Deploy to staging environment #1006
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy to staging environment | |
| on: | |
| workflow_run: | |
| workflows: [ Run checks ] | |
| types: | |
| - completed | |
| branches: [ main ] # Redundant, workflow_run events are only triggered on default branch (`main`) | |
| permissions: | |
| contents: read | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
| environment: staging | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 2 | |
| # Looks like we need to install Terraform ourselves now! | |
| # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "^1.7.5" | |
| terraform_wrapper: false | |
| - name: Terraform init | |
| working-directory: terraform/staging | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} | |
| run: terraform init | |
| - name: Terraform apply | |
| working-directory: terraform/staging | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} | |
| TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} | |
| TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} | |
| run: terraform apply -auto-approve -input=false | |
| - uses: ./.github/actions/setup-project | |
| - name: Install application dependencies | |
| run: make bootstrap | |
| - name: Create requirements.txt | |
| run: poetry export --output requirements.txt | |
| - name: Deploy to cloud.gov | |
| uses: cloud-gov/cg-cli-tools@main | |
| env: | |
| DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} | |
| SECRET_KEY: ${{ secrets.SECRET_KEY }} | |
| ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} | |
| NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} | |
| NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
| NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
| LOGIN_DOT_GOV_REGISTRATION_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/set-up-your-profile&response_type=code&scope=openid+email&state=STATE" | |
| with: | |
| cf_username: ${{ secrets.CLOUDGOV_USERNAME }} | |
| cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} | |
| cf_org: gsa-tts-benefits-studio | |
| cf_space: notify-staging | |
| cf_command: >- | |
| push -f manifest.yml | |
| --vars-file deploy-config/staging.yml | |
| --var DANGEROUS_SALT="$DANGEROUS_SALT" | |
| --var SECRET_KEY="$SECRET_KEY" | |
| --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET" | |
| --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY" | |
| --var NOTIFY_E2E_TEST_EMAIL="$NOTIFY_E2E_TEST_EMAIL" | |
| --var NOTIFY_E2E_TEST_PASSWORD="$NOTIFY_E2E_TEST_PASSWORD" | |
| --var LOGIN_DOT_GOV_REGISTRATION_URL="$LOGIN_DOT_GOV_REGISTRATION_URL" | |
| --strategy rolling | |
| - name: Update templates | |
| uses: cloud-gov/cg-cli-tools@main | |
| env: | |
| DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} | |
| SECRET_KEY: ${{ secrets.SECRET_KEY }} | |
| ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} | |
| NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} | |
| NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
| NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
| LOGIN_DOT_GOV_REGISTRATION_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/set-up-your-profile&response_type=code&scope=openid+email&state=STATE" | |
| with: | |
| cf_username: ${{ secrets.CLOUDGOV_USERNAME }} | |
| cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} | |
| cf_org: gsa-tts-benefits-studio | |
| cf_space: notify-staging | |
| cf_command: >- | |
| run-task notify-api-staging --command "flask command update-templates" | |
| - name: Deploy egress proxy | |
| uses: ./.github/actions/deploy-proxy | |
| env: | |
| CF_USERNAME: ${{ secrets.CLOUDGOV_USERNAME }} | |
| CF_PASSWORD: ${{ secrets.CLOUDGOV_PASSWORD }} | |
| with: | |
| cf_org: gsa-tts-benefits-studio | |
| cf_space: notify-staging | |
| app: notify-api-staging | |
| bail: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event.workflow_run.conclusion == 'failure' }} | |
| steps: | |
| - uses: actions/github-script@v6 | |
| with: | |
| script: core.setFailed('Checks failed, not deploying') |