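---
# Deploys the default branch (`main`) to the staging environment once the
# "Run checks" workflow has completed successfully.
#
# Security note: a `workflow_run` workflow always executes the copy of this
# file that lives on the default branch and it has access to repository
# secrets, regardless of which branch triggered the checks. Everything that
# gates it (the trigger filters and the job `if:` conditions below) is
# therefore security-relevant and should be changed with care.
name: Deploy to staging environment

on:
  workflow_run:
    workflows: [Run checks]
    types:
      - completed
    # This filter is NOT redundant. `workflow_run` fires for a completed
    # "Run checks" run on *any* branch (including pull_request runs, if that
    # workflow has such a trigger); only the workflow *file* is taken from the
    # default branch. The filter restricts deploys to runs whose head branch is
    # named `main`. It matches on branch name only, so the deploy job below
    # additionally checks that the run came from this repository and not from
    # a fork whose branch happens to be called `main`.
    branches: [main]

# Least privilege for GITHUB_TOKEN; the deployment itself uses dedicated
# secrets (AWS keys, cloud.gov credentials) rather than the token.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Deploy only when (1) the triggering checks succeeded and (2) the checks
    # ran on this repository's own commits. (2) closes the gap left by the
    # `branches:` filter, which cannot distinguish `main` on a fork from
    # `main` here.
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_repository.full_name == github.repository }}
    # Environment-level protection rules / secrets apply to this job.
    environment: staging
    steps:
      # NOTE(review): every third-party action below is referenced by a
      # mutable tag or branch. Pin each one to a full commit SHA (keeping the
      # tag as a trailing comment) so a moved tag cannot change what runs with
      # access to the secrets in this job.
      - uses: actions/checkout@v3
        with:
          # Two commits are needed so changed-files can diff HEAD against
          # its parent. Whether that is the right comparison for a
          # workflow_run-triggered checkout (it checks out the default
          # branch's latest commit) is worth confirming against the action's
          # docs - TODO confirm.
          fetch-depth: 2

      - name: Check for changes to Terraform
        id: changed-terraform-files
        # NOTE(review): this action's tags (v41 included) were retroactively
        # repointed to a credential-dumping commit in March 2025
        # (CVE-2025-30066). A tag reference gives no protection against a
        # repeat; pin to a reviewed commit SHA.
        uses: tj-actions/changed-files@v41
        with:
          # Editing this workflow itself also counts as a Terraform change so
          # that a modified deploy pipeline re-applies the configuration.
          files: |
            terraform/staging
            terraform/shared
            .github/workflows/deploy.yml

      - name: Terraform init
        if: steps.changed-terraform-files.outputs.any_changed == 'true'
        working-directory: terraform/staging
        # Static, long-lived AWS keys for the remote state backend.
        # NOTE(review): consider swapping these for GitHub OIDC
        # (`id-token: write` + an assumed role) so no static key needs to be
        # stored as a repository secret.
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
        run: terraform init

      - name: Terraform apply
        if: steps.changed-terraform-files.outputs.any_changed == 'true'
        working-directory: terraform/staging
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
          # cloud.gov credentials are passed to the provider as TF_VAR_*
          # so they never appear on the command line.
          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
        # Unattended apply: there is no human plan review in this pipeline,
        # so the `environment: staging` protection rules (if any) and the
        # "Run checks" gate are the only controls before infrastructure
        # changes land.
        run: terraform apply -auto-approve -input=false

      # Local composite action (versioned with the repository, so no pin).
      - uses: ./.github/actions/setup-project

      - name: Install application dependencies
        run: make bootstrap

      # Produces the requirements file the cloud.gov Python buildpack installs
      # from. NOTE(review): `--without-hashes` means pip cannot verify package
      # integrity at deploy time; if the buildpack supports hash-checking
      # mode, exporting with hashes would close that supply-chain gap - TODO
      # confirm buildpack support.
      - name: Create requirements.txt
        run: poetry export --without-hashes --format=requirements.txt > requirements.txt

      - name: Deploy to cloud.gov
        # NOTE(review): `@main` is a floating branch - any push to that
        # action's default branch changes what runs here with every
        # application secret in scope. Pin to a commit SHA.
        uses: 18f/cg-deploy-action@main
        # Secrets are exported as env vars and then referenced by the
        # `--var NAME="$NAME"` arguments below (expanded by the action's
        # shell). GitHub masks registered secret values in logs, but argv is
        # still visible to other processes on the runner; keep this in mind
        # if the action ever gains verbose/debug output of its push command.
        env:
          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
          SECRET_KEY: ${{ secrets.SECRET_KEY }}
          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
          NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
        with:
          cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
          cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
          cf_org: gsa-tts-benefits-studio
          cf_space: notify-staging
          push_arguments: >-
            --vars-file deploy-config/staging.yml
            --var DANGEROUS_SALT="$DANGEROUS_SALT"
            --var SECRET_KEY="$SECRET_KEY"
            --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
            --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
            --var NOTIFY_E2E_TEST_EMAIL="$NOTIFY_E2E_TEST_EMAIL"
            --var NOTIFY_E2E_TEST_PASSWORD="$NOTIFY_E2E_TEST_PASSWORD"

      - name: Check for changes to egress config
        id: changed-egress-config
        # NOTE(review): same pinning concern as the earlier changed-files step.
        uses: tj-actions/changed-files@v41
        with:
          # The egress ACLs define which outbound destinations the app may
          # reach; changes to them, to the proxy action, or to this workflow
          # redeploy the proxy.
          files: |
            deploy-config/egress_proxy/notify-api-staging.*.acl
            .github/actions/deploy-proxy/action.yml
            .github/workflows/deploy.yml

      - name: Deploy egress proxy
        if: steps.changed-egress-config.outputs.any_changed == 'true'
        # Local composite action (versioned with the repository).
        uses: ./.github/actions/deploy-proxy
        with:
          cf_space: notify-staging
          app: notify-api-staging

  # Surfaces a failed "Run checks" run as a failed deploy run so it is visible
  # in the Actions UI. NOTE(review): only `failure` is handled; a cancelled or
  # timed-out checks run matches neither job, so nothing is deployed and no
  # failure is recorded - confirm that silence is the intended outcome.
  bail:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
    steps:
      # NOTE(review): pin to a commit SHA as with the actions above.
      - uses: actions/github-script@v6
        with:
          script: core.setFailed('Checks failed, not deploying')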