Merge branch 'main' into documentation

.github/workflows/archive.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v4.0.2
       with:
         aws-region: us-gov-west-1
         role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
@@ -142,7 +142,7 @@ jobs:
       run: tar -c main/out/ -cf ${{ env.BUILD_TYPE }}.tar.bz2 .
 
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v4.0.2
       with:
         aws-region: us-gov-west-1
         role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}

.github/workflows/content-release-dev.yml

@@ -0,0 +1,26 @@
+name: "Content release: Dev"
+on:
+  # Can be manually triggered
+  workflow_dispatch:
+  # Runs 5:05 am EDT Monday to Friday.
+  # This currently UTC -> EDT.
+  schedule:
+    - cron: "05 9 * * 1-5"
+  # Runs each time there is a new Production Tag created.
+  workflow_run:
+    workflows: ['Create Production Tag']
+    types: [completed]
+    branches: [main]
+
+concurrency: next-build-content-release-dev
+
+jobs:
+  content-release-dev:
+    # This job should run for any valid event besides workflow_run, or workflow_run if the conclusion was successful.
+    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
+    uses: department-of-veterans-affairs/next-build/.github/workflows/content-release.yml@main
+    with:
+      build_type: "dev"
+    secrets: inherit
+
+

.github/workflows/content-release-prod.yml

@@ -0,0 +1,23 @@
+name: "Content release: Prod"
+on:
+  # Can be manually triggered
+  workflow_dispatch:
+  # Runs automatically every 30 minutes from 8am to 8pm Monday to Friday.
+  # This currently UTC -> EDT.
+  schedule:
+    - cron: "*/30 0,12-23 * * 1-5"
+  # Runs on API call. Used for CMS-driven build triggers.
+  repository_dispatch:
+    types: [content-release]
+
+concurrency: next-build-content-release-prod
+
+jobs:
+  content-release:
+    uses: department-of-veterans-affairs/next-build/.github/workflows/content-release.yml@main
+    with:
+      build_type: "prod"
+    secrets: inherit
+
+
+

.github/workflows/content-release-staging.yml

@@ -0,0 +1,26 @@
+name: "Content release: Staging"
+on:
+  # Can be manually triggered
+  workflow_dispatch:
+  # Runs 5:35 am EDT Monday to Friday.
+  # This currently UTC -> EDT.
+  schedule:
+    - cron: "35 9 * * 1-5"
+  # Runs each time there is a new Production Tag created.
+  workflow_run:
+    workflows: ['Create Production Tag']
+    types: [completed]
+    branches: [main]
+
+concurrency: next-build-content-release-staging
+
+jobs:
+  content-release-staging:
+    # This job should run for any valid event besides workflow_run, or workflow_run if the conclusion was successful.
+    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
+    uses: department-of-veterans-affairs/next-build/.github/workflows/content-release.yml@main
+    with:
+      build_type: "staging"
+    secrets: inherit
+
+

.github/workflows/content-release.yml

@@ -5,19 +5,15 @@ permissions:
   contents: read  # This is required for actions/checkout
 
 on:
-  repository_dispatch:
-    types: [content-release]
-  workflow_run:
-    workflows: ['Create Production Tag']
-    types: [completed]
-    branches: [main]
+  # Runs when called from other workflows. Used for ongoing releases for dev/staging/prod.
   workflow_call:
     inputs:
       build_type:
         type: string
         description: "Environment this workflow runs against"
         required: true
         default: 'PROD'
+  # Manual release.
   workflow_dispatch:
     inputs:
       build_type:
@@ -31,7 +27,7 @@ on:
           - prod
 
 concurrency:
-  group: ${{ inputs.build_type || 'prod' }} 
+  group: ${{ inputs.build_type || 'prod' }}
 
 env:
   SLACK_CHANNEL: C06DSBT7CBW #status-next-build
@@ -42,7 +38,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v4.0.2
       with:
         aws-region: us-gov-west-1
         role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
@@ -107,7 +103,7 @@ jobs:
         continue-on-error: true
         with:
           payload: '{"attachments": [{"color": "#2EB67D","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "Stand by, content release for next-build coming up (using ${{ needs.validate-build-status.outputs.TAG }}). <https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}>"}}]}]}'
-          channel_id: ${{ env.SLACK_CHANNEL }} 
+          channel_id: ${{ env.SLACK_CHANNEL }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
@@ -133,14 +129,14 @@ jobs:
       env:
         NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt
         APP_ENV: ${{ inputs.build_type || 'prod' }}
-         
+
 
       ports:
         - 80
       volumes:
         - /etc/ssl/certs:/etc/ssl/certs
     steps:
-    
+
     - name: Export setup start time
       id: export-setup-start-time
       run: echo SETUP_START_TIME=$(date +"%s") >> $GITHUB_OUTPUT
@@ -208,12 +204,12 @@ jobs:
             cd out
             ls -l
           fi
-                  
+
     - name: Build sitemap
       run: cd main && yarn build:sitemap
 
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v4.0.2
       with:
         aws-region: us-gov-west-1
         role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
@@ -237,7 +233,7 @@ jobs:
         DEST: s3://next-content.dev.va.gov
     - if: inputs.build_type == 'staging'
       name: Deploy to S3
-      run: | 
+      run: |
         cd main && ./scripts/github-actions/deploy.sh -s $SRC -d $DEST -v
         ls
         cd out
@@ -251,8 +247,8 @@ jobs:
       env:
         SRC: ./out/
         DEST: s3://next-content.www.va.gov
-    
-    - if: inputs.build_type == '' 
+
+    - if: inputs.build_type == ''
       name: Deploy to S3
       run: cd main && ./scripts/github-actions/deploy.sh -s $SRC -d $DEST -v
       env:
@@ -262,7 +258,7 @@ jobs:
     - name: Export deploy end time
       id: export-deploy-end-time
       run: echo DEPLOY_END_TIME=$(date +"%s") >> $GITHUB_OUTPUT
-      
+
   notify-success:
     name: Notify Success
     needs: [validate-build-status, build]
@@ -282,7 +278,7 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v4.0.2
         with:
           aws-region: us-gov-west-1
           role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
@@ -336,7 +332,7 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v4.0.2
         with:
           aws-region: us-gov-west-1
           role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
@@ -380,7 +376,7 @@ jobs:
         METRIC_NAMESPACE: dsva_vagov.next_build
       steps:
         - name: Checkout
-          uses: actions/checkout@v4  
+          uses: actions/checkout@v4
         #uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
         - name: Get current timestamp

.github/workflows/gha-metrics-datadog.yml

@@ -11,7 +11,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -25,7 +25,7 @@ jobs:
           env_variable_name: GHA_CONTENT_BUILD_DATADOG_API_KEY
 
       - name: Send GitHub Actions metrics to DataDog
-        uses: int128/datadog-actions-metrics@5dbc8b81eb6d1b3cbd24099ff83373df472e0e36 # v1.95.0
+        uses: int128/datadog-actions-metrics@b55864e8d4ccab2d30f33e9eabc6e02031894555 # v1.97.0
         with:
           datadog-api-key: ${{ env.GHA_CONTENT_BUILD_DATADOG_API_KEY }}
           collect-job-metrics: true

.github/workflows/mirror-images.yml

@@ -67,7 +67,7 @@ jobs:
           echo "IMAGE_TAG=$(cat tag.txt)" >> $GITHUB_ENV
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v4.0.2
         with:
           aws-region: us-gov-west-1
           role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}

.github/workflows/playwright.yml

@@ -13,7 +13,7 @@ jobs:
     if: github.event.deployment_status.state == 'success'
     steps:
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v4.0.2
       with:
         aws-region: us-gov-west-1
         role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}

.github/workflows/preview.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v4.0.2
       with:
         aws-region: us-gov-west-1
         role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}

.github/workflows/update-manifest.yml

@@ -66,7 +66,7 @@ jobs:
           echo "IMAGE_TAG=$(cat tag.txt)" >> $GITHUB_ENV
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v4.0.2
         with:
           aws-region: us-gov-west-1
           role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}

READMEs/devops/content-release.md

@@ -4,11 +4,27 @@ Content Release is what VA teams call the process of moving new published conten
 
 See [CMS Content Release](https://github.com/department-of-veterans-affairs/va.gov-cms/blob/main/READMES/cms-content-release.md) for more information on how content release is currently triggered via CMS for `content-build` and BRD.
 
-In the short term, next-build will operate in very much the same way. When content is published in Drupal, a dispatch to our [content-release workflow](/.github/workflows/content-release.yml) will be triggered. This workflow builds all the static pages and assets currently known to next-build (as discovered by `RESOURCE_TYPES_TO_BUILD` in the catchall [slug file](/READMEs/slug.md)). It also generates a sitemap for these pages. Once the build process is completed, all of these items are pushed to the appropriate [S3 bucket](/READMEs/devops/infrastructure.md). Once the files are uploaded to S3, they are available for public traffic.
+In the short term, next-build will operate in very much the same way. All content that is managed by Next Build will be built with each content release, regardless of whether it is new/changed or unchanged.
 
-This workflow also happens whenever new code is merged to the main branch, to ensure the S3 bucket has the most up-to-date changes.
+## Production content release
 
-Right now, the workflow always runs using prod.cms.va.gov as it's data source and pushes output to the production next-content.www S3 bucket. If/when the workflow is parameterized to run against multiple targets (similar to how content-build builds `vagovdev`, `vagovstaging` and `vagovprod`), the sources and output buckets should also be adjusted.
+Production content release currently is triggered by the following events:
+
+- On a schedule, every 30 minutes between 8 am and 8 pm ET
+- Manually through the Github Actions interface
+- When specific content is published in the CMS
+
+Production content releases use https://prod.cms.va.gov/ as their content source.
+
+## Dev and Staging content release
+
+Dev and Staging content releases are triggered by the following events:
+
+- On a schedule, nightly at 5:05 am ET or 5:35 am ET for Dev arnd Staging respectively. This keeps content relatively fresh even when there are no code changes to trigger a Dev or Staging content release.
+- When any code is merged to the `main` branch of Next Build and has a successfull CI run on main - this is to keep Dev and Staging up-to-date with code changes they come in.
+- Manually through the Github Actions interface
+
+Dev and Staging content releases use https://main-medc0xjkxm4jmpzxl3tfbcs7qcddsivh.ci.cms.va.gov/ as their content source.
 
 # Archiving
 

READMEs/env-loader.md

@@ -4,17 +4,17 @@ The env-loader package is our custom solution for ingesting environment variable
 
 It collects variables from:
 
-1. appropriate `.env` file in `envs/` based on the `APP_ENV` env var
+1. the CMS environment's defined feature flags
 
-- (defaults to `.env.local`)
+- which CMS enviroment determined via `NEXT_PUBLIC_BASE_DRUPAL_URL` env var
 
-2. the CMS environment's defined feature flags
+2. appropriate `.env` file in `envs/` based on the `APP_ENV` env var
 
-- which CMS enviroment determined via `NEXT_PUBLIC_BASE_DRUPAL_URL` env var
+- (defaults to `.env.local`)
 
 3. CLI options included with the command
 
-After collecting (and overwriting values as needed based on the order above), all env vars are set and the command runs.
+After collecting (and overwriting values as needed based on the order above), all env vars are set and the command runs. Keep in mind the ordering. If the same environment variable is set in both the CMS feature flags and in the .env file, the value in the .env file will be chosen.
 
 For a full list of CLI options available, see [cli-options.tsx](packages/env-loader/src/cli-options.ts)