name: Deploy to staging environment

on:
  workflow_run:
    workflows: [Run checks]
    types:
      - completed
    branches: [main] # Redundant, workflow_run events are only triggered on default branch (`main`)

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}

    environment: staging
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Check for changes to Terraform
        id: changed-terraform-files
        uses: tj-actions/changed-files@v44
        with:
          files: |
            terraform/staging
            terraform/shared
            .github/workflows/deploy.yml
      - name: Terraform init
        if: steps.changed-terraform-files.outputs.any_changed == 'true'
        working-directory: terraform/staging
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
        run: terraform init
      - name: Terraform apply
        if: steps.changed-terraform-files.outputs.any_changed == 'true'
        working-directory: terraform/staging
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
        run: terraform apply -auto-approve -input=false

      - uses: ./.github/actions/setup-project

      - name: Create requirements.txt
        run: poetry export --without-hashes --format=requirements.txt > requirements.txt


      - name: Deploy to cloud.gov
        uses: 18f/cg-deploy-action@main
        env:
          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
          SECRET_KEY: ${{ secrets.SECRET_KEY }}
          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
          COMMIT_HASH: ${{ github.sha }}
          LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
          LOGIN_DOT_GOV_CLIENT_ID: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov"
          LOGIN_DOT_GOV_USER_INFO_URL: "https://secure.login.gov/api/openid_connect/userinfo"
          LOGIN_DOT_GOV_ACCESS_TOKEN_URL: "https://secure.login.gov/api/openid_connect/token"
          LOGIN_DOT_GOV_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://notify-staging.app.cloud.gov/sign-out"
          LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
          LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://notify-staging.app.cloud.gov/sign-out"
          LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATEE"
        with:
          cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
          cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
          cf_org: gsa-tts-benefits-studio
          cf_space: notify-staging
          push_arguments: >-
            --vars-file deploy-config/staging.yml
            --var DANGEROUS_SALT="$DANGEROUS_SALT"
            --var SECRET_KEY="$SECRET_KEY"
            --var ADMIN_CLIENT_USERNAME="notify-admin"
            --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
            --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
            --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
            --var COMMIT_HASH="$COMMIT_HASH"
            --var LOGIN_PEM="$LOGIN_PEM"
            --var LOGIN_DOT_GOV_CLIENT_ID="$LOGIN_DOT_GOV_CLIENT_ID"
            --var LOGIN_DOT_GOV_USER_INFO_URL="$LOGIN_DOT_GOV_USER_INFO_URL"
            --var LOGIN_DOT_GOV_ACCESS_TOKEN_URL="$LOGIN_DOT_GOV_ACCESS_TOKEN_URL"
            --var LOGIN_DOT_GOV_LOGOUT_URL="$LOGIN_DOT_GOV_LOGOUT_URL"
            --var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL"
            --var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT"
            --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"


      - name: Check for changes to egress config
        id: changed-egress-config
        uses: tj-actions/changed-files@v44
        with:
          files: |
            deploy-config/egress_proxy/notify-admin-staging.*.acl
            .github/actions/deploy-proxy/action.yml
            .github/workflows/deploy.yml
      - name: Deploy egress proxy
        if: steps.changed-egress-config.outputs.any_changed == 'true'
        uses: ./.github/actions/deploy-proxy
        with:
          cf_space: notify-staging
          app: notify-admin-staging

  bail:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
    steps:
      - uses: actions/github-script@v6
        with:
          script: core.setFailed('Checks failed, not deploying')