name: Deploy to staging environment on: workflow_run: workflows: [ Run checks ] types: - completed branches: [ main ] # Redundant, workflow_run events are only triggered on default branch (`main`) permissions: contents: read jobs: deploy: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'success' }} environment: staging steps: - uses: actions/checkout@v4 with: fetch-depth: 2 # Looks like we need to install Terraform ourselves now! # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348 - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: "^1.7.5" terraform_wrapper: false - name: Terraform init working-directory: terraform/staging env: AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} run: terraform init - name: Terraform apply working-directory: terraform/staging env: AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} run: terraform apply -auto-approve -input=false - uses: ./.github/actions/setup-project - name: Install application dependencies run: make bootstrap - name: Create requirements.txt run: poetry export --without-hashes --format=requirements.txt > requirements.txt - name: Deploy to cloud.gov uses: cloud-gov/cg-cli-tools@main env: DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} SECRET_KEY: ${{ secrets.SECRET_KEY }} ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} LOGIN_DOT_GOV_REGISTRATION_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/set-up-your-profile&response_type=code&scope=openid+email&state=STATE" with: cf_username: ${{ secrets.CLOUDGOV_USERNAME }} cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} cf_org: gsa-tts-benefits-studio cf_space: notify-staging cf_command: >- push -f manifest.yml --vars-file deploy-config/staging.yml --var DANGEROUS_SALT="$DANGEROUS_SALT" --var SECRET_KEY="$SECRET_KEY" --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET" --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY" --var NOTIFY_E2E_TEST_EMAIL="$NOTIFY_E2E_TEST_EMAIL" --var NOTIFY_E2E_TEST_PASSWORD="$NOTIFY_E2E_TEST_PASSWORD" --var LOGIN_DOT_GOV_REGISTRATION_URL="$LOGIN_DOT_GOV_REGISTRATION_URL" --strategy rolling # TODO FIX # - name: Update templates # run: cf run-task notify-api-staging --command "flask command update-templates" - name: Deploy egress proxy uses: ./.github/actions/deploy-proxy env: CF_USERNAME: ${{ secrets.CLOUDGOV_USERNAME }} CF_PASSWORD: ${{ secrets.CLOUDGOV_PASSWORD }} with: cf_org: gsa-tts-benefits-studio cf_space: notify-staging app: notify-api-staging bail: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'failure' }} steps: - uses: actions/github-script@v6 with: script: core.setFailed('Checks failed, not deploying')