ci(finalize_rollout): compose existing CLI commands in workflow (#75238)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: aaronsteers

.github/workflows/finalize_rollout.yml

@@ -1,12 +1,11 @@
-name: Finalize connector rollout
-# This workflow is called by the backend Temporal workflow "finalizeRollout"
-# as a part of its response to calls to `/connector_rollout/manual_finalize`,
-# or in response to automatic fallback/finalization.
+name: Finalize Progressive Rollout
+# Dispatched by the platform's Temporal connector-rollout worker
+# (PromoteOrRollbackActivityImpl) after a promote/rollback decision.
+# After this workflow completes, verifyDefaultVersionActivity polls
+# for up to 3 hours for the GA version to become default, then
+# finalizeRolloutActivity unpins actors.
 #
-# The workflow performs these tasks:
-# 1. Generate an `auto-merge/bypass`-labeled PR to version-bump forward
-#    the named connector, including changelog entry.
-# 2. Delete the `.../release_candidate` subdirectory in the GCS Registry Store.
+# See: airbyte-platform-internal/.../connector-rollout-worker/
 
 on:
   repository_dispatch:
@@ -19,40 +18,41 @@ on:
       action:
         description: "Action to perform"
         required: true
+        type: choice
         options: ["promote", "rollback"]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+# ---------------------------------------------------------------------------
+# Job 1: Registry cleanup (runs for both promote and rollback)
+# ---------------------------------------------------------------------------
 jobs:
-  finalize_rollout:
-    name: Finalize connector rollout for ${{ github.event.inputs.connector_name }}
+  rc-registry-cleanup:
+    name: "Registry cleanup (${{ github.event_name == 'workflow_dispatch' && github.event.inputs.action || github.event.client_payload.action }})"
     runs-on: ubuntu-24.04
     env:
       ACTION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.action || github.event.client_payload.action }}
       CONNECTOR_NAME: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.connector_name || github.event.client_payload.connector_name }}
     steps:
-      - name: Check action value
+      - name: Validate action
         run: |
           if [[ "${ACTION}" != "promote" && "${ACTION}" != "rollback" ]]; then
-            echo "Invalid action: ${ACTION}"
+            echo "::error::Invalid action: '${ACTION}'. Must be 'promote' or 'rollback'."
             exit 1
           fi
         shell: bash
 
-      - name: Checkout Airbyte repo
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
       - name: Install uv
         uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
 
       - name: Install Ops CLI
         run: uv tool install airbyte-internal-ops
 
-      # Delete the release_candidate/ metadata marker from GCS.
-      # This is the same operation for both promote and rollback:
-      # it removes the RC pointer so the platform knows the rollout
-      # is finalized.  The versioned blob (e.g. 1.2.3-rc.1/) is
-      # intentionally preserved as an audit trail.
-      - name: "GCS cleanup: delete RC metadata marker"
+      # Deletes the release_candidate/ metadata marker from GCS.
+      # The versioned blob (e.g. 1.2.3-rc.1/) is preserved as audit trail.
+      - name: "Delete RC metadata marker"
         shell: bash
         env:
           GCS_CREDENTIALS: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
@@ -61,3 +61,189 @@ jobs:
           airbyte-ops registry rc cleanup
           --name "${CONNECTOR_NAME}"
           --store "${REGISTRY_STORE}"
+
+      # Recompile the registry JSON indexes so the RC entry is removed.
+      - name: "Recompile registry for connector"
+        shell: bash
+        env:
+          GCS_CREDENTIALS: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
+          REGISTRY_STORE: "coral:prod"
+        run: >
+          airbyte-ops registry store compile
+          --store "${REGISTRY_STORE}"
+          --connector-name "${CONNECTOR_NAME}"
+
+      # --- Notifications ---
+      - name: Notify Slack on rollback success
+        if: success() && env.ACTION == 'rollback'
+        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
+        with:
+          payload: |
+            {
+              "channel": "#connector-publish-failures",
+              "username": "Connectors CI/CD Bot",
+              "text": "↩️ Successfully rolled back RC for `${{ env.CONNECTOR_NAME }}` — GCS marker deleted:\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }
+
+      - name: Notify Slack on failure
+        if: failure()
+        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
+        with:
+          payload: |
+            {
+              "channel": "#connector-publish-failures",
+              "username": "Connectors CI/CD Bot",
+              "text": "🚨 Registry cleanup failed for `${{ env.CONNECTOR_NAME }}` (${{ env.ACTION }}):\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }
+
+  # ---------------------------------------------------------------------------
+  # Job 2: Create and merge cleanup PR (promote only)
+  # ---------------------------------------------------------------------------
+  create-promotion-pr:
+    name: "Create and Merge Promotion PR"
+    needs: rc-registry-cleanup
+    if: >-
+      github.event.inputs.action == 'promote'
+      || github.event.client_payload.action == 'promote'
+    runs-on: ubuntu-24.04
+    env:
+      CONNECTOR_NAME: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.connector_name || github.event.client_payload.connector_name }}
+    steps:
+      # Authenticate as OCTAVIA_BOT so PRs trigger downstream CI.
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
+
+      - name: Configure git identity
+        run: |
+          git config --global user.name "Octavia Squidington III"
+          git config --global user.email "octavia-squidington-iii@users.noreply.github.com"
+
+      - name: Checkout Airbyte repo
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.get-app-token.outputs.token }}
+          fetch-depth: 1
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+
+      - name: Install Ops CLI
+        run: uv tool install airbyte-internal-ops
+
+      # bump-version --bump-type promote strips -rc.N suffix, sets
+      # enableProgressiveRollout to false, and bumps the version.
+      # --no-changelog because we don't have a PR number yet.
+      - name: "Version bump and cleanup"
+        shell: bash
+        run: >
+          airbyte-ops local connector bump-version
+          --name "${CONNECTOR_NAME}"
+          --repo-path "${{ github.workspace }}"
+          --bump-type promote
+          --no-changelog
+
+      # Commits cleanup changes (version bump + progressive rollout
+      # flag removal) and opens a draft PR.  This gives us a PR
+      # number for the changelog entry.
+      - name: Create cleanup PR
+        id: create-pr
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          token: ${{ steps.get-app-token.outputs.token }}
+          commit-message: "chore: finalize promote for ${{ env.CONNECTOR_NAME }}"
+          branch: "finalize-rollout/promote/${{ env.CONNECTOR_NAME }}"
+          base: ${{ github.event.repository.default_branch }}
+          delete-branch: true
+          title: "chore: finalize promote for ${{ env.CONNECTOR_NAME }}"
+          body: |
+            Automated cleanup after connector rollout **promote** for `${{ env.CONNECTOR_NAME }}`.
+
+            Generated by [`finalize_rollout` workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
+          labels: |
+            area/connectors
+            auto-merge/bypass-ci-checks
+          draft: true
+
+      # changelog add reads the current version from metadata.yaml
+      # (already bumped to GA by the promote step above) and writes
+      # a changelog entry — no version files are modified.
+      - name: "Add changelog entry"
+        if: steps.create-pr.outputs.pull-request-number
+        shell: bash
+        run: >
+          airbyte-ops local connector changelog add
+          --connector-name "${CONNECTOR_NAME}"
+          --repo-path "${{ github.workspace }}"
+          --message "Promoted release candidate to GA"
+          --pr-number "${{ steps.create-pr.outputs.pull-request-number }}"
+
+      # Second create-pull-request call pushes the changelog commit
+      # to the existing PR branch.
+      - name: "Push changelog to PR"
+        if: steps.create-pr.outputs.pull-request-number
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          token: ${{ steps.get-app-token.outputs.token }}
+          commit-message: "chore: add changelog for ${{ env.CONNECTOR_NAME }}"
+          branch: "finalize-rollout/promote/${{ env.CONNECTOR_NAME }}"
+          base: ${{ github.event.repository.default_branch }}
+          title: "chore: finalize promote for ${{ env.CONNECTOR_NAME }}"
+          body: |
+            Automated cleanup after connector rollout **promote** for `${{ env.CONNECTOR_NAME }}`.
+
+            Generated by [`finalize_rollout` workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
+
+      # The merge triggers the publish pipeline that
+      # verifyDefaultVersionActivity is waiting for.
+      - name: Mark PR ready for review
+        if: steps.create-pr.outputs.pull-request-number
+        env:
+          GH_TOKEN: ${{ steps.get-app-token.outputs.token }}
+        run: gh pr ready "${{ steps.create-pr.outputs.pull-request-number }}"
+
+      - name: Force-merge cleanup PR
+        if: steps.create-pr.outputs.pull-request-number
+        env:
+          GH_TOKEN: ${{ steps.get-app-token.outputs.token }}
+        run: |
+          gh pr merge "${{ steps.create-pr.outputs.pull-request-number }}" \
+            --repo "${{ github.repository }}" \
+            --squash \
+            --admin
+
+      # --- Notifications ---
+      - name: Notify Slack on promote success
+        if: success() && steps.create-pr.outputs.pull-request-number
+        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
+        with:
+          payload: |
+            {
+              "channel": "#connector-publish-failures",
+              "username": "Connectors CI/CD Bot",
+              "text": "↗️ Successfully promoted `${{ env.CONNECTOR_NAME }}` — cleanup PR merged:\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }
+
+      - name: Notify Slack on failure
+        if: failure()
+        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
+        with:
+          payload: |
+            {
+              "channel": "#connector-publish-failures",
+              "username": "Connectors CI/CD Bot",
+              "text": "🚨 Promote PR failed for `${{ env.CONNECTOR_NAME }}`:\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }