Merge branch 'main' into feature/eja-eli-384-adding-WAF-for-API-gateway

Author: eddalmond1

.act/act_tests.mk

@@ -0,0 +1,39 @@
+ACT_IMAGE = ghcr.io/nhs-england-tools/github-runner-image:20230909-321fd1e-rt
+PREPROD_WORKFLOW  = .github/workflows/cicd-4-preprod-deploy.yaml
+JOB       = metadata # This can be changed depending on which part of the workflow we are testing
+
+# Usage: make act EVENT=.act/auto_preprod_trigger_*.json TRIGGER_TYPE=workflow_run
+act-preprod-deploy:
+	@if [ -z "$(EVENT)" ]; then \
+		echo "Usage: make act EVENT=<path-to-event-json>"; \
+		exit 1; \
+	fi
+	@echo "Running act with event file: $(EVENT)"
+	ACT=true act \
+		-W $(PREPROD_WORKFLOW) \
+		--job $(JOB) \
+		--eventpath $(EVENT) \
+		-P ubuntu-latest=$(ACT_IMAGE) \
+		-s GITHUB_TOKEN="$$GITHUB_TOKEN" \
+		-s GH_TOKEN="$$GITHUB_TOKEN" \
+		--env GITHUB_REPOSITORY="$$REPO" \
+		--env TEST_WORKFLOW_ID=190123511 \
+		--env GITHUB_EVENT_NAME=$(TRIGGER_TYPE)
+
+
+#act-dev-deploy:
+#	@if [ -z "$(EVENT)" ]; then \
+#		echo "Usage: make act EVENT=<path-to-event-json>"; \
+#		exit 1; \
+#	fi
+#	@echo "Running act with event file: $(EVENT)"
+#	ACT=true act \
+#		-W $(WORKFLOW) \
+#		--job $(JOB) \
+#		--eventpath $(EVENT) \
+#		-P ubuntu-latest=$(ACT_IMAGE) \
+#		-s GITHUB_TOKEN="$$GITHUB_TOKEN" \
+#		-s GH_TOKEN="$$GITHUB_TOKEN" \
+#		--env GITHUB_REPOSITORY="$$REPO" \
+#		--env DEV_WORKFLOW_ID=143714547 \
+#		--env GITHUB_EVENT_NAME=$(TRIGGER_TYPE)

.act/auto_preprod_trigger_latest.json

@@ -0,0 +1,22 @@
+{
+  "event_name": "workflow_run",
+  "action": "completed",
+  "workflow": {
+    "name": "Test stage",
+    "path": ".github/workflows/cicd-3-test-deploy.yaml"
+  },
+  "workflow_run": {
+    "id": 18556637650,
+    "name": "Test stage",
+    "event": "push",
+    "status": "completed",
+    "conclusion": "success",
+    "head_branch": "main",
+    "head_sha": "758a8d751ca1885695e9ac0766fcc0007dfb2995"
+  },
+  "repository": {
+    "full_name": "NHSDigital/eligibility-signposting-api",
+    "name": "eligibility-signposting-api",
+    "owner": {"login": "NHSDigital"}
+  }
+}

.act/auto_preprod_trigger_newer.json

@@ -0,0 +1,22 @@
+{
+  "event_name": "workflow_run",
+  "action": "completed",
+  "workflow": {
+    "name": "Test stage",
+    "path": ".github/workflows/cicd-3-test-deploy.yaml"
+  },
+  "workflow_run": {
+    "id": 18556637650,
+    "name": "Test stage",
+    "event": "push",
+    "status": "completed",
+    "conclusion": "success",
+    "head_branch": "main",
+    "head_sha": "60d567d18eb4916e931d4bdd4e15b9639ef1a0a0"
+  },
+  "repository": {
+    "full_name": "NHSDigital/eligibility-signposting-api",
+    "name": "eligibility-signposting-api",
+    "owner": {"login": "NHSDigital"}
+  }
+}

.act/auto_preprod_trigger_stale.json

@@ -0,0 +1,22 @@
+{
+  "event_name": "workflow_run",
+  "action": "completed",
+  "workflow": {
+    "name": "Test stage",
+    "path": ".github/workflows/cicd-3-test-deploy.yaml"
+  },
+  "workflow_run": {
+    "id": 18556637650,
+    "name": "Test stage",
+    "event": "push",
+    "status": "completed",
+    "conclusion": "success",
+    "head_branch": "main",
+    "head_sha": "b2675604f38a7c89f3cfe66f8b927b39d7ddedf6"
+  },
+  "repository": {
+    "full_name": "NHSDigital/eligibility-signposting-api",
+    "name": "eligibility-signposting-api",
+    "owner": {"login": "NHSDigital"}
+  }
+}

.act/manual_preprod_trigger.json

@@ -0,0 +1,17 @@
+{
+  "event_name": "workflow_dispatch",
+  "ref": "refs/heads/main",
+  "inputs": {
+    "ref": "dev-20251015111601",
+    "release_type": "minor",
+    "reason": "manual promotion from test to pre-prod"
+  },
+  "repository": {
+    "full_name": "NHSDigital/eligibility-signposting-api",
+    "name": "eligibility-signposting-api",
+    "owner": { "login": "NHSDigital" }
+  },
+  "sender": {
+    "login": "tome"
+  }
+}

.github/workflows/cicd-3-test-deploy.yaml

@@ -5,6 +5,10 @@ on:
     workflows: ["2. CD | Deploy to Dev"]
     types: [completed]
 
+concurrency:
+  group: test-deployments
+  cancel-in-progress: false
+
 permissions:
   contents: read
   id-token: write
@@ -52,11 +56,6 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - name: "Acquire deploy lock"
-        uses: softprops/turnstyle@v3
-        with:
-          poll-interval-seconds: 10
-
       - name: "Checkout same commit"
         uses: actions/checkout@v5
         with:

.github/workflows/cicd-4-preprod-deploy.yaml

@@ -0,0 +1,99 @@
+name: "4. CD | Deploy to PreProd"
+
+concurrency:
+  group: preprod-deploy
+  cancel-in-progress: false
+
+on:
+  workflow_run:
+    workflows: ["3. CD | Deploy to Test"]
+    types: [completed]
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "dev-* tag to deploy to PreProd"
+        required: true
+      release_type:
+        description: "rc|patch|minor|major"
+        required: true
+        default: "rc"
+      reason:
+        description: "Why are you doing a manual deployment?"
+        required: true
+        default: "To roll back to a previous commit"
+
+permissions:
+  contents: write
+  id-token: write
+  actions: read
+
+jobs:
+  metadata:
+    name: "Resolve ref + stale guard + release type"
+    runs-on: ubuntu-latest
+    outputs:
+      ref:          ${{ steps.resolver.outputs.this_ref }}
+      this_sha:     ${{ steps.resolver.outputs.this_sha }}
+      latest_sha:   ${{ steps.resolver.outputs.latest_test_sha }}
+      release_type: ${{ steps.release_type.outputs.release_type }}
+
+    env:
+      TEST_WORKFLOW_ID: "190123511" # this will need updating if the workflow is recreated
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    steps:
+      - name: Checkout (full history & tags)
+        uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+
+      - name: Force HTTPS remote for act
+        if: env.ACT == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "::add-mask::${GITHUB_TOKEN}"
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git"
+          git ls-remote --tags origin >/dev/null
+
+      - name: Debug event
+        if: env.ACT == 'true'
+        run: |
+          echo "GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME}"
+          echo "Payload:" && cat "$GITHUB_EVENT_PATH" || true
+
+      - name: Resolve THIS vs LATEST TEST + stale guard (auto only)
+        id: resolver
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          EVENT_NAME: ${{ github.event_name }}
+          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          MANUAL_REF: ${{ github.event.inputs.ref }}
+          WORKFLOW_NAME: "3. CD | Deploy to Test"
+          BRANCH: "main"
+          LIMIT: "100"
+        run: python3 scripts/workflow/pre-release_resolver.py
+
+      - name: Resolve release_type (labels → default rc)
+        id: release_type
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: "main"
+          AGGREGATE: "true"
+          THIS_SHA: ${{ steps.resolver.outputs.this_sha }}
+          LATEST_TEST_SHA: ${{ steps.resolver.outputs.latest_test_sha }}
+          MANUAL_RELEASE_TYPE: ${{ github.event.inputs.release_type }}
+        run: python3 scripts/workflow/release_type_resolver.py
+
+  deploy:
+    name: "Call base-deploy.yml (PreProd)"
+    needs: [metadata]
+    uses: ./.github/workflows/base-deploy.yml
+    with:
+      environment: preprod
+      ref:          ${{ needs.metadata.outputs.ref }}
+      release_type: ${{ needs.metadata.outputs.release_type }}
+    secrets: inherit