Deployment pipeline.

.bp-config/httpd/httpd.conf

@@ -0,0 +1,27 @@
+# Overrides https://github.com/cloudfoundry/php-buildpack/blob/master/defaults/config/httpd/httpd.conf
+# to include our customization.
+# See https://docs.cloudfoundry.org/buildpacks/php/gsg-php-config.html#engine-configurations for background
+
+ServerRoot "${HOME}/httpd"
+Listen ${PORT}
+ServerAdmin "${HTTPD_SERVER_ADMIN}"
+ServerName "0.0.0.0"
+DocumentRoot "${HOME}/#{WEBDIR}"
+Include conf/extra/httpd-modules.conf
+Include conf/extra/httpd-directories.conf
+Include conf/extra/httpd-mime.conf
+Include conf/extra/httpd-deflate.conf
+Include conf/extra/httpd-logging.conf
+Include conf/extra/httpd-mpm.conf
+Include conf/extra/httpd-default.conf
+Include conf/extra/httpd-remoteip.conf
+Include conf/extra/httpd-php.conf
+
+# If they exist, include any user-provided customizations
+IncludeOptional conf/user-provided/*.conf
+
+<IfModule !mod_headers.c>
+  LoadModule headers_module modules/mod_headers.so
+</IfModule>
+
+RequestHeader unset Proxy early

.bp-config/httpd/user-provided/httpd-drupalsupport.conf

@@ -0,0 +1,2 @@
+# Enable proxy_http for our s3fs module
+LoadModule proxy_http_module modules/mod_proxy_http.so

.bp-config/options.json

@@ -0,0 +1,11 @@
+{
+  "COMPOSER_INSTALL_OPTIONS": [
+    "--no-dev --optimize-autoloader --no-progress --no-interaction"
+  ],
+  "COMPOSER_VENDOR_DIR": "vendor",
+  "WEBDIR": "web",
+  "PHP_VERSION": "{PHP_83_LATEST}",
+  "ADDITIONAL_PREPROCESS_CMDS": [
+    "source $HOME/scripts/bootstrap.sh"
+  ]
+}

.bp-config/php/php.ini.d/extensions.ini

@@ -0,0 +1,9 @@
+extension=apcu
+extension=igbinary
+extension=imagick
+extension=pdo_mysql
+extension=redis
+extension=sodium
+extension=zip
+
+zend_extension=opcache.so

.bp-config/php/php.ini.d/memory_limit.ini

@@ -0,0 +1,3 @@
+; Maximum amount of memory a script may consume (128MB)
+; http://php.net/memory-limit
+memory_limit = 512M

.github/workflows/build-and-deploy.yml

@@ -0,0 +1,24 @@
+name: Build and deploy
+
+on:
+  push:
+    branches:
+      - develop
+      - main
+      - stage
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  deploy-infra:
+    uses: ./.github/workflows/terraform-deploy-infra.yml
+    secrets: inherit
+  deploy-app:
+    uses: ./.github/workflows/cloudgov-deploy-app.yml
+    needs: deploy-infra
+    secrets: inherit
+  validate:
+    uses: ./.github/workflows/validation-run.yml
+    secrets: inherit

.github/workflows/cloudgov-deploy-app.yml

@@ -0,0 +1,73 @@
+name: Deploy App
+
+on:
+  workflow_call:
+
+jobs:
+  updateApp:
+    name: Update App
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set enviornment
+        run: |
+          BRANCH=$(echo $GITHUB_REF | cut -d'/' -f 3)
+          COMPOSER_DEV=1
+          case ${BRANCH} in
+            develop)
+              CF_SPACE="dev"
+              DRUPAL_MEMORY=${{ vars.DEVELOP_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.DEVELOP_INSTANCES }}
+              ;;
+            main)
+              CF_SPACE="prod"
+              COMPOSER_DEV=0
+              DRUPAL_MEMORY=${{ vars.MAIN_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.MAIN_INSTANCES }}
+              ;;
+            stage)
+              CF_SPACE="stage"
+              COMPOSER_DEV=0
+              DRUPAL_MEMORY=${{ vars.STAGE_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.STAGE_INSTANCES }}
+              ;;
+          esac
+
+          echo "APP_NAME=drupal" | tee -a $GITHUB_ENV
+          echo "BRANCH=${BRANCH}" | tee -a $GITHUB_ENV
+          echo "BUILDPACK_PORT=${{ vars.BUILDPACK_PORT }}" | tee -a $GITHUB_ENV
+          echo "CF_SPACE=${CF_SPACE}" | tee -a $GITHUB_ENV
+          echo "COMPOSER_DEV=${COMPOSER_DEV}" | tee -a $GITHUB_ENV
+          echo "DRUPAL_INSTANCES=${DRUPAL_INSTANCES}" | tee -a $GITHUB_ENV
+          echo "DRUPAL_MEMORY=${DRUPAL_MEMORY}" | tee -a $GITHUB_ENV
+          echo "HASH_SALT=${{ secrets.HASH_SALT }}" | tee -a $GITHUB_ENV
+          echo "WAF_NAME=waf"| tee -a $GITHUB_ENV
+
+          [ "${COMPOSER_DEV}" = "1" ] && sed -i 's/--no-dev //' .bp-config/options.json
+
+      - name: Set repo name
+        run: echo "REPO_NAME=${{ github.event.repository.name }}" >> $GITHUB_ENV
+      - name: Install basic dependancies
+        run: ./scripts/pipeline/deb-basic-deps.sh
+      - name: Install Cloudfoundry CLI
+        run: ./scripts/pipeline/deb-cf-install.sh
+      - name: Cloud.gov login
+        env:
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+        run: |
+          source ./scripts/pipeline/cloud-gov-login.sh
+          cf target -s "${CF_SPACE}" >/dev/null 2>&1
+      - name: Build theme
+        run: ./orch/build_node.sh
+      - name: Deploy App
+        env:
+          PROJECT: "${{ secrets.PROJECT }}"
+        run: source ./scripts/pipeline/cloud-gov-deploy.sh
+      - name: Post Deploy
+        env:
+          PROJECT: "${{ secrets.PROJECT }}"
+        run: source ./scripts/pipeline/cloud-gov-post-deploy.sh

.github/workflows/terraform-deploy-infra.yml

@@ -0,0 +1,133 @@
+name: Update Infrastructure
+
+on:
+  workflow_call:
+
+jobs:
+  updateInfrastructure:
+    name: Update Infrastructure
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set env.BRANCH
+        run: |
+          BRANCH=develop
+          #BRANCH=$(echo $GITHUB_REF | cut -d'/' -f 3)
+          case ${BRANCH} in
+            develop)
+              CF_SPACE="dev"
+              ;;
+            main)
+              CF_SPACE="prod"
+              ;;
+          esac
+          echo "BRANCH=${BRANCH}" >> $GITHUB_ENV
+          echo "CF_SPACE=${CF_SPACE}" >> $GITHUB_ENV
+      - name: Set repo name
+        run: echo "REPO_NAME=${{ github.event.repository.name }}" >> $GITHUB_ENV
+      - name: Install basic dependancies
+        run: ./scripts/pipeline/deb-basic-deps.sh
+      - name: Install Cloudfoundry CLI
+        run: ./scripts/pipeline/deb-cf-install.sh
+      - name: Cloud.gov login
+        env:
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+          TF_BACKEND_SPACE: "${{ secrets.TF_BACKEND_SPACE }}"
+        run: |
+          source ./scripts/pipeline/cloud-gov-login.sh
+          cf target -s "${TF_BACKEND_SPACE}" >/dev/null 2>&1
+      - name: Start Bastion
+        env:
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        run: |
+          cf start "${TF_BASTION}" >/dev/null 2>&1
+          ./scripts/pipeline/cloud-gov-wait-for-app-start.sh "${TF_BASTION}"
+      - name: Cloud.gov bastion git checkout
+        env:
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        run: |
+          #declare -a commands=("rm -rf ${REPO_NAME}" "git clone https://github.com/${GITHUB_REPOSITORY_OWNER}/${REPO_NAME}.git" "cd ${REPO_NAME}" "git checkout ${BRANCH}")
+          declare -a commands=("rm -rf ${REPO_NAME}" "git clone -b "feature/dg-98-build-and-configure-pipeline" https://github.com/${GITHUB_REPOSITORY_OWNER}/${REPO_NAME}.git")
+          for command in "${commands[@]}"; do
+            ./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "${command}" 1
+          done
+      - name: Build nginx WAF Plugin
+        env:
+          ubuntu_version: "${{ vars.UBUNTU_VERSION }}"
+          modsecurity_nginx_version: "${{ vars.MODSECURITY_NGINX_VERSION }}"
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        run: |
+          source ./scripts/pipeline/cloud-gov-waf-version.sh
+          source ./scripts/pipeline/terraform-build-waf-plugin.sh
+      - name: Configure Terraform
+        env:
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        run: |
+          CWD=$(pwd)
+          cd terraform/infra
+          envsubst < terraform.tfvars.tmpl > terraform.tfvars
+          ${CWD}/scripts/pipeline/cloud-gov-scp-file.sh "${TF_BASTION}" "terraform.tfvars" "${REPO_NAME}/terraform/infra/"
+          cd "${CWD}"
+      - name: Terraform Init
+        env:
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        id: init
+        run: |
+          ./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "tofu -chdir=${REPO_NAME}/terraform/infra init" 1
+          ./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "tofu -chdir=${REPO_NAME}/terraform/infra workspace new ${CF_SPACE} || exit 0" 1
+      - name: Terraform Validate
+        env:
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        id: validate
+        run: |
+          ./scripts/pipeline/cloud-gov-remote-command.sh ${TF_BASTION} "TF_WORKSPACE=${CF_SPACE} tofu -chdir=${REPO_NAME}/terraform/infra validate -no-color" 1
+      - name: Terraform Plan
+        env:
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        id: plan
+        run: |
+          ./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "TF_WORKSPACE=${CF_SPACE} tofu -chdir=${REPO_NAME}/terraform/infra plan -no-color" 1
+      - name: Terraform Apply
+        env:
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        id: apply
+        run: |
+          ./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "TF_WORKSPACE=${CF_SPACE} tofu -chdir=${REPO_NAME}/terraform/infra apply -auto-approve" 1
+  stopBastion:
+    name: Stop Bastion
+    runs-on: ubuntu-latest
+    needs: updateInfrastructure
+    if: ${{ always() }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set env.BRANCH
+        run: echo "BRANCH=dev" >> $GITHUB_ENV
+      - name: Install basic dependancies
+        run: ./scripts/pipeline/deb-basic-deps.sh
+      - name: Install Cloudfoundry CLI
+        run: ./scripts/pipeline/deb-cf-install.sh
+      - name: Cloud.gov login
+        env:
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+          TF_BACKEND_SPACE: "${{ secrets.TF_BACKEND_SPACE }}"
+        run: |
+          source ./scripts/pipeline/cloud-gov-login.sh
+          cf target -s "${TF_BACKEND_SPACE}" >/dev/null 2>&1
+      - name: Stop Bastion
+        env:
+          TF_BASTION: "${{ secrets.TF_BASTION }}"
+        run: cf stop "${TF_BASTION}"  >/dev/null 2>&1

.github/workflows/run-validation.yml → .github/workflows/validation-run.yml

@@ -1,15 +1,11 @@
 name: Run validation with RoboValidate
 
 on:
-    # Run on any branch so validate branch can always run.
-    push:
-    # Commit message validation requires a target branch which is only available in a PR.
-    pull_request:
+    workflow_call:
 
 jobs:
     validate:
         runs-on: ubuntu-latest
-
         steps:
             -   name: Checkout code
                 uses: actions/checkout@v4

.github/workflows/validation.yml

@@ -0,0 +1,11 @@
+name: Validation
+
+on:
+  push:
+    branches:
+      - 'feature/**'
+
+jobs:
+  validate:
+    uses: ./.github/workflows/validation-run.yml
+    secrets: inherit

.phpcs.xml.dist

@@ -0,0 +1,62 @@
+<?xml version="1.0"?>
+<!--
+   To override this file, copy it to phpcs.xml and then modify.
+   @see https://github.com/squizlabs/PHP_CodeSniffer/wiki/Annotated-ruleset.xml#the-annotated-sample-file
+-->
+<ruleset name="mobomo">
+  <description>PHP_CodeSniffer standards overrides.</description>
+
+  <!-- Create .phpcs.xml to override anything in this file
+    <?xml version="1.0"?>
+    <ruleset name="devloper">
+      <description>My Developer overrides.</description>
+      <rule ref="./.phpcs.xml.dist"/>
+    </ruleset>
+  -->
+  <!-- By default, warnings and errors cause an exception. -->
+  <config name="ignore_warnings_on_exit" value="1" />
+  <config name="ignore_errors_on_exit" value="0" />
+
+  <!-- Set ignore extensions. -->
+  <!-- @see https://www.drupal.org/node/2867601#comment-12075633 -->
+  <!-- This can probably be removed by setting a dependency on Coder 8.3.7 -->
+  <arg name="ignore" value="*.css,*.md,*.txt,*.png,*.gif,*.jpeg,*.jpg,*.svg"/>
+
+  <!-- Set extensions to scan (taken from Coder 8.3.6). -->
+  <!-- @see https://git.drupalcode.org/project/coder/blob/8.3.6/coder_sniffer/Drupal/ruleset.xml#L8 -->
+  <arg name="extensions" value="php,module,inc,install,test,profile,theme,info,yml"/>
+
+  <!-- Use colors in output. -->
+  <arg name="colors"/>
+  <!-- Show progress. -->
+  <arg value="p"/>
+
+   <rule ref="Drupal.Files.LineLength">
+    <properties>
+       <property name="lineLimit" value="100"/>
+       <property name="absoluteLineLimit" value="0"/>
+    </properties>
+   </rule>
+
+  <!-- Include existing standards. -->
+  <rule ref="Drupal">
+    <!-- Ignore specific sniffs. -->
+    <exclude name="Drupal.Commenting.InlineComment"/>
+    <exclude name="Drupal.InfoFiles.AutoAddedKeys.Version"/>
+    <exclude name="Drupal.Commenting"/>
+  </rule>
+  <rule ref="DrupalPractice">
+    <!-- Ignore specific sniffs. -->
+  </rule>
+
+  <!-- Default directories to sniff if no commandline instructions -->
+  <file>web/modules/custom</file>
+  <file>web/themes/custom</file>
+
+  <exclude-pattern>*/vendor/*</exclude-pattern>
+  <exclude-pattern>*/node_modules/*</exclude-pattern>
+  <exclude-pattern>.github/</exclude-pattern>
+  <exclude-pattern>web/modules/custom/tome</exclude-pattern>
+  <exclude-pattern>web/modules/custom/samlauth</exclude-pattern>
+
+</ruleset>

apt.yml

@@ -0,0 +1,11 @@
+---
+#keys:
+#  - https://download.newrelic.com/548C16BF.gpg
+#repos:
+  #- deb http://apt.newrelic.com/debian/ newrelic non-free
+packages:
+  - awscli
+  - bsdmainutils
+  - mysql-client
+  #- newrelic-php5
+  - nano