1.1.0

### Added
- New primary workflow `.github/workflows/deploy.yaml` that materializes branch-specific mesh secrets, computes CLI flags automatically, and waits for mesh provisioning with retry logic.
- Reusable Newman regression workflow `.github/workflows/tests.yaml` plus a dependent `tests` job so deployments can trigger API smoke tests per branch.

### Changed
- Deployment job now emits `secrets.yaml` at runtime from encrypted GitHub secrets (`MESH_SECRETS_STAGE` / `MESH_SECRETS_PROD`) to keep sensitive resolver credentials out of the repository.
- Mesh commands (`aio api-mesh:create` / `update`) automatically include `--env .env` and `--secrets secrets.yaml` when those files exist, reducing manual flag drift.
- Mesh provisioning phase now polls `aio api-mesh:status` with clearer logging and early-failure handling if the mesh never reaches a healthy state.

Author: nuzil

.github/workflows/deployMesh.yaml .github/workflows/deploy.yaml.github/workflows/deployMesh.yaml renamed to .github/workflows/deploy.yaml

@@ -35,13 +35,23 @@ jobs:
             echo "TECHNICALACCID=${{ secrets.TECHNICALACCID_STAGE }}" >> "$GITHUB_ENV"
             echo "TECHNICALACCEMAIL=${{ secrets.TECHNICALACCEMAIL_STAGE }}" >> "$GITHUB_ENV"
             echo "WORKSPACEID=${{ secrets.WORKSPACEID_STAGE }}" >> "$GITHUB_ENV"
+            {
+              printf '%s\n' 'MESH_SECRETS<<__MESH_SECRETS__'
+              printf '%s\n' "${{ secrets.MESH_SECRETS_STAGE }}"
+              printf '%s\n' '__MESH_SECRETS__'
+            } >> "$GITHUB_ENV"
           elif [ "$BRANCH_NAME" = "production" ]; then
             echo "TARGET_ENV=production" >> "$GITHUB_ENV"
             echo "CLIENTID=${{ secrets.CLIENTID_PROD }}" >> "$GITHUB_ENV"
             echo "CLIENTSECRET=${{ secrets.CLIENTSECRET_PROD }}" >> "$GITHUB_ENV"
             echo "TECHNICALACCID=${{ secrets.TECHNICALACCID_PROD }}" >> "$GITHUB_ENV"
             echo "TECHNICALACCEMAIL=${{ secrets.TECHNICALACCEMAIL_PROD }}" >> "$GITHUB_ENV"
             echo "WORKSPACEID=${{ secrets.WORKSPACEID_PROD }}" >> "$GITHUB_ENV"
+            {
+              printf '%s\n' 'MESH_SECRETS<<__MESH_SECRETS__'
+              printf '%s\n' "${{ secrets.MESH_SECRETS_PROD }}"
+              printf '%s\n' '__MESH_SECRETS__'
+            } >> "$GITHUB_ENV"
           else
             echo "Unsupported branch '$BRANCH_NAME'. Only staging and production are allowed." >&2
             exit 1
@@ -60,6 +70,17 @@ jobs:
             echo "Please set all required secrets: CLIENTID, CLIENTSECRET, TECHNICALACCID, TECHNICALACCEMAIL, IMSORGID, ORGID, PROJECTID, WORKSPACEID"
             exit 1
           fi
+          if [ -n "${MESH_SECRETS:-}" ]; then
+            echo "Mesh secrets detected in environment"
+          else
+            echo "Warning: MESH_SECRETS not provided; secrets.yaml will not be generated" >&2
+          fi
+      - name: Materialize mesh secrets file
+        if: ${{ env.MESH_SECRETS != '' }}
+        run: |
+          set -euo pipefail
+          printf '%s\n' "$MESH_SECRETS" > secrets.yaml
+          chmod 600 secrets.yaml
       - name: Setup CLI
         uses: adobe/aio-cli-setup-action@1.3.0
         with:
@@ -100,15 +121,59 @@ jobs:
       - name: Debug Get Mesh Output
         continue-on-error: true
         run: echo "Get Mesh Output - ${{ steps.get_mesh.outputs.mesh_output }}"
+      - name: Compute Mesh Credential Flags
+        id: mesh_args
+        run: |
+          set -euo pipefail
+          MESH_ARGS="-c mesh.json"
+          if [ -f ".env" ]; then
+            MESH_ARGS="$MESH_ARGS --env .env"
+          fi
+          if [ -f "secrets.yaml" ]; then
+            MESH_ARGS="$MESH_ARGS --secrets secrets.yaml"
+          fi
+          echo "args=$MESH_ARGS" >> "$GITHUB_OUTPUT"
       - name: Create Mesh
         if: ${{ contains(steps.get_mesh.outputs.mesh_output, 'No mesh found') }}
-        run: aio api-mesh:create -c mesh.json --env .env
+        run: aio api-mesh:create ${{ steps.mesh_args.outputs.args }}
       - name: Update Mesh
         if: ${{ !contains(steps.get_mesh.outputs.mesh_output, 'No mesh found') }}
-        run: aio api-mesh:update -c mesh.json --env .env
-      - name: Wait for 30 seconds
-        run: sleep 30
+        run: aio api-mesh:update ${{ steps.mesh_args.outputs.args }}
+      - name: Wait for Mesh Provisioning
+        run: |
+          set -euo pipefail
+          max_attempts=60
+          attempt=1
+          while [ "$attempt" -le "$max_attempts" ]; do
+            echo "Polling mesh status (attempt $attempt/$max_attempts)..."
+            status_output=$(aio api-mesh:status 2>&1 || true)
+            echo "$status_output"
+
+            if echo "$status_output" | grep -F "Mesh provisioned successfully." >/dev/null; then
+              echo "Mesh provisioned successfully."
+              break
+            elif echo "$status_output" | grep -Eq "Mesh is currently building|Your mesh is being provisioned.|Currently provisioning your mesh|Wait a few minutes and try again.|Unable to get mesh status"; then
+              echo "Mesh is currently building. Waiting 10 seconds before next check."
+              sleep 10
+            else
+              echo "Unexpected status output. Treating as failure."
+              exit 1
+            fi
+
+            attempt=$((attempt + 1))
+          done
+
+          if [ "$attempt" -gt "$max_attempts" ]; then
+            echo "Mesh provisioning did not finish within the allotted time."
+            exit 1
+          fi
       - name: Describe Mesh
         run: aio api-mesh:describe
       - name: Get Mesh Status
         run: aio api-mesh:status
+
+  tests:
+      name: Execute Tests
+      needs: [deploy]
+      # Use the path to the reusable workflow file
+      uses: ./.github/workflows/tests.yaml

.github/workflows/tests.yaml

@@ -0,0 +1,38 @@
+name: Run Tests
+
+on:
+  workflow_call:
+
+jobs:
+  newman:
+    name: Run Newman Tests
+    runs-on: ubuntu-latest
+    env:
+      BRANCH_NAME: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
+      - name: Run Newman Tests
+        run: |
+          set -euo pipefail
+          COLLECTION_PATH="tests/newman/collection.json"
+          ENV_PATH="tests/newman/environment_${BRANCH_NAME}.json"
+
+          if [ ! -f "$COLLECTION_PATH" ]; then
+            echo "Skipping Newman tests: collection not found at $COLLECTION_PATH."
+            exit 0
+          fi
+
+          if [ ! -f "$ENV_PATH" ]; then
+            echo "Skipping Newman tests: environment file not found for branch $BRANCH_NAME."
+            exit 0
+          fi
+
+          echo "Running Newman tests for branch $BRANCH_NAME..."
+          docker run --rm \
+            -v "$PWD":/etc/newman \
+            -w /etc/newman \
+            postman/newman_alpine33 \
+            run "$COLLECTION_PATH" -e "$ENV_PATH"

CHANGELOG.md

@@ -0,0 +1,17 @@
+# Changelog
+
+All notable changes to this project will be documented in this file. The format loosely follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the repository uses [Semantic Versioning](https://semver.org/).
+
+## [1.1.0] - 2025-11-25
+### Added
+- New primary workflow `.github/workflows/deploy.yaml` that materializes branch-specific mesh secrets, computes CLI flags automatically, and waits for mesh provisioning with retry logic.
+- Reusable Newman regression workflow `.github/workflows/tests.yaml` plus a dependent `tests` job so deployments can trigger API smoke tests per branch.
+
+### Changed
+- Deployment job now emits `secrets.yaml` at runtime from encrypted GitHub secrets (`MESH_SECRETS_STAGE` / `MESH_SECRETS_PROD`) to keep sensitive resolver credentials out of the repository.
+- Mesh commands (`aio api-mesh:create` / `update`) automatically include `--env .env` and `--secrets secrets.yaml` when those files exist, reducing manual flag drift.
+- Mesh provisioning phase now polls `aio api-mesh:status` with clearer logging and early-failure handling if the mesh never reaches a healthy state.
+
+## [1.0.0] - 2025-11-19
+### Added
+- Initial Adobe API Mesh CI/CD template with a GitHub Actions workflow for staging/production deployments, README-based setup guidance, and secret validation.

README.md

@@ -6,16 +6,24 @@ This repository is a lightweight starting point for teams that want a repeatable
 
 ## What You Get
 
-- **Workflow automation** – `.github/workflows/deployMesh.yaml` handles checkout, authentication via the Adobe I/O CLI, mesh creation (or update), and post-deploy validation.
+- **Workflow automation** – `.github/workflows/deploy.yaml` handles checkout, authentication via the Adobe I/O CLI, mesh creation (or update), and post-deploy validation.
 - **Environment awareness** – pushes to `staging` or `production` automatically pull the corresponding credential set and workspace identifiers.
 - **Manual control** – trigger the workflow with `workflow_dispatch` whenever you need an ad-hoc deployment.
 - **Extensibility** – add new environments, steps, linters, or notifications by extending the single workflow file.
 
+### Key Capabilities
+
+- **Secret materialization** – branch-specific secrets can include encrypted mesh credentials (`MESH_SECRETS_*`) that the workflow writes to `secrets.yaml` on the fly and passes through `--secrets` so sensitive resolvers stay out of Git history.
+- **Auto-flag builder** – the workflow inspects the repo for `.env` and `secrets.yaml` and automatically appends the correct `aio api-mesh:*` flags, helping you wire runtime configuration consistently.
+- **Provisioning watchdog** – mesh deployments poll `aio api-mesh:status` for up to 10 minutes with friendly logging, failing early if provisioning stalls or ends unexpectedly.
+- **Reusable testing workflow** – `.github/workflows/tests.yaml` defines a Newman-based regression suite that runs after deployment (via the `tests` job in `deploy.yaml`) and selects the right Postman environment per branch.
+
 Repository layout (expected):
 
 ```
 .
-├── .github/workflows/deployMesh.yaml   # Main CI/CD pipeline
+├── .github/workflows/deploy.yaml       # Main CI/CD pipeline
+├── .github/workflows/tests.yaml        # Reusable Newman regression tests
 ├── mesh.json                          # API Mesh definition (commit your own)
 ├── .env                               # Optional runtime variables used by mesh.json
 └── README.md                          # This documentation
@@ -70,7 +78,7 @@ Once the workflow succeeds, your Adobe API Mesh instance will be created (if mis
 
 ---
 
-## Workflow Walkthrough (`deployMesh.yaml`)
+## Workflow Walkthrough (`deploy.yaml`)
 
 1. **Checkout & Node setup** – pulls repository code and provisions Node 20 on `ubuntu-latest`.
 2. **Branch-aware env mapping** – resolves GitHub secrets to runtime variables (`TARGET_ENV`, `CLIENTID`, etc.). Only `staging` and `production` are allowed to prevent accidental deployments from other branches.
@@ -90,7 +98,7 @@ Extend or reorder steps as needed (e.g., run linting/tests before deployment, se
 - **Multiple meshes** – add extra steps to iterate over multiple `mesh.json` files or parameterize the mesh name via `.env` values.
 - **Observability** – append steps that push deployment metadata to your logging/monitoring stack.
 
-When editing `deployMesh.yaml`, keep the secret-validation step up to date so failures happen quickly.
+When editing `deploy.yaml`, keep the secret-validation step up to date so failures happen quickly.
 
 ---