Merge pull request #3521 from CityOfBoston/master

(production) GA updates, SAML and timeouts
CityOfBoston · Jul 10, 2024 · 85bf7ce · 85bf7ce
2 parents cb85f36 + 435587f
commit 85bf7ce
Show file tree

Hide file tree

Showing 22 changed files with 170 additions and 89 deletions.
diff --git a/.github/workflows/D10-Deploy.yml b/.github/workflows/D10-Deploy.yml
@@ -42,6 +42,7 @@ jobs:
   Deploy:
     # installed software: https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md
     runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'ci-no-deploy') == false
     defaults:
       run:
         shell: bash
@@ -55,9 +56,12 @@ jobs:
       #
       - name: Output some debugging info
         if: ${{ vars.DEBUG == 1 }}
+        env:
+          EVENT_CONTEXT: ${{ toJSON(github.event) }}
         run: |
           export
           pwd
+          echo $EVENT_CONTEXT
       #
       # Install some dependencies.
       - name: Install additional Linux packages

diff --git a/.github/workflows/D10-GeneratePrivateRelease.yml b/.github/workflows/D10-GeneratePrivateRelease.yml
@@ -35,7 +35,7 @@ jobs:
   MakeRelease:
     # installed software: https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch'
     defaults:
       run:
         shell: bash
@@ -47,17 +47,18 @@ jobs:
         with:
           path: private
           depth: 5
-
+      #
       # Create the GitHub private repo Release Note.
       - name: Generate Release Note
         if: ${{ vars.DRY_RUN == 0 }}
         env:
+          GH_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
           TITLE: ${{ vars.THIS_TITLE }}
           TICKETS: ${{ vars.THIS_BODY }}
           TAG: ${{ vars.THIS_TAG }}
           RELEASE_NOTES: "[PM to complete]"
           RELEASE_NUMBER: ${{ vars.THIS_RELEASE }}
-          WORKING_FILE: "private/CHANGELOG.md"
+          WORKING_FILE: "CHANGELOG.md"
           DRAFT: 0                # 1 = ReleaseNote is draft - else is published
         run: |
           cd private
@@ -75,8 +76,9 @@ jobs:
           options="$options --notes-file ${{ env.WORKING_FILE }}"
           options="$options --title ${{ env.RELEASE_NUMBER }}"
           [ ${{ env.DRAFT }} == 1 ] && options="--draft $options"
-          [ ${{ vars.DRY_RUN }} == 0 ] && gh release create ${{ env.ACQUIA_TAG }} $options
-
+          [ ${{ vars.DRY_RUN }} == 0 ] && gh release create ${{ env.TAG }} $options
+      #
+      # Send FAIL message to slack.
       - name: Post to Slack - failure
         uses: act10ns/[email protected]
         if: ${{ failure() }}

diff --git a/.github/workflows/D10-GeneratePublicRelease.yml b/.github/workflows/D10-GeneratePublicRelease.yml
@@ -27,7 +27,6 @@ on:
     workflows: [Publish to Public Repo]
     branches: [production]
 env:
-  GH_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
   DEV_EMAIL: "[email protected]"
   USER: "City of Boston Deploy Pipeline"
@@ -37,7 +36,7 @@ jobs:
   MakeRelease:
     # installed software: https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch'
     defaults:
       run:
         shell: bash
@@ -46,6 +45,8 @@ jobs:
       # Checkout THE public repo, set remote correctly.
       - name: Checkout Public repository
         id: Checkout-Public-Repo
+        env:
+          GH_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
         run: |
           URL=${{ secrets.PUBLIC_REPO_TARGET }}
           echo "gh repo clone $URL public -- --depth 10 --branch ${{ secrets.PUBLIC_REPO_TARGET_BRANCH }}"
@@ -54,24 +55,18 @@ jobs:
           git fetch origin ${{ secrets.PUBLIC_REPO_TARGET_BRANCH }}
           git reset --hard FETCH_HEAD
 
-      # Tag the branch and push to remote.
-      - name: Tag the branch
-        run: |
-          cd public
-          git config --global user.email "${{ env.DEV_EMAIL }}"
-          git config --global user.name "${{ env.USER }}"
-          git tag -a "${{ vars.THIS_RELEASE }}" -m "${{ vars.THIS_RELEASE }}"
-          [ ${{ vars.DRY_RUN }} == 0 ] && git push origin ${{ vars.THIS_RELEASE }}
 
       # Create the GitHub PUBLIC repo Release Note.
       - name: Generate Release Notes
         if: ${{ vars.DRY_RUN == 0 }}
         env:
+          GH_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
           TITLE: ${{ vars.THIS_TITLE }}
           TICKETS: ${{ vars.THIS_BODY }}
+          TAG: ${{ vars.THIS_TAG }}
           RELEASE_NOTES: "[PM to complete]"
           RELEASE_NUMBER: ${{ vars.THIS_RELEASE }}
-          WORKING_FILE: "public/CHANGELOG.md"
+          WORKING_FILE: "CHANGELOG.md"
           DRAFT: 1                # 1 = ReleaseNote is draft - else is published
         run: |
           cd public
@@ -81,12 +76,14 @@ jobs:
           ### Release Notes
           ${{ env.RELEASE_NOTES }}" > ${{ env.WORKING_FILE }}
           options="--latest --generate-notes"
-          options="$options --notes-start-tag ${{ vars.LAST_RELEASE }}"
+          options="$options --notes-start-tag ${{ vars.LAST_TAG }}"
           options="$options --notes-file ${{ env.WORKING_FILE }}"
           options="$options --title ${{ env.RELEASE_NUMBER }}"
           [ ${{ env.DRAFT }} == 1 ] && options="--draft $options"
-          [ ${{ vars.DRY_RUN }} == 0 ] && gh release create ${{ env.ACQUIA_TAG }} $options
+          [ ${{ vars.DRY_RUN }} == 0 ] && gh release create ${{ env.TAG }} $options
 
+      #
+      # Send FAIL message to slack.
       - name: Post to Slack - failure
         uses: act10ns/[email protected]
         if: ${{ failure() }}

diff --git a/.github/workflows/D10-Publish.yml b/.github/workflows/D10-Publish.yml
@@ -42,7 +42,6 @@ on:
       - production
 
 env:
-  GH_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
   DEV_EMAIL: "[email protected]"
   PR_USER: ${{ github.event.pull_request.merged_by.login }}
@@ -150,7 +149,7 @@ jobs:
 
       #
       # Commit and push latest code to Public repository
-      - name: Push to the Public Repo
+      - name: Tag and Push to the Public Repo
         run: |
           cd publish
           err=''
@@ -186,6 +185,9 @@ jobs:
           [[ ${{ vars.DRY_RUN }} == 1 ]] && pushopts="$pushopts --dry-run"
 
           if [[ $(echo "$res" | grep "nothing to commit") == "" ]]; then
+
+            git tag -a "${{ env.THIS_TAG }}" -m "${{ env.THIS_RELEASE }}"
+
             echo "changes=1" >> "$GITHUB_OUTPUT"
             echo "git push --set-upstream origin ${{ secrets.PUBLIC_REPO_TARGET_BRANCH }}:${{ secrets.PUBLIC_REPO_TARGET_BRANCH }} ${pushopts}"
             git push --set-upstream origin ${{ secrets.PUBLIC_REPO_TARGET_BRANCH }}:${{ secrets.PUBLIC_REPO_TARGET_BRANCH }} ${pushopts} || err="$err: Problem pushing changes to Public Repo"
@@ -208,6 +210,8 @@ jobs:
       # On success, save GitHub variables for future use.
       - name: Update Variables on success
         if: ${{ success() && vars.DRY_RUN == 0 }}
+        env:
+          GH_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
         run: |
           cd private
           gh variable set LAST_TAG --body "${{ vars.THIS_TAG }}"

diff --git a/RELEASE.md b/RELEASE.md
@@ -1,6 +1,6 @@
 # Release Methodology
 
-## Deploy Pipeline Overview.
+## Deploy Pipeline Overview
 For this repository, the deploy pipeline follows these steps:
 - Merge a working branch to `develop` branch => triggers a deploy to Acquia dev environment
 - Merge `develop` branch into `master` branch => triggers a deploy to Acquia stage environment

diff --git a/composer.json b/composer.json
@@ -111,7 +111,7 @@
         "drupal/file_entity": "^2.x-dev",
         "drupal/file_mdm": "^2.2.0",
         "drupal/geolocation": "3.12",
-        "drupal/google_tag": "^1.0",
+        "drupal/google_tag": "^2.0",
         "drupal/honeypot": "^2.1",
         "drupal/image_url_formatter": "^1.0",
         "drupal/image_widget_crop": "^2.4",

diff --git a/composer.lock b/composer.lock
diff --git a/config/acquia_dev/key.key.iam_dir_sso.yml b/config/acquia_dev/key.key.iam_dir_sso.yml
@@ -0,0 +1,18 @@
+uuid: 907217d3-2f35-4445-8d07-5105b6409c0a
+langcode: en
+status: true
+dependencies:
+  module:
+    - key_asymmetric
+id: iam_dir_sso
+label: 'IAM-DIR SSO'
+description: ''
+key_type: asymmetric_public
+key_type_settings:
+  private_key: ''
+key_provider: env
+key_provider_settings:
+  env_variable: iam_x509_cert
+  strip_line_breaks: true
+key_input: none
+key_input_settings: {  }
diff --git a/config/acquia_dev/key.key.iam_dir_sso_test_.yml b/config/acquia_dev/key.key.iam_dir_sso_test_.yml
@@ -8,7 +8,7 @@ id: iam_dir_sso_test_
 label: 'IAM-DIR SSO (test)'
 description: 'TEST Environment X509 cert from IAM supplied IDP metadata'
 key_type: asymmetric_public
-key_type_settings: {}
+key_type_settings: {  }
 key_provider: env
 key_provider_settings:
   env_variable: iam_x509_cert_test

diff --git a/config/acquia_dev/samlauth.authentication.yml b/config/acquia_dev/samlauth.authentication.yml
@@ -18,6 +18,7 @@ drupal_login_roles:
   content_author: '0'
   metrolist_editor: '0'
   election_editor: '0'
+  city_clerk_editor: '0'
 sp_entity_id: d10test
 sp_name_id_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
 sp_x509_certificate: ''
@@ -30,6 +31,7 @@ idp_single_sign_on_service: 'https://sso.boston.gov/idp/SSO.saml2'
 idp_single_log_out_service: 'https://sso.boston.gov/idp/startSLO.ping'
 idp_change_password_service: 'https://access.boston.gov/change-password'
 idp_certs:
+  - 'key:iam_dir_sso'
   - 'key:iam_dir_sso_test_'
 idp_cert_encryption: ''
 unique_id_attribute: uid
@@ -45,6 +47,7 @@ map_users_roles:
   content_author: content_author
   metrolist_editor: metrolist_editor
   election_editor: election_editor
+  city_clerk_editor: '0'
 create_users: true
 sync_name: false
 sync_mail: true
@@ -78,4 +81,4 @@ use_base_url: true
 bypass_relay_state_check: false
 realname: 'given_name sn'
 login_menu_item_instructions: 'Please log in using Access Boston, or enter your Drupal username and password'
-allow_local_login: '1'
+allow_local_login: 1
diff --git a/config/acquia_prod/autologout.settings.yml b/config/acquia_prod/autologout.settings.yml
@@ -1,15 +1,27 @@
 _core:
   default_config_hash: zJS1GknUylh656CJSNXOupqKSqm6Xw200h1cq1eI970
+enabled: true
 timeout: 1800
 max_timeout: 172800
 padding: 20
+logout_regardless_of_activity: false
+no_individual_logout_threshold: false
 role_logout: false
+role_logout_max: false
 redirect_url: /
+include_destination: true
 no_dialog: false
-message: 'Your session is about to expire. Do you want to reset it?'
+message: 'We are about to log you out for inactivity. If we do, you will lose any unsaved work. Do you need more time?'
 inactivity_message: 'You have been logged out due to inactivity.'
+inactivity_message_type: status
+modal_width: null
 enforce_admin: true
 jstimer_format: '%hours%:%mins%:%secs%'
 jstimer_js_load_option: false
 use_alt_logout_method: false
 use_watchdog: false
+dialog_title: 'Boston.gov Alert'
+disable_buttons: false
+yes_button: ''
+no_button: ''
+whitelisted_ip_addresses: ''