chore: update and fix rollback workflow

.github/workflows/promote.yml

@@ -35,7 +35,7 @@ on:
 
 jobs:
   promote:
-    name: Promote ${{ inputs.version }} to ${{ fromJSON(inputs.isStableRelease) && 'stable' || inputs.channel }}
+    name: Promote ${{ inputs.version }} to ${{ inputs.channel }}
     runs-on: ubuntu-latest
     env:
       CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}

.github/workflows/rollback.yml

@@ -1,51 +1,93 @@
-name: Rollback release
+name: Rollback latest release
 
 on:
   workflow_dispatch:
     inputs:
-      version-to-roll-back:
-        description: version number that needs to be rolled back (format x.x.x)
-        type: string
+      rollbackChannel:
+        description: Which channel needs to be rolled back?
+        type: choice
         required: true
+        options:
+        - stable
+        - beta
+        - alpha
 
 jobs:
-  determine-target-tag:
-    name: Determine target tag for rollback
+  get-target-and-rollback-tags:
+    name: Get target tag and rollback tags
     runs-on: ubuntu-latest
     outputs:
-      targetTag: ${{ github.ref_name }}
-      isStableRelease: ${{ steps.isStableRelease.outputs.isStableRelease }}
+      targetTag: ${{ steps.getRollbackTargetTags.outputs.targetTag }}
+      rollbackTag: ${{ steps.getRollbackTargetTags.outputs.rollbackTag }}
     steps:
-      - name: is input a tag
-        if: github.ref_type != 'tag'
-        run: exit 1
-      - name: Get target version
-        id: isStableRelease
-        shell: bash
+      - name: install apt-get dependencies
         run: |
-          if [[ ${{ github.ref_name }} =~"beta" ]]
-          then
-            echo "isStableRelease=true" >> $GITHUB_OUTPUT
+          sudo apt-get update
+          sudo apt-get install -y awscli jq
+      - name: get rollback and target tags
+        id: getRollbackTargetTags
+        run: |
+          VERSION_LIST=$(npm view heroku versions --json)
+          CHANNEL_VERSION_LIST=[]
+          if [[ ${{ inputs.rollbackChannel }} == 'stable' ]]; then
+            CHANNEL_VERSION_LIST=$(echo ${VERSION_LIST} | jq '[.[] | select(test("-") | not )]')
           else
-            echo "isStableRelease=false" >> $GITHUB_OUTPUT
+            CHANNEL_VERSION_LIST=$(echo ${VERSION_LIST} | jq '[.[] | select(test("'${{ inputs.rollbackChannel }}'"))]')
           fi
+          ROLLBACK_VERSION=$(echo ${CHANNEL_VERSION_LIST} | jq '.[-1]')
+          echo "rollbackTag=${ROLLBACK_VERSION}" >> $GITHUB_OUTPUT
+          TARGET_VERSION=$(echo ${CHANNEL_VERSION_LIST} | jq '.[-2]')
+          echo "targetTag=${TARGET_VERSION}" >> $GITHUB_OUTPUT
 
-  promote-previous-tag:
-    needs: determine-target-tag
-    name: Promote ${{ needs.determine-target-tag.outputs.targetTag }} to ${{ needs.determine-target-tag.outputs.isStableRelease && 'stable' || 'beta' }}
+  validate-stable-tags:
+    name: Validate rollback tag
+    # pub-hk-ubuntu-22.04- due to IP allow list issues with public repos: https://salesforce.quip.com/bu6UA0KImOxJ
+    runs-on: pub-hk-ubuntu-22.04-small
+    needs: [get-target-and-rollback-tags]
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - if: ${{ inputs.rollbackChannel == 'stable' }}
+        run: |
+          GITHUB_LATEST_RELEASE=$(gh release view --repo heroku/cli --json tagName -q '.tagName.[1:]')
+          if [[ "${GITHUB_LATEST_RELEASE}" != "'${{ needs.get-target-and-rollback-tags.outputs.rollbackTag }}'"* ]]; then
+            echo "The Github latest release (${GITHUB_LATEST_RELEASE}) and the NPM latest release ("${{ needs.get-target-and-rollback-tags.outputs.rollbackTag }}") do not match."
+            exit 1
+          fi
+
+  # This job needs to go before the promote job, as the promote job looks for the current channel release on NPM.
+  deprecate-npm-rollback-tag:
+    needs: [get-target-and-rollback-tags, validate-stable-tags]
+    name: Deprecate rollback version on NPM
     # if statement only here to protect our prod release while we test this functionality
-    if: ${{ !fromJSON(needs.determine-target-tag.outputs.isStableRelease) }}
+    if: ${{ inputs.rollbackChannel != 'stable' }}
+    # pub-hk-ubuntu-22.04- due to IP allow list issues with public repos: https://salesforce.quip.com/bu6UA0KImOxJ
+    runs-on: pub-hk-ubuntu-22.04-small
+    steps:
+      - name: set NPM auth
+        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_PUBLISH_KEY }}" > ~/.npmrc
+      - name: deprecate NPM release and set previous release to latest/prerelease channel
+        run: |
+          npm dist-tag add heroku@${{ needs.get-target-and-rollback-tags.outputs.targetTag }} ${{ inputs.rollbackChannel }}
+          npm deprecate heroku@${{ needs.get-target-and-rollback-tags.outputs.rollbackTag }} "Version is deprecated due to problems with the release"
+
+  promote-target-tag:
+    needs: [get-target-and-rollback-tags, validate-stable-tags, deprecate-npm-rollback-tag]
+    name: Promote ${{ needs.get-target-and-rollback-tags.outputs.targetTag }} to ${{ inputs.rollbackChannel }}
+    # if statement only here to protect our prod release while we test this functionality
+    if: ${{ inputs.rollbackChannel != 'stable' }}
     uses: ./.github/workflows/promote.yml
     with:
-      version: ${{ needs.determine-target-tag.outputs.targetTag }}
-      isStableRelease: ${{ needs.determine-target-tag.outputs.isStableRelease }}
+      version: ${{ needs.get-target-and-rollback-tags.outputs.targetTag }}
+      isStableRelease: ${{ inputs.rollbackChannel == 'stable' }}
+      channel: ${{ inputs.rollbackChannel }}
     secrets: inherit
 
   invalidate-cdn-cache:
-    needs: [determine-target-tag, promote-previous-tag]
+    needs: [get-target-and-rollback-tags, validate-stable-tags, promote-target-tag]
     name: Invalidate Cloudfront cache
     # if statement only here to protect our prod release while we test this functionality
-    if: ${{ !fromJSON(needs.determine-target-tag.outputs.isStableRelease) }}
+    if: ${{ inputs.rollbackChannel != 'stable' }}
     runs-on: ubuntu-latest
     env:
       CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}
@@ -60,32 +102,17 @@ jobs:
           aws configure set preview.cloudfront true
       - run: ./scripts/postrelease/invalidate_cdn_cache
 
-  deprecate-npm-version:
-    needs: determine-target-tag
-    name: Deprecate rollback version on NPM
-    # if statement only here to protect our prod release while we test this functionality
-    if: ${{ !fromJSON(needs.determine-target-tag.outputs.isStableRelease) }}
-    # pub-hk-ubuntu-22.04- due to IP allow list issues with public repos: https://salesforce.quip.com/bu6UA0KImOxJ
-    runs-on: pub-hk-ubuntu-22.04-small
-    steps:
-      - name: set NPM auth
-        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_PUBLISH_KEY }}" > ~/.npmrc
-      - name: deprecate release
-        run: |
-          npm dist-tag add heroku@${{ needs.determine-target-tag.outputs.targetTag }} ${{ needs.determine-target-tag.outputs.isStableRelease && 'latest' || 'beta' }}
-          npm deprecate heroku@${{ inputs.version-to-roll-back }} "Version is deprecated due to problems with the release"
-
   rollback-brew:
     name: Rollback brew release
-    needs: determine-target-tag
-    if: ${{ !fromJSON(needs.determine-target-tag.outputs.isStableRelease) }}
+    needs: [get-target-and-rollback-tags, validate-stable-tags]
+    if: ${{ inputs.rollbackChannel != 'stable' }}
     # pub-hk-ubuntu-22.04- due to IP allow list issues with public repos: https://salesforce.quip.com/bu6UA0KImOxJ
     runs-on: pub-hk-ubuntu-22.04-small
     environment: ReleaseHomebrew
     steps:
       - name: yarn install
         run: yarn --immutable --network-timeout 1000000
       - name: rollback homebrew
-        run: node ./scripts/rollback/homebrew.js
+        run: ./scripts/rollback/homebrew.js
     env:
-      ROLLBACK_VERSION: ${{ inputs.version-to-roll-back }}
+      ROLLBACK_VERSION: ${{ needs.get-target-and-rollback-tags.outputs.rollbackTag }}