Deploy to staging environment #307
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy to staging environment | |
| on: | |
| workflow_run: | |
| workflows: [Run checks] | |
| types: | |
| - completed | |
| branches: [main] # Redundant, workflow_run events are only triggered on default branch (`main`) | |
| permissions: | |
| contents: read | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
| environment: staging | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 2 | |
| - name: Check for changes to Terraform | |
| id: changed-terraform-files | |
| uses: tj-actions/[email protected] | |
| with: | |
| files: | | |
| terraform/staging | |
| terraform/shared | |
| .github/workflows/deploy.yml | |
| - name: Terraform init | |
| if: steps.changed-terraform-files.outputs.any_changed == 'true' | |
| working-directory: terraform/staging | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} | |
| run: terraform init | |
| - name: Terraform apply | |
| if: steps.changed-terraform-files.outputs.any_changed == 'true' | |
| working-directory: terraform/staging | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} | |
| TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} | |
| TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} | |
| run: terraform apply -auto-approve -input=false | |
| - uses: ./.github/actions/setup-project | |
| - name: Create requirements.txt | |
| run: poetry export --without-hashes --format=requirements.txt > requirements.txt | |
| - name: Deploy to cloud.gov | |
| uses: 18f/cg-deploy-action@main | |
| env: | |
| DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} | |
| SECRET_KEY: ${{ secrets.SECRET_KEY }} | |
| ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} | |
| NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} | |
| NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }} | |
| with: | |
| cf_username: ${{ secrets.CLOUDGOV_USERNAME }} | |
| cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} | |
| cf_org: gsa-tts-benefits-studio | |
| cf_space: notify-staging | |
| push_arguments: >- | |
| --vars-file deploy-config/staging.yml | |
| --var DANGEROUS_SALT="$DANGEROUS_SALT" | |
| --var SECRET_KEY="$SECRET_KEY" | |
| --var ADMIN_CLIENT_USERNAME="notify-admin" | |
| --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET" | |
| --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY" | |
| --var NR_BROWSER_KEY="$NR_BROWSER_KEY" | |
| - name: Check for changes to egress config | |
| id: changed-egress-config | |
| uses: tj-actions/changed-files@v34 | |
| with: | |
| files: | | |
| deploy-config/egress_proxy/notify-admin-staging.*.acl | |
| .github/actions/deploy-proxy/action.yml | |
| .github/workflows/deploy.yml | |
| - name: Deploy egress proxy | |
| if: steps.changed-egress-config.outputs.any_changed == 'true' | |
| uses: ./.github/actions/deploy-proxy | |
| with: | |
| cf_space: notify-staging | |
| app: notify-admin-staging | |
| bail: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event.workflow_run.conclusion == 'failure' }} | |
| steps: | |
| - uses: actions/github-script@v6 | |
| with: | |
| script: core.setFailed('Checks failed, not deploying') |