarrs
PR: rudderlabs/rudder-sdk-js#2308
File: .github/workflows/deploy-staging.yml:26-27
Timestamp: 2025-06-26T12:33:40.146Z
Learning: The `deploy-staging.yml` workflow only triggers on `pull_request` events, so the `trigger_source` variable correctly assumes PR context is always available and doesn't need guards for other event types.

Applied to files:

• .github/workflows/deploy-dev.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Get affected projects

🔇 Additional comments (1)

.github/workflows/deploy-dev.yml (1)

46-65: Ignore suggested environment/S3 path changes
The deploy-dev-alternate job intentionally mirrors the primary dev deploy (using environment: 'production' and the same v3/v1.1 S3 paths) to run the full production pipeline against the dev account. There is no inputs.target on workflow_dispatch today, so the proposed manual‐run targeting and path tweaks are not applicable.

Likely an incorrect or invalid review comment.

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Manual trigger is a no-op and breaks PR-only assumptions in get-deploy-inputs.

• With workflow_dispatch enabled, both deploy jobs still have if: github.event.pull_request.merged == true, so a manual run will execute nothing beyond get-deploy-inputs.
• get-deploy-inputs builds trigger_source from github.event.pull_request.*; on manual runs these fields are null and will likely cause expression errors in format(...).

Recommend adding inputs for manual runs and updating job conditions + trigger_source fallback.

Apply this diff to define inputs for manual runs:

 on:
-  workflow_dispatch:
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'Where to deploy'
+        required: true
+        default: 'dev-primary'
+        type: choice
+        options: [dev-primary, dev-alt]
+      skip_tests:
+        description: 'Skip sanity and E2E suites'
+        required: false
+        default: 'true'
+        type: boolean
   pull_request:

And add a safe trigger_source fallback (outside this hunk; replace the single step with two guarded steps):

# in jobs.get-deploy-inputs.steps
- name: Set outputs (PR)
  id: set-outputs-pr
  if: ${{ github.event_name == 'pull_request' }}
  run: echo "trigger_source=${{ format('PR <{0}|#{1}> merged by <{2}|{3}>', github.event.pull_request.html_url, github.event.pull_request.number, format('{0}/{1}', github.server_url, github.actor), github.actor) }}" >> $GITHUB_OUTPUT

- name: Set outputs (manual)
  id: set-outputs-manual
  if: ${{ github.event_name == 'workflow_dispatch' }}
  run: echo "trigger_source=${{ format('Manual dispatch by <{0}/{1}|{1}>', github.server_url, github.actor) }}" >> $GITHUB_OUTPUT

Also allow manual runs to execute the jobs:

# deploy job (outside this hunk)
if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.merged) || (github.event_name == 'workflow_dispatch' && inputs.target == 'dev-primary') }}

🤖 Prompt for AI Agents

.github/workflows/deploy-dev.yml lines 4-4: The workflow currently enables
workflow_dispatch but has no inputs or guarded handling, so manual runs are a
no-op and break get-deploy-inputs which expects pull_request fields; add inputs
for manual runs and change get-deploy-inputs to set trigger_source with two
guarded steps (one for pull_request when github.event_name == 'pull_request'
that builds the PR formatted string, and one for manual when github.event_name
== 'workflow_dispatch' that builds a manual dispatch formatted string) and
update downstream deploy job conditions to allow manual execution (e.g., change
the job if to allow either a merged PR or a workflow_dispatch with inputs.target
== 'dev-primary').

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Environment mismatch and prod-style S3 paths — verify intent before merging.

This is the “Development” workflow, but:

• environment: 'production'
• s3_dir_path: 'v3' and s3_dir_path_legacy: 'v1.1' (no dev/latest prefix)

If deploy.yml keys behavior off environment or S3 paths, this can deploy dev artifacts into production-style layouts or apply prod environment protections.

If this is only for the CloudFront continuous deployment PoC, consider reverting to dev settings or add an explicit toggle so accidental merges don’t flip paths.

Proposed safe defaults:

-      environment: 'production'
+      environment: 'development'
-      s3_dir_path: 'v3'
-      s3_dir_path_legacy: 'v1.1'
+      s3_dir_path: 'dev/latest/v3'
+      s3_dir_path_legacy: 'dev/latest/v1.1'

If you truly need prod-style paths for the PoC, gate them behind the new workflow_dispatch input:

# example
s3_dir_path: ${{ inputs.target == 'dev-primary' && 'dev/latest/v3' || 'v3' }}
s3_dir_path_legacy: ${{ inputs.target == 'dev-primary' && 'dev/latest/v1.1' || 'v1.1' }}

---

🏁 Script executed:

#!/bin/bash
set -e
# Locate the deploy-dev workflow file
file=$(fd --hidden --glob 'deploy-dev.yml' .github/workflows)
echo "File path: $file"

# Show workflow header to confirm its purpose
echo "Workflow header (lines 1-10):"
sed -n '1,10p' "$file"

# Show lines 31-34 for verification
echo "Lines 31-34:"
sed -n '31,34p' "$file"

Length of output: 366

---

Set environment to development and use dev-specific S3 paths
In .github/workflows/deploy-dev.yml (lines 31–34), the job currently targets the production environment and root S3 buckets. Change to the development environment and prefix S3 paths accordingly:

-      environment: 'production'
+      environment: 'development'
-      s3_dir_path: 'v3'
-      s3_dir_path_legacy: 'v1.1'
+      s3_dir_path: 'dev/latest/v3'
+      s3_dir_path_legacy: 'dev/latest/v1.1'

If you really need production-style paths for a PoC, gate them behind a workflow_dispatch input to avoid accidental misdeploys.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	environment: 'production'
	bugsnag_release_stage: 'development'
	s3_dir_path: 'dev/latest/v3'
	s3_dir_path_legacy: 'dev/latest/v1.1'
	s3_dir_path: 'v3'
	s3_dir_path_legacy: 'v1.1'
	environment: 'development'
	bugsnag_release_stage: 'development'
	s3_dir_path: 'dev/latest/v3'
	s3_dir_path_legacy: 'dev/latest/v1.1'

🤖 Prompt for AI Agents

.github/workflows/deploy-dev.yml around lines 31 to 34: the job is incorrectly
configured for production; change environment to 'development' and update S3
paths to use dev-specific prefixes (e.g., s3_dir_path -> 'dev/v3' and
s3_dir_path_legacy -> 'dev/v1.1' or similar), and if production-style paths are
ever required for a PoC, gate them behind a workflow_dispatch input flag so
accidental misdeploys are avoided.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/deploy.yml (1)

155-161: Ensure PACKAGE_VERSION matches built artifact version.

Rollup reads VERSION, but the workflow never sets it. Set VERSION and make sdk fallback to version_suffix to prevent skew.

       - name: Build artifacts
         env:
           BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }}
           BUGSNAG_RELEASE_STAGE: ${{ inputs.bugsnag_release_stage }}
           LOCK_DEPS_VERSION: ${{ inputs.environment == 'production' && 'true' || 'false' }}
-          SDK_VERSION_SUFFIX: ${{ inputs.sdk_version_suffix }}
+          VERSION: ${{ env.CURRENT_VERSION_VALUE }}
+          SDK_VERSION_SUFFIX: ${{ inputs.sdk_version_suffix != '' && inputs.sdk_version_suffix || inputs.version_suffix }}
         run: |
           npm run build:browser
           npm run build:browser:modern

♻️ Duplicate comments (2)

.github/workflows/deploy-dev.yml (2)

21-23: Manual dispatch will break trigger_source.

On workflow_dispatch, github.event.pull_request.* is null. Use guarded steps (this was raised earlier).

-      - name: Set outputs
-        id: set-outputs
-        run: echo "trigger_source=${{ format('PR <{0}|#{1}> merged by <{2}|{3}>', github.event.pull_request.html_url, github.event.pull_request.number, format('{0}/{1}', github.server_url, github.actor), github.actor) }}" >> $GITHUB_OUTPUT
+      - name: Set outputs (PR)
+        id: set-outputs-pr
+        if: ${{ github.event_name == 'pull_request' }}
+        run: echo "trigger_source=${{ format('PR <{0}|#{1}> merged by <{2}|{3}>', github.event.pull_request.html_url, github.event.pull_request.number, format('{0}/{1}', github.server_url, github.actor), github.actor) }}" >> $GITHUB_OUTPUT
+
+      - name: Set outputs (manual)
+        id: set-outputs-manual
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        run: echo "trigger_source=${{ format('Manual dispatch by <{0}/{1}|{1}>', github.server_url, github.actor) }}" >> $GITHUB_OUTPUT

Also add workflow_dispatch inputs to guide manual runs (target/skip_tests), as previously suggested.

---

30-33: Prod gating in a “Development” workflow—confirm intent.

Setting environment: 'production' and using root S3 paths (‘v3’, ‘v1.1’) flips deploy.yml into prod-only branches (versioned copies, extra invalidations).

If unintended, revert:

-      environment: 'production'
+      environment: 'development'
-      s3_dir_path: 'v3'
-      s3_dir_path_legacy: 'v1.1'
+      s3_dir_path: 'dev/latest/v3'
+      s3_dir_path_legacy: 'dev/latest/v1.1'

🧹 Nitpick comments (5)

packages/analytics-js/rollup.config.mjs (1)

162-165: Semver-safe suffix + align defaults with package.json.

• Current logic may emit non-semver strings if SDK_VERSION_SUFFIX contains spaces/special chars.
• Also consider defaulting to pkg.version to avoid "dev-snapshot" drift.

Apply:

-  let version = process.env.VERSION || 'dev-snapshot';
-  if (process.env.SDK_VERSION_SUFFIX) {
-    version = `${version}-${process.env.SDK_VERSION_SUFFIX}`;
-  }
+  let version = process.env.VERSION || pkg.version || 'dev-snapshot';
+  const rawSuffix = process.env.SDK_VERSION_SUFFIX?.trim();
+  const safeSuffix = rawSuffix ? rawSuffix.replace(/[^0-9A-Za-z.-]/g, '-') : '';
+  if (safeSuffix) {
+    version = `${version}-${safeSuffix}`;
+  }

.github/workflows/deploy.yml (1)

45-48: Input naming overlap: version_suffix vs sdk_version_suffix.

Two suffix knobs can diverge (package.json vs PACKAGE_VERSION). Either document precedence or unify behavior.

Would you prefer sdk_version_suffix to default to version_suffix when set?

.github/workflows/deploy-dev.yml (3)

45-64: Alternate path likely needs an alternate CDN domain.

deploy-dev-alternate uses AWS_DEV_ALT_* but base_cdn_url stays https://cdn.dev.rudderlabs.com. If your alternate CloudFront distribution exposes a different domain (typical in CF continuous deployment), set base_cdn_url accordingly to avoid broken links in list.html.

Do you want me to wire a base_cdn_url_alt input and pass it here?

---

85-104: Alternate sanity suite mirrors base_cdn_url—confirm domain.

As above, verify the CDN domain matches the ALT distribution.

---

106-106: Hard-disabled E2E.

if: false masks regressions. Consider guarding via an input (skip_tests) instead, defaulting to true for the PoC and flipping later.

-  run-e2e-regression-test-suites:
-    if: false
+  run-e2e-regression-test-suites:
+    if: ${{ !inputs.skip_tests }}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 413ea99 and 439d743.

📒 Files selected for processing (3)

• .github/workflows/deploy-dev.yml (3 hunks)
• .github/workflows/deploy.yml (2 hunks)
• packages/analytics-js/rollup.config.mjs (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

packages/*/rollup.config.mjs

📄 CodeRabbit inference engine (CLAUDE.md)

Each package should define its build configuration in packages/[package-name]/rollup.config.mjs

Files:

• packages/analytics-js/rollup.config.mjs

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Deploy sanity suite / Deploy Sanity Suite
• GitHub Check: deploy-dev-alternate / Deploy to environment
• GitHub Check: Deploy to Development Environment / Deploy to environment
• GitHub Check: Bundle size checks
• GitHub Check: Code quality checks
• GitHub Check: Unit Tests and Lint

🔇 Additional comments (1)

.github/workflows/deploy-dev.yml (1)

70-73: Sanity suite uses production gating.

Same concern as main deploy—this will execute prod-only branches in deploy-sanity-suite.yml (if any). Confirm that’s desired for the PoC.

[github-actions]

size-limit report 📦

Name	Size	Delta	Limit check
Load Snippet	780 B	0 B (0% 🟢)	1 KB (✅)
Core - Legacy - NPM (ESM)	48.02 KB	0 B (0% 🟢)	50 KB (✅)
Core - Legacy - NPM (CJS)	48.3 KB	0 B (0% 🟢)	50 KB (✅)
Core - Legacy - NPM (UMD)	48.07 KB	0 B (0% 🟢)	50 KB (✅)
Core - Legacy - CDN	48.11 KB	0 B (0% 🟢)	50 KB (✅)
Core - Modern - NPM (ESM)	27.67 KB	0 B (0% 🟢)	28 KB (✅)
Core - Modern - NPM (CJS)	27.86 KB	0 B (0% 🟢)	28 KB (✅)
Core - Modern - NPM (UMD)	27.68 KB	0 B (0% 🟢)	28 KB (✅)
Core - Modern - CDN	27.9 KB	0 B (0% 🟢)	28 KB (✅)
Core (Bundled) - Legacy - NPM (ESM)	48.02 KB	0 B (0% 🟢)	50 KB (✅)
Core (Bundled) - Legacy - NPM (CJS)	48.25 KB	0 B (0% 🟢)	50 KB (✅)
Core (Bundled) - Legacy - NPM (UMD)	48.07 KB	0 B (0% 🟢)	50 KB (✅)
Core (Bundled) - Modern - NPM (ESM)	40.77 KB	0 B (0% 🟢)	41 KB (✅)
Core (Bundled) - Modern - NPM (CJS)	41.01 KB	0 B (0% 🟢)	41.5 KB (✅)
Core (Bundled) - Modern - NPM (UMD)	40.82 KB	0 B (0% 🟢)	41 KB (✅)
Core (Content Script) - Legacy - NPM (ESM)	47.96 KB	0 B (0% 🟢)	50 KB (✅)
Core (Content Script) - Legacy - NPM (CJS)	48.22 KB	0 B (0% 🟢)	50 KB (✅)
Core (Content Script) - Legacy - NPM (UMD)	48.01 KB	0 B (0% 🟢)	50 KB (✅)
Core (Content Script) - Modern - NPM (ESM)	40.68 KB	0 B (0% 🟢)	41 KB (✅)
Core (Content Script) - Modern - NPM (CJS)	41 KB	0 B (0% 🟢)	41 KB (✅)
Core (Content Script) - Modern - NPM (UMD)	40.71 KB	0 B (0% 🟢)	41 KB (✅)

[github-actions]

Hello! This PR has been open for 20 days without any activity. Therefore, it's considered as stale and is scheduled to be closed in 10 days. If you're still working on this, please remove the 'Stale' label or add a comment to keep it open. Thanks for your contribution!