feat(ci): add Webex space notification for widgets #675
vamshigovardhana wants to merge 4 commits into webex:next from
Add notify-webex-space job to send deployment notifications Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4df85dd46a
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| PR_BLOCK=$(printf '%s' "**PR:** [${PR_TITLE}](${PR_LINK})") | ||
| if [ -n "${MESSAGE}" ]; then | ||
| MESSAGE=$(printf '%s\n\n%s' "${MESSAGE}" "${PR_BLOCK}") | ||
| else | ||
| MESSAGE="${PR_BLOCK}" |
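Review bot: `PR_TITLE` goes into the Markdown link text of `PR_BLOCK` unescaped, so a title containing `]`, `(` or other Markdown syntax changes how the link renders in the space. Escape Markdown metacharacters in the title (or send it as plain text) before building `[${PR_TITLE}](${PR_LINK})`.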
Skip Webex notification when no package was released
In .github/workflows/deploy.yml's notify-webex-space step, the message is populated from PR_LINK even when primary_version/changelog_url are empty, so runs with publish-npm skipped (has_changes=false) can still post a “deployment” notification that only contains a PR link. That creates false-positive release alerts for merges that did not publish anything. Gate notification sending on an actual released version (or needs.publish-npm.outputs.published == 'true') to avoid misleading messages.
If no version is released, posting the PR link in the space is useful, right?
| curl -sSf \ | ||
| -H "Authorization: Bearer ${WEBEX_BOT_TOKEN}" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d "${BODY}" \ | ||
| https://webexapis.com/v1/messages > /dev/null |
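Review bot: the bearer token is passed in the `-H "Authorization: Bearer ${WEBEX_BOT_TOKEN}"` argument, which puts it on curl's command line where other processes on the runner can read it. Supply the header from stdin or a file instead (`-H @-`), and note that with `-sSf` and the response sent to `/dev/null`, a failed request leaves only curl's one-line error in the log.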
Guard Webex post when bot secrets are unset
The workflow calls curl -sSf against Webex without first validating WEBEX_BOT_TOKEN and WEBEX_ROOM_ID. If either secret is missing/empty (for example in a newly configured repo, fork, or after secret rotation), Webex returns an HTTP error and -f makes this step exit non-zero, causing the deploy workflow to fail after publish/tag work already completed. Add an explicit secret presence check and skip notification when they are absent to keep notification config issues from breaking deployments.
This pull request is automatically being deployed by Amplify Hosting (learn more).
- Include package name in version output (e.g. @webex/cc-widgets@1.0.0)
- Use bash arrays for cleaner message formatting
- Add blank lines between version, PR, and changelog sections
- Add debug logging for message content
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e81eae22e3
| // Set outputs for downstream jobs | ||
| core.setOutput('primary_package', primaryPackage); | ||
| core.setOutput('primary_version', primaryVersion); | ||
| core.setOutput('changelog_url', changelogUrl); |
Set release outputs before early returns
This step now feeds downstream notification data via core.setOutput(...), but those calls are placed after multiple early return paths in the same script (for example when a detailed bot comment already exists). In reruns of a successful release, the script can exit before setting outputs, so notify-webex-space receives empty primary_version/changelog_url values and sends an incomplete PR-only message despite a real publish. Ensure outputs are set before any early return (or replace returns with guarded branches) so downstream jobs always receive release metadata.
Use printf with double newlines to ensure proper blank line spacing between version, PR, and changelog sections in Webex notifications
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8fb13e4bee
| id: post-comment | ||
| if: steps.get-pr.outputs.pr_number != '' |
Compute release metadata even when PR lookup fails
The post-comment step is gated on steps.get-pr.outputs.pr_number != '', but this same step is the only place that sets primary_package, primary_version, and changelog_url outputs. If Get PR Number hits a transient GitHub API error (it catches and sets an empty PR number), this step is skipped, those outputs remain empty, and notify-webex-space exits without sending any deployment details even when npm publish succeeded. Release metadata generation should not depend on PR discovery.
|
|
||
| notify-webex-space: | ||
| name: Send Webex Space Notification | ||
| needs: [publish-tag, publish-npm, comment-on-pr] |
Duplicate Webex notifications on workflow re-runs
There is no idempotency key; re-running a successful Deploy CD can post the same Webex message again. If that is undesirable, document it as accepted behavior or add a guard (for example only when github.run_attempt == 1, or a stronger “already notified this version” signal if you add state).
| notify-webex-space: | ||
| name: Send Webex Space Notification | ||
| needs: [publish-tag, publish-npm, comment-on-pr] | ||
| runs-on: ubuntu-latest |
Consider least-privilege permissions for this job
If this job only posts to Webex via curl (no extra GitHub writes), you can usually tighten permissions at the job level so future edits cannot accidentally expand token scope beyond what notification needs.
| name: Send Webex Space Notification | ||
| needs: [publish-tag, publish-npm, comment-on-pr] | ||
| runs-on: ubuntu-latest | ||
| if: always() |
Pair if: always() with explicit guards
always() helps run after mixed upstream results, but combined with needs it can be surprising when dependencies are skipped/failed. Consider explicit checks in the shell (or job if:) for “publish actually happened”, secrets present, and a non-misleading message so partial failures do not evolve into noisy/incorrect notifications as the graph changes.
|
|
||
| echo "Sending message to Webex Space..." | ||
| echo "Message content:" | ||
| echo "${MESSAGE}" |
Message content / logging
Echoing the full markdown can be useful while iterating, but confirm this matches your logging policy. The “PR title” is derived from the first line of head_commit.message, which can include ticket IDs or wording you may not want duplicated into a space; if needed, trim/sanitize or use PR metadata via API instead.
| echo "${MESSAGE}" | ||
|
|
||
| BODY=$(jq -n --arg room "${WEBEX_ROOM_ID}" --arg md "${MESSAGE}" '{roomId: $room, markdown: $md}') | ||
| curl -sSf \ |
Add timeouts to curl
Without --connect-timeout / --max-time, a hung TLS connection can consume the runner until the job timeout. Recommend a bounded request (for example --max-time 30).
| curl -sSf \ | ||
| -H "Authorization: Bearer ${WEBEX_BOT_TOKEN}" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d "${BODY}" \ |
Runner egress to Webex
This step requires outbound HTTPS to webexapis.com. In locked-down environments (proxies, egress allowlists), failures can look like mysterious CI flakes—worth a short ops note in workflow comments or internal runbooks.
Summary
Adds automated Webex space notifications to the Deploy CD workflow. When deployments complete, a notification is sent to a configured Webex space with deployment details.
Changes
- notify-webex-space job that sends notifications after deployment
- comment-on-pr job to expose outputs: pr_number, primary_version, changelog_url
Setup Required
The following GitHub secrets need to be added to the repository:
- WEBEX_BOT_TOKEN: Bot access token for authentication
- WEBEX_ROOM_ID: ID of the Webex space where notifications should be sent
Test Plan
Vidcast Link: https://app.vidcast.io/share/355ed39e-f66b-4ee5-93df-964db27f72c3
Example Notification
Version: webex@ 1.2.3-next.4
PR: fix: update contact center integration
Changelog: https://widgets.webex.com/changelog/?package=@webex/cc-widgets&version=1.2.3-next.4
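
The guards the review comments above ask for (skip when the bot secrets are unset or no version was released, bound the request with a timeout, keep the token off the command line, escape the title), sketched as an added shell example. This is not the PR's workflow code; the function names, the skip messages and the `PRIMARY_VERSION`, `PR_TITLE` and `PR_LINK` environment variable names are assumptions.

```shell
#!/usr/bin/env bash
# Added example; function names and skip messages are hypothetical.

# Echo "send", or a skip reason with non-zero status, so a missing
# secret or an unreleased version skips the step instead of failing it.
should_notify() {
  local token="$1" room="$2" version="$3"
  if [ -z "$token" ] || [ -z "$room" ]; then
    echo "skip: WEBEX_BOT_TOKEN or WEBEX_ROOM_ID is unset"; return 1
  fi
  if [ -z "$version" ]; then
    echo "skip: no package version was released"; return 1
  fi
  echo "send"
}

# Backslash-escape Markdown metacharacters in the free-text title so it
# cannot change how the link renders.
escape_md() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[][`*_()<>]/\\&/g'
}

pr_block() {
  printf '**PR:** [%s](%s)' "$(escape_md "$1")" "$2"
}

# POST the message. The Authorization header is read from stdin (-H @-),
# keeping the token out of curl's argv; --max-time bounds a hung request.
post_webex() {
  local body
  body=$(jq -n --arg room "$WEBEX_ROOM_ID" --arg md "$1" \
    '{roomId: $room, markdown: $md}')
  printf 'Authorization: Bearer %s\n' "$WEBEX_BOT_TOKEN" |
    curl -sSf --connect-timeout 10 --max-time 30 \
      -H @- -H 'Content-Type: application/json' \
      -d "$body" https://webexapis.com/v1/messages > /dev/null
}

# Entry point for the workflow step; reads its inputs from the environment.
notify() {
  local reason
  if ! reason=$(should_notify "${WEBEX_BOT_TOKEN:-}" "${WEBEX_ROOM_ID:-}" \
      "${PRIMARY_VERSION:-}"); then
    echo "$reason"
    return 0
  fi
  post_webex "$(pr_block "${PR_TITLE:-}" "${PR_LINK:-}")"
}
```

Calling `notify` as the last line of the step sends the message; a skip prints its reason and exits zero, so a notification misconfiguration does not fail a deploy that already published.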