DPC-4433: Tag and deploy static site (#132)

## 🎫 Ticket

https://jira.cms.gov/browse/DPC-4433

## 🛠 Changes

- Deploy Workflow added
- Release Workflow added

## ℹ️ Context

We are moving from Jenkins to Github actions for our deployments. These
workflows duplicate:
-
[Jenkinsfile.deploy_static_site](https://github.com/CMSgov/dpc-ops/blob/main/jenkins_files/Jenkinsfile.deploy_static_site)
-
[Jenkinsfile.release_static_site](https://github.com/CMSgov/dpc-ops/blob/main/jenkins_files/Jenkinsfile.release_static_site)

## 🧪 Validation

Release (which includes deploy) ran successfully:
https://github.com/CMSgov/dpc-static-site/actions/runs/12377126243/job/34545914298
Note: The run pointed to a branch of dpc-app and was run on push (which
has since been removed). Will test inputs when available.

.github/workflows/deploy.yml

@@ -0,0 +1,88 @@
+name: 'Deploy Static Site'
+
+on:
+  workflow_dispatch:
+    inputs:
+      target_environment:
+        description: Deploy where?
+        required: false
+        default: 'staging'
+        type: choice
+        options:
+          - staging
+          - prod
+      static_repo_ref:
+        description: Which branch or tag?
+        required: true
+        default: 'main'
+        type: 'string'
+  workflow_call:
+    inputs:
+      target_environment:
+        description: Deploy where?
+        required: false
+        default: 'staging'
+        type: 'string'
+      static_repo_ref:
+        description: Which branch or tag?
+        required: true
+        default: 'main'
+        type: 'string'
+jobs:
+  deploy_static_site:
+    name: Deploy Static Site
+    runs-on: self-hosted
+    env:
+      TARGET_BUCKET: ${{ inputs.target_environment == 'prod' && 'dpc.cms.gov' || 'stage.dpc.cms.gov' }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          repository: 'CMSgov/dpc-static-site'
+          ref: ${{ inputs.static_repo_ref }}
+      - name: "Set Version"
+        env:
+          STATIC_REPO_REF: ${{ inputs.static_repo_ref }}
+        run: |
+          echo "version: $STATIC_REPO_REF" >> _version_config.yml
+      - name: "Add dirs"
+        run: mkdir -p _site && mkdir -p .jekyll-cache
+      - name: 'Build Image'
+        run: docker build . -f Dockerfiles/Dockerfile.static_site -t static_site
+      - name: 'Build Site'
+        run: docker run -v ./_site:/dpc-site-static/_site -v ./.jekyll-cache:/dpc-site-static/.jekyll-cache --rm static_site
+      - name: Set env vars from AWS params
+        uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
+        env:
+          AWS_REGION: ${{ vars.AWS_REGION }}
+        with:
+          params: |
+            SONAR_HOST_URL=/sonarqube/url
+            SONAR_TOKEN=/sonarqube/token
+      - name: Run quality gate scan
+        if: ${{ inputs.target_environment == 'staging' }}
+        uses: sonarsource/sonarqube-scan-action@master
+        with:
+          args:
+            -Dsonar.projectKey=bcda-dpc-static-site
+            -Dsonar.sources=.
+            -Dsonar.working.directory=./sonar_workspace
+            -Dsonar.branch.name=${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
+            -Dsonar.projectVersion=${{ github.ref_name == 'main' && github.sha || 'branch' }}
+            -Dsonar.qualitygate.wait=true
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.ACCOUNT_ID }}:role/delegatedadmin/developer/dpc-${{ inputs.target_environment == 'prod' && 'prod' || 'dev' }}-github-actions
+      - name: "Sync _site"
+        run: aws s3 sync _site/ s3://$TARGET_BUCKET/ --delete
+      - name: Upload html files without suffix with content-language set
+        run: |
+          for file in _site/*.html; do
+            suffixless=`basename ${file/.html}`
+            aws s3 cp $file s3://$TARGET_BUCKET/$suffixless --content-language text/html
+          done
+      - name: Invalidate Cloudfront cache
+        run: |
+          DISTRIBUTION_ID=`aws cloudfront list-distributions --query "DistributionList.Items[].{Id:Id, OriginDomainName: Origins.Items[0].DomainName}[?starts_with(OriginDomainName, '$TARGET_BUCKET')].Id" --output text`
+          aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths '/*'

.github/workflows/release.yml

@@ -0,0 +1,32 @@
+name: 'Tag and Deploy Site'
+
+on:
+  workflow_dispatch:
+    inputs:
+      deploy:
+        description: 'Also deploy to staging?'
+        type: boolean
+        default: true
+        required: true
+      repo_ref:
+        description: 'Which branch or tag?'
+        required: true
+        default: 'main'
+        type: 'string'
+
+jobs:
+  tag_repo:
+    name: Tag Repo
+    uses: CMSgov/dpc-app/.github/workflows/tag_release.yml@main
+    with:
+      repo_ref: ${{ inputs.repo_ref }}
+    secrets: inherit
+  deploy:
+    if: ${{ inputs.deploy }}
+    name: Deploy to Staging
+    needs: tag_repo
+    uses: ./.github/workflows/deploy.yml
+    with:
+      target_environment: staging
+      static_repo_ref: ${{ needs.tag_repo.outputs.tag }}
+    secrets: inherit