From 7898aaa9c1cc55517fce22dc2cba873a8c611cb9 Mon Sep 17 00:00:00 2001 From: alinarublea Date: Tue, 10 Mar 2026 14:28:51 +0100 Subject: [PATCH 1/2] feat: add VPC configuration support via helix-deploy 13.4 Add declarative VPC attachment configuration to package.json using new helix-deploy 13.4+ CLI flags. This replaces manual AWS console VPC setup with infrastructure-as-code approach. Changes: - Add awsVpcSubnetIds with VPC_SUBNET_1 and VPC_SUBNET_2 env var references - Add awsVpcSecurityGroupIds with VPC_SG_ID env var reference Note: GitHub repo secrets need to be configured for each environment (dev/stage/prod) with values from Terraform outputs before deployment. Related: adobe/helix-deploy#898 Co-Authored-By: Claude Sonnet 4.5
---
 package.json | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/package.json b/package.json
index c16bc06..532914e 100755
--- a/package.json
+++ b/package.json
@@ -43,6 +43,13 @@
 "fastlyServiceId!important": "",
 "timeout": 900000,
 "nodeVersion": 24,
+ "awsVpcSubnetIds": [
+ "${env.VPC_SUBNET_1}",
+ "${env.VPC_SUBNET_2}"
+ ],
+ "awsVpcSecurityGroupIds": [
+ "${env.VPC_SG_ID}"
+ ],
 "static": [
 "static/prompts/",
 "static/cls1.md",
From 5dadb4b4884b1af54ecf3338b12b78b2386ee26b Mon Sep 17 00:00:00 2001
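Review bot: The deploy targets in ci.yaml are three distinct AWS accounts (AWS_ACCOUNT_ID_DEV/STAGE/PROD), but the new `awsVpcSubnetIds` and `awsVpcSecurityGroupIds` entries reference one set of names, `${env.VPC_SUBNET_1}`, `${env.VPC_SUBNET_2}` and `${env.VPC_SG_ID}`; subnet and security-group IDs belong to a single VPC, so one repository-level secret per name cannot be right for all three environments unless the deploy workflow maps environment-scoped secrets into these names before helix-deploy runs, and the commit message ("GitHub repo secrets ... for each environment") should say which side does that mapping. It is also worth confirming how helix-deploy treats an unset variable here: an unsubstituted placeholder would fail the Lambda update loudly, whereas expansion to an empty string could leave the function deployed without any VPC attachment, which is the quieter failure; the pre-deploy sanity check described in the second patch presumably covers this, but package.json itself cannot document it. The enclosing object (`hlx`, per the second commit message) starts before the hunk.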
From: alinarublea Date: Mon, 20 Apr 2026 16:34:54 +0200 Subject: [PATCH 2/2] ci: migrate to mysticat-ci@v2 reusable workflow with vpc-enabled Replaces the standalone ci.yaml with a thin caller of adobe/mysticat-ci/service-ci.yaml@v2. vpc-enabled: true activates the declarative VPC attachment path using package.json hlx awsVpcSubnetIds / awsVpcSecurityGroupIds already in this PR. v2 adds the pre-deploy sanity check (catches missing secrets or missing hlx fields), aws lambda wait function-updated (closes the ENI eventual-consistency race), and the Verify Lambda VPC attachment step. Notes: - upload-build-artifacts (S3 artifact upload that existed in the previous standalone ci.yaml) is not part of the reusable workflow and is dropped here, matching the api-service and jobs-dispatcher migrations already landed on main. If a downstream consumer needs the artifact, restore it in a separate workflow. - Pilot validation of the v2 flow was completed on spacecat-jobs-dispatcher (branch-deploy in dev) and spacecat-api-service (deploy-stage + semantic-release to prod). Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci.yaml | 196 ++------------------------------------ 1 file changed, 8 insertions(+), 188 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7a327c0..49adf9b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,200 +1,20 @@ -name: Build +name: CI permissions: id-token: write contents: write issues: read + pull-requests: read on: push: pull_request: types: [opened, synchronize, ready_for_review, reopened] -env: - CI_BUILD_NUM: ${{ github.run_id }} - CI_BRANCH: ${{ github.ref_name }} - HLX_AWS_REGION: ${{ secrets.AWS_REGION }} jobs: - protect-nyc-config: - if: github.event_name == 'pull_request' - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: read - steps: - - name: Check out - uses: actions/checkout@v6 - with: - persist-credentials: 'false' - - - name: Protect NYC config - uses: ./.github/actions/protect-nyc-config - - build: - runs-on: ubuntu-latest - steps: - - name: Check out - uses: actions/checkout@v6 - with: - persist-credentials: 'false' - - name: Setup Node & NPM - uses: ./.github/actions/setup-node-npm - env: - MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }} - - - name: Lint, Test, Coverage Upload - uses: ./.github/actions/lint-test-coverage - with: - upload_coverage: "true" - codecov_token: ${{ secrets.CODECOV_TOKEN }} - - - name: Semantic Release (Dry Run) - if: github.event_name == 'push' && github.ref != 'refs/heads/main' - run: npm run semantic-release-dry - env: - GITHUB_TOKEN: ${{ secrets.ADOBE_BOT_GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.ADOBE_BOT_NPM_TOKEN }} - - - name: Print npm debug log if build fails - if: failure() - run: | - if [ -f /home/runner/.npm/_logs/*.log ]; then - echo "==== NPM DEBUG LOG ====" - find /home/runner/.npm/_logs -name '*.log' -exec cat {} \; - echo "==== END NPM DEBUG LOG ====" - else - echo "No npm debug log found." 
- fi - - - name: Clean npm cache - run: npm cache clean --force - - - name: Create empty cache directory - run: mkdir -p /tmp/empty-cache - - - name: Install dependencies - run: npm ci --cache /tmp/empty-cache - - semantic-release: - runs-on: ubuntu-latest - needs: build - if: github.event_name == 'push' && github.ref == 'refs/heads/main' - steps: - - name: Check out - uses: actions/checkout@v6 - with: - persist-credentials: 'false' - - - name: Configure Environment - run: echo -e "LOG_LEVEL=info\n" > .env - - - name: Setup Node & NPM - uses: ./.github/actions/setup-node-npm - env: - MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }} - - - name: Configure AWS - uses: ./.github/actions/configure-aws - with: - aws_role_to_assume: 'arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PROD}}:role/spacecat-role-github-actions' - - - name: Semantic Release - run: npm run semantic-release - env: - GITHUB_TOKEN: ${{ secrets.ADOBE_BOT_GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.ADOBE_BOT_NPM_TOKEN }} - AWS_REGION: us-east-1 - AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_PROD}} - - deploy-stage: - runs-on: ubuntu-latest - needs: build - if: github.event_name == 'push' && github.ref == 'refs/heads/main' - steps: - - name: Check out - uses: actions/checkout@v6 - with: - persist-credentials: 'false' - - - name: Setup Node & NPM - uses: ./.github/actions/setup-node-npm - env: - MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }} - - - name: Configure AWS for STAGE - uses: ./.github/actions/configure-aws - with: - aws_role_to_assume: 'arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_STAGE}}:role/spacecat-role-github-actions' - - - name: Branch Deployment - run: npm run deploy-stage - env: - AWS_REGION: us-east-1 - AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_STAGE}} - - upload-build-artifacts: - runs-on: ubuntu-latest - needs: build - if: github.event_name == 'push' && github.ref == 'refs/heads/main' - steps: - - name: Check out - 
uses: actions/checkout@v6 - with: - persist-credentials: 'false' - - - name: Setup Node & NPM - uses: ./.github/actions/setup-node-npm - env: - MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }} - - - name: Configure AWS for DEV - uses: ./.github/actions/configure-aws - with: - aws_role_to_assume: 'arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEV}}:role/spacecat-role-github-actions' - - - name: Create Build Artifacts - run: npm run build - env: - AWS_REGION: us-east-1 - AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_DEV}} - - - name: Copy Build Artifact - run: cp dist/spacecat-services/task-processor@*.zip spacecat-services--task-processor-latest.zip - env: - AWS_REGION: us-east-1 - AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_DEV}} - - - name: Upload Build Artifact - run: aws s3 cp spacecat-services--task-processor-latest.zip s3://spacecat-artifacts-dev/spacecat-services--task-processor-latest.zip - env: - AWS_REGION: us-east-1 - AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_DEV}} - - branch-deploy: - runs-on: ubuntu-latest - needs: build - if: github.event_name == 'push' && github.ref != 'refs/heads/main' - steps: - - name: Check out - uses: actions/checkout@v6 - with: - persist-credentials: 'false' - - - name: Setup Node & NPM - uses: ./.github/actions/setup-node-npm - env: - MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }} - - - name: Configure AWS - uses: ./.github/actions/configure-aws - with: - aws_role_to_assume: 'arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEV}}:role/spacecat-role-github-actions' - - - name: Branch Deployment - run: npm run deploy-dev - env: - AWS_REGION: us-east-1 - AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_DEV}} - - - name: Post-Deployment Integration Test - run: npm run test-postdeploy + ci: + uses: adobe/mysticat-ci/.github/workflows/service-ci.yaml@v2 + with: + service-name: task-processor + vpc-enabled: true + secrets: inherit
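Review bot: The new `ci` job hands every repository secret to an external reusable workflow selected by a floating tag — `uses: adobe/mysticat-ci/.github/workflows/service-ci.yaml@v2` together with `secrets: inherit` — while the caller grants `id-token: write` and `contents: write` at workflow level, so the content of that workflow can change under this repository's deploy identity and bot tokens without any change here. Pinning to a full commit SHA with the tag kept as a comment, `uses: adobe/mysticat-ci/.github/workflows/service-ci.yaml@<full-commit-sha>  # v2`, and passing only the secrets service-ci.yaml declares instead of `secrets: inherit` would narrow this; the old file pinned actions by tag as well, so this may be org convention, but a workflow that assumes roles in three AWS accounts is the right place to tighten it first. Separately, the removed `protect-nyc-config` PR job, the semantic-release dry run on non-main pushes and the post-deploy integration test have no visible counterpart in the caller and, unlike `upload-build-artifacts`, are not listed as intentional drops in the commit message; a sentence in the description stating whether service-ci.yaml covers them would help. Since `secrets: inherit` also hides where VPC_SUBNET_1/VPC_SUBNET_2/VPC_SG_ID are resolved per environment, a comment above the `with:` block naming where those values come from would save the next reader a trip to the other repository.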