chore: update moratorium check and change management workflows (#3107)

* chore: move tps checks to separate workflow files

* chore: update release workflows to check for moratorium

* chore: update promote workflow to use record release workflow

* chore: yet another fix for the devcenter-doc-update job

* chore: allow tps workflows to inherit secrets

* chore: add git checkout to moratorium check

.github/workflows/create-cli-release.yml

@@ -18,13 +18,12 @@ on:
 
 jobs:
   check-for-moratorium:
-    if: fromJSON(inputs.isStableCandidate)
-    run: ./scripts/release/tps_check_lock cli ${{ github.sha }}
-    environment: ChangeManagement
-    env:
-      TPS_API_TOKEN: ${{ secrets.TPS_API_TOKEN_PARAM }}
+    if: ${{ fromJSON(inputs.isStableCandidate) }}
+    uses: ./.github/workflows/tps-check-lock.yml
+    secrets: inherit
 
   get-version-channel:
+    needs: [check-for-moratorium]
     runs-on: ubuntu-latest
     outputs:
       channel: ${{ steps.getVersion.outputs.channel }}
@@ -39,7 +38,7 @@ jobs:
           path: './packages/cli/package.json'
 
   publish-npm:
-    needs: [get-version-channel]
+    needs: [get-version-channel, check-for-moratorium]
     # if NOT isStableCandidate confirm dist tag is in package.json version
     if: fromJSON(needs.get-version-channel.outputs.isStableRelease) || (!fromJSON(inputs.isStableCandidate) && !!needs.get-version-channel.outputs.channel)
     uses: ./.github/workflows/publish-npm.yml
@@ -49,12 +48,12 @@ jobs:
     secrets: inherit
 
   pack-upload:
-    needs: [ publish-npm ]
+    needs: [publish-npm, check-for-moratorium]
     uses: ./.github/workflows/pack-upload.yml
     secrets: inherit
 
   promote:
-    needs: [get-version-channel, pack-upload]
+    needs: [get-version-channel, pack-upload, check-for-moratorium]
     if: needs.pack-upload.result == 'success'
     uses: ./.github/workflows/promote-release.yml
     with:
@@ -64,8 +63,8 @@ jobs:
     secrets: inherit
 
   publish-docs:
-    needs: [ get-version-channel, promote ]
+    needs: [get-version-channel, promote, check-for-moratorium]
     uses: ./.github/workflows/devcenter-doc-update.yml
     with:
-      isStableRelease: ${{ fromJSON(needs.get-version-channel.outputs.isStableRelease) }}
+      isStableRelease: ${{ fromJSON(inputs.isStableCandidate) }}
     secrets: inherit

.github/workflows/devcenter-doc-update.yml

@@ -20,7 +20,7 @@ jobs:
   update-devcenter-command-docs:
     name: Update Devcenter command docs
     runs-on: ubuntu-latest
-    if: fromJSON(inputs.isStableRelease)
+    if: ${{ fromJSON(inputs.isStableRelease) }}
     steps:
       - uses: actions/checkout@v3
       - name: Use Node.js 16.x

.github/workflows/promote-release.yml

@@ -58,16 +58,10 @@ jobs:
   change-management:
     needs: [ promote ]
     if: fromJSON(inputs.isStableRelease)
-    # Failure to record the release should not fail the workflow
-    continue-on-error: true
-    steps:
-      # Checkout required to get github.sha
-      - uses: actions/checkout@v3
-      - run: ./scripts/postrelease/tps_record_release cli ${{ github.sha }}
-    environment: ChangeManagement
-    env:
-      ACTOR_EMAIL: ${{ secrets.TPS_API_RELEASE_ACTOR_EMAIL }}
-      TPS_API_TOKEN: ${{ secrets.TPS_API_TOKEN_PARAM }}
+    uses: ./.github/workflows/tps-record-release.yml
+    secrets: inherit
+    with:
+      isStableRelease: ${{ fromJSON(inputs.isStableRelease) }}
 
   create-fig-autocomplete-pr:
     if: fromJSON(inputs.isStableRelease)

.github/workflows/start-gh-release.yml

@@ -8,7 +8,12 @@ on:
       - closed
 
 jobs:
+  check-for-moratorium:
+    uses: ./.github/workflows/tps-check-lock.yml
+    secrets: inherit
+
   get-source-branch-name:
+    needs: [check-for-moratorium]
     # GHA does not provide short name for branch being merged in. This shortens it so we can validate it with startsWith()
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
@@ -22,7 +27,7 @@ jobs:
         run: echo "sourceName=${GITHUB_HEAD_REF#refs/heads/}" >> $GITHUB_OUTPUT
 
   start-release:
-    needs: [ get-source-branch-name ]
+    needs: [get-source-branch-name, check-for-moratorium]
     if: startsWith(needs.get-source-branch-name.outputs.sourceName, 'release-')
     uses: ./.github/workflows/tag-create-github-release.yml
     secrets: inherit

.github/workflows/tps-check-lock.yml

@@ -0,0 +1,14 @@
+name: Check for moratorium
+
+on: [workflow_dispatch, workflow_call]
+
+jobs:
+  moratoriumCheck:
+    runs-on: ubuntu-latest
+    environment: ChangeManagement
+    steps:
+      # checkout required to get github.sha
+      - uses: actions/checkout@v3
+      - env:
+          TPS_API_TOKEN: ${{ secrets.TPS_API_TOKEN_PARAM }}
+        run: ./scripts/release/tps_check_lock cli ${{ github.sha }}

.github/workflows/tps-record-release.yml

@@ -0,0 +1,30 @@
+name: Publish release to Change Management
+
+on:
+  workflow_dispatch:
+    inputs:
+      isStableCandidate:
+        type: boolean
+        description: Is this a stable/prod candidate?
+        required: true
+        default: false
+  workflow_call:
+    inputs:
+      isStableCandidate:
+        type: boolean
+        description: Is this a stable/prod candidate?
+        required: true
+        default: false
+
+jobs:
+  publishToChangeManagement:
+    runs-on: ubuntu-latest
+    if: ${{ fromJSON(inputs.isStableCandidate) }}
+    environment: ChangeManagement
+    steps:
+      # checkout required to get github.sha
+      - uses: actions/checkout@v3
+      - env:
+          ACTOR_EMAIL: ${{ secrets.TPS_API_RELEASE_ACTOR_EMAIL
+          TPS_API_TOKEN: ${{ secrets.TPS_API_TOKEN_PARAM }}
+        run: ./scripts/postrelease/tps_record_release cli ${{ github.sha }}