fix: CD to sandbox/live GitOps, remove .env.production, SPA catch-all, manual deploy

- Deploy: Downstream: add permissions (contents, actions, pull-requests), add
  workflow_dispatch target (both|sandbox|live) for manual deploy; CD to
  sandbox on develop, live on release; manual run opens PRs to cluster repos
- Remove frontend/.env.production and VITE_API_BASE_URL from .env (relative URLs)
- SPA catch-all: always register, serve index.html at request time or 404
- Docs: README/CLAUDE/MIGRATION/DEPLOY_RESOLUTION_STEPS and PR body

Author: TineoC

.github/PULL_REQUEST_BODY_fix-deploy-api-and-ci.md

@@ -0,0 +1,21 @@
+## Description
+
+Single PR that fixes deploy/API/CI for sandbox + live.
+
+**Included:**
+- Deploy/API/CI for sandbox and live: relative API URLs, frontend lint CI, resolution steps doc
+- **Closes #450** – fix/local-compose (README, Docker Compose healthchecks, backend STATICFILES) is fully included in this branch
+- **Closes #452** – removed `.env.production` (not needed; frontend uses relative API URLs for sandbox/live)
+
+**Frontend and environment:** The frontend uses relative API URLs (`baseURL = ""`), so one image works for both environments: when running on **sandbox** (balancer.sandbox.k8s.phl.io) it calls that host; when running on **live** (balancerproject.org) it calls that host. No env-specific build or config required.
+
+**Not closed:** #451 (sanitizer) – unrelated; left open.
+
+## Related
+
+- Closes #450
+- Closes #452
+
+## Reviewers
+
+@chris (for deploy/secrets follow-up; see docs/DEPLOY_RESOLUTION_STEPS.md)

.github/workflows/deploy-downstream.yml

@@ -1,5 +1,9 @@
 name: "Deploy: Downstream Clusters"
 
+# CD: push to develop -> Containers: Publish -> this workflow -> PR to cfp-sandbox-cluster.
+# Live: publish release -> Containers: Publish -> this workflow -> PR to cfp-live-cluster.
+# Manual: Run workflow_dispatch with tag (and optional target) to open deploy PRs.
+# Requires BOT_GITHUB_TOKEN with write access to CodeForPhilly/cfp-sandbox-cluster and cfp-live-cluster.
 on:
   workflow_run:
     workflows: ["Containers: Publish"]
@@ -8,15 +12,29 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: 'Image tag to deploy (e.g. 1.1.0)'
+        description: 'Image tag to deploy (e.g. 1.1.0 or dev-abc1234)'
         required: true
         default: 'latest'
+      target:
+        description: 'Which cluster(s) to open deploy PRs for'
+        required: false
+        default: 'both'
+        type: choice
+        options:
+          - both
+          - sandbox
+          - live
+
+permissions:
+  contents: read
+  actions: read
+  pull-requests: write
 
 jobs:
   update-sandbox:
     name: Update Sandbox Cluster
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'develop') }}
+    if: ${{ (github.event_name == 'workflow_dispatch' && (inputs.target == 'both' || inputs.target == 'sandbox')) || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'develop') }}
     outputs:
       tag: ${{ steps.get_tag.outputs.TAG }}
     steps:
@@ -65,7 +83,7 @@ jobs:
   update-live:
     name: Update Live Cluster
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'release') }}
+    if: ${{ (github.event_name == 'workflow_dispatch' && (inputs.target == 'both' || inputs.target == 'live')) || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'release') }}
     steps:
       - name: Checkout App
         uses: actions/checkout@v4

CLAUDE.md

@@ -210,8 +210,7 @@ Routes defined in `src/routes/routes.tsx`:
 
 ### Environment Configuration
 - **Development**: `config/env/dev.env` (used by Docker Compose)
-- **Frontend Production**: `frontend/.env.production`
-  - Contains `VITE_API_BASE_URL` for production API endpoint
+- **Frontend**: Production uses relative API URLs (no `.env.production`); local dev uses `frontend/.env` (e.g. `VITE_API_BASE_URL` for proxy).
 - **Never commit** actual API keys - use `.env.example` as template
 - Django `SECRET_KEY` should be a long random string in production (not "foo")
 

README.md

@@ -76,8 +76,8 @@ To run the application, you need to configure your environment variables.
     > **⚠️ SECURITY WARNING**: Never commit `config/env/dev.env` to version control. It is already ignored by `.gitignore`.
 
 2.  **Frontend Config**:
-    *   The frontend uses `frontend/.env` (or `.env.production` for builds).
-    *   Key variable: `VITE_API_BASE_URL` (Defaults to `http://localhost:8000` for local dev).
+    *   The frontend uses `frontend/.env` for local dev only (e.g. `VITE_API_BASE_URL=http://localhost:8000` for the Vite proxy).
+    *   Production builds use relative API URLs (no `.env.production` or API base URL needed); the same image works for sandbox and live.
 
 ---
 

docs/DEPLOY_RESOLUTION_STEPS.md

@@ -33,9 +33,9 @@ Deploy Downstream will open a PR in **CodeForPhilly/cfp-sandbox-cluster** to upd
 
 ## Step 4 – Live (production)
 
-Live deploys only on **release** (see `.github/workflows/deploy-downstream.yml`: `workflow_run.event == 'release'`).
+Live deploys automatically when a **release** is published (Containers: Publish runs, then Deploy: Downstream opens a PR to cfp-live-cluster). You can also **manually** open deploy PRs after merging to main:
 
-- **Action**: Create a release from `main` (or the intended tag) so **Deploy: Downstream** runs for live and opens a PR in **CodeForPhilly/cfp-live-cluster**. Merge that PR. Verify **https://balancerproject.org** and that API calls go to `https://balancerproject.org/api/...`.
+- **Action**: In **Actions → Deploy: Downstream → Run workflow**, choose **workflow_dispatch**, enter the image tag (e.g. `v1.2.0` or `dev-abc1234`), and set **target** to `live` (or `both` for sandbox + live). This opens the deploy PR(s) in the GitOps repos. Then create a release from `main` if you want the usual release flow, or just merge the opened deploy PR. Verify **https://balancerproject.org** and that API calls go to `https://balancerproject.org/api/...`.
 - **Ping**: @chris or release manager for creating the release and merging the live deploy PR.
 
 ---

docs/MIGRATION_PDF_AUTH.md

@@ -278,8 +278,7 @@ If issues occur:
 
 ## Environment Variables
 
-No new environment variables required. Uses existing:
-- `VITE_API_BASE_URL` - Frontend API base URL
+No new environment variables required. Production uses relative API URLs (no env needed). Local dev may use `VITE_API_BASE_URL` in `frontend/.env` for the Vite proxy.
 
 ## Known Issues / Limitations
 

frontend/.env

@@ -1,2 +1,2 @@
-# VITE_API_BASE_URL=https://balancertestsite.com/
-VITE_API_BASE_URL=http://localhost:8000
+# Optional: add VITE_* vars here if needed. None required for docker-compose;
+# the app uses relative API URLs and vite.config.ts proxies /api to the backend.

frontend/.env.production

@@ -53,10 +53,19 @@
 
 import os
 from django.conf import settings
+from django.http import HttpResponseNotFound
 
-# Add a catch-all URL pattern for handling SPA (Single Page Application) routing
-# Serve 'index.html' for any unmatched URL (must come after /api/ routes)
-if os.path.exists(os.path.join(settings.BASE_DIR, "build", "index.html")):
-    urlpatterns += [
-        re_path(r"^(?!api|admin|static).*$", TemplateView.as_view(template_name="index.html")),
-    ]
+
+def spa_fallback(request):
+    """Serve index.html for SPA routing when build is present; otherwise 404."""
+    index_path = os.path.join(settings.BASE_DIR, "build", "index.html")
+    if os.path.exists(index_path):
+        return TemplateView.as_view(template_name="index.html")(request)
+    return HttpResponseNotFound()
+
+
+# Always register SPA catch-all so production serves the frontend regardless of
+# URL config load order. At request time we serve index.html if build exists, else 404.
+urlpatterns += [
+    re_path(r"^(?!api|admin|static).*$", spa_fallback),
+]