canonical · alvaromateo · Mar 31, 2026 · Apr 1, 2026
diff --git a/.github/workflows/cleanup-demo.yaml b/.github/workflows/cleanup-demo.yaml
@@ -0,0 +1,20 @@
+name: Demo Cleanup
+on:
+  pull_request:
+    types:
+      - closed
+permissions:
+  pull-requests: write
+  packages: write
+
+jobs:
+  cleanup:
+    name: Cleanup Demo
+    uses: canonical/webteam-devops/.github/workflows/cleanup-demo.yaml@demos
+    with:
+      juju-model-name: "795798e4-922f-49c7-9169-004ffc17df90@serviceaccount/k8s-marketplace-demos-default"
+    secrets:
+      demos_juju_client_id: ${{ secrets.DEMOS_JUJU_CLIENT_ID }}
+      demos_juju_client_secret: ${{ secrets.DEMOS_JUJU_CLIENT_SECRET }}
+      demos_s3_access_key_id: ${{ secrets.DEMOS_S3_ACCESS_KEY_ID }}
+      demos_s3_secret_access_key: ${{ secrets.DEMOS_S3_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/demo.yaml b/.github/workflows/demo.yaml
@@ -0,0 +1,28 @@
+name: Demo
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+permissions:
+  pull-requests: write
+  packages: write
+
+# Ensure only one demo runs at a time.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    name: Deploy Demo
+    uses: canonical/webteam-devops/.github/workflows/start-demo.yaml@demos
+    with:
+      juju-model-name: "795798e4-922f-49c7-9169-004ffc17df90@serviceaccount/k8s-marketplace-demos-default"
+      juju-model-uuid: "b765a126-883d-440b-847d-0bd30a4f8318"
+    secrets:
+      demos_juju_client_id: ${{ secrets.DEMOS_JUJU_CLIENT_ID }}
+      demos_juju_client_secret: ${{ secrets.DEMOS_JUJU_CLIENT_SECRET }}
+      demos_s3_access_key_id: ${{ secrets.DEMOS_S3_ACCESS_KEY_ID }}
+      demos_s3_secret_access_key: ${{ secrets.DEMOS_S3_SECRET_ACCESS_KEY }}
diff --git a/charm/charmcraft.yaml b/charm/charmcraft.yaml
@@ -30,31 +30,31 @@ config:
 
     marketo-client-id:
       description: "Marketo API client ID"
-      type: string
+      type: secret
 
     marketo-client-secret:
       description: "Marketo API client secret"
-      type: string
+      type: secret
 
     github-client-id:
       description: "GitHub OAuth application ID for prompting users for access to their repositories"
       type: string
 
     github-client-secret:
       description: "GitHub OAuth application client secret for prompting users for access to their repositories"
-      type: string
+      type: secret
 
     github-snapcraft-user-token:
       description: "GitHub application token for automated builds"
-      type: string
+      type: secret
 
     github-snapcraft-bot-user-token:
       description: "GitHub application token for CVE data"
-      type: string
+      type: secret
 
     github-webhook-secret:
       description: "Secret salt used for signing automated build webhooks"
-      type: string
+      type: secret
 
     github-webhook-host-url:
       description: "URL of the automated build webhooks' host"
@@ -66,27 +66,27 @@ config:
 
     lp-api-token:
       description: "Launchpad API token"
-      type: string
+      type: secret
 
     lp-api-token-secret:
       description: "Launchpad API secret"
-      type: string
+      type: secret
 
     youtube-api-key:
       description: "API key used to access the YouTube Data API for retrieving and displaying YouTube video content on snapcraft.io"
-      type: string
+      type: secret
 
     discourse-api-key:
       description: "API key used by the application to authenticate with the configured Discourse forum"
-      type: string
+      type: secret
 
     discourse-api-username:
       description: "Discourse username to associate with API requests to the Discourse forum"
       type: string
 
     dns-verification-salt:
       description: "Secret salt used when generating DNS verification tokens to confirm domain ownership"
-      type: string
+      type: secret
 
     login-url:
       description: "Base URL for SSO login redirects"

diff --git a/terraform/demo/demo.tf b/terraform/demo/demo.tf
@@ -0,0 +1,74 @@
+resource "juju_application" "demo" {
+  name       = var.demo_id
+  model_uuid = data.juju_model.demos.uuid
+
+  charm {
+    name = "snapcraft-io"
+  }
+
+  config = {
+    bsi-url = "https://build.snapcraft.io"
+    devicegw-url = "https://api.snapcraft.io/"
+    discourse-api-key = "secret:${data.juju_secret.snapcraft_io-discourse_api_key.secret_id}"
+    discourse-api-username = "system"
+    dns-verification-salt = "secret:${data.juju_secret.snapcraft_io-dns_verification_salt.secret_id}"
+    environment = "production"
+    flask-preferred-url-scheme = "HTTPS"
+    flask-secret-key = "secret:${data.juju_secret.snapcraft_io-flask_secret_key.secret_id}"
+    github-client-id = "029a65c1d9dc821b0227"
+    github-client-secret = "secret:${data.juju_secret.snapcraft_io-github_client_secret.secret_id}"
+    github-snapcraft-bot-user-token = "secret:${data.juju_secret.snapcraft_io-github_snapcraft_bot_user_token.secret_id}"
+    github-snapcraft-user-token = "secret:${data.juju_secret.snapcraft_io-github_snapcraft_user_token.secret_id}"
+    github-webhook-host-url = "https://snapcraft.io/"
+    github-webhook-secret = "secret:${data.juju_secret.snapcraft_io-github_webhook_secret.secret_id}"
+    login-url = "https://login.ubuntu.com"
+    lp-api-token = "secret:${data.juju_secret.snapcraft_io-lp_api_token.secret_id}"
+    lp-api-token-secret = "secret:${data.juju_secret.snapcraft_io-lp_api_token_secret.secret_id}"
+    lp-api-username = "build.snapcraft.io"
+    marketo-client-id = "secret:${data.juju_secret.snapcraft_io-marketo_client_id.secret_id}"
+    marketo-client-secret = "secret:${data.juju_secret.snapcraft_io-marketo_client_secret.secret_id}"
+    publishergw-url = "https://api.charmhub.io"
+    report-sheet-url = "https://script.google.com/macros/s/AKfycbywNDNVeD4_xnE36HP7gJUbbLHNrrcxgy0yVuwr0poPfGoDnH0Vl1oOWjnRXNtLkrcmlQ/exec"
+    snapstore-dashboard-api-url = "https://dashboard.snapcraft.io/"
+    youtube-api-key = "secret:${data.juju_secret.snapcraft_io-youtube_api_key.secret_id}"
+  }
+}
+
+resource "juju_integration" "demo_ingress" {
+  model_uuid = data.juju_model.demos.uuid
+
+  application {
+    name     = juju_application.demo.name
+    endpoint = "ingress"
+  }
+
+  application {
+    name     = "subdomain-integrator"
+    endpoint = "ingress"
+  }
+}
+
+// Redis instance and relation
+
+resource "juju_application" "redis" {
+  name = "${var.demo_id}-redis"
+  model_uuid = data.juju_model.demos.uuid
+
+  charm {
+    name = "redis-k8s"
+  }
+}
+
+resource "juju_integration" "demo_redis" {
+  model_uuid = data.juju_model.demos.uuid
+
+  application {
+    name      = juju_application.demo.name
+    endpoint  = "redis"
+  }
+
+  application {
+    name      = juju_application.redis.name
+    endpoint  = "redis"
+  }
+}
diff --git a/terraform/demo/secrets.tf b/terraform/demo/secrets.tf
@@ -0,0 +1,191 @@
+// discourse-api-key
+data "juju_secret" "snapcraft_io-discourse_api_key" {
+  name       = "snapcraft_io-discourse_api_key"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "discourse_api_key-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-discourse_api_key.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// dns-verification-salt
+data "juju_secret" "snapcraft_io-dns_verification_salt" {
+  name       = "snapcraft_io-dns_verification_salt"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "dns_verification_salt-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-dns_verification_salt.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// flask-secret-key
+data "juju_secret" "snapcraft_io-flask_secret_key" {
+  name       = "snapcraft_io-flask_secret_key"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "flask_secret_key-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-flask_secret_key.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// github-client-secret
+data "juju_secret" "snapcraft_io-github_client_secret" {
+  name       = "snapcraft_io-github_client_secret"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "github_client_secret-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-github_client_secret.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// github-snapcraft-bot-user-token
+data "juju_secret" "snapcraft_io-github_snapcraft_bot_user_token" {
+  name       = "snapcraft_io-github_snapcraft_bot_user_token"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "github_snapcraft_bot_user_token-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-github_snapcraft_bot_user_token.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// github-snapcraft-user-token
+data "juju_secret" "snapcraft_io-github_snapcraft_user_token" {
+  name       = "snapcraft_io-github_snapcraft_user_token"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "github_snapcraft_user_token-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-github_snapcraft_user_token.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// github-webhook-secret
+data "juju_secret" "snapcraft_io-github_webhook_secret" {
+  name       = "snapcraft_io-github_webhook_secret"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "github_webhook_secret-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-github_webhook_secret.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// lp-api-token
+data "juju_secret" "snapcraft_io-lp_api_token" {
+  name       = "snapcraft_io-lp_api_token"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "lp_api_token-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-lp_api_token.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// lp-api-token-secret
+data "juju_secret" "snapcraft_io-lp_api_token_secret" {
+  name       = "snapcraft_io-lp_api_token_secret"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "lp_api_token_secret-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-lp_api_token_secret.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// marketo-client-id
+data "juju_secret" "snapcraft_io-marketo_client_id" {
+  name       = "snapcraft_io-marketo_client_id"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "marketo_client_id-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-marketo_client_id.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// marketo-client-secret
+data "juju_secret" "snapcraft_io-marketo_client_secret" {
+  name       = "snapcraft_io-marketo_client_secret"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "marketo_client_secret-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-marketo_client_secret.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}
+
+// youtube-api-key
+data "juju_secret" "snapcraft_io-youtube_api_key" {
+  name       = "snapcraft_io-youtube_api_key"
+  model_uuid = data.juju_model.demos.uuid
+}
+
+resource "juju_access_secret" "youtube_api_key-access" {
+  model_uuid = data.juju_model.demos.uuid
+
+  secret_id = data.juju_secret.snapcraft_io-youtube_api_key.secret_id
+
+  applications = [
+    juju_application.demo.name
+  ]
+}