This page documents how to update Sourcegraph.com site configuration.

Also refer to [Sourcegraph.com operational playbooks](https://sourcegraph.notion.site/Sourcegraph-com-operational-playbooks-b3b6e85251f6437499a68b449dc782af) for more general playbooks.

<aside> ❓ Why can’t I edit the page through the site-admin page? Site configuration for Sourcegraph.com is split into two files. One contains non-sensitive configurations and the other production secrets such as GitHub OAuth credentials. The instance loads site configuration from these files, and they cannot be edited from the Sourcegraph.com user interface.

</aside>

Non-sensitive configuration

Non-sensitive configurations and env vars are stored in an overlay. Other config files can be found in the overlay folder. To update the non-sensitive configuration, follow these steps:

  1. After your PR is approved, merge it with the “release” branch.
  2. Wait until the Buildkite build is green, so your changes are successfully deployed.
  3. Your changes will be result in the frontend being redeployed with a unique hash for the configuration change. See ConfigMapGeneration
  4. Go to https://sourcegraph.com/site-admin/configuration to confirm that the non-sensitive configuration changes are live.

Sensitive configuration

Our site configuration contains many secrets like OAuth credentials. It is stored in GSM in the sourcegraph-dev project. The secrets are synced to the cluster using Terraform, and is managed in the dotcom workspace on Terraform Cloud.

To update secrets in site config for our Dotcom deployment, follow these steps:

  1. Use this Entitle link to gain Secrets Admin access to the sourcegraph-dev project.

  2. Navigate to the project’s Google Secret Manager (GSM) resources.

  3. In GSM, copy the contents of the latest version of the secret and make the necessary changes.

  4. Create a new GSM secret version with the updated site configuration. Disable all previous versions.

  5. Start a new run in the dotcom Terraform Cloud workspace to apply your updated GSM secrets in-cluster.

    <aside> 🔒 Syncing new secret versions requires additional access to the Terraform Cloud workspace. You can request access via Entitle, use Terraform Cloud: Infrastructure - Core Services - Member or kindly request someone from #discuss-core-services or #discuss-security to apply the workspace changes for you. This is required to approve and apply any pending runs.

    Note that you must log in to Terraform Cloud before making your Entitle request. If you make your Entitle request, then log in, you will be removed from any team memberships granted through Entitle by Terraform Cloud's SSO implementation.

    </aside>

    1. Click Actions → Start a new run
    2. Specify that the reason for running is to sync secrets
    3. Select the run type Plan and apply (standard)
    4. Press Start run