Deploy to staging environment #820

Summary
Jobs
- deploy
- bail
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Deploy to staging environment

	on:
	workflow_run:
	workflows: [Run checks]
	types:
	- completed
	branches: [main] # Redundant, workflow_run events are only triggered on default branch (`main`)

	permissions:
	contents: read

	jobs:
	deploy:
	runs-on: ubuntu-latest
	if: ${{ github.event.workflow_run.conclusion == 'success' }}

	environment: staging
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 2

	- name: Check for changes to Terraform
	id: changed-terraform-files
	uses: tj-actions/changed-files@v44
	with:
	files: \|
	terraform/staging/**
	terraform/shared/**
	.github/workflows/deploy.yml
	- name: Terraform init
	if: steps.changed-terraform-files.outputs.any_changed == 'true'
	working-directory: terraform/staging
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
	run: terraform init
	- name: Terraform apply
	if: steps.changed-terraform-files.outputs.any_changed == 'true'
	working-directory: terraform/staging
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
	TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
	TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
	run: terraform apply -auto-approve -input=false

	- uses: ./.github/actions/setup-project

	- name: Create requirements.txt
	run: poetry export --without-hashes --format=requirements.txt > requirements.txt


	- name: Deploy to cloud.gov
	uses: cloud-gov/cg-cli-tools@main
	env:
	DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
	SECRET_KEY: ${{ secrets.SECRET_KEY }}
	ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
	ADMIN_CLIENT_USERNAME: "notify-admin"
	NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
	NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
	COMMIT_HASH: ${{ github.sha }}
	LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
	LOGIN_DOT_GOV_CLIENT_ID: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov"
	LOGIN_DOT_GOV_USER_INFO_URL: "https://secure.login.gov/api/openid_connect/userinfo"
	LOGIN_DOT_GOV_ACCESS_TOKEN_URL: "https://secure.login.gov/api/openid_connect/token"
	LOGIN_DOT_GOV_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&post_logout_redirect_uri=https://notify-staging.app.cloud.gov/sign-out"
	LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
	LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://notify-staging.app.cloud.gov/sign-out"
	LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
	LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
	with:
	cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
	cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
	cf_org: gsa-tts-benefits-studio
	cf_space: notify-staging
	cf_command: >-
	push -f manifest.yml
	--vars-file deploy-config/staging.yml
	--var DANGEROUS_SALT="$DANGEROUS_SALT"
	--var SECRET_KEY="$SECRET_KEY"
	--var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
	--var ADMIN_CLIENT_USERNAME="$ADMIN_CLIENT_USERNAME"
	--var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
	--var NR_BROWSER_KEY="$NR_BROWSER_KEY"
	--var COMMIT_HASH="$COMMIT_HASH"
	--var LOGIN_DOT_GOV_CLIENT_ID="$LOGIN_DOT_GOV_CLIENT_ID"
	--var LOGIN_DOT_GOV_USER_INFO_URL="$LOGIN_DOT_GOV_USER_INFO_URL"
	--var LOGIN_DOT_GOV_ACCESS_TOKEN_URL="$LOGIN_DOT_GOV_ACCESS_TOKEN_URL"
	--var LOGIN_DOT_GOV_LOGOUT_URL="$LOGIN_DOT_GOV_LOGOUT_URL"
	--var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL"
	--var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT"
	--var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
	--var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
	--var LOGIN_PEM="$LOGIN_PEM"
	--strategy rolling


	- name: Check for changes to egress config
	id: changed-egress-config
	uses: tj-actions/changed-files@v44
	with:
	files: \|
	deploy-config/egress_proxy/notify-admin-staging.*.acl
	.github/actions/deploy-proxy/action.yml
	.github/workflows/deploy.yml
	- name: Deploy egress proxy
	if: steps.changed-egress-config.outputs.any_changed == 'true'
	uses: ./.github/actions/deploy-proxy
	env:
	CF_USERNAME: ${{ secrets.CLOUDGOV_USERNAME }}
	CF_PASSWORD: ${{ secrets.CLOUDGOV_PASSWORD }}
	with:
	cf_org: gsa-tts-benefits-studio
	cf_space: notify-staging
	app: notify-admin-staging

	bail:
	runs-on: ubuntu-latest
	if: ${{ github.event.workflow_run.conclusion == 'failure' }}
	steps:
	- uses: actions/github-script@v6
	with:
	script: core.setFailed('Checks failed, not deploying')

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Deploy to staging environment #820

Workflow file

Deploy to staging environment #820

Jobs

Run details

Workflow file for this run