Merge pull request #1280 from GSA/main #38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy to demo environment | |
| on: | |
| push: | |
| branches: [ production ] | |
| permissions: | |
| contents: read | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| environment: demo | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 2 | |
| - name: Check for changes to Terraform | |
| id: changed-terraform-files | |
| uses: tj-actions/[email protected] | |
| with: | |
| files: | | |
| terraform/demo | |
| terraform/shared | |
| .github/workflows/deploy-demo.yml | |
| - name: Terraform init | |
| if: steps.changed-terraform-files.outputs.any_changed == 'true' | |
| working-directory: terraform/demo | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} | |
| run: terraform init | |
| - name: Terraform apply | |
| if: steps.changed-terraform-files.outputs.any_changed == 'true' | |
| working-directory: terraform/demo | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} | |
| TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} | |
| TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} | |
| run: terraform apply -auto-approve -input=false | |
| - uses: ./.github/actions/setup-project | |
| - name: Create requirements.txt | |
| run: poetry export --without-hashes --format=requirements.txt > requirements.txt | |
| - name: Deploy to cloud.gov | |
| uses: 18f/cg-deploy-action@main | |
| env: | |
| DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} | |
| SECRET_KEY: ${{ secrets.SECRET_KEY }} | |
| ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} | |
| NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} | |
| NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }} | |
| LOGIN_PEM: ${{ secrets.LOGIN_PEM }} | |
| LOGIN_DOT_GOV_CLIENT_ID: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov" | |
| LOGIN_DOT_GOV_USER_INFO_URL: "https://secure.login.gov/api/openid_connect/userinfo" | |
| LOGIN_DOT_GOV_ACCESS_TOKEN_URL: "https://secure.login.gov/api/openid_connect/token" | |
| LOGIN_DOT_GOV_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://notify-demo.app.cloud.gov/sign-out" | |
| LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?" | |
| LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://notify-demo.app.cloud.gov/sign-out" | |
| LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=01234567890123456789012345&prompt=select_account&redirect_uri=https://notify-demo.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=abcdefghijklmnopabcdefghijklmnop" | |
| with: | |
| cf_username: ${{ secrets.CLOUDGOV_USERNAME }} | |
| cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} | |
| cf_org: gsa-tts-benefits-studio | |
| cf_space: notify-demo | |
| push_arguments: >- | |
| --vars-file deploy-config/demo.yml | |
| --var DANGEROUS_SALT="$DANGEROUS_SALT" | |
| --var SECRET_KEY="$SECRET_KEY" | |
| --var ADMIN_CLIENT_USERNAME="notify-admin" | |
| --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET" | |
| --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY" | |
| --var NR_BROWSER_KEY="$NR_BROWSER_KEY" | |
| --var LOGIN_PEM="$LOGIN_PEM" | |
| --var LOGIN_DOT_GOV_CLIENT_ID="$LOGIN_DOT_GOV_CLIENT_ID" | |
| --var LOGIN_DOT_GOV_USER_INFO_URL="$LOGIN_DOT_GOV_USER_INFO_URL" | |
| --var LOGIN_DOT_GOV_ACCESS_TOKEN_URL="$LOGIN_DOT_GOV_ACCESS_TOKEN_URL" | |
| --var LOGIN_DOT_GOV_LOGOUT_URL="$LOGIN_DOT_GOV_LOGOUT_URL" | |
| --var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL" | |
| --var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT" | |
| --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL" | |
| - name: Check for changes to egress config | |
| id: changed-egress-config | |
| uses: tj-actions/[email protected] | |
| with: | |
| files: | | |
| deploy-config/egress_proxy/notify-admin-demo.*.acl | |
| .github/actions/deploy-proxy/action.yml | |
| .github/workflows/deploy-demo.yml | |
| - name: Deploy egress proxy | |
| if: steps.changed-egress-config.outputs.any_changed == 'true' | |
| uses: ./.github/actions/deploy-proxy | |
| with: | |
| cf_space: notify-demo | |
| app: notify-admin-demo |