Merge branch 'main' into update-egress-proxy

.github/workflows/deploy-demo.yml

@@ -49,7 +49,7 @@ jobs:
       run: poetry export --without-hashes --format=requirements.txt > requirements.txt
 
     - name: Deploy to cloud.gov
-      uses: 18f/cg-deploy-action@main
+      uses: cloud-gov/cg-cli-tools@main
       env:
         DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
         SECRET_KEY: ${{ secrets.SECRET_KEY }}
@@ -64,7 +64,8 @@ jobs:
         cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
         cf_org: gsa-tts-benefits-studio
         cf_space: notify-demo
-        push_arguments: >-
+        cf_command: >-
+          push -f manifest.yml
           --vars-file deploy-config/demo.yml
           --var DANGEROUS_SALT="$DANGEROUS_SALT"
           --var SECRET_KEY="$SECRET_KEY"
@@ -73,6 +74,7 @@ jobs:
           --var NOTIFY_E2E_TEST_EMAIL="$NOTIFY_E2E_TEST_EMAIL"
           --var NOTIFY_E2E_TEST_PASSWORD="$NOTIFY_E2E_TEST_PASSWORD"
           --var LOGIN_DOT_GOV_REGISTRATION_URL="$LOGIN_DOT_GOV_REGISTRATION_URL"
+          --strategy rolling
 
     - name: Check for changes to templates.json
       id: changed-templates

.github/workflows/deploy-prod.yml

@@ -53,7 +53,7 @@ jobs:
       run: poetry export --without-hashes --format=requirements.txt > requirements.txt
 
     - name: Deploy to cloud.gov
-      uses: 18f/cg-deploy-action@main
+      uses: cloud-gov/cg-cli-tools@main
       env:
         DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
         SECRET_KEY: ${{ secrets.SECRET_KEY }}
@@ -68,7 +68,8 @@ jobs:
         cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
         cf_org: gsa-tts-benefits-studio
         cf_space: notify-production
-        push_arguments: >-
+        cf_command: >-
+          push -f manifest.yml
           --vars-file deploy-config/production.yml
           --var DANGEROUS_SALT="$DANGEROUS_SALT"
           --var SECRET_KEY="$SECRET_KEY"
@@ -77,6 +78,7 @@ jobs:
           --var NOTIFY_E2E_TEST_EMAIL="$NOTIFY_E2E_TEST_EMAIL"
           --var NOTIFY_E2E_TEST_PASSWORD="$NOTIFY_E2E_TEST_PASSWORD"
           --var LOGIN_DOT_GOV_REGISTRATION_URL="$LOGIN_DOT_GOV_REGISTRATION_URL"
+          --strategy rolling
 
     - name: Check for changes to templates.json
       id: changed-templates

docs/all.md

@@ -1242,6 +1242,17 @@ Notify.gov DNS records are maintained within [the 18f/dns repository](https://gi
 - Rename to `api_static_scan_DATE.zip` and add it to 🔒 https://drive.google.com/drive/folders/1dSe9H7Ag_hLfi5hmQDB2ktWaDwWSf4_R
 - Repeat for https://github.com/GSA/notifications-admin/actions/workflows/daily_checks.yml
 
+## Rotating the DANGEROUS_SALT
+
+
+  1. Start API locally `make run-procfile`
+  2. In a separate terminal tab, navigate to the API project and run `poetry run flask command generate-salt`
+  3. A random secret will appear in the tab
+  4. Go to github->settings->secrets and variables->actions in the admin project and find the DANGEROUS_SALT secret for the admin project for    staging.   Open it and paste the result of #3 into the secret and save.  Repeat for the API project, for staging.
+  5. Repeat #3 and #4 but do it for demo
+  6. Repeat #3 and #4 but do it for production
+
+The important thing is to use the same secret for Admin and API on each tier--i.e. you only generate three secrets.
 
 ## <a name="gotcha"></a> Known Gotchas