Merge branch 'main' into task/FTRS-2587-data-migration-toggles

Author: lukasz-jercha-nhs

.github/actions/authenticate-apim-pytest/action.yaml

@@ -0,0 +1,32 @@
+name: 'Proxygen Pytest APIM Token Auth'
+description: 'Request pytest APIM token from Proxygen and export it as environment variable'
+
+inputs:
+  api_name:
+    description: 'Name of the API to access via Proxygen'
+    required: true
+  access_token:
+    description: 'Access token for Proxygen API'
+    required: true
+  proxygen_base_url:
+    description: 'Base URL for Proxygen API'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Fetch and export pytest APIM token
+      shell: bash
+      env:
+        API_NAME: ${{ inputs.api_name }}
+        ACCESS_TOKEN: ${{ inputs.access_token }}
+        PROXYGEN_BASE_URL: ${{ inputs.proxygen_base_url }}
+      run: |
+        # Mask secrets as early as possible
+        echo "::add-mask::$ACCESS_TOKEN"
+
+        APIGEE_ACCESS_TOKEN=$("${{ github.workspace }}/scripts/workflow/fetch-apigee-token.sh")
+
+        echo "::add-mask::$APIGEE_ACCESS_TOKEN"
+        echo "APIGEE_ACCESS_TOKEN=$APIGEE_ACCESS_TOKEN" >> "$GITHUB_ENV"
+        echo "✓ Apigee access token retrieved and exported successfully"

.github/actions/configure-credentials/action.yaml

@@ -19,7 +19,7 @@ runs:
   using: "composite"
   steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v5.1.1
+      uses: aws-actions/configure-aws-credentials@v6.0.0
       with:
         role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/${{ github.event.repository.name }}${{ inputs.environment != 'mgmt' && format('-{0}', inputs.environment) || '' }}-${{ inputs.type }}-github-runner
         role-session-name: github-pipeline-session

.github/actions/create-lines-of-code-report/action.yaml

@@ -44,7 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v6.0.0
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/scan-dependencies/action.yaml

@@ -58,7 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v6.0.0
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/service-automation-test/action.yaml

@@ -12,11 +12,17 @@ inputs:
     description: "AWS region"
     required: true
   test_tag:
-    description: "feature tag that identifies tests to be run"
+    description: "The name of the feature tag that identifies the tests to run"
     required: true
   test_type:
-    description: "tag that identifies types of test and reports to be run"
+    description: "The name of the type of test report that will be generated (e.g., bdd, apim, ui)"
     required: true
+  api_name:
+    description: "The name of the API to test (for APIM tests, e.g., dos-search)"
+    required: false
+  apim_env:
+    description: "The APIM environment to test (for APIM tests, e.g., internal-dev, internal-qa)"
+    required: false
   commit_hash:
     description: "The commit hash, set by the CI/CD pipeline workflow"
     required: false
@@ -38,6 +44,8 @@ runs:
         TEST_TYPE: ${{ inputs.test_type }}
         COMMIT_HASH: ${{ inputs.commit_hash }}
         REF: ${{ inputs.ref }}
+        API_NAME: ${{ inputs.api_name }}
+        APIM_ENV: ${{ inputs.apim_env }}
       run: |
         set -euo pipefail
         /bin/bash ./scripts/workflow/service-automation-tests.sh

.github/workflows/aws-wafr-checks.yaml

@@ -72,7 +72,7 @@ jobs:
       # Assume steampipe-readonly-role using role chaining
       - name: Assume steampipe-readonly-role
         if: steps.should-run.outputs.should_run == 'true'
-        uses: aws-actions/configure-aws-credentials@v5.1.1
+        uses: aws-actions/configure-aws-credentials@v6.0.0
         with:
           role-to-assume: arn:aws:iam::${{ secrets.ACCOUNT_ID }}:role/${{ github.event.repository.name }}-steampipe-readonly-role
           role-chaining: true

.github/workflows/pipeline-deploy-application.yaml

@@ -75,7 +75,7 @@ jobs:
     with:
       environment: ${{ needs.metadata.outputs.environment }}
       workspace: ${{ needs.metadata.outputs.workspace }}
-      ref: ${{ inputs.ref }}    
+      ref: ${{ inputs.ref }}
 
   build-services:
     name: "Build ${{ matrix.name }}"
@@ -329,17 +329,22 @@ jobs:
     name: "Run ${{ matrix.tag }} service automation tests on ${{ needs.metadata.outputs.environment }}"
     strategy:
       fail-fast: false
+      max-parallel: 1
       matrix:
         include:
-          - tag: "ftrs-pipeline"
-            type: "api"
+          - tag: "integrated-search"
+            type: "bdd"
+            api_name: "dos-search"
           - tag: "data-migration"
-            type: "data-migration"
+            type: "bdd"
+          - tag: "data-sourcing"
+            type: "bdd"
     needs:
       - metadata
       - deploy-application-infrastructure
       - restore-dynamodb-from-s3
       - export-dynamodb-to-s3
+      - deploy-proxy-to-apim
     if: |
       always() &&
       !cancelled() &&
@@ -358,6 +363,7 @@ jobs:
       ref: ${{ inputs.ref }}
       test_tag: ${{ matrix.tag }}
       test_type: ${{ matrix.type }}
+      api_name: ${{ matrix.api_name || '' }}
       type: app
       deployment_type: "development"
     secrets: inherit

.github/workflows/service-automation-test.yaml

@@ -5,7 +5,7 @@ on:
   workflow_call:
     inputs:
       environment:
-        description: The relevant github environment (for secrets and variables)
+        description: "The relevant github environment (for secrets and variables)"
         required: true
         type: string
       workspace:
@@ -17,7 +17,15 @@ on:
         required: false
         type: string
       test_type:
-        description: "The name of the type of test report that will be generated"
+        description: "The name of the type of test report that will be generated (e.g., bdd, apim, ui)"
+        required: false
+        type: string
+      api_name:
+        description: "The name of the API to test (for APIM tests, e.g., dos-search)"
+        required: false
+        type: string
+      apim_env:
+        description: "The APIM environment to test (for APIM tests, e.g., internal-dev, internal-qa)"
         required: false
         type: string
       ref:
@@ -127,19 +135,21 @@ jobs:
         uses: actions/cache@v5
         with:
           path: ~/.asdf
-          key: asdf-${{ runner.os }}-${{ hashFiles('.tool-versions') }}
+          key: asdf-${{ runner.os }}-${{ hashFiles('.tool-versions', 'tests/service_automation/.tool-versions') }}
 
       - name: "Install tools from .tool-versions"
         if: steps.asdf-cache.outputs.cache-hit != 'true'
         uses: asdf-vm/actions/install@v4.0.1
 
       - name: "Cache Poetry dependencies"
+        id: poetry-cache
         uses: actions/cache@v5
         with:
           path: ~/.cache/pypoetry
           key: ${{ runner.os }}-poetry-${{ hashFiles('tests/service_automation/poetry.lock') }}
 
       - name: "Cache Playwright browsers"
+        id: playwright-cache
         uses: actions/cache@v5
         with:
           path: ~/.cache/ms-playwright
@@ -154,9 +164,27 @@ jobs:
           environment: ${{ inputs.environment }}
 
       - name: "Install project"
+        if: steps.asdf-cache.outputs.cache-hit != 'true' || steps.poetry-cache.outputs.cache-hit != 'true' || steps.playwright-cache.outputs.cache-hit != 'true'
         run: make install
         working-directory: "tests/service_automation"
 
+      - name: Authenticate with APIM
+        if: inputs.test_type == 'apim'
+        uses: ./.github/actions/authenticate-apim
+        id: apim-auth
+        with:
+          api_name: ${{ inputs.api_name }}
+          environment: ${{ inputs.environment }}
+          aws_region: ${{ vars.AWS_REGION }}
+
+      - name: Get Apigee access token
+        if: inputs.test_type == 'apim'
+        uses: ./.github/actions/authenticate-apim-pytest
+        with:
+          api_name: ${{ inputs.api_name }}
+          access_token: ${{ steps.apim-auth.outputs.access_token }}
+          proxygen_base_url: ${{ secrets.PROXYGEN_URL }}
+
       - name: Run ${{ inputs.test_tag }} service automation tests
         id: run-service_automation-tests
         uses: ./.github/actions/service-automation-test
@@ -166,6 +194,8 @@ jobs:
           workspace: ${{ inputs.workspace }}
           test_tag: ${{ inputs.test_tag }}
           test_type: ${{ inputs.test_type }}
+          api_name: ${{ inputs.api_name }}
+          apim_env: ${{ inputs.environment == 'dev' && 'internal-dev' || inputs.environment == 'test' && 'internal-qa' || inputs.environment }}
           commit_hash: ${{ inputs.commit_hash || github.sha }}
           ref: ${{ inputs.ref }}
 

docs/specification/dos-search.yaml

@@ -631,3 +631,15 @@ x-nhsd-apim:
     - name: application-name
       required: false
       header: application-name
+  # Request a proxy-level cap of 150 TPS (9000/min) to limit aggregate traffic to the backend.
+  # Note: proxy is a shared/global cap across all applications; no per-application default is requested here.
+  ratelimiting:
+    proxy:
+      # 150 transactions per second -> 150 * 60 = 9,000 per minute
+      timeunit: "minute"
+      limit: 9000
+    # Per-application (per-subscription / per-api-key) quota to ensure fair usage between clients.
+    # 10 transactions per second -> 10 * 60 = 600 per minute per application
+    app-default:
+      timeunit: "minute"
+      limit: 600

docs/user-guides/Test_GitHub_Actions_locally.md

@@ -49,7 +49,7 @@ $ make runner-act workflow="stage-1-commit" job="create-lines-of-code-report"
 [Commit stage/Count lines of code]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/1-composite-check.sh] user= workdir=
 [Commit stage/Count lines of code]   ✅  Success - Main Check prerequisites for sending the report
 [Commit stage/Count lines of code]   ⚙  ::set-output:: secrets_exist=false
-[Commit stage/Count lines of code]   ☁  git clone 'https://github.com/aws-actions/configure-aws-credentials' # ref=v2
+[Commit stage/Count lines of code]   ☁  git clone 'https://github.com/aws-actions/configure-aws-credentials' # ref=v6.0.0
 [Commit stage/Count lines of code]   ✅  Success - Main Count lines of code
 [Commit stage/Count lines of code]   ⚙  ::set-output:: secrets_exist=false
 [Commit stage/Count lines of code] ⭐ Run Post Count lines of code