.github/workflows/continuous-integration.yml

name: Continuous Integration

on:
  push:
    branches:
      - '**'
    tags-ignore:
      - '**'

env:
  CHROMEDRIVER_FILEPATH: /usr/local/share/chrome_driver/chromedriver
  DEVOPS_CHANNEL_ID: C37M86Y8G #devops-deploys
  PLATFORM_BUILD_CHANNEL_ID: C0MQ281DJ #vfs-platform-builds
  CONTENT_BUILD_CHANNEL_ID: C02VD909V08 #status-content-build
  BROKEN_LINKS_SLACK: C030F5WV2TF # content-broken-links
  INSTANCE_TYPE: m5.4xlarge
  # Sandbox Drupal address, username, and password is used on branches other than main.
  DRUPAL_ADDRESS: https://main-medc0xjkxm4jmpzxl3tfbcs7qcddsivh.ci.cms.va.gov
  # This is a test credential and is not used on any production instances.
  DRUPAL_PASSWORD: drupal8

concurrency:
  group: ${{ github.ref != 'refs/heads/main' && github.ref || github.sha }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  build:
    name: Build
    runs-on: [self-hosted, asg]
    timeout-minutes: 120

    defaults:
      run:
        working-directory: content-build

    outputs:
      vagovdev_buildtime: ${{ env.vagovdev_buildtime }}
      vagovstaging_buildtime: ${{ env.vagovstaging_buildtime }}

    env:
      NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt

    strategy:
      fail-fast: true
      matrix:
        buildtype: [vagovdev, vagovstaging, vagovprod]
        include:
          - buildtype: vagovdev
            drupal-address: https://main-medc0xjkxm4jmpzxl3tfbcs7qcddsivh.ci.cms.va.gov
          - buildtype: vagovstaging
            drupal-address: https://main-medc0xjkxm4jmpzxl3tfbcs7qcddsivh.ci.cms.va.gov
          - buildtype: vagovprod
            drupal-address: https://prod.cms.va.gov

    steps:
      - name: Checkout vagov-content
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          repository: department-of-veterans-affairs/vagov-content
          path: vagov-content

      - name: Checkout content-build
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          path: content-build

      - name: Get Node version
        id: get-node-version
        run: echo NODE_VERSION=$(cat .nvmrc) >> $GITHUB_OUTPUT

      - name: Setup Node
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version: ${{ steps.get-node-version.outputs.NODE_VERSION }}

      - name: Setup Yarn
        run: npm i -g yarn@1.19.1

      - name: Cache dependencies
        id: cache-dependencies
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: |
            .cache/yarn
            **/node_modules
          key: ${{ steps.get-node-version.outputs.NODE_VERSION }}-on-demand-runner-${{ hashFiles('**/yarn.lock') }}
          restore-keys: ${{ steps.get-node-version.outputs.NODE_VERSION }}-on-demand-runner-

      - name: Install dependencies
        uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3
        with:
          command: cd content-build && yarn install --frozen-lockfile --prefer-offline
          max_attempts: 3
          timeout_minutes: 7
        env:
          YARN_CACHE_FOLDER: .cache/yarn

      - name: Configure AWS Credentials (1)
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1

      - name: Set Drupal address
        if: ${{ github.ref == 'refs/heads/main' }}
        run: echo "DRUPAL_ADDRESS=${{ matrix.drupal-address }}" >> $GITHUB_ENV

      - name: Set Drupal prod password
        if: ${{ matrix.buildtype == 'vagovprod' && github.ref == 'refs/heads/main' }}
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /cms/prod/drupal_api_users/content_build_api/password
          env_variable_name: DRUPAL_PASSWORD

      - name: Set Drupal prod username
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /cms/prod/drupal_api_users/content_build_api/username
          env_variable_name: DRUPAL_USERNAME

      - name: Get buildtime
        id: buildtime
        run: |
          BUILDTIME=$(date +%s)
          echo buildtime=$BUILDTIME >> $GITHUB_OUTPUT
          echo "${{ matrix.buildtype }}_buildtime=$BUILDTIME" >> $GITHUB_ENV

      - name: Wait for the CMS to be ready
        uses: ./content-build/.github/workflows/wait-for-cms-ready
        with:
          base_url: ${{ env.DRUPAL_ADDRESS }}

      - name: Build
        run: yarn build --buildtype=${{ matrix.buildtype }} --asset-source=local --drupal-address=${{ env.DRUPAL_ADDRESS }} --drupal-user=${{ env.DRUPAL_USERNAME }} --drupal-password="${{ env.DRUPAL_PASSWORD }}" --pull-drupal --drupal-max-parallel-requests=15 --no-drupal-proxy --verbose
        env:
          NODE_ENV: production
          DEBUG: ${{ secrets.ACTIONS_RUNNER_DEBUG }}

      - name: Check broken links
        id: get-broken-link-info
        if: ${{ matrix.buildtype == 'vagovprod' }}
        run: node ./script/github-actions/check-broken-links-blocks.js ${{ matrix.buildtype }}

      - name: Generate build details
        run: |
          cat > build/${{ matrix.buildtype }}/BUILD.txt << EOF
          BUILDTYPE=${{ matrix.buildtype }}
          NODE_ENV=production
          BRANCH_NAME=$(echo "${GITHUB_REF#refs/heads/}")
          CHANGE_TARGET=null
          RUN_ID=${{ github.run_id }}
          RUN_NUMBER=${{ github.run_number }}
          REF=${{ github.sha }}
          BUILDTIME=${{ steps.buildtime.outputs.buildtime }}
          EOF

      - name: Prearchive
        run: node ./script/prearchive.js --buildtype=${{ matrix.buildtype }}

      - name: Compress build
        run: tar -C build/${{ matrix.buildtype }} -cvf ${{ matrix.buildtype }}.tar.bz2 .

      - name: Cache Drupal content
        if: github.ref == 'refs/heads/main'
        run: node ./script/drupal-aws-cache.js --buildtype=${{ matrix.buildtype }}

      - name: Get role from Parameter Store
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /frontend-team/github-actions/parameters/AWS_FRONTEND_NONPROD_ROLE
          env_variable_name: AWS_FRONTEND_NONPROD_ROLE

      - name: Configure AWS Credentials (2)
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1
          role-to-assume: ${{ env.AWS_FRONTEND_NONPROD_ROLE }}
          role-duration-seconds: 900
          role-session-name: vsp-frontendteam-githubaction

      - name: Upload build
        run: aws s3 cp ${{ matrix.buildtype }}.tar.bz2 s3://vetsgov-website-builds-s3-upload/content-build/${{ github.sha }}/${{ matrix.buildtype }}.tar.bz2 --acl public-read --region us-gov-west-1 --no-progress

      - name: Upload Drupal cache
        if: github.ref == 'refs/heads/main'
        run: aws s3 sync .cache/content s3://vetsgov-website-builds-s3-upload/content/ --acl public-read --region us-gov-west-1 --quiet

      # Only will get called if error in workflow
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        if: ${{ steps.get-broken-link-info.outputs.UPLOAD_AND_NOTIFY == '1' && always() }}
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1

      - name: Get Slack app token
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        if: ${{ steps.get-broken-link-info.outputs.UPLOAD_AND_NOTIFY == '1' && always() }}
        with:
          ssm_parameter: /devops/github_actions_slack_socket_token
          env_variable_name: SLACK_APP_TOKEN

      - name: Get Slack bot token
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        if: ${{ steps.get-broken-link-info.outputs.UPLOAD_AND_NOTIFY == '1' && always() }}
        with:
          ssm_parameter: /devops/github_actions_slack_bot_user_token
          env_variable_name: SLACK_BOT_TOKEN

      - name: Get role from Parameter Store
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        if: ${{ steps.get-broken-link-info.outputs.UPLOAD_AND_NOTIFY == '1' && always() }}
        with:
          ssm_parameter: /frontend-team/github-actions/parameters/AWS_FRONTEND_NONPROD_ROLE
          env_variable_name: AWS_FRONTEND_NONPROD_ROLE

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        if: ${{ steps.get-broken-link-info.outputs.UPLOAD_AND_NOTIFY == '1' && always() }}
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1
          role-to-assume: ${{ env.AWS_FRONTEND_NONPROD_ROLE }}
          role-duration-seconds: 900
          role-session-name: vsp-frontendteam-githubaction

      - name: Upload broken links file
        if: ${{ steps.get-broken-link-info.outputs.UPLOAD_AND_NOTIFY == '1' && always() }}
        run: aws s3 cp ./logs/${{ matrix.buildtype }}-broken-links.json s3://vetsgov-website-builds-s3-upload/broken-link-reports/${{ matrix.buildtype }}-broken-links.json --acl public-read --region us-gov-west-1

      - name: Notify Slack about broken links
        uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
        if: ${{ steps.get-broken-link-info.outputs.UPLOAD_AND_NOTIFY == '1' && always() }}
        continue-on-error: true
        env:
          SSL_CERT_DIR: /etc/ssl/certs
          SLACK_BOT_TOKEN: ${{ env.SLACK_BOT_TOKEN }}
        with:
          payload: ${{ steps.get-broken-link-info.outputs.SLACK_BLOCKS }}
          channel-id: ${{ env.BROKEN_LINKS_SLACK }}

  validate-registry:
    name: Validate App Registry
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install dependencies
        uses: ./.github/workflows/install
        timeout-minutes: 30
        with:
          key: ${{ hashFiles('yarn.lock') }}
          yarn_cache_folder: .cache/yarn
          path: |
            .cache/yarn
            node_modules

      - name: Run registry validation
        run: yarn validate:registry

  unit-tests:
    name: Unit Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install dependencies
        uses: ./.github/workflows/install
        timeout-minutes: 30
        with:
          key: ${{ hashFiles('yarn.lock') }}
          yarn_cache_folder: .cache/yarn
          path: |
            .cache/yarn
            node_modules

      - name: Create test results folder
        run: mkdir -p test-results

      - name: Run unit tests
        run: yarn test:unit --coverage
        env:
          MOCHA_FILE: test-results/unit-tests.xml

      - name: Generate coverage report by app
        run: node script/app-coverage-report.js > test-results/coverage_report.txt

      - name: Get code coverage
        if: ${{ always() }}
        id: code-coverage
        run: echo MARKDOWN=$(node ./script/github-actions/code-coverage-format-report.js) >> $GITHUB_OUTPUT

      - name: Publish test results
        if: ${{ always() }}
        continue-on-error: true
        uses: mikepenz/action-junit-report@959aefb7f095e717eb407fe917238d61ca323ff3 # v3.7.6
        with:
          check_name: 'Unit Tests Summary'
          github_token: ${{ secrets.GITHUB_TOKEN }}
          report_paths: 'test-results/unit-tests.xml'
          summary: ${{ steps.code-coverage.outputs.MARKDOWN }}
          fail_on_failure: 'true'

  linting:
    name: Linting
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install dependencies
        uses: ./.github/workflows/install
        timeout-minutes: 30
        with:
          key: ${{ hashFiles('yarn.lock') }}
          yarn_cache_folder: .cache/yarn
          path: |
            .cache/yarn
            node_modules

      - name: Update browserslist
        run: yarn exec -- browserslist --update-db

      - name: Annotate ESLint results
        run: yarn run eslint --ext .js --ext .jsx  --format ./script/github-actions/eslint-annotation-format.js .

  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install dependencies
        uses: ./.github/workflows/install
        timeout-minutes: 30
        with:
          key: ${{ hashFiles('yarn.lock') }}
          yarn_cache_folder: .cache/yarn
          path: |
            .cache/yarn
            node_modules

      - name: Audit dependencies
        run: yarn security-check

  drupal-cache-test:
    name: Drupal Cache Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install dependencies
        uses: ./.github/workflows/install
        timeout-minutes: 30
        with:
          key: ${{ hashFiles('yarn.lock') }}
          yarn_cache_folder: .cache/yarn
          path: |
            .cache/yarn
            node_modules

      - name: Fetch Drupal cache
        run: yarn fetch-drupal-cache

  # This is necessary to get credentials to use the private ECR image defined in the test job container.
  login-to-amazon-ecr:
    runs-on: ubuntu-latest
    steps:
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-gov-west-1
        mask-aws-account-id: 'false'
    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v2
      with:
        mask-password: 'false'
    outputs:
      docker_username: ${{ steps.login-ecr.outputs.docker_username_008577686731_dkr_ecr_us_gov_west_1_amazonaws_com }}
      docker_password: ${{ steps.login-ecr.outputs.docker_password_008577686731_dkr_ecr_us_gov_west_1_amazonaws_com }}

  cypress-tests:
    name: Cypress E2E Tests
    runs-on: [self-hosted, asg]
    needs:
      - login-to-amazon-ecr
      - build
    timeout-minutes: 30
    container:
      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/cypress-io:node16.13.2-chrome100-ff98
      credentials:
        username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
        password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}
      options: --user 1001:1001
      volumes:
        - /usr/local/share:/share
        - /etc/ssl/certs:/etc/ssl/certs

    env:
      NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt
      CHROMEDRIVER_FILEPATH: /share/chrome_driver/chromedriver

    steps:
      - name: Checkout content-build
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Download production build
        run: curl -L "https://s3-us-gov-west-1.amazonaws.com/vetsgov-website-builds-s3-upload/content-build/${{ github.sha }}/vagovprod.tar.bz2" -o vagovprod.tar.bz2

      - name: Unpack build
        run: |
          mkdir -p build/vagovprod
          tar -C build/vagovprod -xf vagovprod.tar.bz2

      - name: Install dependencies
        uses: ./.github/workflows/install
        timeout-minutes: 30
        with:
          key: on-demand-runner-cypress-${{ hashFiles('**/yarn.lock') }}
          restore-keys: on-demand-runner-cypress-
          yarn_cache_folder: .cache/yarn
          path: |
            .cache/yarn
            /github/home/.cache/Cypress
            **/node_modules

      - name: Start server
        run: node src/platform/testing/e2e/test-server.js --buildtype vagovprod --port=3002 &

      - name: Run Cypress tests
        run: yarn cy:run --reporter cypress-multi-reporters --reporter-options "configFile=config/cypress-reporters.json" --env buildtype=vagovprod

      - name: Publish test results
        if: ${{ always() }}
        uses: mikepenz/action-junit-report@959aefb7f095e717eb407fe917238d61ca323ff3 # v3.7.6
        with:
          check_name: 'Cypress Tests Summary'
          github_token: ${{ secrets.GITHUB_TOKEN }}
          report_paths: 'test-results/e2e-test-output-*.xml'

      - name: Archive Cypress test videos
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        if: ${{ failure() }}
        with:
          name: cypress-video-artifacts
          path: cypress/videos

      - name: Archive Cypress test screenshots
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        if: ${{ failure() }}
        with:
          name: cypress-screenshot-artifacts
          path: cypress/screenshots

      - name: Archive Mochawesome test results
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        if: ${{ always() }}
        with:
          name: cypress-mochawesome-test-results
          path: cypress/results
          retention-days: 1

      - name: Notify Slack about Cypress test failures
        if: ${{ github.ref == 'refs/heads/main' && failure() }}
        uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main
        continue-on-error: true
        env:
          SSL_CERT_DIR: /etc/ssl/certs
        with:
          payload: '{"attachments": [{"color": "#D33834","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "<!here> E2E tests in `content-build` have failed on the `main` branch, run: <https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}|${{github.run_id}}>"}}]}]}'
          channel_id: C026PD47Z19
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

  testing-reports:
    name: Testing Reports
    runs-on: ubuntu-latest
    needs: [cypress-tests]
    if: ${{ needs.cypress-tests.result == 'failure' || needs.cypress-tests.result == 'success' }}
    continue-on-error: true
    timeout-minutes: 30
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1

      - name: Get va-vsp-bot token
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN
          env_variable_name: VA_VSP_BOT_GITHUB_TOKEN

      # ------------------------
      # | Upload BigQuery Data |
      # ------------------------

      - name: Checkout Testing Tools Team Dashboard Data repo
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          repository: department-of-veterans-affairs/testing-tools-team-dashboard-data
          token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
          path: testing-tools-team-dashboard-data

      # TODO: Set .nvmrc in testing-tools-team-dashboard-data.
      # - name: Get Node version
      #   id: get-node-version
      #   run: echo NODE_VERSION=$(cat .nvmrc) >> $GITHUB_OUTPUT
      #   working-directory: testing-tools-team-dashboard-data

      - name: Setup Node
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version: 14 # ${{ steps.get-node-version.outputs.NODE_VERSION }}

      # TODO: Potentially use install composite
      - name: Install dependencies
        run: yarn install --frozen-lockfile --prefer-offline --production=false
        env:
          YARN_CACHE_FOLDER: .cache/yarn
        working-directory: testing-tools-team-dashboard-data

      - name: Download Mochawesome test results
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: cypress-mochawesome-test-results
          path: testing-tools-team-dashboard-data/src/testing-reports/data

      - name: Get BigQuery service credentials
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /dsva-vagov/testing-team/bigquery_service_credentials
          env_variable_name: BIGQUERY_SERVICE_CREDENTIALS

      - name: Setup Cloud SDK
        uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
        with:
          project_id: vsp-analytics-and-insights
          service_account_key: ${{ env.BIGQUERY_SERVICE_CREDENTIALS }}
          export_default_credentials: true

      - name: Set UUID for Mochawesome report
        run: echo "UUID=$(uuidgen)" >> $GITHUB_ENV

      - name: Create report and post results to BigQuery
        run: yarn cypress-mochawesome-to-bigquery
        working-directory: testing-tools-team-dashboard-data
        env:
          IS_MASTER_BUILD: ${{ needs.cypress-tests-prep.outputs.is_master_build }}
          NUM_CONTAINERS: ${{ needs.cypress-tests-prep.outputs.num_containers }}
          TEST_EXECUTIONS_TABLE_NAME: content_build_cypress_test_suite_executions
          TEST_RESULTS_TABLE_NAME: content_build_cypress_test_results
          TEST_REPORTS_FOLDER_NAME: content-build-cypress-reports

      # env.MOCHAWESOME_REPORT_RESULTS is set and exported during the above step when the mochawesome report is generated.  It contains the output string for the publish step at the end of the job with the numbers from the Mochawesome report.

      # --------------------------
      # | Publish Testing Report |
      # --------------------------

      - name: Download video artifacts
        if: ${{ needs.cypress-tests.result == 'failure' }}
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: cypress-video-artifacts
          path: testing-tools-team-dashboard-data/testing-reports/videos/${{ env.UUID }}

      - name: Get AWS IAM role
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /frontend-team/github-actions/parameters/AWS_FRONTEND_NONPROD_ROLE
          env_variable_name: AWS_FRONTEND_NONPROD_ROLE

      - name: Configure AWS Credentials (2)
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1
          role-to-assume: ${{ env.AWS_FRONTEND_NONPROD_ROLE }}
          role-duration-seconds: 900
          role-session-name: vsp-frontendteam-githubaction

      - name: Upload test videos to s3
        if: ${{ needs.cypress-tests.result == 'failure' }}
        run: aws s3 cp testing-tools-team-dashboard-data/cypress-reports/videos/${{ env.UUID }} s3://testing-tools-testing-reports/content-build-cypress-reports/videos/${{ env.UUID }} --acl public-read --region us-gov-west-1 --recursive

      - name: Upload test report to s3
        run: aws s3 cp testing-tools-team-dashboard-data/mochawesome-report s3://testing-tools-testing-reports/content-build-cypress-reports --acl public-read --region us-gov-west-1 --recursive

      # -------------------------
      # | Cypress Tests Summary |
      # -------------------------

      - name: Publish Cypress test results
        if: ${{ always() }}
        uses: LouisBrunner/checks-action@69aaabbcf32668b60dc03b65deabfe23e92d9c41 # v1.6.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          name: Cypress Tests Summary
          conclusion: ${{ needs.cypress-tests.result }}
          output: |
            {"summary":${{ env.MOCHAWESOME_REPORT_RESULTS }}}

  get-latest-run-number:
    name: Get Latest Workflow Run Number
    runs-on: ubuntu-latest
    if: ${{ always() && github.ref == 'refs/heads/main' && needs.cypress-tests.result == 'success' }}
    needs: cypress-tests
    outputs:
      latest_run_number: ${{ steps.latest-run-number.outputs.latest_run_number }}

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install dependencies
        uses: ./.github/workflows/install
        timeout-minutes: 30
        with:
          key: ${{ hashFiles('yarn.lock') }}
          yarn_cache_folder: .cache/yarn
          path: |
            .cache/yarn
            node_modules

      - name: Set output of latest_run_number
        id: latest-run-number
        run: echo latest_run_number=$(node ./script/github-actions/get-latest-run-number.js) >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  deploy:
    name: Deploy
    runs-on: [self-hosted, asg]
    if: ${{ always() && github.ref == 'refs/heads/main' && needs.get-latest-run-number.result == 'success' && needs.get-latest-run-number.outputs.latest_run_number == github.run_number }}
    needs: [build, cypress-tests, get-latest-run-number]

    env:
      NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt

    strategy:
      matrix:
        include:
          - environment: vagovdev
            bucket: content.dev.va.gov
          - environment: vagovstaging
            bucket: content.staging.va.gov

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Configure AWS credentials (1)
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1

      - name: Get role from Parameter Store
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /frontend-team/github-actions/parameters/AWS_FRONTEND_NONPROD_ROLE
          env_variable_name: AWS_FRONTEND_NONPROD_ROLE

      - name: Get Drupal token from Parameter Store
        if: ${{ matrix.environment == 'vagovstaging' }}
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /dsva-vagov/vets-website/staging/drupal-password
          env_variable_name: CALLBACK_TOKEN

      - name: Configure AWS Credentials (2)
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1
          role-to-assume: ${{ env.AWS_FRONTEND_NONPROD_ROLE }}
          role-duration-seconds: 1800
          role-session-name: vsp-frontendteam-githubaction

      - name: Deploy
        run: ./script/github-actions/deploy.sh -s $SRC -d $DEST -v
        env:
          SRC: s3://vetsgov-website-builds-s3-upload/content-build/${{ github.sha }}/${{ matrix.environment }}.tar.bz2
          DEST: s3://${{ matrix.bucket }}

      - name: Wait for the CMS to be ready
        if: ${{ matrix.environment == 'vagovstaging' }}
        uses: ./.github/workflows/wait-for-cms-ready
        with:
          base_url: ${{ env.DRUPAL_ADDRESS }}

      - name: CMS GovDelivery callback
        if: ${{ matrix.environment == 'vagovstaging' }}
        uses: fjogeleit/http-request-action@e8dd067b83c3ab0774c76bf065b1c4f11c7e45ba # v1.14.0
        with:
          url: ${{ env.DRUPAL_ADDRESS }}/api/govdelivery_bulletins/queue?EndTime=${{ needs.build.outputs.vagovstaging_buildtime }}&src=gha&runId=${{ github.run_id }}&runNumber=${{ github.run_number }}
          method: GET
          username: api
          password: ${{ env.CALLBACK_TOKEN }}
          timeout: 10000
        # A failure here should not prevent the workflow from continuing.
        continue-on-error: true

  jenkins:
    name: Run Jenkins CI
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1

      - name: Get Jenkins token from Parameter Store
        uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /frontend-team/github-actions/parameters/JENKINS_API_TOKEN
          env_variable_name: JENKINS_API_TOKEN

      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install dependencies
        uses: ./.github/workflows/install
        timeout-minutes: 30
        with:
          key: ${{ hashFiles('yarn.lock') }}
          yarn_cache_folder: ~/.cache/yarn
          path: |
            ~/.cache/yarn
            node_modules

      - name: Trigger Jenkins pipeline
        run: node script/github-actions/trigger-jenkins.js

  notify-failure:
    name: Notify Failure
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' && (failure() || cancelled()) }}
    needs: deploy

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Notify Slack
        uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main
        continue-on-error: true
        with:
          payload: '{"attachments": [{"color": "#D33834","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "<!subteam^S01JXBLLMJL|cms-devops-engineers> content-build main branch CI failed!: <https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}>"}}]}]}'
          channel_id: ${{ env.CONTENT_BUILD_CHANNEL_ID }}
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}