Fix coverage link, streamline env vars in CI

.env

@@ -0,0 +1,17 @@
+# These variables are overridden in CI with GitHub Action variables if triggered from pull-request or push; 
+# Locally, fallback to the current local git status
+BRANCH="$(git branch --show-current)"
+COMMIT_SHA="$(git rev-parse HEAD)"
+
+# Read the CesiumJS version from package.json
+CESIUM_VERSION=$(npm pkg get version | tr -d '"')
+
+# Build artifact configuration
+BUILD_ARTIFACT_PATH="cesium/${BRANCH}"
+BUILD_ARTIFACT_BUCKET="s3://cesium-public-builds/${BUILD_ARTIFACT_PATH}"
+BUILD_ARTIFACT_URL="https://ci-builds.cesium.com/${BUILD_ARTIFACT_PATH}"
+
+INDEX_URL="${BUILD_ARTIFACT_URL}/index.html"
+ZIP_URL="${BUILD_ARTIFACT_URL}/Cesium-${CESIUM_VERSION}.zip"
+NPM_URL="${BUILD_ARTIFACT_URL}/cesium-${CESIUM_VERSION}.tgz"
+COVERAGE_URL="${BUILD_ARTIFACT_URL}/Build/Coverage/index.html"

.github/workflows/.env.pull_request

@@ -0,0 +1,2 @@
+BRANCH="$(jq -r .pull_request.head.ref ${GITHUB_EVENT_PATH})"
+COMMIT_SHA="$(jq -r .pull_request.head.sha ${GITHUB_EVENT_PATH})"

.github/workflows/.env.push

@@ -0,0 +1,2 @@
+BRANCH=${GITHUB_REF_NAME}
+COMMIT_SHA=${GITHUB_SHA}

.github/workflows/coverage.yml

@@ -0,0 +1,45 @@
+name: coverage
+on: 
+  pull_request:
+concurrency:
+  group: coverage-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: us-east-1
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      statuses: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+      - name: install node 22
+        uses: actions/setup-node@v5
+        with:
+          node-version: "22"
+      - name: npm install
+        run: npm install
+      - name: set status pending
+        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.pull_request -- \
+          node ./scripts/setCommitStatus.js coverage pending
+      - name: build
+        run: npm run build
+      - name: coverage (firefox)
+        run: npm run coverage -- --browsers FirefoxHeadless --webgl-stub --failTaskOnError --suppressPassed
+      - name: upload coverage artifacts
+        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.pull_request -f .env \
+          -- sh -c \
+          'aws s3 sync ./Build/Coverage $BUILD_ARTIFACT_BUCKET/Build/Coverage --delete'
+      - name: set status success
+        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.pull_request -- \
+          node ./scripts/setCommitStatus.js coverage ${{ job.status }}

.github/workflows/deploy.yml

@@ -2,7 +2,7 @@ name: deploy
 on:
   push:
     branches-ignore:
-      - 'cesium.com'
+      - "cesium.com"
       - production
 concurrency:
   group: deploy-${{ github.ref }}
@@ -14,26 +14,31 @@ jobs:
       statuses: write
       contents: read
     env:
-      BUILD_VERSION: ${{ github.ref_name }}.${{ github.run_number }}
       AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
       AWS_REGION: us-east-1
-      BRANCH: ${{ github.ref_name }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GITHUB_REPO: ${{ github.repository }}
-      GITHUB_SHA: ${{ github.sha }}
       BASE_URL: /cesium/${{ github.ref_name }}/
-      DEPLOYED_URL: https://ci-builds.cesium.com/cesium/${{ github.ref_name }}/
     steps:
       - uses: actions/checkout@v5
       - name: install node 22
         uses: actions/setup-node@v5
         with:
-          node-version: '22'
+          node-version: "22"
       - name: npm install
         run: npm install
-      - name: set the version in package.json
-        run: npm run deploy-set-version -- --buildVersion $BUILD_VERSION
+      - name: set version in package.json
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.push \
+          -- sh -c \
+          'npm version prerelease --preid $BRANCH --ws --include-workspace-root --no-git-tag-version'
+      - name: set status pending
+        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.push -- \
+          node ./scripts/setCommitStatus.js zip pending && \
+          node ./scripts/setCommitStatus.js npm pending && \
+          node ./scripts/setCommitStatus.js index pending
       - name: create release zip
         run: npm run make-zip
       - name: package cesium module
@@ -48,7 +53,9 @@ jobs:
       - name: deploy to s3
         if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
         run: |
-          aws s3 sync . s3://cesium-public-builds/cesium/$BRANCH/ \
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.push -f .env \
+          -- sh -c \
+          'aws s3 sync . $BUILD_ARTIFACT_BUCKET \
           --cache-control "no-cache" \
           --exclude ".git/*" \
           --exclude ".github/*" \
@@ -61,7 +68,11 @@ jobs:
           --exclude "node_modules/*" \
           --exclude "scripts/*" \
           --exclude "Tools/*" \
-          --delete
-      - name: set status
+          --delete'
+      - name: set status success
         if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
-        run: npm run deploy-status -- --status success --message Deployed
+        run: |
+          npx @dotenvx/dotenvx run -f ./.github/workflows/.env.push -- \
+          node ./scripts/setCommitStatus.js zip ${{ job.status }} && \
+          node ./scripts/setCommitStatus.js npm ${{ job.status }} && \
+          node ./scripts/setCommitStatus.js index ${{ job.status }}

.github/workflows/dev.yml

@@ -15,7 +15,7 @@ jobs:
       - name: install node 22
         uses: actions/setup-node@v5
         with:
-          node-version: '22'
+          node-version: "22"
       - name: npm install
         run: npm install
       - name: lint *.js
@@ -24,36 +24,14 @@ jobs:
         run: npm run markdownlint
       - name: format code
         run: npm run prettier-check
-  coverage:
-    runs-on: ubuntu-latest
-    env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
-      AWS_REGION: us-east-1
-      BRANCH: ${{ github.ref_name }}
-    steps:
-      - uses: actions/checkout@v5
-      - name: install node 22
-        uses: actions/setup-node@v5
-        with:
-          node-version: '22'
-      - name: npm install
-        run: npm install
-      - name: build
-        run: npm run build
-      - name: coverage (firefox)
-        run: npm run coverage -- --browsers FirefoxHeadless --webgl-stub --failTaskOnError --suppressPassed
-      - name: upload coverage artifacts
-        if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
-        run: aws s3 sync ./Build/Coverage s3://cesium-public-builds/cesium/$BRANCH/Build/Coverage --delete --color on
   release-tests:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
       - name: install node 22
         uses: actions/setup-node@v5
         with:
-          node-version: '22'
+          node-version: "22"
       - name: npm install
         run: npm install
       - name: release build
@@ -69,7 +47,7 @@ jobs:
       - name: install node 20
         uses: actions/setup-node@v5
         with:
-          node-version: '20'
+          node-version: "20"
       - name: npm install
         run: npm install
       - name: release build

.github/workflows/prod.yml

@@ -29,7 +29,6 @@ jobs:
       AWS_REGION: us-east-1
       BRANCH: ${{ github.ref_name }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GITHUB_REPO: ${{ github.repository }}
       GITHUB_SHA: ${{ github.sha }}
     steps:
       - uses: actions/checkout@v5

.github/workflows/sandcastle-dev.yml

@@ -13,7 +13,6 @@ jobs:
       AWS_REGION: us-east-1
       BRANCH: ${{ github.ref_name }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GITHUB_REPO: ${{ github.repository }}
       GITHUB_SHA: ${{ github.sha }}
     steps:
       - uses: actions/checkout@v5

Documentation/Contributors/BuildGuide/README.md

@@ -153,6 +153,3 @@ Here's the full set of scripts and what they do.
   - `test-webgl-stub` - Runs all tests using the WebGL stub, which WebGL calls a noop and ignores related test expectations
   - `test-webgl-validation` - Runs all tests with Karma and enables low-level WebGL validation
   - `test-release` - Runs all tests on the minified release version of built Cesium
-- **Deployment scripts**
-  - `deploy-status` - Sets the deployment statuses in GitHub, for use in CI
-  - `deploy-set-version` - Sets the version of `package.json`, for use in CI

Documentation/Contributors/ContinuousIntegration/README.md

@@ -2,8 +2,9 @@
 
 - [Background](#background)
 - [Actions and workflows](#actions-and-workflows)
+  - [Environment variables](#environment-variables)
 - [Continuous deployment](#continuous-deployment)
-- [Configuration](#configuration)
+- [Configuration guide](#configuration-guide)
   - [Configure a different S3 bucket](#configure-a-different-s3-bucket)
   - [Configure S3 credentials](#configure-s3-credentials)
 
@@ -18,51 +19,52 @@ CesiumJS uses [GitHub Actions](https://docs.github.com/en/actions) for continuou
 
 Reusable actions are defined in `/.github/actions/` and workflows in `.github/workflows/`.
 
-A workflow is triggered whenever someone pushes code to the CesiumJS repository, or an external contributor opens a pull request. After the build has completed, at the bottom of the pull request page the status of the build is shown. In the dropdown menu, individual checks are displayed. Logs and deployed artifacts can be accessed by clicking the "Details" link.
+Workflows are triggered when a commit is pushed to the `cesium` repository and when a contributor opens or updates a pull request. After the build has completed, the overall status of the build is shown at the bottom of the pull request page.
+
+In the dropdown menu, individual status checks are displayed. Logs and deployed build artifacts can be accessed by clicking the link associated with the individual check.
 
 ![GitHub Action Checks](github_action_checks.png)
 
-The workflow checks for any CesiumJS branch are accessible under the [Branches](https://github.com/CesiumGS/cesium/branches/all) page by clicking the icon next to the branch name.
+The status checks for any branch are also accessible under the [Branches](https://github.com/CesiumGS/cesium/branches/all) page by clicking the icon next to the branch name.
 
 ![GitHub Branches](github_branches.png)
 
-## Continuous deployment
+### Environment variables
 
-Automated deployments make recent code changes available for testing and review without needing to fetch and build locally. We deploy each of the following on a per-branch basis.
+Any non-secret environment variables for CI and CD are managed using `.env` files and [dotenvx](https://github.com/dotenvx/dotenvx).
 
-| Artifact         | Link (`main` branch)                                                                                                                                                       |
-| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Sandcastle       | [`https://ci-builds.cesium.com/cesium/main/Apps/Sandcastle/index.html`](https://ci-builds.cesium.com/cesium/main/Apps/Sandcastle/index.html)                               |
-| Documentation    | [`https://ci-builds.cesium.com/cesium/main/Build/Documentation/index.html`](https://ci-builds.cesium.com/cesium/main/Build/Documentation/index.html)                       |
-| Coverage results | [`https://ci-builds.cesium.com/cesium/main/Build/Coverage/index.html`](https://ci-builds.cesium.com/cesium/main/Build/Coverage/index.html)                                 |
-| Release zip      | [`https://ci-builds.cesium.com/cesium/main/<github-ref-name>.<github-run-number>.zip`](https://ci-builds.cesium.com/cesium/main/<github-ref-name>.<github-run-number>.zip) |
-| npm package      | [`https://ci-builds.cesium.com/cesium/main/<github-ref-name>.<github-run-number>.tgz`](https://ci-builds.cesium.com/cesium/main/<github-ref-name>.<github-run-number>.tgz) |
+- **Local dev**: `.env` is checked in at the repository root and provides defaults constant values and local fallbacks.
+  - To run a script or command with these variables configured locally, use `npx @dotenvx/dotenvx run -- <COMMAND>`, e.g., `npx @dotenvx/dotenvx run -- node ./scripts/setCommitStatus.js`.
+  - To expand a variable directly in a command, use a subshell command, e.g., `npx @dotenvx/dotenvx run -- sh -c 'echo "${BRANCH}"'`.
+- **GitHub Actions workflow - `push` trigger**: `.github/workflows/.env.push`
+- **GitHub Actions workflow - `pull_request` trigger**: `.github/workflows/.env.pull_request`
 
-## Configuration
+## Continuous deployment
 
-Additional set up is required for deployment if you do not have commit access to CesiumJS.
+Automated deployments make recent code changes available for convenient testing and review—No need to fetch or build locally. In the `cesium` repository, all continuous deployment artifacts are uploaded for commits authored by users with commit access.
 
-### Configure a different S3 bucket
+Each of the following are deployed on a per-branch basis.
 
-It is possible to configure your development branch of CesiumJS to deploy build artifacts to a different [AWS S3 Bucket](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html). If you are using the cesium-public-builds bucket and have valid credentials, skip to [Configure S3 Credentials](#configure-s3-credentials)
+| Artifact         | Link pattern (`main`)                                                                                                                                                                                                                      |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Sandcastle       | `https://ci-builds.cesium.com/cesium/<BRANCH>/Apps/Sandcastle/index.html` (i.e., [`https://ci-builds.cesium.com/cesium/main/Apps/Sandcastle/index.html`](https://ci-builds.cesium.com/cesium/main/Apps/Sandcastle/index.html))             |
+| Documentation    | `https://ci-builds.cesium.com/cesium/<BRANCH>/Build/Documentation/index.html` (i.e., [`https://ci-builds.cesium.com/cesium/main/Build/Documentation/index.html`](https://ci-builds.cesium.com/cesium/main/Build/Documentation/index.html)) |
+| Coverage results | `https://ci-builds.cesium.com/cesium/<BRANCH>/Build/Coverage/index.html` (i.e., [`https://ci-builds.cesium.com/cesium/main/Build/Coverage/index.html`](https://ci-builds.cesium.com/cesium/main/Build/Coverage/index.html))                |
+| Release zip      | `https://ci-builds.cesium.com/cesium/<BRANCH>/Cesium-<VERSION>-<BRANCH>.0.zip` (i.e., [`https://ci-builds.cesium.com/cesium/main/Cesium-1.X.X-main.0.zip`](https://ci-builds.cesium.com/cesium/main/Cesium-1.X.X-main.0.zip))              |
+| npm package      | `https://ci-builds.cesium.com/cesium/<BRANCH>/cesium-<VERSION>-<BRANCH>.0.tgz` (i.e., [`https://ci-builds.cesium.com/cesium/main/cesium-1.X.X-main.0.tgz`](https://ci-builds.cesium.com/cesium/main/cesium-1.X.X-main.0.tgz))              |
 
-- In `.gtihub/workflows/dev.yml`, in the following lines, replace "cesium-public-builds" with the name of your S3 bucket.
+## Configuration guide
 
-```sh
-aws s3 sync ./Build/Coverage s3://cesium-public-builds/cesium/$BRANCH/Build/Coverage --delete --color on
-```
+Additional set up is required for deployment _only_ if you do not have commit access to CesiumJS.
 
-```sh
-aws s3 sync Build/unzipped/ s3://cesium-public-builds/cesium/$BRANCH/Build/ --cache-control "no-cache" --delete
-```
+### Configure a different S3 bucket
 
-- In `gulpfile.js`, edit the following line:
+It is possible to configure your development branch of CesiumJS to deploy build artifacts to a different [AWS S3 Bucket](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html). If you are using the default "cesium-public-builds" bucket and have valid credentials, skip to [Configure S3 Credentials](#configure-s3-credentials)
 
-```javascript
-const devDeployUrl = "https://ci-builds.cesium.com/cesium/";
-```
+In the environment file `.env`, update the following values:
 
-- Edit the URL to match the URL hosting the S3 bucket specified in the previous step.
+- Replace the value of `BUILD_ARTIFACT_BUCKET` with the name of the target S3 bucket.
+- Replace the value of `BUILD_ARTIFACT_URL` with the public URL correspondeding to the target S3 bucket.
 
 ### Configure S3 credentials