ci: add workflow to deploy Firebase rules (#419)

Wrote a workflow to deploy Firebase rules via GitHub Actions. This is done automatically for dev, and can be run manually in any other available environment.

Also consolidated our Firebase rules files to only have one file for all environments.

Author: staceybeard

.github/workflows/firebase-rules.yml

@@ -0,0 +1,82 @@
+# SPDX-FileCopyrightText: Copyright 2025 Opal Health Informatics Group at the Research Institute of the McGill University Health Centre <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# This workflow is explained in `docs/source/ci-cd-workflows.md`; please keep that documentation file up to date when making changes here.
+
+name: Firebase Rules
+# Default to dev when running automatically (see also "env" below)
+run-name: Deploying Firebase rules for ${{ inputs.ENVIRONMENT || 'dev' }} 🚀
+on:
+  # When the database rules are changed, automatically deploy to dev
+  push:
+    branches:
+      - main
+    paths:
+      - 'firebase/database.rules.json'
+
+  # Offer a manual interface to deploy to all other environments as needed
+  workflow_dispatch:
+    inputs:
+      ENVIRONMENT:
+        description: 'Environment in which to deploy rules'
+        type: choice
+        required: true
+        default: 'dev'
+        options:
+          - dev
+          - prod
+
+permissions:
+  contents: read
+
+# Read the target environment from workflow_dispatch inputs, or default to dev
+env:
+  ENVIRONMENT: ${{ inputs.ENVIRONMENT || 'dev' }}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      # Setup
+      - name: Convert environment to all caps
+        run: echo "ENVIRONMENT_CAPS=${ENVIRONMENT^^}" >> "$GITHUB_ENV"
+      - name: Print environment
+        run: |
+          echo "Environment: $ENVIRONMENT ($ENVIRONMENT_CAPS)"
+      - uses: actions/[email protected]
+        with:
+          persist-credentials: false
+      - name: Use Node.js
+        uses: actions/[email protected]
+        with:
+          # renovate: datasource=node-version dependency=node
+          node-version: '22.14.0'
+      - name: Check npm installation
+        run: npm -v
+      - name: Install firebase-tools
+        run: |
+          npm install -g firebase-tools
+          firebase --version
+
+      # Deploy Firebase rules
+      # Deployment via 'firebase deploy' implicitly uses a service account assigned to $GOOGLE_APPLICATION_CREDENTIALS below (from values defined in the GitHub project settings)
+      # This service account provides permissions for editing Firebase rules
+      # See: https://firebase.google.com/docs/admin/setup#initialize_the_sdk_in_non-google_environments
+      - name: Read the service account needed to deploy to Firebase
+        # See: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-an-environment-variable
+        run: |
+          echo "${SECRET_GOOGLE_APPLICATION_CREDENTIALS}" > google-application-credentials.json
+          echo "GOOGLE_APPLICATION_CREDENTIALS=$(readlink -f google-application-credentials.json)" >> "$GITHUB_ENV"
+        env:
+          # See: https://stackoverflow.com/questions/61255989/dynamically-retrieve-github-actions-secret
+          SECRET_GOOGLE_APPLICATION_CREDENTIALS: ${{ secrets[format('{0}_GOOGLE_APPLICATION_CREDENTIALS', env.ENVIRONMENT_CAPS)] }} # zizmor: ignore[overprovisioned-secrets]
+      - name: Specify which Firebase project to use
+        working-directory: ./firebase
+        # Replace the <PROJECT-ID> placeholder with the project ID from repository variables
+        run: sed -i "s/<PROJECT-ID>/${VAR_PROJECT_ID}/" .firebaserc
+        env:
+          VAR_PROJECT_ID: ${{ vars[format('{0}_FIREBASE_PROJECT_ID', env.ENVIRONMENT_CAPS)] }}
+      - name: Deploy rules to Firebase
+        working-directory: ./firebase
+        run: firebase deploy --only database

REUSE.toml

@@ -7,27 +7,9 @@ path = [
     ".vscode/extensions.json",
     "docs/jsdoc.config.json",
     "docs/source/config.json",
-    "firebase/demo/.firebaserc",
-    "firebase/demo/database.rules.json",
-    "firebase/demo/firebase.json",
-    "firebase/dev/.firebaserc",
-    "firebase/dev/database.rules.json",
-    "firebase/dev/firebase.json",
-    "firebase/devops/.firebaserc",
-    "firebase/devops/database.rules.json",
-    "firebase/devops/firebase.json",
-    "firebase/preprod/.firebaserc",
-    "firebase/preprod/database.rules.json",
-    "firebase/preprod/firebase.json",
-    "firebase/prod/.firebaserc",
-    "firebase/prod/database.rules.json",
-    "firebase/prod/firebase.json",
-    "firebase/qa/.firebaserc",
-    "firebase/qa/database.rules.json",
-    "firebase/qa/firebase.json",
-    "firebase/staging/.firebaserc",
-    "firebase/staging/database.rules.json",
-    "firebase/staging/firebase.json",
+    "firebase/.firebaserc",
+    "firebase/database.rules.json",
+    "firebase/firebase.json",
     "listener/educational-material/eduMaterialConfig.json",
     "listener/studies/studiesConfig.json",
     "package.json",

docs/source/ci-cd-workflows.md

@@ -0,0 +1,61 @@
+<!--
+SPDX-FileCopyrightText: Copyright 2025 Opal Health Informatics Group at the Research Institute of the McGill University Health Centre <[email protected]>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+This project uses GitHub Actions to manage various CI/CD tasks.
+
+### Deploy Firebase Rules
+
+Deployment of [Firebase Realtime Database security rules](https://firebase.google.com/docs/database/security)
+has been configured in `.github/workflows/firebase-rules.yml` in this repository.
+For more information on our use of Firebase rules, see {@tutorial firebase-rules}.
+
+There are two ways to deploy the Firebase rules:
+
+#### 1. Automatically (Dev)
+
+Any commit on the main branch that modifies the Firebase rules file will automatically trigger a deployment in the dev environment.
+Since other Opal components are also automatically deployed to Dev,
+this allows changes to the Firebase rules to be immediately available in that environment.
+
+#### 2. Manually (any environment)
+
+Rules can be deployed manually using the GitHub Actions interface.
+In environments other than Dev, this facilitates timing the deployment of new rules concurrently with the deployment of the app or listener.
+
+To deploy rules manually, go to the [GitHub Actions Tab](https://github.com/opalmedapps/opal-listener/actions),
+select `Firebase Rules` in the left sidebar, and next to `This workflow has a workflow_dispatch event trigger`,
+select `Run workflow`.
+This will open a panel in which to provide inputs, such as which environment to use.
+
+#### Configuration: Service Accounts
+
+Service accounts were created to give the workflow the required permissions to publish Firebase rules.
+
+To create a new service account, follow these steps:
+
+ 1. Navigate to https://console.cloud.google.com/iam-admin/serviceaccounts
+    and select the Firebase project for which you'd like to create a service account.
+ 2. Select `Create service account`.
+ 3. Suggested inputs:
+    - Service account name: GitHub CI/CD - opal-listener
+    - Service account ID: `<automatically generated>`
+    - Service account description: Manually created service account that allows automatic deployment of Realtime Database rules to Firebase.
+ 4. Grant the account the following permissions:
+    - Firebase Realtime Database Admin
+    - Firebase Rules Admin
+
+If you'd like to view or edit permissions for a service account after it's been created,
+you can do so at https://console.cloud.google.com/iam-admin/iam (make sure to select the right project).
+
+Once created, service accounts can be made accessible to the workflow by adding them as
+[Repository Secrets for GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository),
+and naming them in the format expected by the workflow, for example `DEV_GOOGLE_APPLICATION_CREDENTIALS`.
+
+#### Configuration: Project IDs
+
+To deploy rules to a given Firebase project, its `projectID` must be saved as a
+[Repository Variable for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#creating-configuration-variables-for-a-repository),
+for example `DEV_FIREBASE_PROJECT_ID`.

docs/source/config.json

@@ -7,10 +7,13 @@
       }
     }
   },
-  "strangler-fig": {
-    "title": "Strangler Fig"
+  "ci-cd-workflows": {
+    "title": "CI/CD Workflows"
   },
   "firebase-rules": {
     "title": "Firebase Rules"
+  },
+  "strangler-fig": {
+    "title": "Strangler Fig"
   }
 }

docs/source/firebase-rules.md

@@ -5,21 +5,17 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 -->
 
 The Firebase rules for the Realtime Database used by the app and listener are version-controlled in this project.
-Rules for each environment can be found in the `firebase` directory.
+Rules and configuration files can be found in the `firebase` directory.
 
-With the exception of `prod`, rules can be deployed by the CI/CD pipeline whenever a `database.rules.json`
-file is modified and the changes are pushed to the default branch.
-This deployment is executed automatically for changes to `dev`, and manually for all other environments.
-Each deployment job is connected to a [GitLab protected environment](https://docs.gitlab.com/ee/ci/environments/protected_environments.html),
-which allows user permissions to be set to control deployment.
+For information on the automatic deployment of these rules via GitHub Actions, see {@tutorial ci-cd-workflows}.
 
-To deploy the `prod` rules, or to manually deploy rules for another environment without using the pipeline, the Firebase CLI can be used.
-Note that the CLI is installed during `npm install` (see `firebase-tools` in `package.json`). To deploy rules for an
+To manually deploy Firebase rules without using the pipeline, the Firebase CLI can be used.
+Note that the CLI is installed during `npm install` (see `firebase-tools` in `package.json`). To deploy rules for any
 environment, execute the following steps:
 
-1. Run `firebase login` and follow the instructions on the terminal. To publish firebase rules, you must log into
+1. Run `firebase login` and follow the instructions on the terminal. To publish Firebase rules, you must log into
    an account that has access to the right project.
 
-2. Change directory into the folder of the target environment. For example, `cd firebase/dev`.
+2. Change directory into the `firebase` folder.
 
-3. Run `firebase deploy --only database` to deploy the database rules from the directory you're currently in.
+3. Run `firebase deploy --only database` to deploy the rules defined in `database.rules.json`.

firebase/demo/.firebaserc renamed to firebase/.firebaserc

@@ -1,6 +1,6 @@
 {
   "projects": {
-    "default": "opal-3a1a23"
+    "default": "<PROJECT-ID>"
   },
   "targets": {},
   "etags": {}