[GOVCMSCT2-121] CT PORT - Fast fact card

.docker/cli.dockerfile

@@ -110,3 +110,4 @@ RUN cd /app/web/themes/contrib/civictheme \
 # Compile sub-theme assets.
 RUN npm --prefix web/themes/custom/civictheme_demo install --no-audit --no-progress --unsafe-perm \
   && cd /app/web/themes/custom/civictheme_demo && npm run build
+COPY .docker/entrypoints/cli/* /quant-entrypoint.d/

.docker/entrypoints/cli/00-fix-permissions.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+set -e
+
+# Fix EFS volume permissions based on lagoon.persistent labels
+#
+# Two approaches based on container configuration:
+# 1. VOLUME_USER set: Use secure permissions with UID/GID 1000 (requires container remapping)
+# 2. VOLUME_USER unset: Fall back to world-writable (777/666) for compatibility
+
+echo "Fixing file permissions for EFS volumes..."
+
+# Check if containers have been configured with UID/GID remapping
+if [ -n "$VOLUME_USER" ]; then
+    echo "🔒 VOLUME_USER detected: Using secure permissions with UID/GID 1000"
+    echo "   (Assumes containers remap www-data to UID/GID 1000 for EFS compatibility)"
+    PERMISSION_MODE="secure"
+else
+    echo "⚠️  VOLUME_USER not set: Using world-writable permissions for compatibility"
+    echo "   (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
+    PERMISSION_MODE="compatible"
+fi
+
+# Persistent volume paths from docker-compose lagoon.persistent labels
+for path in "/app/web/sites/default/files/"; do
+    if [ -d "$path" ]; then
+        echo "Fixing permissions for: $path"
+
+        if [ "$PERMISSION_MODE" = "secure" ]; then
+            # Set secure directory permissions (755 = rwxr-xr-x)
+            find "$path" -type d -exec chmod 755 {} + 2>/dev/null || true
+
+            # Set secure file permissions (644 = rw-r--r--)
+            find "$path" -type f -exec chmod 644 {} + 2>/dev/null || true
+
+            echo "✓ Secure permissions applied: $path (dirs: 755, files: 644)"
+        else
+            # Compatible approach: World-writable fallback
+
+            # Make directories world-writable (since we can't chown to unknown web server user)
+            find "$path" -type d -exec chmod 777 {} + 2>/dev/null || true
+
+            # Make files world-readable/writable (since we can't chown to unknown web server user) 
+            find "$path" -type f -exec chmod 666 {} + 2>/dev/null || true
+
+            echo "✓ Compatible permissions applied: $path (dirs: 777, files: 666)"
+        fi
+    else
+        echo "Path not found (may not be mounted yet): $path"
+    fi
+done
+
+echo "Permission fixing completed for 1 volumes ($PERMISSION_MODE mode)"

.docker/entrypoints/cli/01-show-drevops-variables.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+# Post-rollout task: Show DrevOps variables.
+# Generated from .lagoon.yml
+
+env -0  | sort -z | tr '\0' '\n' | grep ^DREVOPS_ || true

.docker/entrypoints/cli/02-notify-about-pre-deployment.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+# Post-rollout task: Notify about pre-deployment.
+# Generated from .lagoon.yml
+
+if [ -n "$LAGOON_PR_NUMBER" ]; then export DREVOPS_NOTIFY_REF=$LAGOON_PR_NUMBER;export DREVOPS_NOTIFY_SHA=${LAGOON_PR_HEAD_SHA#origin/};export DREVOPS_NOTIFY_BRANCH=$LAGOON_PR_HEAD_BRANCH;else export DREVOPS_NOTIFY_REF=$LAGOON_GIT_BRANCH;export DREVOPS_NOTIFY_SHA=$LAGOON_GIT_SHA;export DREVOPS_NOTIFY_BRANCH=$LAGOON_GIT_BRANCH;fi
+DREVOPS_NOTIFY_PROJECT=$LAGOON_PROJECT \
+DREVOPS_NOTIFY_ENVIRONMENT_URL=$LAGOON_ROUTE \
+DREVOPS_NOTIFY_EVENT=pre_deployment ./scripts/drevops/notify.sh || true
+

.docker/entrypoints/cli/03-provision-site.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+# Post-rollout task: Provision site
+# Generated from .lagoon.yml
+# COMMENTED OUT: This script contains rsync commands that won't work in Quant Cloud
+
+# if [ "$LAGOON_ENVIRONMENT_TYPE" = "production" ] || [ "$LAGOON_GIT_BRANCH" = "${DREVOPS_LAGOON_PRODUCTION_BRANCH:-main}" ]; then
+#   echo "==> Running in PRODUCTION environment."
+#   # Never unblock admin user in production.
+#   export DRUPAL_UNBLOCK_ADMIN=0
+#   # Never sanitize DB in production.
+#   export DREVOPS_PROVISION_SANITIZE_DB_SKIP=1
+# fi
+#
+# # Deployments from UI are not able to bypass the value of
+# # DREVOPS_PROVISION_OVERRIDE_DB set by the deploy-lagoon.sh
+# # during previous deployments (it sets value to '0' to mitigate Lagoon bug
+# # where environment variables cannot be deleted and have to be set to a value).
+# # @see https://github.com/uselagoon/lagoon/issues/1922
+# # Explicitly set DB overwrite flag to the value from .env file for
+# # deployments from the profile.
+# if [ "${DREVOPS_PROVISION_USE_PROFILE}" = "1" ]; then
+#   export DREVOPS_PROVISION_OVERRIDE_DB="$(cat .env | grep ^DREVOPS_PROVISION_OVERRIDE_DB | cut -c31-)"
+# fi
+# ./scripts/drevops/provision.sh
+
+# NOTE: This provision script has been disabled because:
+# - rsync commands try to connect to Lagoon SSH which is not available in Quant Cloud
+# - Use DREVOPS_PROVISION_SKIP=1 environment variable to skip provision steps

.docker/entrypoints/cli/04-send-deployment-notifications.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+# Post-rollout task: Send deployment notifications
+# Generated from .lagoon.yml
+
+if [ -n "$LAGOON_PR_NUMBER" ]; then export DREVOPS_NOTIFY_REF=$LAGOON_PR_NUMBER; export DREVOPS_NOTIFY_SHA=${LAGOON_PR_HEAD_SHA#origin/}; export DREVOPS_NOTIFY_BRANCH=$LAGOON_PR_HEAD_BRANCH; else export DREVOPS_NOTIFY_REF=$LAGOON_GIT_BRANCH; export DREVOPS_NOTIFY_SHA=$LAGOON_GIT_SHA; export DREVOPS_NOTIFY_BRANCH=$LAGOON_GIT_BRANCH; fi
+DREVOPS_NOTIFY_EVENT=post_deployment \
+DREVOPS_NOTIFY_PROJECT=$LAGOON_PROJECT \
+DREVOPS_NOTIFY_ENVIRONMENT_URL=$LAGOON_ROUTE \
+./scripts/drevops/notify.sh
+

.docker/entrypoints/nginx/00-fix-permissions.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+set -e
+
+# Fix EFS volume permissions based on lagoon.persistent labels
+#
+# Two approaches based on container configuration:
+# 1. VOLUME_USER set: Use secure permissions with UID/GID 1000 (requires container remapping)
+# 2. VOLUME_USER unset: Fall back to world-writable (777/666) for compatibility
+
+echo "Fixing file permissions for EFS volumes..."
+
+# Check if containers have been configured with UID/GID remapping
+if [ -n "$VOLUME_USER" ]; then
+    echo "🔒 VOLUME_USER detected: Using secure permissions with UID/GID 1000"
+    echo "   (Assumes containers remap www-data to UID/GID 1000 for EFS compatibility)"
+    PERMISSION_MODE="secure"
+else
+    echo "⚠️  VOLUME_USER not set: Using world-writable permissions for compatibility"
+    echo "   (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
+    PERMISSION_MODE="compatible"
+fi
+
+# Persistent volume paths from docker-compose lagoon.persistent labels
+for path in "/app/web/sites/default/files/"; do
+    if [ -d "$path" ]; then
+        echo "Fixing permissions for: $path"
+
+        if [ "$PERMISSION_MODE" = "secure" ]; then
+            # Set secure directory permissions (755 = rwxr-xr-x)
+            find "$path" -type d -exec chmod 755 {} + 2>/dev/null || true
+
+            # Set secure file permissions (644 = rw-r--r--)
+            find "$path" -type f -exec chmod 644 {} + 2>/dev/null || true
+
+            echo "✓ Secure permissions applied: $path (dirs: 755, files: 644)"
+        else
+            # Compatible approach: World-writable fallback
+
+            # Make directories world-writable (since we can't chown to unknown web server user)
+            find "$path" -type d -exec chmod 777 {} + 2>/dev/null || true
+
+            # Make files world-readable/writable (since we can't chown to unknown web server user) 
+            find "$path" -type f -exec chmod 666 {} + 2>/dev/null || true
+
+            echo "✓ Compatible permissions applied: $path (dirs: 777, files: 666)"
+        fi
+    else
+        echo "Path not found (may not be mounted yet): $path"
+    fi
+done
+
+echo "Permission fixing completed for 1 volumes ($PERMISSION_MODE mode)"

.docker/entrypoints/php/00-fix-permissions.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+set -e
+
+# Fix EFS volume permissions based on lagoon.persistent labels
+#
+# Two approaches based on container configuration:
+# 1. VOLUME_USER set: Use secure permissions with UID/GID 1000 (requires container remapping)
+# 2. VOLUME_USER unset: Fall back to world-writable (777/666) for compatibility
+
+echo "Fixing file permissions for EFS volumes..."
+
+# Check if containers have been configured with UID/GID remapping
+if [ -n "$VOLUME_USER" ]; then
+    echo "🔒 VOLUME_USER detected: Using secure permissions with UID/GID 1000"
+    echo "   (Assumes containers remap www-data to UID/GID 1000 for EFS compatibility)"
+    PERMISSION_MODE="secure"
+else
+    echo "⚠️  VOLUME_USER not set: Using world-writable permissions for compatibility"
+    echo "   (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
+    PERMISSION_MODE="compatible"
+fi
+
+# Persistent volume paths from docker-compose lagoon.persistent labels
+for path in "/app/web/sites/default/files/"; do
+    if [ -d "$path" ]; then
+        echo "Fixing permissions for: $path"
+
+        if [ "$PERMISSION_MODE" = "secure" ]; then
+            # Set secure directory permissions (755 = rwxr-xr-x)
+            find "$path" -type d -exec chmod 755 {} + 2>/dev/null || true
+
+            # Set secure file permissions (644 = rw-r--r--)
+            find "$path" -type f -exec chmod 644 {} + 2>/dev/null || true
+
+            echo "✓ Secure permissions applied: $path (dirs: 755, files: 644)"
+        else
+            # Compatible approach: World-writable fallback
+
+            # Make directories world-writable (since we can't chown to unknown web server user)
+            find "$path" -type d -exec chmod 777 {} + 2>/dev/null || true
+
+            # Make files world-readable/writable (since we can't chown to unknown web server user) 
+            find "$path" -type f -exec chmod 666 {} + 2>/dev/null || true
+
+            echo "✓ Compatible permissions applied: $path (dirs: 777, files: 666)"
+        fi
+    else
+        echo "Path not found (may not be mounted yet): $path"
+    fi
+done
+
+echo "Permission fixing completed for 1 volumes ($PERMISSION_MODE mode)"

.docker/php.dockerfile

@@ -15,3 +15,4 @@ FROM uselagoon/php-8.3-fpm:25.1.0
 RUN apk add --no-cache tzdata
 
 COPY --from=cli /app /app
+COPY .docker/entrypoints/php/* /quant-entrypoint.d/

.dockerignore

@@ -29,6 +29,7 @@ node_modules
 
 # Do not ignore other required files.
 !.docker/scripts
+!.docker/entrypoints
 !.docker/config
 !.env
 !.eslintrc.json

.github/workflows/build-deploy.yml

@@ -0,0 +1,144 @@
+name: Build and Push civictheme-monorepo-drupal to Quant Cloud
+'on':
+  push:
+    branches:
+    - main
+    - master
+    - develop
+    - quant-cloud-migration
+    - feature/*
+    tags:
+    - '*'
+  pull_request:
+    branches: '*'
+
+concurrency:
+  group: build-and-push-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-and-push:
+    runs-on: sh-runner-1-arm64
+    steps:
+
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Initialize Quant Cloud
+      uses: quantcdn/[email protected]
+      id: init
+      with:
+        quant_organization: ${{ secrets.QUANT_ORGANIZATION }}
+        quant_api_key: ${{ secrets.QUANT_API_KEY }}
+        quant_application: civictheme-monorepo-drupal
+        master_branch_override: main
+
+    - name: Override outputs for quant-cloud-migration branch
+      id: override-outputs
+      run: |-
+        # Override outputs for quant-cloud-migration branch to treat it as production
+        if [[ "${{ github.ref }}" == "refs/heads/quant-cloud-migration" ]]; then
+          echo "image_suffix=-latest" >> $GITHUB_OUTPUT
+          echo "image_suffix_clean=latest" >> $GITHUB_OUTPUT
+          echo "is_production=true" >> $GITHUB_OUTPUT
+          echo "environment_name=production" >> $GITHUB_OUTPUT
+          echo "environment_exists=true" >> $GITHUB_OUTPUT
+          echo "Overriding outputs for quant-cloud-migration branch: using -latest suffix and production environment"
+        else
+          # Use the original action outputs
+          echo "image_suffix=${{ steps.init.outputs.image_suffix }}" >> $GITHUB_OUTPUT
+          # Remove leading hyphen from image_suffix for image_suffix parameter
+          suffix="${{ steps.init.outputs.image_suffix }}"
+          clean_suffix="${suffix#-}"
+          echo "image_suffix_clean=$clean_suffix" >> $GITHUB_OUTPUT
+          echo "is_production=${{ steps.init.outputs.is_production }}" >> $GITHUB_OUTPUT
+          echo "environment_name=${{ steps.init.outputs.environment_name }}" >> $GITHUB_OUTPUT
+          echo "environment_exists=${{ steps.init.outputs.environment_exists }}" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Build and push cli image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: ./.docker/cli.dockerfile
+        platforms: linux/arm64
+        push: true
+        tags: ${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application
+          }}:cli${{ steps.override-outputs.outputs.image_suffix }}
+        cache-from: |-
+          type=gha
+          type=registry,ref=${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application }}:cli-cache
+        cache-to: type=gha,mode=max
+        build-args: CLI_IMAGE=${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application
+          }}:cli${{ steps.override-outputs.outputs.image_suffix }}
+
+    - name: Build and push nginx image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: ./.docker/nginx-drupal.dockerfile
+        platforms: linux/arm64
+        push: true
+        tags: ${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application
+          }}:nginx${{ steps.override-outputs.outputs.image_suffix }}
+        cache-from: |-
+          type=gha
+          type=registry,ref=${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application }}:nginx-cache
+        cache-to: type=gha,mode=max
+        build-args: CLI_IMAGE=${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application
+          }}:cli${{ steps.override-outputs.outputs.image_suffix }}
+
+    - name: Build and push php image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: ./.docker/php.dockerfile
+        platforms: linux/arm64
+        push: true
+        tags: ${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application
+          }}:php${{ steps.override-outputs.outputs.image_suffix }}
+        cache-from: |-
+          type=gha
+          type=registry,ref=${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application }}:php-cache
+        cache-to: type=gha,mode=max
+        build-args: CLI_IMAGE=${{ steps.init.outputs.stripped_endpoint }}/${{ secrets.QUANT_ORGANIZATION }}/${{ steps.init.outputs.quant_application
+          }}:cli${{ steps.override-outputs.outputs.image_suffix }}
+
+    - name: Create environment if it doesn't exist
+      if: ${{ !startsWith(github.ref, 'refs/tags/') && steps.override-outputs.outputs.environment_exists == 'false' }}
+      uses: quantcdn/[email protected]
+      with:
+        api_key: ${{ secrets.QUANT_API_KEY }}
+        organization: ${{ secrets.QUANT_ORGANIZATION }}
+        app_name: ${{ steps.init.outputs.quant_application }}
+        environment_name: ${{ steps.override-outputs.outputs.environment_name }}
+        from_environment: production
+        image_suffix: ${{ steps.override-outputs.outputs.image_suffix_clean }}
+
+    - name: Sync database from production to new environment
+      if: ${{ !startsWith(github.ref, 'refs/tags/') && steps.override-outputs.outputs.environment_exists == 'false' && steps.override-outputs.outputs.environment_name
+        != 'production' }}
+      uses: quantcdn/[email protected]
+      with:
+        api_key: ${{ secrets.QUANT_API_KEY }}
+        organization: ${{ secrets.QUANT_ORGANIZATION }}
+        app_name: ${{ steps.init.outputs.quant_application }}
+        environment_name: ${{ steps.override-outputs.outputs.environment_name }}
+        source: production
+        type: database
+        wait: true
+        wait_interval: 10
+        max_retries: 30
+
+    - name: Redeploy existing environment
+      if: ${{ !startsWith(github.ref, 'refs/tags/') && steps.override-outputs.outputs.environment_exists == 'true' }}
+      uses: quantcdn/quant-cloud-environment-state-action@v1
+      with:
+        api_key: ${{ secrets.QUANT_API_KEY }}
+        organization: ${{ secrets.QUANT_ORGANIZATION }}
+        application: ${{ steps.init.outputs.quant_application }}
+        environment: ${{ steps.override-outputs.outputs.environment_name }}
+        action: redeploy