feat(ci): add Webex space notification for widgets#675
feat(ci): add Webex space notification for widgets#675vamshigovardhana merged 7 commits intowebex:nextfrom
Conversation
Add notify-webex-space job to send deployment notifications Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4df85dd46a
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| PR_BLOCK=$(printf '%s' "**PR:** [${PR_TITLE}](${PR_LINK})") | ||
| if [ -n "${MESSAGE}" ]; then | ||
| MESSAGE=$(printf '%s\n\n%s' "${MESSAGE}" "${PR_BLOCK}") | ||
| else | ||
| MESSAGE="${PR_BLOCK}" |
There was a problem hiding this comment.
In .github/workflows/deploy.yml's notify-webex-space step, the message is populated from PR_LINK even when primary_version/changelog_url are empty, so runs with publish-npm skipped (has_changes=false) can still post a “deployment” notification that only contains a PR link. That creates false-positive release alerts for merges that did not publish anything. Gate notification sending on an actual released version (or needs.publish-npm.outputs.published == 'true') to avoid misleading messages.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
if no version is released posting the PR Link in the space useful right?
| curl -sSf \ | ||
| -H "Authorization: Bearer ${WEBEX_BOT_TOKEN}" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d "${BODY}" \ | ||
| https://webexapis.com/v1/messages > /dev/null |
There was a problem hiding this comment.
The workflow calls curl -sSf against Webex without first validating WEBEX_BOT_TOKEN and WEBEX_ROOM_ID. If either secret is missing/empty (for example in a newly configured repo, fork, or after secret rotation), Webex returns an HTTP error and -f makes this step exit non-zero, causing the deploy workflow to fail after publish/tag work already completed. Add an explicit secret presence check and skip notification when they are absent to keep notification config issues from breaking deployments.
Useful? React with 👍 / 👎.
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
- Include package name in version output (e.g. @webex/cc-widgets@1.0.0) - Use bash arrays for cleaner message formatting - Add blank lines between version, PR, and changelog sections - Add debug logging for message content
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e81eae22e3
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| // Set outputs for downstream jobs | ||
| core.setOutput('primary_package', primaryPackage); | ||
| core.setOutput('primary_version', primaryVersion); | ||
| core.setOutput('changelog_url', changelogUrl); |
There was a problem hiding this comment.
This step now feeds downstream notification data via core.setOutput(...), but those calls are placed after multiple early return paths in the same script (for example when a detailed bot comment already exists). In reruns of a successful release, the script can exit before setting outputs, so notify-webex-space receives empty primary_version/changelog_url values and sends an incomplete PR-only message despite a real publish. Ensure outputs are set before any early return (or replace returns with guarded branches) so downstream jobs always receive release metadata.
Useful? React with 👍 / 👎.
Use printf with double newlines to ensure proper blank line spacing between version, PR, and changelog sections in Webex notifications
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8fb13e4bee
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| id: post-comment | ||
| if: steps.get-pr.outputs.pr_number != '' |
There was a problem hiding this comment.
The post-comment step is gated on steps.get-pr.outputs.pr_number != '', but this same step is the only place that sets primary_package, primary_version, and changelog_url outputs. If Get PR Number hits a transient GitHub API error (it catches and sets an empty PR number), this step is skipped, those outputs remain empty, and notify-webex-space exits without sending any deployment details even when npm publish succeeded. Release metadata generation should not depend on PR discovery.
Useful? React with 👍 / 👎.
vamshigovardhana
changed the title
|
|
||
| notify-webex-space: | ||
| name: Send Webex Space Notification | ||
| needs: [publish-tag, publish-npm, comment-on-pr] |
There was a problem hiding this comment.
Duplicate Webex notifications on workflow re-runs
There is no idempotency key; re-running a successful Deploy CD can post the same Webex message again. If that is undesirable, document it as accepted behavior or add a guard (for example only when github.run_attempt == 1, or a stronger “already notified this version” signal if you add state).
| notify-webex-space: | ||
| name: Send Webex Space Notification | ||
| needs: [publish-tag, publish-npm, comment-on-pr] | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
Consider least-privilege permissions for this job
If this job only posts to Webex via curl (no extra GitHub writes), you can usually tighten permissions at the job level so future edits cannot accidentally expand token scope beyond what notification needs.
There was a problem hiding this comment.
The job currently only posts to Webex via curl and doesn't need write permissions.
| name: Send Webex Space Notification | ||
| needs: [publish-tag, publish-npm, comment-on-pr] | ||
| runs-on: ubuntu-latest | ||
| if: always() |
There was a problem hiding this comment.
Pair if: always() with explicit guards
always() helps run after mixed upstream results, but combined with needs it can be surprising when dependencies are skipped/failed. Consider explicit checks in the shell (or job if:) for “publish actually happened”, secrets present, and a non-misleading message so partial failures do not evolve into noisy/incorrect notifications as the graph changes.
There was a problem hiding this comment.
I'd like to keep the notification logic simple - the job will attempt to send whatever information is available from upstream jobs. The existing check at line 587 (if [ ${#MESSAGE_PARTS[@]} -eq 0 ]) will skip notification when there's no content to send.
|
|
||
| echo "Sending message to Webex Space..." | ||
| echo "Message content:" | ||
| echo "${MESSAGE}" |
There was a problem hiding this comment.
Message content / logging
Echoing the full markdown can be useful while iterating, but confirm this matches your logging policy. The “PR title” is derived from the first line of head_commit.message, which can include ticket IDs or wording you may not want duplicated into a space; if needed, trim/sanitize or use PR metadata via API instead.
There was a problem hiding this comment.
The message content logging is intentional for debugging and visibility.
| echo "${MESSAGE}" | ||
|
|
||
| BODY=$(jq -n --arg room "${WEBEX_ROOM_ID}" --arg md "${MESSAGE}" '{roomId: $room, markdown: $md}') | ||
| curl -sSf \ |
There was a problem hiding this comment.
Add timeouts to curl
Without --connect-timeout / --max-time, a hung TLS connection can consume the runner until the job timeout. Recommend a bounded request (for example --max-time 30).
There was a problem hiding this comment.
The curl request doesn't have explicit timeout, but GitHub Actions jobs have built-in timeouts
| curl -sSf \ | ||
| -H "Authorization: Bearer ${WEBEX_BOT_TOKEN}" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d "${BODY}" \ |
There was a problem hiding this comment.
Runner egress to Webex
This step requires outbound HTTPS to webexapis.com. In locked-down environments (proxies, egress allowlists), failures can look like mysterious CI flakes—worth a short ops note in workflow comments or internal runbooks.
There was a problem hiding this comment.
GitHub runners have outbound HTTPS access to webexapis.com configured.
Add github.run_attempt == 1 condition to only send notifications on the first workflow run attempt, preventing duplicate messages when workflows are manually re-run.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 40756aa831
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| needs: [publish-tag, publish-npm, comment-on-pr] | ||
| runs-on: ubuntu-latest | ||
| if: always() && github.run_attempt == 1 |
There was a problem hiding this comment.
notify-webex-space currently depends only on publish-tag, publish-npm, and comment-on-pr, so it can send a “deployment complete” message even when publish-documentation is still running or has failed. In that case the notification may point to a changelog/docs state that is not yet published, which is a false-positive release signal for downstream teams. Add publish-documentation to this job’s needs (and gate on successful completion) so Webex messages are emitted only after the full deploy pipeline finishes.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c588310224
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| curl -sSf \ | ||
| -H "Authorization: Bearer ${WEBEX_BOT_TOKEN}" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d "${BODY}" \ | ||
| https://webexapis.com/v1/messages > /dev/null |
There was a problem hiding this comment.
This step calls curl -sSf unconditionally, so if WEBEX_BOT_TOKEN or WEBEX_ROOM_ID is unset (for example after secret rotation or in a newly configured environment), Webex returns an HTTP error and -f makes the job fail. Because this runs after publish/tag jobs, a notification configuration issue can incorrectly mark an otherwise successful deployment workflow as failed.
Useful? React with 👍 / 👎.
|
|
||
| notify-webex-space: | ||
| name: Send Webex Space Notification | ||
| needs: [publish-tag, publish-npm, comment-on-pr] |
There was a problem hiding this comment.
The notification job does not depend on publish-documentation, so it can run (and post release/changelog links) while docs publication is still running or has failed. This creates a false completion signal where teams see a deployment notification before the documentation/changelog side of the deploy pipeline has actually succeeded.
Useful? React with 👍 / 👎.
| primary_package: ${{ steps.post-comment.outputs.primary_package }} | ||
| primary_version: ${{ steps.post-comment.outputs.primary_version }} | ||
| changelog_url: ${{ steps.post-comment.outputs.changelog_url }} |
There was a problem hiding this comment.
These job outputs are sourced only from steps.post-comment, but that step is skipped when PR lookup fails (get-pr catches errors and sets an empty PR number). In that case npm publish can still succeed, yet primary_package/primary_version/changelog_url stay empty and downstream notification loses release details. Compute metadata independently of PR lookup or provide a fallback source.
Useful? React with 👍 / 👎.
|
✅ Your changes have been merged! Thank you for your contribution! 🤖 This is an automated message. For queries, please contact support. |
3 participants
Summary
Adds automated Webex space notifications to the Deploy CD workflow. When deployments complete, a notification is sent to a configured Webex space with deployment details.
Changes
notify-webex-spacejob that sends notifications after deploymentcomment-on-prjob to expose outputs:pr_number,primary_version,changelog_urlSetup Required
The following GitHub secrets need to be added to the repository:
WEBEX_BOT_TOKEN: Bot access token for authenticationWEBEX_ROOM_ID: ID of the Webex space where notifications should be sentTest Plan
Vidcast Link:https://app.vidcast.io/share/355ed39e-f66b-4ee5-93df-964db27f72c3
Example Notification
Version: webex@ 1.2.3-next.4
PR: fix: update contact center integration
Changelog: https://widgets.webex.com/changelog/?package=@webex/cc-widgets&version=1.2.3-next.4