Nightly CI checks

.github/actions/build-service/action.yml

@@ -0,0 +1,20 @@
+name: 'build-service'
+inputs:
+  service:
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Build service
+      shell: bash
+      run: |
+        set -Eeuo pipefail
+
+        if [ -e "${{ inputs.service }}/gradlew" ]; then
+          # Need to explicitly cd into each service, otherwise we get concurrent yarn cache clashes
+          cd ${{ inputs.service }}
+          ./gradlew --no-daemon assemble
+          cd ..
+        else
+          echo "Skipping step as required file doesn't exist"
+        fi

.github/actions/detect-changed-services/action.yml

@@ -0,0 +1,35 @@
+name: 'detect-changed-services'
+outputs:
+  changed_services:
+    value: ${{ steps.changed-services.outputs.changed_services }}
+runs:
+  using: "composite"
+  steps:
+    - name: Collect all changed root directories
+      id: changed-root-directories
+      uses: tj-actions/changed-files@v45
+      with:
+        dir_names: true
+        dir_names_max_depth: '1'
+    - name: Collect all changed services
+      shell: bash
+      id: changed-services
+      env:
+        all_changed_files: ${{ steps.changed-root-directories.outputs.all_changed_files }}
+      run: |
+        set -Eeuo pipefail
+
+        CHANGED_SERVICES=()
+        for file in ${all_changed_files}; do
+          if [ -e "$file/infra/Pulumi.yaml" ]; then
+            CHANGED_SERVICES+=("$file")
+          fi
+        done
+
+        if [ ${#CHANGED_SERVICES[@]} -eq 0 ]; then
+          echo "No services changed"
+        else
+          joined=$(printf ",\"%s\"" "${CHANGED_SERVICES[@]}")
+          echo "changed_services=[${joined:1}]"
+          echo "changed_services=[${joined:1}]" >> "$GITHUB_OUTPUT"
+        fi

.github/actions/infra/action.yml

@@ -0,0 +1,21 @@
+name: 'infra'
+inputs:
+  command:
+    required: true
+  service:
+    required: true
+  access-token:
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Set up infrastructure
+      uses: pulumi/actions@v5
+      with:
+        command: ${{ inputs.command }}
+        stack-name: prod
+        work-dir: ${{ inputs.service }}/infra
+        edit-pr-comment: false
+        pulumi-version: "3.136.1"
+      env:
+        PULUMI_ACCESS_TOKEN: ${{ inputs.access-token }}

.github/actions/setup-gradle/action.yml

@@ -0,0 +1,16 @@
+name: 'setup-gradle'
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: "zulu"
+        java-version: "15"
+    - name: Set up Gradle
+      uses: gradle/actions/setup-gradle@v3 # By default, cache is only saved on the 'master' branch
+    - name: Set up secrets
+      shell: bash
+      run: |
+        set -Eeuo pipefail 
+        bash tools/scripts/secrets.sh

.github/actions/unit-test/action.yml

@@ -0,0 +1,28 @@
+name: 'unit-test'
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Gradle
+      uses: ./.github/actions/setup-gradle
+    - name: Test
+      shell: bash
+      run: |
+        set -Eeuo pipefail 
+        # This Gradle task runs across all compisite build projects and because it's invoked from 
+        # the root it'll try to use concurrent yarn instances that all try to write to the same output
+        # folder. A single Gradle worker avoids this at the cost of a slower build but this is okay for now.
+        ./gradlew --no-daemon --continue --max-workers=1 jsTest
+    - name: Generate test report
+      uses: mikepenz/action-junit-report@v4
+      if: always() # Ensure all test reports are collected, even after errors
+      with:
+        report_paths: |
+          **/TEST-*.xml
+        check_name: unit-test-results
+    - name: Artifacts
+      uses: actions/upload-artifact@v4
+      if: always() # Ensure all artifacts are collected, even after errors
+      with:
+        name: Tests
+        path: |
+          **/TEST-*.xml

.github/workflows/deploy-check.yml

@@ -5,9 +5,6 @@ on:
     branches: [ master ]
 
 env:
-  JAVA_VERSION: "15"
-  JAVA_DISTRIBUTION: "zulu"
-  PULUMI_VERSION: "3.136.1"
   GCP_SA_KEY_INFRA: ${{ secrets.GCP_SA_KEY_INFRA }}
 
 jobs:
@@ -19,81 +16,37 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Collect all changed root directories
-        id: changed-root-directories
-        uses: tj-actions/changed-files@v45
-        with:
-          dir_names: true
-          dir_names_max_depth: '1'
       - name: Collect all changed services
+        uses: ./.github/actions/detect-changed-services
         id: changed-services
-        env:
-          all_changed_files: ${{ steps.changed-root-directories.outputs.all_changed_files }}
-        run: |
-          CHANGED_SERVICES=()
-          for file in ${all_changed_files}; do
-            if [ -e "$file/infra/Pulumi.yaml" ]; then
-              CHANGED_SERVICES+=("$file")
-            fi
-          done
-
-          if [ ${#CHANGED_SERVICES[@]} -eq 0 ]; then
-            echo "No services changed"
-          else
-            joined=$(printf ",\"%s\"" "${CHANGED_SERVICES[@]}")
-            echo "changed_services=[${joined:1}]"
-            echo "changed_services=[${joined:1}]" >> "$GITHUB_OUTPUT"
-          fi
-
     outputs:
       changed_services: ${{ steps.changed-services.outputs.changed_services }}
 
-  deploy-service-build:
+  deploy-service:
     if: needs.detect-changed-services.outputs.changed_services != ''
     runs-on: ubuntu-24.04
     strategy:
       matrix:
         service: ${{ fromJSON(needs.detect-changed-services.outputs.changed_services) }}
     concurrency:
-      group: ${{ github.ref }}-${{ matrix.service }}-deploy-service-build
+      group: ${{ github.ref }}-${{ matrix.service }}-deploy-service
       cancel-in-progress: true
     needs: detect-changed-services
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Set up Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: ${{ env.JAVA_DISTRIBUTION }}
-          java-version: ${{ env.JAVA_VERSION }}
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3 # By default, cache is only saved on the 'master' branch
-      - name: Set up secrets
-        run: |
-          set -Eeuo pipefail
-          bash tools/scripts/secrets.sh
+        uses: ./.github/actions/setup-gradle
       - name: Build service
-        run: |
-          set -Eeuo pipefail
-
-          if [ -e "${{ matrix.service }}/gradlew" ]; then
-            # Need to explicitly cd into each service, otherwise we get yarn cache clashes
-            cd ${{ matrix.service }}
-            ./gradlew --no-daemon assemble
-            cd ..
-          else
-            echo "Skipping step as required file doesn't exist"
-          fi
+        uses: ./.github/actions/build-service
+        with:
+          service: ${{ matrix.service }}
       - name: Deploy infrastructure
-        uses: pulumi/actions@v5
+        uses: ./.github/actions/infra
         with:
           command: up
-          stack-name: prod
-          work-dir: ${{ matrix.service }}/infra
-          edit-pr-comment: false
-          pulumi-version: ${{ env.PULUMI_VERSION }}
-        env:
-          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+          service: ${{ matrix.service }}
+          access-token: ${{ secrets.PULUMI_ACCESS_TOKEN }}
       - name: Artifacts
         uses: actions/upload-artifact@v4
         if: always() # Ensure all artifacts are collected, even after errors
@@ -103,40 +56,13 @@ jobs:
             **/build
             ${{ matrix.service }}/infra
 
-  deploy-test:
+  unit-test:
     runs-on: ubuntu-24.04
     concurrency:
-      group: ${{ github.ref }}-deploy-test
+      group: ${{ github.ref }}-unit-test
       cancel-in-progress: true
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Set up Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: ${{ env.JAVA_DISTRIBUTION }}
-          java-version: ${{ env.JAVA_VERSION }}
-      - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3 # By default, cache is only saved on the 'master' branch
-      - name: Set up secrets
-        run: |
-          set -Eeuo pipefail 
-          bash tools/scripts/secrets.sh
       - name: Test
-        run: |
-          set -Eeuo pipefail 
-          ./gradlew --no-daemon --continue jsTest
-      - name: Generate test report
-        uses: mikepenz/action-junit-report@v4
-        if: always() # Ensure all test reports are collected, even after errors
-        with:
-          report_paths: |
-            **/TEST-*.xml
-          check_name: deploy-test-results
-      - name: Artifacts
-        uses: actions/upload-artifact@v4
-        if: always() # Ensure all artifacts are collected, even after errors
-        with:
-          name: Tests
-          path: |
-            **/TEST-*.xml
+        uses: ./.github/actions/unit-test

.github/workflows/nightly-check.yml

@@ -0,0 +1,75 @@
+name: nightly-check
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+env:
+  GCP_SA_KEY_INFRA: ${{ secrets.GCP_SA_KEY_INFRA }}
+  MONITORING_SLACK_URL: ${{ secrets.MONITORING_SLACK_URL }}
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    concurrency:
+      group: ${{ github.ref }}-build
+      cancel-in-progress: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Gradle
+        uses: ./.github/actions/setup-gradle
+      - name: Build services
+        run: |
+          set -Eeuo pipefail
+          # This Gradle task runs across all compisite build projects and because it's invoked from 
+          # the root it'll try to use concurrent yarn instances that all try to write to the same output
+          # folder. A single Gradle worker avoids this at the cost of a slower build but this is okay for now.
+          ./gradlew --no-daemon --max-workers=1 assemble
+      - name: Preview infrastructure
+        uses: ./.github/actions/infra
+        with:
+          command: preview
+          service: common
+          access-token: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+      - name: Artifacts
+        uses: actions/upload-artifact@v4
+        if: always() # Ensure all artifacts are collected, even after errors
+        with:
+          name: Build
+          path: |
+            **/build
+            **/infra
+      - name: Slack report
+        uses: slackapi/[email protected]
+        if: always() # Ensure report is sent, even after errors
+        with:
+          payload: |
+            {
+              "text": "🌓️️ Nightly job <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.job }}> ${{ job.status }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ env.MONITORING_SLACK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
+  unit-test:
+    runs-on: ubuntu-24.04
+    concurrency:
+      group: ${{ github.ref }}-unit-test
+      cancel-in-progress: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Test
+        uses: ./.github/actions/unit-test
+      - name: Slack report
+        uses: slackapi/[email protected]
+        if: always() # Ensure report is sent, even after errors
+        with:
+          payload: |
+            {
+              "text": "🌓️️ Nightly job <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.job }}> ${{ job.status }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ env.MONITORING_SLACK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK