Update: [AEA-5753] - path to live pipeline (#130)

## Summary

Routine Change
🤖 Operational or Infrastructure Change

### Details
https://nhsd-jira.digital.nhs.uk/browse/AEA-5753

This pull request implements a release pipeline for eps-assist-me that
aligns with our existing release process

**Pipeline Flow:**
- PR merge to main → automatic DEV deployment
- Manual approval gates for QA, INT, and PROD environments
- INT and PROD deploy in parallel with identical code

**Key changes:**
- Added `deploy-dev-auto.yml` for automatic DEV deployments
- Added `release.yml` for manual promotions with approval gates
- Fixed poetry export validation to prevent Dependabot-induced
deployment failures
- Updated shellcheck version for pre-commit compatibility

Author: bencegadanyi1-nhs

.github/config/settings.yml

@@ -0,0 +1 @@
+TAG_FORMAT: "v${version}"

.github/scripts/create_int_rc_release_notes.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+cat <<EOF > payload.json
+{
+  "currentTag": "$CURRENT_DEPLOYED_TAG",
+  "targetTag": "$RELEASE_TAG",
+  "repoName": "eps-assist-me",
+  "targetEnvironment": "INT",
+  "productName": "EPS Assist Me",
+  "releaseNotesPageId": "$PAGE_ID",
+  "releaseNotesPageTitle": "EPS-Assist-Me-$RELEASE_TAG - Deployed to [INT] on $(date +'%d-%m-%y')",
+  "createReleaseCandidate": "true",
+  "releasePrefix": "EPS-Assist-Me-"
+}
+EOF
+cat payload.json
+
+function_arn=$(aws cloudformation list-exports --query "Exports[?Name=='release-notes:CreateReleaseNotesLambdaArn'].Value" --output text)
+aws lambda invoke --function-name "${function_arn}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt
+cat out.txt

.github/workflows/cdk_package_code.yml

@@ -26,25 +26,30 @@ jobs:
         with:
           ref: ${{ env.BRANCH_NAME }}
 
+      # using git commit sha for version of action to ensure we have stable version
+      - name: Get asdf version
+        id: asdf-version
+        run: echo "version=0.18.0" >> "$GITHUB_OUTPUT"
+
       # using git commit sha for version of action to ensure we have stable version
       - name: Install asdf
         uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
         with:
-          asdf_branch: v0.14.1
-  
+          asdf_version: ${{ steps.asdf-version.outputs.version }}
+
       - name: Cache asdf
         uses: actions/cache@v4
         with:
           path: |
             ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ steps.asdf-version.outputs.version }}
           restore-keys: |
-            ${{ runner.os }}-asdf-
+            ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ steps.asdf-version.outputs.version }}
 
       - name: Install asdf dependencies in .tool-versions
         uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302
         with:
-          asdf_branch: v0.14.1
+          asdf_version: ${{ steps.asdf-version.outputs.version }}
         env:
           PYTHON_CONFIGURE_OPTS: --enable-shared
 
@@ -58,15 +63,24 @@ jobs:
       - name: make install
         run: |
           make install
+          make compile-node
 
       - name: Build Python Lambda Functions
         run: |
           poetry export --without-hashes --format=requirements.txt --with slackBotFunction > requirements_slackBotFunction
           poetry export --without-hashes --format=requirements.txt --with syncKnowledgeBaseFunction > requirements_syncKnowledgeBaseFunction
+          if [ ! -s requirements_slackBotFunction ]; then \
+            echo "Error: requirements_slackBotFunction is empty or missing"; \
+            exit 1; \
+          fi
+          if [ ! -s requirements_syncKnowledgeBaseFunction ]; then \
+            echo "Error: requirements_syncKnowledgeBaseFunction is empty or missing"; \
+            exit 1; \
+          fi
           pip3 install -r requirements_slackBotFunction -t .dependencies/slackBotFunction/python
           pip3 install -r requirements_syncKnowledgeBaseFunction -t .dependencies/syncKnowledgeBaseFunction/python
 
-      - name: 'Tar files'
+      - name: "Tar files"
         run: |
           tar -rf artifact.tar \
             .tool-versions \
@@ -75,10 +89,11 @@ jobs:
             package.json \
             package-lock.json \
             tsconfig.defaults.json \
+            Makefile \
             cdk.json \
             .dependencies
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         name: upload build artifact
         with:
           name: build_artifact

.github/workflows/ci.yml

@@ -8,6 +8,25 @@ env:
   BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
 
 jobs:
+  get_asdf_version:
+    runs-on: ubuntu-22.04
+    outputs:
+      asdf_version: ${{ steps.asdf-version.outputs.version }}
+      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Get asdf version
+        id: asdf-version
+        run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+
+      - name: Load config value
+        id: load-config
+        run: |
+          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+
   quality_checks:
     uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/[email protected]
     secrets:
@@ -24,75 +43,15 @@ jobs:
           echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
 
   tag_release:
-    needs: quality_checks
-    runs-on: ubuntu-22.04
-    outputs:
-      version_tag: ${{ steps.output_version_tag.outputs.VERSION_TAG }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-        with:
-          ref: ${{ env.BRANCH_NAME }}
-          fetch-depth: 0
-
-      # using git commit sha for version of action to ensure we have stable version
-      - name: Install asdf
-        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
-        with:
-          asdf_branch: v0.14.1
-  
-      - name: Cache asdf
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
-          restore-keys: |
-            ${{ runner.os }}-asdf-
-
-      - name: Install asdf dependencies in .tool-versions
-        uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302
-        with:
-          asdf_branch: v0.14.1
-        env:
-          PYTHON_CONFIGURE_OPTS: --enable-shared
-
-      - name: Setting up .npmrc
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
-          echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
-
-      - name: Install Dependencies
-        run: make install
-
-      - name: Set VERSION_TAG env var to be short git SHA and get next tag varsion
-        id: output_version_tag
-        run: |
-          VERSION_TAG=$(git rev-parse --short HEAD)
-          npx semantic-release --dry-run > semantic-release-output.log
-          NEXT_VERSION=$(grep -i 'The next release version is' semantic-release-output.log | sed -E 's/.* ([[:digit:].]+)$/\1/')
-          if [ -z "${NEXT_VERSION}" ]
-          then
-            echo "Could not get next tag. Here is the log from semantic-release"
-            cat semantic-release-output.log
-            exit 1
-          fi
-          tagFormat=$(node -e "const config=require('./release.config.js'); console.log(config.tagFormat)")
-          if [ "${tagFormat}" = "null" ]
-          then
-            tagFormat="v\${version}"
-          fi
-          # disabling shellcheck as replace does not work
-          # shellcheck disable=SC2001
-          NEW_VERSION_TAG=$(echo "$tagFormat" | sed "s/\${version}/$NEXT_VERSION/")
-          echo "## VERSION TAG : ${VERSION_TAG}" >> "$GITHUB_STEP_SUMMARY"
-          echo "## NEXT TAG WILL BE : ${NEW_VERSION_TAG}" >> "$GITHUB_STEP_SUMMARY"
-          echo "VERSION_TAG=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
-          echo "VERSION_TAG=${VERSION_TAG}" >> "$GITHUB_ENV"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
+    needs: [quality_checks, get_commit_id, get_asdf_version]
+    uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/tag-release.yml@361957c147279f5f0f68b64fde9927833363d5f7
+    with:
+      dry_run: true
+      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      branch_name: main
+      publish_package: false
+      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+    secrets: inherit
 
   package_code:
     needs: [get_commit_id, tag_release]
@@ -104,7 +63,7 @@ jobs:
 
   release_dev:
     needs: [get_commit_id, tag_release, package_code]
-    uses: ./.github/workflows/cdk_release_code.yml
+    uses: ./.github/workflows/release_all_stacks.yml
     with:
       STACK_NAME: epsam
       TARGET_ENVIRONMENT: dev
@@ -113,13 +72,47 @@ jobs:
       CDK_APP_NAME: EpsAssistMeApp
       DEPLOY_CODE: true
       LOG_RETENTION_IN_DAYS: 30
-      LOG_LEVEL: DEBUG
+      LOG_LEVEL: "DEBUG"
+      CREATE_INT_RELEASE_NOTES: false
+      CREATE_PROD_RELEASE_NOTES: false
       MARK_JIRA_RELEASED: false
+      CREATE_INT_RC_RELEASE_NOTES: false
+      IS_PULL_REQUEST: false
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
+      DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+      INT_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+      PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+      DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
+      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+      SLACK_SIGNING_SECRET: ${{ secrets.SLACK_SIGNING_SECRET }}
+
+  release_qa:
+    needs: [get_commit_id, tag_release, package_code, release_dev]
+    uses: ./.github/workflows/release_all_stacks.yml
+    with:
+      STACK_NAME: epsam
+      TARGET_ENVIRONMENT: qa
+      VERSION_NUMBER: ${{ needs.tag_release.outputs.version_tag }}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      CDK_APP_NAME: EpsAssistMeApp
+      DEPLOY_CODE: true
+      LOG_RETENTION_IN_DAYS: 30
+      LOG_LEVEL: "DEBUG"
+      CREATE_INT_RELEASE_NOTES: true
+      CREATE_PROD_RELEASE_NOTES: true
+      MARK_JIRA_RELEASED: false
+      CREATE_INT_RC_RELEASE_NOTES: false
+      IS_PULL_REQUEST: false
+    secrets:
+      CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
+      CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
       DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+      INT_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+      PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
       DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
+      REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
       SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
       SLACK_SIGNING_SECRET: ${{ secrets.SLACK_SIGNING_SECRET }}

.github/workflows/pull_request.yml

@@ -8,6 +8,25 @@ env:
   BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
 
 jobs:
+  get_asdf_version:
+    runs-on: ubuntu-22.04
+    outputs:
+      asdf_version: ${{ steps.asdf-version.outputs.version }}
+      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Get asdf version
+        id: asdf-version
+        run: echo "version=0.18.0" >> "$GITHUB_OUTPUT"
+
+      - name: Load config value
+        id: load-config
+        run: |
+          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+
   quality_checks:
     uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/[email protected]
     secrets:
@@ -62,7 +81,7 @@ jobs:
 
   release_code:
     needs: [get_issue_number, package_code, get_commit_id]
-    uses: ./.github/workflows/cdk_release_code.yml
+    uses: ./.github/workflows/release_all_stacks.yml
     with:
       STACK_NAME: epsam-pr-${{needs.get_issue_number.outputs.issue_number}}
       TARGET_ENVIRONMENT: dev-pr
@@ -71,9 +90,19 @@ jobs:
       CDK_APP_NAME: EpsAssistMeApp
       DEPLOY_CODE: true
       LOG_RETENTION_IN_DAYS: 30
-      LOG_LEVEL: DEBUG
+      LOG_LEVEL: "DEBUG"
+      CREATE_INT_RELEASE_NOTES: false
+      CREATE_PROD_RELEASE_NOTES: false
+      MARK_JIRA_RELEASED: false
+      CREATE_INT_RC_RELEASE_NOTES: false
+      IS_PULL_REQUEST: true
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
+      DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+      INT_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+      PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+      DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
+      REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
       SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
       SLACK_SIGNING_SECRET: ${{ secrets.SLACK_SIGNING_SECRET }}