Seperate .env per environment, docs

Author: ggetz

.env

@@ -1,15 +1,15 @@
-# Get the current git values from GitHub Action variables if triggered from pull-reqest or push; otherwise fallback to the current local git branch
+# These variables are ovveridden in CI with GitHub Action variables if triggered from pull-reqest or push; 
+# Locally, fallback to the current local git status
 BRANCH="$(git branch --show-current)"
-BRANCH=${PULL_REQUEST_HEAD_REF:-${GITHUB_REF_NAME:-${BRANCH}}}
 COMMIT_SHA="$(git rev-parse HEAD)"
-COMMIT_SHA=${PULL_REQUEST_HEAD_SHA:-${GITHUB_SHA:-${COMMIT_SHA}}}
 
 # Read the CesiumJS version from package.json
 CESIUM_VERSION=$(npm pkg get version | tr -d '"')
 
 # Build artifact configuration
-BUILD_ARTIFACT_BUCKET="cesium-public-builds"
-BUILD_ARTIFACT_URL="https://ci-builds.cesium.com/cesium/${BRANCH}"
+BUILD_ARTIFACT_PATH="cesium/${BRANCH}"
+BUILD_ARTIFACT_BUCKET="s3://cesium-public-builds/${BUILD_ARTIFACT_PATH}"
+BUILD_ARTIFACT_URL="https://ci-builds.cesium.com/${BUILD_ARTIFACT_PATH}"
 
 INDEX_URL="${BUILD_ARTIFACT_URL}/index.html"
 ZIP_URL="${BUILD_ARTIFACT_URL}/Cesium-${CESIUM_VERSION}.zip"

.github/workflows/.env.pull_request

@@ -0,0 +1,2 @@
+BRANCH="$(jq -r .pull_request.head.ref ${GITHUB_EVENT_PATH})"
+COMMIT_SHA="$(jq -r .pull_request.head.sha ${GITHUB_EVENT_PATH})"

.github/workflows/.env.push

@@ -0,0 +1,2 @@
+BRANCH=${GITHUB_REF_NAME}
+COMMIT_SHA=${GITHUB_SHA}

.github/workflows/coverage.yml

@@ -0,0 +1,45 @@
+name: coverage
+on: 
+  pull_request:
+concurrency:
+  group: coverage-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: us-east-1
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      statuses: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+      - name: install node 22
+        uses: actions/setup-node@v5
+        with:
+          node-version: "22"
+      - name: npm install
+        run: npm install
+      - name: set status pending
+        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.pull_request -- \
+          node ./scripts/setCommitStatus.js coverage pending
+      - name: build
+        run: npm run build
+      - name: coverage (firefox)
+        run: npm run coverage -- --browsers FirefoxHeadless --webgl-stub --failTaskOnError --suppressPassed
+      - name: upload coverage artifacts
+        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.pull_request -f .env \
+          -- sh -c \
+          'aws s3 sync ./Build/Coverage $BUILD_ARTIFACT_BUCKET/Build/Coverage --delete'
+      - name: set status success
+        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.pull_request -- \
+          node ./scripts/setCommitStatus.js coverage ${{ job.status }}

.github/workflows/deploy.yml

@@ -2,7 +2,7 @@ name: deploy
 on:
   push:
     branches-ignore:
-      - 'cesium.com'
+      - "cesium.com"
       - production
 concurrency:
   group: deploy-${{ github.ref }}
@@ -18,26 +18,27 @@ jobs:
       AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
       AWS_REGION: us-east-1
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GITHUB_SHA: ${{ github.sha }}
       BASE_URL: /cesium/${{ github.ref_name }}/
     steps:
       - uses: actions/checkout@v5
       - name: install node 22
         uses: actions/setup-node@v5
         with:
-          node-version: '22'
+          node-version: "22"
       - name: npm install
         run: npm install
       - name: set version in package.json
         run: |
-          npx @dotenvx/dotenvx run -- sh -c \
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.push \
+          -- sh -c \
           'npm version prerelease --preid $BRANCH --ws --include-workspace-root --no-git-tag-version'
       - name: set status pending
         if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
         run: |
-          node ./scripts/setDeployStatus.js zip pending
-          node ./scripts/setDeployStatus.js npm pending
-          node ./scripts/setDeployStatus.js index pending
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.push -- \
+          node ./scripts/setCommitStatus.js zip pending && \
+          node ./scripts/setCommitStatus.js npm pending && \
+          node ./scripts/setCommitStatus.js index pending
       - name: create release zip
         run: npm run make-zip
       - name: package cesium module
@@ -52,8 +53,9 @@ jobs:
       - name: deploy to s3
         if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
         run: |
-          npx @dotenvx/dotenvx run -- sh -c \
-          'aws s3 sync . s3://$BUILD_ARTIFACT_BUCKET/cesium/$BRANCH/ \
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.push -f .env \
+          -- sh -c \
+          'aws s3 sync . $BUILD_ARTIFACT_BUCKET \
           --cache-control "no-cache" \
           --exclude ".git/*" \
           --exclude ".github/*" \
@@ -70,6 +72,7 @@ jobs:
       - name: set status success
         if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
         run: |
-          node ./scripts/setDeployStatus.js zip ${{ job.status }}
-          node ./scripts/setDeployStatus.js npm ${{ job.status }}
-          node ./scripts/setDeployStatus.js index ${{ job.status }}
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.push -- \
+          node ./scripts/setCommitStatus.js zip ${{ job.status }} && \
+          node ./scripts/setCommitStatus.js npm ${{ job.status }} && \
+          node ./scripts/setCommitStatus.js index ${{ job.status }}

.github/workflows/dev.yml

@@ -15,7 +15,7 @@ jobs:
       - name: install node 22
         uses: actions/setup-node@v5
         with:
-          node-version: '22'
+          node-version: "22"
       - name: npm install
         run: npm install
       - name: lint *.js
@@ -24,47 +24,14 @@ jobs:
         run: npm run markdownlint
       - name: format code
         run: npm run prettier-check
-  coverage:
-    runs-on: ubuntu-latest
-    env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
-      AWS_REGION: us-east-1
-      PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request && github.event.pull_request.head.sha || '' }}
-      PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request && github.event.pull_request.head.ref || '' }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    permissions:
-      statuses: write
-      contents: read
-    steps:
-      - uses: actions/checkout@v5
-      - name: install node 22
-        uses: actions/setup-node@v5
-        with:
-          node-version: '22'
-      - name: npm install
-        run: npm install
-      - name: set status pending
-        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
-        run: node ./scripts/setDeployStatus.js coverage pending
-      - name: build
-        run: npm run build
-      - name: coverage (firefox)
-        run: npm run coverage -- --browsers FirefoxHeadless --webgl-stub --failTaskOnError --suppressPassed
-      - name: upload coverage artifacts
-        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
-        run: npx @dotenvx/dotenvx run -- sh -c 'aws s3 sync ./Build/Coverage s3://$BUILD_ARTIFACT_BUCKET/cesium/$BRANCH/Build/Coverage --delete --color on'
-      - name: set status success
-        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
-        run: node ./scripts/setDeployStatus.js coverage ${{ job.status }}
   release-tests:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
       - name: install node 22
         uses: actions/setup-node@v5
         with:
-          node-version: '22'
+          node-version: "22"
       - name: npm install
         run: npm install
       - name: release build
@@ -80,7 +47,7 @@ jobs:
       - name: install node 20
         uses: actions/setup-node@v5
         with:
-          node-version: '20'
+          node-version: "20"
       - name: npm install
         run: npm install
       - name: release build

Documentation/Contributors/ContinuousIntegration/README.md

@@ -2,8 +2,9 @@
 
 - [Background](#background)
 - [Actions and workflows](#actions-and-workflows)
+  - [Environment variables](#environment-variables)
 - [Continuous deployment](#continuous-deployment)
-- [Configuration](#configuration)
+- [Configuration guide](#configuration-guide)
   - [Configure a different S3 bucket](#configure-a-different-s3-bucket)
   - [Configure S3 credentials](#configure-s3-credentials)
 
@@ -28,6 +29,16 @@ The status checks for any branch are also accessible under the [Branches](https:
 
 ![GitHub Branches](github_branches.png)
 
+### Environment variables
+
+Any non-secret environment variables for CI and CD are managed using `.env` files and [dotenvx](https://github.com/dotenvx/dotenvx).
+
+- **Local dev**: `.env` is checked in at the repository root and provides defaults constant values and local fallbacks.
+  - To run a script or command with these variables configured locally, use `npx @dotenvx/dotenvx run -- <COMMAND>`, e.g., `npx @dotenvx/dotenvx run -- node ./scripts/setCommitStatus.js`.
+  - To expand a variable directly in a command, use a subshell command, e.g., `npx @dotenvx/dotenvx run -- sh -c 'echo "${BRANCH}"'`.
+- **GitHub Actions workflow - `push` trigger**: `.github/workflows/.env.push`
+- **GitHub Actions workflow - `pull_request` trigger**: `.github/workflows/.env.pull_request`
+
 ## Continuous deployment
 
 Automated deployments make recent code changes available for convenient testing and review—No need to fetch or build locally. In the `cesium` repository, all continuous deployment artifacts are uploaded for commits authored by users with commit access.
@@ -42,7 +53,7 @@ Each of the following are deployed on a per-branch basis.
 | Release zip      | `https://ci-builds.cesium.com/cesium/<BRANCH>/Cesium-<VERSION>-<BRANCH>.0.zip` (i.e., [`https://ci-builds.cesium.com/cesium/main/Cesium-1.X.X-main.0.zip`](https://ci-builds.cesium.com/cesium/main/Cesium-1.X.X-main.0.zip))              |
 | npm package      | `https://ci-builds.cesium.com/cesium/<BRANCH>/cesium-<VERSION>-<BRANCH>.0.tgz` (i.e., [`https://ci-builds.cesium.com/cesium/main/cesium-1.X.X-main.0.tgz`](https://ci-builds.cesium.com/cesium/main/cesium-1.X.X-main.0.tgz))              |
 
-## Configuration
+## Configuration guide
 
 Additional set up is required for deployment _only_ if you do not have commit access to CesiumJS.
 

scripts/setDeployStatus.js renamed to scripts/setCommitStatus.js

@@ -8,7 +8,7 @@ const GITHUB_WORKFLOW = process.env.GITHUB_WORKFLOW;
 const COMMIT_SHA = process.env.COMMIT_SHA;
 const CESIUM_VERSION = process.env.CESIUM_VERSION;
 
-export async function setDeployStatus({ status, url, context, message }) {
+export async function setCommitStatus({ status, url, context, message }) {
   if (!GITHUB_TOKEN || GITHUB_TOKEN === "") {
     throw new Error(`Environment variable is not defined: "GITHUB_TOKEN"`);
   }
@@ -63,7 +63,7 @@ const getArtifactContext = (artifact) => {
 await yargs()
   .command(
     "* <status> [context] [url] [message]",
-    "set deploy status of a build artifact",
+    "set commit status, for example, to link to a build artifact",
     (yargs) =>
       yargs
         .positional("status", {
@@ -81,49 +81,49 @@ await yargs()
         })
         .positional("message", {
           type: "string",
-          describe: "A short description of the status.",
+          describe: "A short description of this status.",
         }),
-    setDeployStatus,
+    setCommitStatus,
   )
   .command(
     "coverage <status>",
-    "set deploy status of a build artifact",
+    "set deployment status of coverage results",
     () => {},
     async ({ status }) =>
-      setDeployStatus({
+      setCommitStatus({
         status,
         url: process.env.COVERAGE_URL,
         context: getArtifactContext("coverage report"),
       }),
   )
   .command(
     "zip <status>",
-    "set deploy status of the zip file",
+    "set deployment status of the release zip file",
     () => {},
     async ({ status }) =>
-      setDeployStatus({
+      setCommitStatus({
         status,
         url: process.env.ZIP_URL,
         context: getArtifactContext(`Cesium-${CESIUM_VERSION}.zip`),
       }),
   )
   .command(
     "npm <status>",
-    "set deploy status of the npm package",
+    "set deployment status of the npm package",
     () => {},
     async ({ status }) =>
-      setDeployStatus({
+      setCommitStatus({
         status,
         url: process.env.NPM_URL,
         context: getArtifactContext(`cesium-${CESIUM_VERSION}.tgz`),
       }),
   )
   .command(
     "index <status>",
-    "set deploy status of the static build",
+    "set deployment status of the static build",
     () => {},
     async ({ status }) =>
-      setDeployStatus({
+      setCommitStatus({
         status,
         url: process.env.INDEX_URL,
         context: getArtifactContext("index.html"),