Added API_PUBLIC_URL to GitHub Secrets and updated deploy workflows with new API_PUBLIC_URL

2025-12-10 15:13:40 -05:00 · 2025-05-19 17:22:28 -07:00
parent 3c1574d070
commit bc2738a97a
3 changed files with 106 additions and 102 deletions
--- a/.github/workflows/deploy-demo.yml
+++ b/.github/workflows/deploy-demo.yml
@@ -2,7 +2,7 @@ name: Deploy to demo environment

 on:
  push:
-    branches: [ production ]
+    branches: [production]

 permissions:
  contents: read
@@ -21,7 +21,7 @@ jobs:
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
-          terraform_version: "^1.7.5"
+          terraform_version: '^1.7.5'
          terraform_wrapper: false

      - name: Terraform init
@@ -50,19 +50,20 @@ jobs:
          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
          SECRET_KEY: ${{ secrets.SECRET_KEY }}
          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
-          ADMIN_CLIENT_USERNAME: "notify-admin"
+          ADMIN_CLIENT_USERNAME: 'notify-admin'
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
          COMMIT_HASH: ${{ github.sha }}
          LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
-          LOGIN_DOT_GOV_CLIENT_ID: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov"
-          LOGIN_DOT_GOV_USER_INFO_URL: "https://secure.login.gov/api/openid_connect/userinfo"
-          LOGIN_DOT_GOV_ACCESS_TOKEN_URL: "https://secure.login.gov/api/openid_connect/token"
-          LOGIN_DOT_GOV_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://notify-demo.app.cloud.gov/sign-out"
-          LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
-          LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://notify-demo.app.cloud.gov/sign-out"
-          LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-demo.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
-          LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
+          LOGIN_DOT_GOV_CLIENT_ID: 'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov'
+          LOGIN_DOT_GOV_USER_INFO_URL: 'https://secure.login.gov/api/openid_connect/userinfo'
+          LOGIN_DOT_GOV_ACCESS_TOKEN_URL: 'https://secure.login.gov/api/openid_connect/token'
+          LOGIN_DOT_GOV_LOGOUT_URL: 'https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://notify-demo.app.cloud.gov/sign-out'
+          LOGIN_DOT_GOV_BASE_LOGOUT_URL: 'https://secure.login.gov/openid_connect/logout?'
+          LOGIN_DOT_GOV_SIGNOUT_REDIRECT: 'https://notify-demo.app.cloud.gov/sign-out'
+          LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: 'https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-demo.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATE'
+          LOGIN_DOT_GOV_CERTS_URL: 'https://secure.login.gov/api/openid_connect/certs'
+          API_PUBLIC_URL: ${{ secrets.API_PUBLIC_URL }}
        with:
          cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
          cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -87,6 +88,7 @@ jobs:
            --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
            --var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
            --var LOGIN_PEM="$LOGIN_PEM"
+            --var API_PUBLIC_URL="$API_PUBLIC_URL"
            --strategy rolling

      - name: Deploy egress proxy
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -2,7 +2,7 @@ name: Deploy to production environment

 on:
  push:
-    branches: [ production ]
+    branches: [production]

 permissions:
  contents: read
@@ -21,7 +21,7 @@ jobs:
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
-          terraform_version: "^1.7.5"
+          terraform_version: '^1.7.5'
          terraform_wrapper: false

      - name: Terraform init
@@ -50,19 +50,20 @@ jobs:
          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
          SECRET_KEY: ${{ secrets.SECRET_KEY }}
          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
-          ADMIN_CLIENT_USERNAME: "notify-admin"
+          ADMIN_CLIENT_USERNAME: 'notify-admin'
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
          COMMIT_HASH: ${{ github.sha }}
          LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
-          LOGIN_DOT_GOV_CLIENT_ID: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov"
-          LOGIN_DOT_GOV_USER_INFO_URL: "https://secure.login.gov/api/openid_connect/userinfo"
-          LOGIN_DOT_GOV_ACCESS_TOKEN_URL: "https://secure.login.gov/api/openid_connect/token"
-          LOGIN_DOT_GOV_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://beta.notify.gov/sign-out"
-          LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
-          LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://beta.notify.gov/sign-out"
-          LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://beta.notify.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
-          LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
+          LOGIN_DOT_GOV_CLIENT_ID: 'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov'
+          LOGIN_DOT_GOV_USER_INFO_URL: 'https://secure.login.gov/api/openid_connect/userinfo'
+          LOGIN_DOT_GOV_ACCESS_TOKEN_URL: 'https://secure.login.gov/api/openid_connect/token'
+          LOGIN_DOT_GOV_LOGOUT_URL: 'https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://beta.notify.gov/sign-out'
+          LOGIN_DOT_GOV_BASE_LOGOUT_URL: 'https://secure.login.gov/openid_connect/logout?'
+          LOGIN_DOT_GOV_SIGNOUT_REDIRECT: 'https://beta.notify.gov/sign-out'
+          LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: 'https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://beta.notify.gov/sign-in&response_type=code&scope=openid+email&state=STATE'
+          LOGIN_DOT_GOV_CERTS_URL: 'https://secure.login.gov/api/openid_connect/certs'
+          API_PUBLIC_URL: ${{ secrets.API_PUBLIC_URL }}
        with:
          cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
          cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -87,6 +88,7 @@ jobs:
            --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
            --var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
            --var LOGIN_PEM="$LOGIN_PEM"
+            --var API_PUBLIC_URL="$API_PUBLIC_URL"
            --strategy rolling

      - name: Deploy egress proxy
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,94 +17,94 @@ jobs:

    environment: staging
    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 2
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2

-    # Looks like we need to install Terraform ourselves now!
-    # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
-    - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v3
-      with:
-        terraform_version: "^1.7.5"
-        terraform_wrapper: false
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: '^1.7.5'
+          terraform_wrapper: false

-    - name: Terraform init
-      working-directory: terraform/staging
-      env:
-        AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-      run: terraform init
-    - name: Terraform apply
-      working-directory: terraform/staging
-      env:
-        AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-        TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
-        TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-      run: terraform apply -auto-approve -input=false
+      - name: Terraform init
+        working-directory: terraform/staging
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+        run: terraform init
+      - name: Terraform apply
+        working-directory: terraform/staging
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+        run: terraform apply -auto-approve -input=false

-    - uses: ./.github/actions/setup-project
+      - uses: ./.github/actions/setup-project

-    - name: Create requirements.txt
-      run: poetry export --without-hashes --format=requirements.txt > requirements.txt
+      - name: Create requirements.txt
+        run: poetry export --without-hashes --format=requirements.txt > requirements.txt

+      - name: Deploy to cloud.gov
+        uses: cloud-gov/cg-cli-tools@main
+        env:
+          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
+          ADMIN_CLIENT_USERNAME: 'notify-admin'
+          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
+          NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
+          COMMIT_HASH: ${{ github.sha }}
+          LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
+          LOGIN_DOT_GOV_CLIENT_ID: 'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov'
+          LOGIN_DOT_GOV_USER_INFO_URL: 'https://secure.login.gov/api/openid_connect/userinfo'
+          LOGIN_DOT_GOV_ACCESS_TOKEN_URL: 'https://secure.login.gov/api/openid_connect/token'
+          LOGIN_DOT_GOV_LOGOUT_URL: 'https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://notify-staging.app.cloud.gov/sign-out'
+          LOGIN_DOT_GOV_BASE_LOGOUT_URL: 'https://secure.login.gov/openid_connect/logout?'
+          LOGIN_DOT_GOV_SIGNOUT_REDIRECT: 'https://notify-staging.app.cloud.gov/sign-out'
+          LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: 'https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATE'
+          LOGIN_DOT_GOV_CERTS_URL: 'https://secure.login.gov/api/openid_connect/certs'
+          API_PUBLIC_URL: ${{ secrets.API_PUBLIC_URL }}
+        with:
+          cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
+          cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+          cf_org: gsa-tts-benefits-studio
+          cf_space: notify-staging
+          cf_command: >-
+            push -f manifest.yml
+            --vars-file deploy-config/staging.yml
+            --var DANGEROUS_SALT="$DANGEROUS_SALT"
+            --var SECRET_KEY="$SECRET_KEY"
+            --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
+            --var ADMIN_CLIENT_USERNAME="$ADMIN_CLIENT_USERNAME"
+            --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
+            --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
+            --var COMMIT_HASH="$COMMIT_HASH"
+            --var LOGIN_DOT_GOV_CLIENT_ID="$LOGIN_DOT_GOV_CLIENT_ID"
+            --var LOGIN_DOT_GOV_USER_INFO_URL="$LOGIN_DOT_GOV_USER_INFO_URL"
+            --var LOGIN_DOT_GOV_ACCESS_TOKEN_URL="$LOGIN_DOT_GOV_ACCESS_TOKEN_URL"
+            --var LOGIN_DOT_GOV_LOGOUT_URL="$LOGIN_DOT_GOV_LOGOUT_URL"
+            --var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL"
+            --var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT"
+            --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
+            --var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
+            --var LOGIN_PEM="$LOGIN_PEM"
+            --var API_PUBLIC_URL="$API_PUBLIC_URL"
+            --strategy rolling

-    - name: Deploy to cloud.gov
-      uses: cloud-gov/cg-cli-tools@main
-      env:
-        DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
-        SECRET_KEY: ${{ secrets.SECRET_KEY }}
-        ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
-        ADMIN_CLIENT_USERNAME: "notify-admin"
-        NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
-        NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
-        COMMIT_HASH: ${{ github.sha }}
-        LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
-        LOGIN_DOT_GOV_CLIENT_ID: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov"
-        LOGIN_DOT_GOV_USER_INFO_URL: "https://secure.login.gov/api/openid_connect/userinfo"
-        LOGIN_DOT_GOV_ACCESS_TOKEN_URL: "https://secure.login.gov/api/openid_connect/token"
-        LOGIN_DOT_GOV_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://notify-staging.app.cloud.gov/sign-out"
-        LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
-        LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://notify-staging.app.cloud.gov/sign-out"
-        LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
-        LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
-      with:
-        cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
-        cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-        cf_org: gsa-tts-benefits-studio
-        cf_space: notify-staging
-        cf_command: >-
-          push -f manifest.yml
-          --vars-file deploy-config/staging.yml
-          --var DANGEROUS_SALT="$DANGEROUS_SALT"
-          --var SECRET_KEY="$SECRET_KEY"
-          --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
-          --var ADMIN_CLIENT_USERNAME="$ADMIN_CLIENT_USERNAME"
-          --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
-          --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
-          --var COMMIT_HASH="$COMMIT_HASH"
-          --var LOGIN_DOT_GOV_CLIENT_ID="$LOGIN_DOT_GOV_CLIENT_ID"
-          --var LOGIN_DOT_GOV_USER_INFO_URL="$LOGIN_DOT_GOV_USER_INFO_URL"
-          --var LOGIN_DOT_GOV_ACCESS_TOKEN_URL="$LOGIN_DOT_GOV_ACCESS_TOKEN_URL"
-          --var LOGIN_DOT_GOV_LOGOUT_URL="$LOGIN_DOT_GOV_LOGOUT_URL"
-          --var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL"
-          --var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT"
-          --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
-          --var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
-          --var LOGIN_PEM="$LOGIN_PEM"
-          --strategy rolling
-
-
-    - name: Deploy egress proxy
-      uses: ./.github/actions/deploy-proxy
-      env:
+      - name: Deploy egress proxy
+        uses: ./.github/actions/deploy-proxy
+        env:
          CF_USERNAME: ${{ secrets.CLOUDGOV_USERNAME }}
          CF_PASSWORD: ${{ secrets.CLOUDGOV_PASSWORD }}
-      with:
-        cf_org: gsa-tts-benefits-studio
-        cf_space: notify-staging
-        app: notify-admin-staging
+        with:
+          cf_org: gsa-tts-benefits-studio
+          cf_space: notify-staging
+          app: notify-admin-staging

  bail:
    runs-on: ubuntu-latest