chore(ci): pull up update_layer_arn_docs and scope contents permissions (#2043)

* add contents read top level permission

* remove double doc update, we will update doc after layer ARN PR merge

* pull up layer ARN docs update

* remove contents write for npm publish step

* add pull-requests write permission from parnet call

Author: am29d

.github/workflows/make-release.yml

@@ -39,7 +39,6 @@ jobs:
     # Needed as recommended by npm docs on publishing with provenance https://docs.npmjs.com/generating-provenance-statements
     permissions:
       id-token: write
-      contents: write
     environment: Release
     runs-on: ubuntu-latest
     outputs:
@@ -98,6 +97,7 @@ jobs:
       id-token: write
       contents: write
       pages: write
+      pull-requests: write
     uses: ./.github/workflows/publish_layer.yml
     with:
       latest_published_version: ${{ needs.publish-npm.outputs.RELEASE_VERSION }}

.github/workflows/make-version.yml

@@ -3,6 +3,9 @@ name: Make Version
 on:
   workflow_dispatch: { }
 
+permissions:
+  contents: read
+
 
 jobs:
   bump-version:

.github/workflows/publish_layer.yml

@@ -78,29 +78,36 @@ jobs:
     secrets:
       target-account-role: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
 
-  prepare_docs_alias:
+  update_layer_arn_docs:
+    needs: [deploy-prod]
+    # Force Github action to run only a single job at a time (based on the group name)
+    # This is to prevent race-condition and inconsistencies with changelog push
+    concurrency:
+      group: changelog-build
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-    outputs:
-      DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
+      contents: write
+      pull-requests: write
+      id-token: none
     steps:
-      - name: Set docs alias
-        id: set-alias
+      - name: Checkout repository # reusable workflows start clean, so we need to checkout again
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+        with:
+          ref: ${{ github.sha }}
+      - name: Download CDK layer artifact
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+        with:
+          name: cdk-layer-stack
+          path: cdk-layer-stack/
+      - name: Replace layer versions in documentation
         run: |
-          DOCS_ALIAS=latest
-          if [[ "${{ inputs.pre_release }}" == true ]] ; then
-            DOCS_ALIAS=alpha
-          fi
-          echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT"
-
-  release-docs:
-    needs: [ deploy-prod, prepare_docs_alias ]
-    permissions:
-      id-token: write
-    secrets: inherit
-    uses: ./.github/workflows/reusable_publish_docs.yml
-    with:
-      version: ${{ inputs.latest_published_version }}
-      alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
-      detached_mode: true
+          ls -la cdk-layer-stack/
+          ./.github/scripts/update_layer_arn.sh cdk-layer-stack
+      - name: Create PR
+        id: create-pr
+        uses: ./.github/actions/create-pr
+        with: 
+          files: 'docs/index.md'
+          temp_branch_prefix: 'ci-layer-docs'
+          pull_request_title: 'chore(ci): update layer ARN on documentation'
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/reusable_deploy_layer_stack.yml

@@ -100,11 +100,3 @@ jobs:
           overwrite: true
       - name: CDK deploy canary
         run: npm run cdk -w layers -- deploy --app cdk.out --context region=${{ matrix.region }} 'CanaryStack' --require-approval never --verbose --outputs-file cdk-outputs.json
-  update_layer_arn_docs:
-    needs: deploy-cdk-stack
-    permissions:
-      contents: write
-    if: ${{ inputs.stage == 'PROD' }}
-    uses: ./.github/workflows/reusable_update_layer_arn_docs.yml
-    with:
-      latest_published_version: ${{ inputs.latest_published_version }}