(ELI-466) pulling in main

Author: TOEL2

.github/workflows/base-deploy.yml

@@ -154,7 +154,7 @@ jobs:
               --region eu-west-2
 
         - name: "Upload lambda artifact for the current workflow"
-          uses: actions/upload-artifact@v4
+          uses: actions/upload-artifact@v5
           with:
             name: lambda-${{ needs.metadata.outputs.tag }}
             path: ./dist/lambda.zip
@@ -182,7 +182,7 @@ jobs:
           terraform_version: ${{ needs.metadata.outputs.terraform_version }}
 
       - name: "Download Lambda Artifact"
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: lambda-${{ needs.metadata.outputs.tag }}
           path: ./dist
@@ -220,12 +220,6 @@ jobs:
           echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
         working-directory: ./infrastructure/stacks/api-layer
 
-      - name: "Upload lambda artifact to S3"
-        run: |
-          aws s3 cp ./dist/lambda.zip \
-            s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
-            --region eu-west-2
-
       - name: "Validate Feature Toggles"
         env:
           ENV: ${{ needs.metadata.outputs.environment }}
@@ -245,6 +239,17 @@ jobs:
           pip install requests
           python scripts/workflow/tag_and_release.py
 
+      - name: "Capture release tag"
+        id: release_tag
+        run: |
+          echo "release_tag=$(cat release_tag.txt)" >> $GITHUB_OUTPUT
+
+      - name: "Upload lambda artifact to S3"
+        run: |
+          aws s3 cp ./dist/lambda.zip \
+            s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ steps.release_tag.outputs.release_tag }}/lambda.zip \
+            --region eu-west-2
+
 
   regression-tests:
     name: "Regression Tests"

.github/workflows/cicd-2-publish.yaml

@@ -82,7 +82,7 @@ jobs:
           make build
 
       - name: "Upload lambda artefact for cross-workflow use"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: lambda-${{ needs.metadata.outputs.version }}
           path: dist/lambda.zip

.github/workflows/cicd-3-test-deploy.yaml

@@ -73,7 +73,7 @@ jobs:
           aws-region: eu-west-2
 
       - name: "Download lambda artefact from dev workflow"
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: lambda-${{ needs.metadata.outputs.tag }}
           path: ./dist

.github/workflows/sonarcube-scan-main-branch.yaml

@@ -28,7 +28,7 @@ jobs:
         run: |
           make test-unit
       - name: "Save the coverage check result"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: coverage.xml
           path: coverage.xml
@@ -41,7 +41,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: "Get the coverage report"
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: coverage.xml
       - name: Run static analysis script

.github/workflows/stage-1-commit.yaml

@@ -101,7 +101,7 @@ jobs:
           output_format: sarif
           output_file_path: checkov-report.sarif
       - name: Upload Checkov results to GitHub Security tab
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: checkov_results
           path: checkov-report.sarif

.github/workflows/stage-2-test.yaml

@@ -48,7 +48,7 @@ jobs:
         run: |
           make test-unit
       - name: "Save the coverage check result"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: coverage.xml
           path: coverage.xml
@@ -83,7 +83,7 @@ jobs:
         with:
           fetch-depth: 0 # Full history is needed to improving relevancy of reporting
       - name: "Get the coverage report"
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: coverage.xml
       - name: "Perform static analysis"

.github/workflows/stage-3-build.yaml

@@ -49,7 +49,7 @@ jobs:
           make dependencies install-python
           make build
       - name: "Upload lambda artefact"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: lambda
           path: dist/lambda.zip

.github/workflows/stage-4-acceptance.yaml

@@ -120,7 +120,7 @@ jobs:
         with:
           python-version: '3.13'
       - name: "Get lambda artefact"
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: lambda
           path: dist
@@ -132,13 +132,13 @@ jobs:
           echo "Nothing to save"
       - name: Upload Integration Test Results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: integration-test-results
           path: integration-test-results.xml
       - name: Gather Integration Test Summaries
         if: always()
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           path: summary
           pattern: ci-summary-*

Makefile

@@ -43,7 +43,7 @@ check-licenses:
 build: dist/lambda.zip # Build lambda.zip in dist/
 
 dist/lambda.zip: $(MAKE_DIR)/pyproject.toml $(MAKE_DIR)/poetry.lock $(shell find src -type f)
-	poetry build-lambda -vv
+	poetry build-lambda -vv && poetry run clean-lambda
 
 deploy: # Deploy the project artefact to the target environment @Pipeline
 	# TODO: Implement the artefact deployment step

infrastructure/stacks/api-layer/api_gateway.tf

@@ -51,9 +51,11 @@ resource "aws_api_gateway_stage" "eligibility-signposting-api" {
   stage_name           = "${local.workspace}-eligibility-signposting-api-live"
   xray_tracing_enabled = true
 
+  # Access log settings
+  # A subscription filter (see csoc_log_forwarding.tf) forwards these logs to CSOC
   access_log_settings {
     destination_arn = module.eligibility_signposting_api_gateway.cloudwatch_destination_arn
-    format          = "{ \"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"domainName\":\"$context.domainName\", \"error_message\":\"$context.error.message\", \"clientCertSerialNumber\":\"$context.identity.clientCert.serialNumber\", \"clientCertValidityNotBefore\":\"$context.identity.clientCert.validity.notBefore\", \"clientCertValidityNotAfter\":\"$context.identity.clientCert.validity.notAfter\" }"
+    format          = "{ \"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"api_key\":\"$context.identity.apiKey\" }"
   }
 
   depends_on = [