NHSDigital · saliceti · Aug 14, 2025 · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
diff --git a/.azuredevops/pipelines/delete-review-app.yml b/.azuredevops/pipelines/delete-review-app.yml
@@ -0,0 +1,46 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: commitSHA
+    displayName: Commit SHA
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+
+stages:
+  - stage: review
+    displayName: Delete review app
+    pool:
+      name: private-pool-dev-uks
+    isSkippable: false
+
+    jobs:
+      - deployment: DeleteReviewApp
+        displayName: Delete review app
+        environment: review
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
+
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: manbrs-review
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci review terraform-destroy DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}
diff --git a/.azuredevops/pipelines/deploy.yml b/.azuredevops/pipelines/deploy.yml
@@ -5,54 +5,56 @@ parameters:
   - name: commitSHA
     displayName: Commit SHA
     type: string
-  - name: environments
-    type: object
-    default:
-      - dev
+  - name: environment
+    displayName: Environment
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+    default: ''
 
 stages:
-  - ${{ each env in parameters.environments }}:
-      - stage: ${{ env }}
-        displayName: Deploy to ${{ env }} environment
-        pool:
-          name: private-pool-dev-uks
-        lockBehavior: sequential
-        isSkippable: false
+  - stage: ${{ parameters.environment }}
+    displayName: Deploy to ${{ parameters.environment }} environment
+    pool:
+      name: private-pool-dev-uks
+    lockBehavior: sequential
+    isSkippable: false
 
-        jobs:
-          - deployment: DeployApp
-            displayName: Deploy application
-            environment: ${{ env }}
-            strategy:
-              runOnce:
-                deploy:
-                  steps:
-                    - checkout: self
+    jobs:
+      - deployment: DeployApp
+        displayName: Deploy application
+        environment: ${{ parameters.environment }}
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
 
-                    - task: TerraformInstaller@1
-                      displayName: Install terraform
-                      inputs:
-                        terraformVersion: 1.7.0
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
 
-                    - task: AzureCLI@2
-                      displayName: Run terraform
-                      inputs:
-                        azureSubscription: manbrs-${{ env }}
-                        scriptType: bash
-                        scriptLocation: inlineScript
-                        addSpnToEnvironment: true
-                        inlineScript: |
-                          export ARM_TENANT_ID="$tenantId"
-                          export ARM_CLIENT_ID="$servicePrincipalId"
-                          export ARM_OIDC_TOKEN="$idToken"
-                          export ARM_USE_OIDC=true
-                          make ci ${{ env }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }}
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: manbrs-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci ${{ parameters.environment }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}
 
-                    - task: AzureCLI@2
-                      displayName: Run database migration
-                      inputs:
-                        azureSubscription: manbrs-${{ env }}
-                        scriptType: bash
-                        scriptLocation: inlineScript
-                        addSpnToEnvironment: true
-                        inlineScript: ./scripts/bash/db_migrate.sh ${{ env }}
+                - task: AzureCLI@2
+                  displayName: Run database migration
+                  inputs:
+                    azureSubscription: manbrs-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: ./scripts/bash/db_migrate.sh ${{ parameters.environment }} ${{ parameters.prNumber }}
diff --git a/.github/workflows/cicd-1-pull-request-closed.yaml b/.github/workflows/cicd-1-pull-request-closed.yaml
@@ -0,0 +1,38 @@
+name: Delete review app
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  destroy:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Delete review app pr-${{ github.event.pull_request.number }}
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    environment: review
+    concurrency: deploy-review-${{ github.ref }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Call delete review app pipeline
+        run: |
+          echo "Starting Azure devops pipeline \"Delete review app\"..."
+          RUN_ID=(az pipelines run \
+            --commit-id ${{ github.event.pull_request.head.sha }}\
+            --name "Delete review app"\
+            --org https://dev.azure.com/nhse-dtos \
+            --project dtos-manage-breast-screening \
+            --parameters commitSHA=${{ github.event.pull_request.head.sha }} prNumber=${{ github.event.pull_request.number }} \
+            --output tsv --query id)
+
+          scripts/bash/wait_ado_pipeline.sh "$RUN_ID" https://dev.azure.com/nhse-dtos dtos-manage-breast-screening
diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml
@@ -2,7 +2,7 @@ name: 'CI/CD pull request'
 
 on:
   pull_request:
-    types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize, labeled]
 
 jobs:
   metadata:
@@ -33,42 +33,55 @@ jobs:
           echo "python_version=$(grep "^python" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "version=${GITHUB_REF}" >> $GITHUB_OUTPUT
-  commit-stage:
-    name: 'Commit stage'
-    needs: [metadata]
-    uses: ./.github/workflows/stage-1-commit.yaml
-    with:
-      build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
-      build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
-      build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
-      nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
-      python_version: '${{ needs.metadata.outputs.python_version }}'
-      terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
-      version: '${{ needs.metadata.outputs.version }}'
-    secrets: inherit
-  test-stage:
-    name: 'Test stage'
+  # commit-stage:
+  #   name: 'Commit stage'
+  #   needs: [metadata]
+  #   uses: ./.github/workflows/stage-1-commit.yaml
+  #   with:
+  #     build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
+  #     build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
+  #     build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
+  #     nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
+  #     python_version: '${{ needs.metadata.outputs.python_version }}'
+  #     terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
+  #     version: '${{ needs.metadata.outputs.version }}'
+  #   secrets: inherit
+  # test-stage:
+  #   name: 'Test stage'
+  #   needs: [metadata]
+  #   uses: ./.github/workflows/stage-2-test.yaml
+  #   with:
+  #     build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
+  #     build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
+  #     build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
+  #     nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
+  #     python_version: '${{ needs.metadata.outputs.python_version }}'
+  #     terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
+  #     version: '${{ needs.metadata.outputs.version }}'
+  #   secrets: inherit
+  # build-stage:
+  #   name: 'Build stage'
+  #   needs: [metadata]
+  #   uses: ./.github/workflows/stage-3-build.yaml
+  #   with:
+  #     build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
+  #     build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
+  #     build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
+  #     nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
+  #     python_version: '${{ needs.metadata.outputs.python_version }}'
+  #     terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
+  #     version: '${{ needs.metadata.outputs.version }}'
+  #   secrets: inherit
+
+  deploy-stage:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Deploy stage
     needs: [metadata]
-    uses: ./.github/workflows/stage-2-test.yaml
-    with:
-      build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
-      build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
-      build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
-      nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
-      python_version: '${{ needs.metadata.outputs.python_version }}'
-      terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
-      version: '${{ needs.metadata.outputs.version }}'
-    secrets: inherit
-  build-stage:
-    name: 'Build stage'
-    needs: [metadata, test-stage]
-    uses: ./.github/workflows/stage-3-build.yaml
+    permissions:
+      id-token: write
+    uses: ./.github/workflows/stage-4-deploy.yaml
     with:
-      build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
-      build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
-      build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
-      nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
-      python_version: '${{ needs.metadata.outputs.python_version }}'
-      terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
-      version: '${{ needs.metadata.outputs.version }}'
+      environments: "[\"review\"]"
+      commit_sha: ${{ github.event.pull_request.head.sha }}
+      pr_number: ${{ github.event.pull_request.number }}
     secrets: inherit
diff --git a/.github/workflows/cicd-2-main-branch.yaml b/.github/workflows/cicd-2-main-branch.yaml
@@ -85,5 +85,6 @@ jobs:
       id-token: write
     uses: ./.github/workflows/stage-4-deploy.yaml
     with:
+      environments: "[\"review\",\"dev\"]"
       commit_sha: ${{ github.sha }}
     secrets: inherit
diff --git a/.github/workflows/stage-4-deploy.yaml b/.github/workflows/stage-4-deploy.yaml
@@ -3,16 +3,29 @@ name: Deployment stage
 on:
   workflow_call:
     inputs:
+      environments:
+        description: List of environments to deploy to (String array)
+        required: true
+        type: string
       commit_sha:
         description: Commit SHA used to fetch ADO pipeline and docker image
         required: true
         type: string
+      pr_number:
+        description: Pull request number when used in a pull request
+        required: false
+        type: string
 
 jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
-    environment: azure
+    strategy:
+      matrix:
+        environment: ${{ fromJson(inputs.environments) }}
+      max-parallel: 1
+    environment: ${{ matrix.environment }}
+    concurrency: deploy-${{ matrix.environment }}-${{ github.ref }}
 
     steps:
       - name: Checkout code
@@ -26,5 +39,13 @@ jobs:
 
       - name: Call deployment pipeline
         run: |
-          az pipelines run --commit-id ${{inputs.commit_sha}} --name "Deploy to Azure" --org https://dev.azure.com/nhse-dtos --project dtos-manage-breast-screening \
-            --parameters commitSHA=${{inputs.commit_sha}}
+          echo "Starting Azure devops pipeline \"Deploy to Azure - ${{ matrix.environment }}\"..."
+          RUN_ID=$(az pipelines run \
+            --commit-id ${{inputs.commit_sha}} \
+            --name "Deploy to Azure - ${{ matrix.environment }}" \
+            --org https://dev.azure.com/nhse-dtos \
+            --project dtos-manage-breast-screening \
+            --parameters commitSHA=${{inputs.commit_sha}} prNumber=${{inputs.pr_number}} environment=${{ matrix.environment }} \
+            --output tsv --query id)
+
+          scripts/bash/wait_ado_pipeline.sh "$RUN_ID" https://dev.azure.com/nhse-dtos dtos-manage-breast-screening
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -10,5 +10,10 @@ manage_breast_screening/templates/components/pagination/template.njk:ipv4:26
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:10
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:11
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:12
-infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:80
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:29
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:30
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:31
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:32
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:33
 infrastructure/terraform/resource_group_init/storage.bicep:generic-api-key:59
+infrastructure/terraform/resource_group_init/keyVault.bicep:generic-api-key:10