From bb128c1a8f2915064793e6fd84d409f33661390f Mon Sep 17 00:00:00 2001
From: Oliver Davies
Date: Thu, 2 Jul 2020 21:18:25 +0100
Subject: [PATCH] Deploy automatically via GitHub Actions Fixes #19 and #58
---
.github/workflows/deploy.yml | 52 ++++++++++++++++++++++++++++++++++++
README.md | 9 +++++--
2 files changed, 59 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/deploy.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..b8d728b
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,52 @@
+---
+name: Deploy
+
+on:
+ push:
+ branches:
+ - production
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+
+ name: Deploy via Ansible
+
+ env:
+ ANSIBLE_FORCE_COLOR: 1
+ ANSIBLE_HOST_KEY_CHECKING: no
+
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+
+ - name: Add the deployment SSH key
+ uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{ secrets.SSH_PRIVATE_KEY }}
+ name: id_rsa
+ known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
+
+ - name: Cache dependencies
+ uses: actions/cache@v1
+ with:
+ path: tools/ansible/.roles
+ key: dependencies-composer-${{ hashFiles('tools/ansible/requirements.yml') }}
+
+ - name: Download Ansible roles
+ run: ansible-galaxy install -r tools/ansible/requirements.yml
+
+ - name: Export the Ansible Vault password
+ run: echo $ANSIBLE_VAULT_PASS > tools/ansible/.vault-pass.txt
+ env:
+ ANSIBLE_VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASS }}
+
+ - name: Deploy the code
+ run: >
+ ansible-playbook tools/ansible/deploy.yml
+ -i tools/ansible/hosts.yml
+ -e "ansistrano_deploy_branch=$GITHUB_SHA"
+ --vault-password-file=tools/ansible/.vault-pass.txt
+
+ - name: Remove the Ansible Vault password file
+ run: rm tools/ansible/.vault-pass.txt
diff --git a/README.md b/README.md
index b243889..9e7b4bb 100644
--- a/README.md
+++ b/README.md
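Review bot: `ANSIBLE_HOST_KEY_CHECKING: no` in the job-level `env` of `.github/workflows/deploy.yml` turns off SSH host key verification for the whole playbook run, which defeats the `known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}` entry installed by the SSH key step and leaves the deployment connection (which presumably carries Vault-decrypted settings) unauthenticated on the server side. Drop that line, or set `ANSIBLE_HOST_KEY_CHECKING: "true"`, so the provisioned host keys are actually enforced. The final cleanup step is skipped when `Deploy the code` fails, so `tools/ansible/.vault-pass.txt` stays in the workspace; add `if: always()` to `Remove the Ansible Vault password file`, and write the file with `printf '%s' "$ANSIBLE_VAULT_PASS" > tools/ansible/.vault-pass.txt` so the unquoted `echo` cannot word-split or glob-expand the secret. Because `shimataro/ssh-key-action@v2` is handed the private key, pinning it to a full commit SHA rather than a movable tag would also narrow the supply-chain exposure.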
@@ -23,13 +23,18 @@ ansible-playbook tools/ansible/provision.yml Deployments for this site for managed with Ansible and [Ansistrano][]. Ansible Vault is used to manage sensitive information like database passwords. -Deployments are triggered automatically when changes are pushed to GitHub, and are performed via [CircleCI][]. +Deployments are triggered automatically when changes are pushed to GitHub, and are performed automatically via GitHub Actions on each push to the `production` branch. To run a deployment manually, run `ansible-playbook tools/ansible/deploy.yml --ask-vault-pass`. The Vault password is stored in LastPass. [Ansistrano]: https://ansistrano.com -[CircleCI]: https://circleci.com/gh/opdavies/oliverdavies-uk + +#### Generating settings files + +Production settings files are generated automatically during a deployment. This is done using the [opdavies.drupal_settings_files][] Ansible role, using variables from `tools/ansible/vars/deploy_vars.yml`, and performed during Ansistrano’s `After update code` build step. + +[opdavies.drupal_settings_files][https://galaxy.ansible.com/opdavies/drupal_settings_files] ## Migrating data into the website