mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-02-06 11:23:48 -05:00
705952cc30
- Remove socket.io-client npm package - Remove Socket.IO from gulpfile.js - Remove API_PUBLIC_WS_URL config variable from all environments - Remove Socket CSP directives (cdn.socket.io, wss:// URLs) - Remove unused data-host attribute from job template - Update test_headers.py to remove Socket.IO assertions - Update deployment configs (manifest.yml, deploy-config/*.yml, .github/workflows/*.yml)
103 lines
4.8 KiB
YAML
103 lines
4.8 KiB
YAML
name: Deploy to production environment
|
|
|
|
on:
|
|
push:
|
|
branches: [ production ]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
environment: production
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 2
|
|
|
|
# Looks like we need to install Terraform ourselves now!
|
|
# https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
|
|
- name: Setup Terraform
|
|
uses: hashicorp/setup-terraform@v3
|
|
with:
|
|
terraform_version: "^1.7.5"
|
|
terraform_wrapper: false
|
|
|
|
- name: Terraform init
|
|
working-directory: terraform/production
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
|
|
run: terraform init
|
|
- name: Terraform apply
|
|
working-directory: terraform/production
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
|
|
TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
|
|
TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
|
|
run: terraform apply -auto-approve -input=false
|
|
|
|
- uses: ./.github/actions/setup-project
|
|
|
|
- name: Create requirements.txt
|
|
run: poetry export --output requirements.txt
|
|
|
|
- name: Deploy to cloud.gov
|
|
uses: cloud-gov/cg-cli-tools@main
|
|
env:
|
|
DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
|
|
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
|
ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
|
|
ADMIN_CLIENT_USERNAME: "notify-admin"
|
|
NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
|
|
NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
|
|
COMMIT_HASH: ${{ github.sha }}
|
|
LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
|
|
LOGIN_DOT_GOV_CLIENT_ID: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov"
|
|
LOGIN_DOT_GOV_USER_INFO_URL: "https://secure.login.gov/api/openid_connect/userinfo"
|
|
LOGIN_DOT_GOV_ACCESS_TOKEN_URL: "https://secure.login.gov/api/openid_connect/token"
|
|
LOGIN_DOT_GOV_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://beta.notify.gov/sign-out"
|
|
LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
|
|
LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://beta.notify.gov/sign-out"
|
|
LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://beta.notify.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
|
|
LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
|
|
API_PUBLIC_URL: ${{ secrets.API_PUBLIC_URL }}
|
|
with:
|
|
cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
|
|
cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
|
|
cf_org: gsa-tts-benefits-studio
|
|
cf_space: notify-production
|
|
cf_command: >-
|
|
push -f manifest.yml
|
|
--vars-file deploy-config/production.yml
|
|
--var DANGEROUS_SALT="$DANGEROUS_SALT"
|
|
--var SECRET_KEY="$SECRET_KEY"
|
|
--var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
|
|
--var ADMIN_CLIENT_USERNAME="$ADMIN_CLIENT_USERNAME"
|
|
--var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
|
|
--var NR_BROWSER_KEY="$NR_BROWSER_KEY"
|
|
--var COMMIT_HASH="$COMMIT_HASH"
|
|
--var LOGIN_DOT_GOV_CLIENT_ID="$LOGIN_DOT_GOV_CLIENT_ID"
|
|
--var LOGIN_DOT_GOV_USER_INFO_URL="$LOGIN_DOT_GOV_USER_INFO_URL"
|
|
--var LOGIN_DOT_GOV_ACCESS_TOKEN_URL="$LOGIN_DOT_GOV_ACCESS_TOKEN_URL"
|
|
--var LOGIN_DOT_GOV_LOGOUT_URL="$LOGIN_DOT_GOV_LOGOUT_URL"
|
|
--var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL"
|
|
--var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT"
|
|
--var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
|
|
--var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
|
|
--var LOGIN_PEM="$LOGIN_PEM"
|
|
--var API_PUBLIC_URL="$API_PUBLIC_URL"
|
|
--strategy rolling
|
|
|
|
- name: Deploy egress proxy
|
|
uses: ./.github/actions/deploy-proxy
|
|
env:
|
|
CF_USERNAME: ${{ secrets.CLOUDGOV_USERNAME }}
|
|
CF_PASSWORD: ${{ secrets.CLOUDGOV_PASSWORD }}
|
|
with:
|
|
cf_org: gsa-tts-benefits-studio
|
|
cf_space: notify-production
|
|
app: notify-admin-production
|