Jenkins UI Jobs

TL;DR — Scope: Jenkins pipelines that deploy frontends to S3 + CloudFront (not Kubernetes). Three Jenkinsfile templates cover the UI family: Jenkinsfile-UI (legacy, aws s3 sync), Jenkinsfile-UI-SST (modern React TS + Vite satellites, via SST/CDK), Jenkinsfile-UI-JP (UI variant with pnpm for the APAC/JP team). All share the same Parameter Store cascade, prod deploy queue integration, and remote QA triggering.

Scope: UI pipelines only

This page covers only Jenkins pipelines that target S3 + CloudFront. Backend pipelines (Jenkinsfile-K8S, Jenkinsfile-K8S-MIG, Jenkinsfile-K8S-SST) deploy to Kubernetes and live in jenkins-k8s-jobs.md.

Overview

CD for frontends is orchestrated by Jenkins (self-hosted — URL in databases-and-services.md). Each frontend repo has a multibranch Jenkins job whose Jenkinsfile is sourced from ops-manifest via the Remote Jenkinsfile Plugin (RJPP) — see ops-repos.md for the full Jenkinsfile catalog.

Unlike backend pipelines, UI pipelines do not use kops servers and do not run kubectl apply. They execute directly on Jenkins agents, assume-role into AWS, and upload artifacts to S3 / invalidate CloudFront (for UI and UI-JP) or invoke SST/CDK (for UI-SST).

Templates

Jenkinsfile-UI (legacy)

Used by legacy frontends that pre-date SST/CDK (e.g. vue-control-panel, securitize-id-fe). Build + deploy are scripted inline in the Jenkinsfile.

Build (default):

npm ci
npm run build

Deploy (default):

aws s3 sync ./build s3://$AWS_S3_BUCKET --no-progress --region us-east-2
aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*"

Per-job variants exist for cases that need extra S3 paths or a different build output folder:

| Job | Variation |
| --- | --- |
| ISR-vue-control-panel | Deploy uses ./dist instead of ./build |
| ATS-ats-web-app | Also syncs ./build to $AWS_S3_BUCKET/secondary-market/ |
| TA-accreditation-fe | Also syncs to $AWS_S3_BUCKET/accreditation |
| TA-distribution-settings-client | Also syncs to $AWS_S3_BUCKET/payouts |
| AO-stakedrop | Deploy uses ./dist |

Branches supported: dev, rc, master, apac.

Jenkinsfile-UI-SST

Used by modern React TypeScript MicroFrontends and standalone satellite apps (e.g. Stocks, Dealer, Uniswap built with Vite). Deploy is delegated to SST/CDK, which handles S3 + CloudFront.

Build (varies by team):

| Team | Commands |
| --- | --- |
| ATS, TA | npm ci, then cd infra && npm i && npx sst deploy |
| FR | npm ci, then cd infra && npm ci && npx sst deploy |
| CA | npm ci, then cd infra && npm i && npm run deploy |
| BC | npm ci, then npm run deploy |
| Default | npm ci, then npm run deploy |

SST is invoked with --stage ${ENVIRONMENT} and env vars AWS_STAGE=${ENVIRONMENT} + SST_STAGE=${ENVIRONMENT}. For prod, AWS_PROFILE=prod is injected.

MUI X Premium key

For SFS-admin-fe and SFS-investor-fe, the pipeline injects the mui-x-premium-key Jenkins credential as env var MUI_X_PREMIUM_KEY during the build.

Branches supported: dev, rc, master.

Jenkinsfile-UI-JP

Variant of Jenkinsfile-UI for the APAC / JP team, with pnpm support.

Build (JP team):

([ -f pnpm-lock.yaml ] && CI=true pnpm i --frozen-lockfile) || npm ci
([ -f pnpm-lock.yaml ] && pnpm run build) || npm run build

Otherwise identical to Jenkinsfile-UI (same aws s3 sync + CloudFront invalidation deploy, same branches: dev/rc/master/apac).
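The `(A && B) || C` form above also runs the npm command when pnpm-lock.yaml is present but the pnpm step itself fails. A fail-closed variant next to the page's idiom, as an added example that is not the pipeline's own code (the function names are hypothetical):

```shell
#!/bin/sh
# Added example: choose the package manager once, from the committed lockfile,
# and never fall through to the other one when a step fails.

# pick_pm DIR -> prints "pnpm" or "npm"; non-zero when no lockfile is committed.
pick_pm() {
  if [ -f "$1/pnpm-lock.yaml" ]; then echo pnpm
  elif [ -f "$1/package-lock.json" ]; then echo npm
  else echo "no lockfile in $1; refusing an unpinned install" >&2; return 1
  fi
}

# install_and_build DIR -> install + build with the selected manager only.
# The body runs in a subshell, so the cd does not leak into the caller.
install_and_build() (
  cd "$1" || exit 1
  pm=$(pick_pm .) || exit 1
  case "$pm" in
    pnpm) CI=true pnpm i --frozen-lockfile && pnpm run build ;;
    npm)  npm ci && npm run build ;;
  esac
)

# The two lines from the page, wrapped unchanged for comparison.
page_idiom() (
  cd "$1" || exit 1
  ([ -f pnpm-lock.yaml ] && CI=true pnpm i --frozen-lockfile) || npm ci
  ([ -f pnpm-lock.yaml ] && pnpm run build) || npm run build
)

# Usage in a pipeline step: install_and_build "$WORKSPACE"
```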

Branching strategy

| Branch | Default target env(s) | Per-team overrides |
| --- | --- | --- |
| dev | dev | |
| rc | rc | |
| master | sandbox, prod, apac (default) | ATS, FR, TA: sandbox, prod only. JP: sandbox, apac. INVT: sandbox, prod (only in UI / UI-JP). |
| apac (UI, UI-JP only) | apac | Specific JP jobs (e.g. JP-asset-funding-domain-investor-dashboard, JP-marui-domain-investor-dashboard, JP-did-st-sonybank-jp) target apac only on master. |

Region mapping:

  - apac env → ap-northeast-1
  - All others → us-east-2

Build flow (shared across templates)

All UI pipelines follow this sequence on the Jenkins agent:

  1. Initialize — read git commit info, post INPROGRESS status to Bitbucket.
  2. Fetch env vars from AWS Parameter Store (cascade, later entries override earlier):
     - /secrets/{env}/ops — DevOps globals for the environment.
     - /secrets/{env}/{team}/{service} — per-service env vars.
     - /secrets/global/ops — global secrets (e.g. SECURITIZE_READ_NPM_TOKEN).
  3. Detect Node version — per-team default, overridden by .nvmrc in the repo if it matches a version available on Jenkins.
  4. Build + Deploy — commands vary per template (see above).
  5. Post deploy status (SUCCESSFUL or FAILED) back to Bitbucket.
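The Parameter Store cascade applies its three paths in the listed order, so /secrets/global/ops is merged last and wins over a per-service key of the same name. The sketch below is an added example, not the pipeline's own code: it merges the layers and lists which keys are shadowed, assuming each layer has been exported to a file of KEY=VALUE lines (the function names, file names and sample values are constructed).

```shell
#!/bin/sh
# Added example: Parameter Store cascade merge. Each layer is assumed to be
# exported as KEY=VALUE lines; that export format is an assumption.

# merge_layers FILE... -> effective KEY=VALUE set, later files win.
# Output contains secret values: write it to a protected file, not the build log.
merge_layers() {
  awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    { eq = index($0, "="); if (eq < 2) next       # ignore lines without KEY=
      val[substr($0, 1, eq - 1)] = substr($0, eq + 1) }   # value may contain "="
    END { for (k in val) print k "=" val[k] }
  ' "$@" | LC_ALL=C sort
}

# shadowed_keys FILE... -> "KEY earlier -> later" per override; names only, no values.
shadowed_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }
    { eq = index($0, "="); if (eq < 2) next
      key = substr($0, 1, eq - 1)
      if ((key in src) && src[key] != FILENAME) print key, src[key], "->", FILENAME
      src[key] = FILENAME }
  ' "$@"
}

# write_sample_layers DIR -> constructed sample data, one file per cascade level.
write_sample_layers() {
  printf '%s\n' 'AWS_REGION=us-east-2' 'LOG_LEVEL=info' > "$1/1-env-ops"
  printf '%s\n' 'LOG_LEVEL=debug' 'API_URL=https://api.example.test/?v=1' > "$1/2-service"
  printf '%s\n' 'SECURITIZE_READ_NPM_TOKEN=constructed-value' 'LOG_LEVEL=warn' > "$1/3-global-ops"
}
```

Pass the files in cascade order; `shadowed_keys` is safe to print in a build log because it emits key names and layer names only.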

Prod deploy queue integration (master branch)

When the master branch builds, deploys to sandbox / prod / apac go through the OPS-prod-deploy-queue mechanism (same queue as backend services — see ops-repos.md).

Per-commit state machine in the queue JSON:

queue  →  deploy  →  synced

Flow:

  1. On master push, a JSON entry is created in ops-deployments/master/{TEAM_TAG}/{JOB_NAME}.json with one state per target env.
  2. sandbox starts in deploy state; the pipeline deploys it immediately.
  3. If the team has a QA suite (see next section), QA runs on sandbox and the results are written back to the queue JSON.
  4. After sandbox QA passes (or if no QA is configured), the operator (or a deploy-queue pipeline) promotes prod / apac to deploy.
  5. On a subsequent master run for the same commit, the pipeline picks up those deploy states and pushes to the remaining envs.

If the commit is already synced to sandbox and someone re-runs the pipeline, an interactive input prompts the operator to confirm re-deploy (3-minute timeout).

QA integration (remote trigger)

After deploying to rc, sandbox, or prod, the pipeline triggers remote QA jobs on the jenkins-qa instance via triggerRemoteJob. Each team has its own Sanity Suite(s):

| Team | QA suites triggered |
| --- | --- |
| ATS | AUT421_ATS_SanitySuite_API, AUT414_ATS_SanitySuite |
| BC | AUT425_ST_SanitySuite_API, AUT417_ST_SanitySuite |
| CA | AUT427_CA_SanitySuite_API, AUT419_CA_SanitySuite |
| FR | AUT422_FT_SanitySuite_API, AUT415_FT_SanitySuite |
| INVT | AUT424_SID_SanitySuite_API, AUT412_SID_SanitySuite |
| ISR | AUT423_ISR_SanitySuite_API, AUT416_ISR_SanitySuite |
| JP | AUT650_JP_SanitySuite |
| TA | AUT426_TA_SanitySuite_API, AUT418_TA_SanitySuite |

QA results (PASS / FAIL / SUPERSEDED) are:

  - Reported back to Bitbucket as commit statuses.
  - Appended to currentBuild.description with a link to the QA job.
  - For sandbox only: written to the deploy queue JSON (qa_tests field).

A FAIL on any QA job fails the pipeline stage (marks build as UNSTABLE).

Changing env vars per environment

See frontend-architecture.md → Changing configs per environment. That page is the SSOT for both modern (SST infra/.env.<env>) and legacy (Parameter Store via OPS-aws-update-secrets / OPS-aws-update-secrets-prod) flows, including the discriminator that decides which path applies.

Tags

#cd #jenkins #deploy #frontend #ui #sst #s3 #cloudfront #pnpm