Docs/drift section (#2341)

* Plan for drift docs

* Drift docs - firt pass

* Update drift section docs

* Fix slack notifications page slug

* Title Slack Notifications

Author: ZIJ

agent-tasks/drift-docs-section-plan.md

@@ -0,0 +1,153 @@
+# Drift Documentation: New Section Plan
+
+## Goals
+
+- Create a dedicated Drift section (parallel to State Management / Self-host Digger) that clearly explains concepts, setup, operations, and troubleshooting.
+- Reduce fragmentation by moving/adapting current content under a coherent information architecture (IA).
+- Fill current gaps: org/project settings, scheduling strategies, remediation, and self-host specifics.
+
+## Current Inventory (what exists today)
+
+- Features → Drift Detection: `docs/ce/features/drift-detection.mdx`
+  - Covers: GH Actions scheduled workflow for drift; Slack and GitHub Issues examples; note about 403/no-backend.
+- How To → Scope Drift Detection: `docs/ce/howto/scope-drift-detection.mdx`
+  - Covers: Using `digger-filename` to limit drift to certain projects.
+- Reference → Action inputs: `docs/ce/reference/action-inputs.mdx`
+  - Mentions: `mode: drift-detection`, `drift-detection-slack-notification-url`, `digger-filename`, `no-backend`.
+- Codebase capabilities (underdocumented in docs):
+  - Org-level drift settings: enable/disable, cron string, Slack webhook URL (`/api/orgs/settings/`).
+  - Project-level drift enable flag (`/api/projects/:project_id`).
+  - Internal drift service endpoints and scheduler hooks (for backend-driven scans and Slack rollups).
+  - Plan snapshots and counts stored per project; status surfaced in UI/API.
+
+## Proposed Section Name and Nav
+
+- Group: Drift.
+- Placement: Top-level group in `docs/mint.json` after “Getting Started” and “State Management”.
+- Remove “Drift Detection” from Features; move/retitle into this new section.
+
+## Information Architecture (pages and purpose)
+
+1) `ce/drift/overview.mdx`
+   - What is drift, why it matters, how Digger detects it (scheduled plans on default branch per project).
+   - Two operating modes: GitHub Actions-only vs backend-orchestrated scans.
+   - Optional high-level mention of drift states (no dedicated page).
+
+2) `ce/drift/how-it-works.mdx`
+   - Architecture: drift as a separate service with a cron-driven scheduler; internal endpoints and DB updates.
+   - Backendless mode: running entirely via GitHub Actions with `mode: drift-detection`.
+   - When to choose each approach.
+
+3) `ce/drift/quickstart-github-actions.mdx`
+   - Minimal GH Actions workflow using `mode: drift-detection` and a cron.
+   - Includes a note that it is "backendless mode"
+   - Tips: install Terraform (`setup-terraform: true`), store webhook secret, use `no-backend: true` when applicable.
+
+4) `ce/drift/scoping-projects.mdx`
+   - Consolidate/replace How To → Scope Drift Detection.
+   - Techniques: dedicated `digger.yml` via `digger-filename`, project `drift_detection: false` in digger.yml, branch filters, dependency considerations.
+
+5) `ce/drift/notifications.mdx`
+   - Slack rollup notifications: format, frequency, org-level webhook, test endpoint, common errors.
+   - Mentions GitHub Issues exist for drift, with a link to the dedicated page below.
+
+6) `ce/drift/github-issues.mdx`
+   - Dedicated setup and permissions for creating GitHub Issues during drift.
+   - What’s in the issue, labels, ownership, and housekeeping guidance.
+
+7) `ce/drift/remediation.mdx`
+   - How to remediate drift using GitHub Issues integration.
+   - Describe remediation by commenting `digger apply` in the GitHub issue; include a clear note that this flow is only relevant for the GitHub Issues integration.
+
+8) `ce/drift/scheduling.mdx`
+   - GH Actions cron examples (simple mode).
+   - Backend scheduling (self-host/Cloud): org-level `drift_cron_tab` and how scans are batched; internal endpoints overview.
+
+9) `ce/drift/self-host.mdx`
+   - Running the drift service (`Dockerfile_drift`), required env vars: `DIGGER_HOSTNAME`, `DIGGER_WEBHOOK_SECRET`, `DIGGER_APP_URL`, `DIGGER_DRIFT_REPORTER_HOSTNAME`.
+   - Database/scheduler notes (pg_cron/pg_net SQL jobs in `drift/scripts/cron/*.sql`).
+   - Securing internal endpoints, topology, scaling.
+
+10) `ce/drift/troubleshooting.mdx`
+    - 403/permissions during drift reporting → often missing `no-backend: true` in Actions.
+    - Slack webhook failures and how to test.
+    - Issues creation failures (token scopes), large plan outputs, runner timeouts.
+
+## Content Outlines (key sections per page)
+
+- Overview
+  - Concept, detection flow description, supported IaC; optional brief mention of states.
+
+- How It Works
+  - Separate service architecture and cron; internal endpoints; backendless mode explained.
+
+- Quickstart (GH Actions)
+  - YAML snippet; secrets; validation; verification steps; example outputs.
+
+- Scoping Projects
+  - `digger-filename` technique; per-project `drift_detection` flag; branch selection considerations.
+
+- Notifications
+  - Slack rollup design (aggregated per org), color legend, test endpoint; direct link to GitHub Issues page.
+
+- GitHub Issues
+  - Enablement, required env vars/permissions, example outputs, labels/assignment.
+
+- Remediation
+  - Comment `digger apply` in the GitHub issue to remediate drift (only relevant for Issues integration).
+
+- Scheduling
+  - GH Actions cron; backend scheduler overview (SQL jobs in `drift/scripts/cron/`), `drift_cron_tab` semantics; examples.
+
+- Self-host
+  - Deploying the drift service; required components; env vars; security; health checks; scaling.
+
+- Troubleshooting
+  - Symptoms, likely causes, resolutions; logs to check; sample curl commands for internal endpoints (self-host operators).
+
+## Migration and Link Strategy
+
+- Move: `ce/features/drift-detection` → `ce/drift/quickstart-github-actions` (rename and retitle).
+- Move: `ce/howto/scope-drift-detection` → `ce/drift/scoping-projects` (update links site-wide).
+- Update: cross-links in `action-inputs.mdx` to reference new “Quickstart”, “Notifications”, and “Scheduling” pages.
+
+## Navigation Changes (mint.json)
+
+- Add a top-level group:
+  - Drift → pages:
+    - `ce/drift/overview`
+    - `ce/drift/how-it-works`
+    - `ce/drift/quickstart-github-actions`
+    - `ce/drift/scoping-projects`
+    - `ce/drift/notifications`
+    - `ce/drift/github-issues`
+    - `ce/drift/remediation`
+    - `ce/drift/scheduling`
+    - `ce/drift/self-host`
+    - `ce/drift/troubleshooting`
+- Remove `ce/features/drift-detection` from “Features”.
+- Remove `ce/howto/scope-drift-detection` from “How To”.
+
+## Acceptance Criteria
+
+- New Drift group appears as a dedicated section with the listed pages.
+- Quickstart reproducible end-to-end (Slack and Issues options tested).
+- Remediation page accurately reflects the supported comment flow for Issues integration.
+- Self-host and How It Works pages list required env vars and components and reference the SQL scheduler snippets.
+
+## Implementation Plan (steps)
+
+1. Create new directory and placeholder pages under `docs/ce/drift/` with titles and short summaries.
+2. Move/adapt content from `features/drift-detection` and `howto/scope-drift-detection` into the new pages.
+3. Update `docs/mint.json` to add the Drift group; remove moved pages from Features/How To.
+4. Update cross-links in the docs (search for references to old paths and fix).
+5. QA pass: local build of docs, link checker, skim for tone and consistency.
+
+## References (code pointers for authoring)
+
+- Action inputs mentioning drift: `docs/ce/reference/action-inputs.mdx`.
+- Current feature page: `docs/ce/features/drift-detection.mdx`.
+- How-to: `docs/ce/howto/scope-drift-detection.mdx`.
+- Backend endpoints and models: `backend/controllers/orgs.go`, `backend/controllers/projects.go`, `backend/bootstrap/main.go`, `backend/models/orgs.go`.
+- Issue comment handling: `backend/controllers/github_comment.go`.
+- Drift service and scheduler: `drift/controllers/*.go`, `drift/scripts/cron/*.sql`.

docs/ce/drift/github-issues.mdx

@@ -0,0 +1,28 @@
+---
+title: "GitHub Issues"
+---
+
+You can create a GitHub Issue whenever drift is detected, to route remediation through your normal triage process. Digger supports sending a summary of Drift notifications via Slack. Another way to get notified is via [Slack](/ce/drift/slack-notifications)
+
+
+## Enable in GitHub Actions
+
+Add the following to your drift workflow:
+
+```
+env:
+  GITHUB_CONTEXT: ${{ toJson(github) }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  INPUT_DRIFT_GITHUB_ISSUES: 'true'
+  # Optional: DIGGER_GITHUB_TOKEN or PAT with appropriate scopes
+```
+
+## Notes
+
+- Ensure the token has permission to create issues in the repository.
+- The issue records the project(s) with drift and links back to context for quick follow-up.
+
+## Next step
+
+- See [Remediation](/ce/drift/remediation) for closing the loop by applying from the issue.
+

docs/ce/drift/remediation.mdx

@@ -0,0 +1,18 @@
+---
+title: "Remediation"
+---
+
+If you use the GitHub Issues integration for drift, you can remediate directly from the issue by commenting a Digger command.
+
+## Apply changes from the issue
+
+- Comment `digger apply` in the GitHub issue created for the drift event.
+- Digger runs the apply for the impacted project(s) and reports status back.
+
+## Notes
+
+- This flow is specific to the GitHub Issues integration. If you are not using Issues, remediate by opening a PR with fixes and using your normal PR flow.
+
+## Related
+
+- GitHub Issues: see [/ce/drift/github-issues](/ce/drift/github-issues)

docs/ce/drift/scoping-projects.mdx

@@ -0,0 +1,66 @@
+---
+title: "Scope Drift to Specific Projects"
+---
+
+Use separate Digger config files and workflows to scope drift detection to only the projects you want. The drift config file is a regular `digger.yml` listing a subset of projects (for example, only `dev` or only `prod`).
+
+## Approach
+
+- Create a dedicated `digger.yml` that lists only the projects or blocks you want scanned.
+- Point your drift workflow to that file using the `digger-filename` input.
+- Repeat per environment if needed.
+
+## Examples
+
+### Explicit projects
+
+```yml
+# digger-drift-dev.yml
+projects:
+  - name: app-dev-a
+    dir: terraform/aws_devel/app-a
+    workflow: default
+  - name: app-dev-b
+    dir: terraform/aws_devel/app-b
+    workflow: default
+```
+
+### Terragrunt-generated blocks
+
+```yml
+# digger-drift-dev.yml
+generate_projects:
+  blocks:
+    - block_name: aws_devel
+      terragrunt: true
+      root_dir: terraform/aws_devel/
+      workflow: default
+```
+
+## Referencing the file in your workflow
+
+```yml
+name: Drift (dev)
+
+on:
+  workflow_dispatch:
+
+jobs:
+  detect-drift:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: diggerhq/digger@vLatest
+        with:
+          mode: drift-detection
+          digger-filename: digger-drift-dev.yml
+```
+
+## Notes
+
+- There is no per-project drift filter in the action; scoping via a dedicated config file is the recommended approach.
+- You can also mark projects with `drift_detection: false` in your main config to disable drift checks for them.
+
+## Related
+
+- Quickstart: see [/ce/drift/quickstart-github-actions](/ce/drift/quickstart-github-actions)
+- Scheduling: see [/ce/drift/scheduling](/ce/drift/scheduling)

docs/ce/drift/self-host.mdx

@@ -0,0 +1,29 @@
+---
+title: "Self-hosting"
+---
+
+Drift checks are triggered by a separate service, with its own Dockerfile
+
+## Requirements
+
+- Build/run the drift service (see `Dockerfile_drift`).
+- Backend database accessible to the service.
+- Webhook secret configured and used to protect internal endpoints.
+
+## Key environment variables
+
+- `DIGGER_HOSTNAME`: Base URL of your backend, used to call internal endpoints.
+- `DIGGER_WEBHOOK_SECRET`: Shared secret to authenticate internal requests.
+- `DIGGER_APP_URL`: Base URL for links in notifications.
+- `DIGGER_DRIFT_REPORTER_HOSTNAME`: Hostname for the reporter in CI job specs.
+
+## Scheduling and notifications
+
+- Set the org-level `drift_cron_tab` for when to scan.
+- Slack rollups use an org-level webhook URL when configured.
+- SQL helper snippets for periodic invocation live in `drift/scripts/cron/`.
+
+## Security
+
+- Expose internal endpoints only behind your network boundary and verify the webhook secret on requests.
+

docs/ce/drift/set-up-in-ui.mdx

@@ -0,0 +1,19 @@
+---
+title: "Set up in UI"
+---
+
+Configuring Drift Detection in [Digger UI](https://ui.digger.dev).
+
+# Schedule
+
+You can run drift detection on pre-defined intervals (e.g. hourly or daily) - or use a custom crontab:
+
+![Drift UI Schedule](/images/drift-ui-schedule.png)
+
+# Slack notifications
+
+You can also configure Slack notifications via webhooks:
+
+![Drift UI Slack](/images/drift-ui-slack.png)
+
+

docs/ce/drift/slack-notifications.mdx

@@ -0,0 +1,44 @@
+---
+title: "Slack Notifications"
+---
+
+Digger supports sending a summary of Drift notifications via Slack. Another way to get notified is [GitHub Issues](/ce/drift/github-issues)
+
+## Configuration in UI
+
+You can cofigure and test Slack webhooks in the Drift section of the dashboard:
+
+![Drift UI Slack](/images/drift-ui-slack.png)
+
+## Backendless mode
+
+Drift detection can also run in Backendless mode. In this case, it is a regular GitHub Action envoked on schedule - you just need to pass `drift-detection-slack-notification-url` action input:
+
+```
+name: Drift Detection
+
+on:
+  workflow_dispatch:
+  #schedule:
+  #  - cron: '0 0 * * *'  # 12am daily
+
+jobs:
+  detect-drift:
+    runs-on: ubuntu-latest
+    steps:
+    - name: digger drift detection
+      uses: diggerhq/digger@743844a930fd404882869ee036213cd1b24d20dd
+      with:
+        mode: drift-detection
+        drift-detection-slack-notification-url: SLACK_WEBHOOK_URL_HERE
+        setup-terraform: true
+        setup-aws: true
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        no-backend: true
+      env:
+        GITHUB_CONTEXT: ${{ toJson(github) }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        DIGGER_GITHUB_TOKEN: ${{ secrets.DIGGER_GITHUB_TOKEN }}
+        INPUT_DRIFT_GITHUB_ISSUES: 'true'
+    ```

docs/ce/drift/troubleshooting.mdx

@@ -0,0 +1,21 @@
+---
+title: "Troubleshooting"
+---
+
+## Common issues
+
+- 403 or permission errors when reporting results
+  - Ensure `no-backend: true` is set in backendless workflows.
+  - Confirm tokens used by the workflow have the required scopes.
+
+- Slack messages not received
+  - Verify the webhook URL and that it’s configured in the correct place (action input or org settings).
+  - Check the configured schedule (Actions cron or org-level crontab).
+
+- Issue creation failures
+  - Confirm the token has permission to create issues in the repository.
+
+## Operator tips (self-hosting)
+
+- Check service logs around the scheduled run time.
+- Use the SQL helpers in `drift/scripts/cron/` to invoke internal endpoints on a predictable cadence.