Merge remote-tracking branch 'origin/main' into fail_job_on_bad_pr_format

Author: anthony-nhs

.github/workflows/quality-checks.yml

@@ -109,6 +109,14 @@ jobs:
           echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
           echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
 
+      - name: Cache npm dependencies
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+        with:
+          path: ./node_modules
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
       - name: make install
         run: |
           make install
@@ -143,6 +151,58 @@ jobs:
             echo "uses_java=false" >> "$GITHUB_OUTPUT"
           fi
 
+      - name: Check licenses (Makefile)
+        run: |
+          make check-licenses
+
+      - name: Run code lint
+        run: make lint
+
+      - name: actionlint
+        uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38
+        with:
+          ignore_paths: >-
+            *test*
+            .venv
+            node_modules
+            .git
+
+      - name: Run unit tests
+        run: make test
+
+      - name: Generate and check SBOMs
+        uses: NHSDigital/eps-action-sbom@7684ce6314e515df7b7929fac08b4464f8a03d06
+
+      - name: "check is SONAR_TOKEN exists"
+        env:
+          super_secret: ${{ secrets.SONAR_TOKEN }}
+        if: ${{ env.super_secret != '' && inputs.run_sonar == true }}
+        run: echo "SONAR_TOKEN_EXISTS=true" >> "$GITHUB_ENV"
+
+      - name: Run SonarQube analysis
+        if: ${{ steps.check_java.outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }}
+        run: mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602
+        if: ${{ steps.check_java.outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  # CloudFormation validation (runs only if templates exist, ~3-5 minutes)
+  cloudformation-validation:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+          fetch-depth: 0
+
       - name: Check for SAM templates
         id: check_sam_templates
         run: |
@@ -188,34 +248,34 @@ jobs:
             echo "cdk_exists=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Check licenses (Makefile)
-        run: |
-          make check-licenses
-
-      - name: Run code lint
-        run: make lint
-
-      - name: actionlint
-        uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc
-
-      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38
-        with:
-          ignore_paths: >-
-            *test*
-            .venv
-            node_modules
-            .git
-
       - name: Run cfn-lint
         if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true'
         run: |
           pip install cfn-lint
           cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
           cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
 
-      - name: Run unit tests
-        run: make test
+      - name: Cache npm dependencies
+        if: steps.check_cdk.outputs.cdk_exists == 'true'
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Setting up .npmrc
+        if: steps.check_cdk.outputs.cdk_exists == 'true'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
+          echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
+
+      - name: make install NodeJS
+        if: steps.check_cdk.outputs.cdk_exists == 'true'
+        run: |
+          make install-node && make compile
 
       - name: Run cdk-synth
         if: steps.check_cdk.outputs.cdk_exists == 'true'
@@ -347,23 +407,3 @@ jobs:
         with:
           name: cfn_guard_output
           path: cfn_guard_output
-
-      - name: Generate and check SBOMs
-        uses: NHSDigital/eps-action-sbom@7684ce6314e515df7b7929fac08b4464f8a03d06
-
-      - name: "check is SONAR_TOKEN exists"
-        env:
-          super_secret: ${{ secrets.SONAR_TOKEN }}
-        if: ${{ env.super_secret != '' && inputs.run_sonar == true }}
-        run: echo "SONAR_TOKEN_EXISTS=true" >> "$GITHUB_ENV"
-
-      - name: Run SonarQube analysis
-        if: ${{ steps.check_java.outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }}
-        run: mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
-
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602
-        if: ${{ steps.check_java.outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/tag-release.yml

@@ -33,8 +33,16 @@ on:
                 description: "An extra artifact to include in the release"
                 required: false
                 type: string
-            extra_artifact_url:
-                description: "An url to download the extra artifact to include in the release"
+            extra_artifact_id:
+                description: "An id for the extra artifact"
+                required: false
+                type: string
+            extra_artifact_run_id:
+                description: "An run id for the extra artifact"
+                required: false
+                type: string
+            extra_artifact_repository:
+                description: "An repository for the extra artifact"
                 required: false
                 type: string
         outputs:
@@ -240,12 +248,14 @@ jobs:
                   make build
 
             - name: Download extra artifact
-              if: ${{ inputs.extra_artifact_url != '' }}
-              run: |
-                  curl -L -o "${EXTRA_ASSET}" "${EXTRA_ASSET_URL}"
-              env:
-                  EXTRA_ASSET: ${{ inputs.extra_artifact_name }}
-                  EXTRA_ASSET_URL: ${{ inputs.extra_artifact_url }}
+              if: ${{ inputs.extra_artifact_name != '' }}
+              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
+              with:
+                artifact-ids: ${{ inputs.extra_artifact_id }}
+                github-token: ${{ secrets.GITHUB_TOKEN }}
+                repository: ${{ inputs.extra_artifact_repository }}
+                run-id: ${{ inputs.extra_artifact_run_id }}
+  
             - name: Set VERSION_TAG based on dry_run flag
               id: output_version_tag
               run: |