[PRM-392] Workflow enhancements: Input cleanup, cron file renaming, prod releases limited to tags, sandbox name limit (9 characters), introducing run-names and tear down fix (Virus Scanner) (#433)

Author: chrisbloe

.github/workflows/base-cleanup-lambda-edge.yml

@@ -3,25 +3,18 @@ name: 'Z-BASE: Cleanup - Lambda@Edge'
 on:
   workflow_call:
     inputs:
-      sandbox_workspace:
-        description: 'The sandbox workspace name'
+      git_ref:
+        description: 'Branch, tag or SHA'
         required: true
         type: string
-      environment:
+      sandbox_name:
+        description: 'Sandbox name'
         required: true
         type: string
-      lambda_function_name:
-        description: 'The sandbox workspace name'
+      environment:
+        description: "GitHub Environment name"
         required: true
         type: string
-      python_version:
-        description: 'Version of Python to run the cleanup script against'
-        required: true
-        type: 'string'
-      build_branch:
-        description: 'Feature branch to push to sandbox.'
-        required: true
-        type: 'string'
     secrets:
       AWS_ASSUME_ROLE:
         required: true
@@ -39,23 +32,21 @@ jobs:
     steps:
       - name: Display passed variables
         run: |
-          echo Python Version: ${{ inputs.python_version }}
-          echo Build Branch: ${{ inputs.build_branch }}
+          echo Sandbox name: ${{ inputs.sandbox_name }}
+          echo Git branch/tag/sha: ${{ inputs.git_ref }}
           echo Environment: ${{ inputs.environment }}
-          echo Sandbox: ${{ inputs.sandbox_workspace }}
-          echo Lambda Function Name: ${{ inputs.lambda_function_name }}
 
       - name: Checkout
         uses: actions/checkout@v5
         with:
           repository: 'nhsconnect/national-document-repository-infrastructure'
-          ref: ${{ inputs.build_branch }}
+          ref: ${{ inputs.git_ref }}
           fetch-depth: '0'
 
-      - name: Set up Python ${{ inputs.python_version }}
+      - name: Set up Python 3.11
         uses: actions/setup-python@v6
         with:
-          python-version: ${{ inputs.python_version }}
+          python-version: 3.11
 
       - name: Configure AWS Credentials for ${{ vars.AWS_REGION }}
         uses: aws-actions/configure-aws-credentials@v5
@@ -69,11 +60,11 @@ jobs:
         id: cloudfront
         run: |
           aws cloudfront list-distributions > distributions.json
-          distribution_id=$(jq -r --arg origin_id "${{ inputs.sandbox_workspace }}-lloyd-george-store" \
+          distribution_id=$(jq -r --arg origin_id "${{ inputs.sandbox_name }}-lloyd-george-store" \
           '.DistributionList.Items[] | select(.Origins.Items[].Id==$origin_id) | .Id' distributions.json | head -n 1)
 
           if [ -z "$distribution_id" ]; then
-            echo "No distribution found for origin ID: ${{ inputs.sandbox_workspace }}-lloyd-george-store"
+            echo "No distribution found for origin ID: ${{ inputs.sandbox_name }}-lloyd-george-store"
           else
             echo "Distribution ID found: $distribution_id"
           fi
@@ -91,4 +82,4 @@ jobs:
         run: ./venv/bin/python3 -u scripts/remove_edge_associations.py
         env:
           DISTRIBUTION_ID: ${{ env.DISTRIBUTION_ID }}
-          LAMBDA_FUNCTION_NAME: ${{ inputs.lambda_function_name }}
+          LAMBDA_FUNCTION_NAME: "${{ inputs.sandbox_name }}_EdgePresignLambda"

.github/workflows/base-cleanup-workspace.yml

@@ -3,22 +3,18 @@ name: 'Z-BASE: Cleanup - Workspace'
 on:
   workflow_call:
     inputs:
-      build_branch:
-        description: 'Feature branch to push to sandbox.'
+      git_ref:
+        description: 'Branch, tag or SHA'
         required: true
-        type: 'string'
-      sandbox:
-        description: 'Which Sandbox to push to.'
+        type: string
+      sandbox_name:
+        description: 'Sandbox name'
         required: true
-        type: 'string'
+        type: string
       environment:
-        description: "Which environment should this run against"
+        description: "GitHub Environment name"
         required: true
-        type: "string"
-      python_version:
-        description: "Version of Python to run the cleanup script against"
-        required: true
-        type: "string"
+        type: string
     secrets:
       AWS_ASSUME_ROLE:
         required: true
@@ -35,10 +31,9 @@ jobs:
     steps:
       - name: Display client passed variables
         run: |
-          echo Python Version: ${{ inputs.python_version }}
-          echo Build Branch: ${{ inputs.build_branch }}
+          echo Sandbox name: ${{ inputs.sandbox_name }}
+          echo Git branch/tag/sha: ${{ inputs.git_ref }}
           echo Environment: ${{ inputs.environment }}
-          echo Sandbox: ${{ inputs.sandbox }}
 
   cleanup_process:
     name: Run Cleanup Versions script
@@ -50,13 +45,13 @@ jobs:
         uses: actions/checkout@v5
         with:
           repository: 'nhsconnect/national-document-repository-infrastructure'
-          ref: ${{ inputs.build_branch }}
+          ref: ${{ inputs.git_ref }}
           fetch-depth: '0'
 
-      - name: Set up Python ${{ inputs.python_version }}
+      - name: Set up Python 3.11
         uses: actions/setup-python@v6
         with:
-          python-version: ${{ inputs.python_version }}
+          python-version: 3.11
 
       - name: Make virtual environment
         run: |
@@ -74,4 +69,4 @@ jobs:
 
       - name: Run Version Cleanup Script
         run: |
-          ./venv/bin/python3 scripts/cleanup_versions.py ${{ inputs.sandbox }}
+          ./venv/bin/python3 scripts/cleanup_versions.py ${{ inputs.sandbox_name }}

…rkflows/automated-daily-health-check.yml …ub/workflows/cron-daily-health-check.yml.github/workflows/automated-daily-health-check.yml renamed to .github/workflows/cron-daily-health-check.yml .github/workflows/automated-daily-health-check.yml renamed to .github/workflows/cron-daily-health-check.yml

@@ -1,8 +1,8 @@
-name: 'Z-AUTOMATED: Daily health check'
+name: 'Z-CRON: Daily health check'
 
 on:
- schedule:
-   - cron: 30 4 * * 1-5
+  schedule:
+    - cron: 30 4 * * 1-5
 
 permissions:
   pull-requests: write
@@ -189,9 +189,7 @@ jobs:
     needs: [ 'set_workspace', 'deploy_ui', 'deploy_all_lambdas' ]
     uses: ./.github/workflows/tear-down-sandbox.yml
     with:
-      build_branch: main
+      git_ref: main
+      sandbox_name: ${{ needs.set_workspace.outputs.workspace }}
       environment: development
-      sandbox_workspace: ${{ needs.set_workspace.outputs.workspace }}
-      terraform_vars: dev.tfvars
-      backend: backend.conf
     secrets: inherit

…orkflows/automated-tear-down-sandbox.yml …hub/workflows/cron-tear-down-sandbox.yml.github/workflows/automated-tear-down-sandbox.yml renamed to .github/workflows/cron-tear-down-sandbox.yml .github/workflows/automated-tear-down-sandbox.yml renamed to .github/workflows/cron-tear-down-sandbox.yml

@@ -1,4 +1,4 @@
-name: 'Z-AUTOMATED: Tear down - Sandbox'
+name: 'Z-CRON: Tear down - Sandbox'
 
 on:
   schedule:

…b/workflows/automated-tear-down-test.yml .github/workflows/cron-tear-down-test.yml.github/workflows/automated-tear-down-test.yml renamed to .github/workflows/cron-tear-down-test.yml .github/workflows/automated-tear-down-test.yml renamed to .github/workflows/cron-tear-down-test.yml

@@ -1,4 +1,4 @@
-name: 'Z-AUTOMATED: Tear down - Test'
+name: 'Z-CRON: Tear down - Test'
 
 on:
   schedule:
@@ -14,10 +14,8 @@ jobs:
     name: Remove Lambda@Edge Associations
     uses: ./.github/workflows/base-cleanup-lambda-edge.yml
     with:
-      sandbox_workspace: ndr-test
-      lambda_function_name: 'ndr-test_EdgePresignLambda'
-      python_version: 3.11
-      build_branch: main
+      git_ref: main
+      sandbox_name: ndr-test
       environment: test
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
@@ -26,10 +24,9 @@ jobs:
     name: Cleanup Versions Process
     uses: ./.github/workflows/base-cleanup-workspace.yml
     with:
-      build_branch: main
-      sandbox: ndr-test
+      git_ref: main
+      sandbox_name: ndr-test
       environment: test
-      python_version: 3.11
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 

.github/workflows/deploy-pre-prod.yml

@@ -1,10 +1,12 @@
 name: "Deploy - Pre-prod"
 
+run-name: "${{ github.event.inputs.branch_or_tag }}"
+
 on:
   workflow_dispatch:
     inputs:
       branch_or_tag:
-        description: "Which branch or tag do you want to deploy to pre-prod?"
+        description: "Branch or tag to deploy"
         required: true
         type: string
         default: main

.github/workflows/deploy-prod.yml

@@ -1,11 +1,12 @@
-# .github/workflows/terraform-dev
 name: "Deploy - Prod"
 
+run-name: "${{ github.event.inputs.git_tag }}"
+
 on:
   workflow_dispatch:
     inputs:
-      tagVersion:
-        description: "What tagged verison do you want to push to prod?"
+      git_tag:
+        description: "Git tag to deploy"
         required: true
         type: "string"
 
@@ -24,7 +25,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.inputs.tagVersion}}
+          ref: refs/tags/${{ github.event.inputs.git_tag}}
           fetch-depth: "0"
 
       - name: Configure AWS Credentials

.github/workflows/deploy-sandbox.yml

@@ -1,20 +1,16 @@
-# .github/workflows/terraform-dev
 name: "Deploy - Sandbox"
 
+run-name: "${{ github.event.inputs.git_ref }} | ${{ github.event.inputs.sandbox_name }}"
+
 on:
   workflow_dispatch:
     inputs:
-      buildBranch:
-        description: "Feature branch to push to sandbox."
-        required: true
-        type: "string"
-      sandboxWorkspace:
-        description: "Which Sandbox to push to."
+      git_ref:
+        description: "Branch, tag or SHA to deploy"
         required: true
         type: "string"
-      environment:
-        default: "development"
-        description: "Which environment should this run against"
+      sandbox_name:
+        description: "Sandbox name [a-z0-9]{1,9}"
         required: true
         type: "string"
 
@@ -26,9 +22,18 @@ permissions:
 jobs:
   terraform_process:
     runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.environment }}
+    environment: development
 
     steps:
+      - name: Validate inputs
+        run: |
+          if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,9}$ ]]; then
+            echo "Sandbox name must match [a-z0-9]{1,9} (lowercase letters and digits only, 1-9 chars)."
+            exit 1
+          fi
+        env:
+          SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}
+
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout Base
         uses: actions/checkout@v5
@@ -61,7 +66,7 @@ jobs:
 
       - name: Terraform Set Workspace Base
         id: base_workspace
-        run: terraform workspace select -or-create ${{ github.event.inputs.sandboxWorkspace}}
+        run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}}
         working-directory: ./infrastructure
         shell: bash
 
@@ -79,7 +84,7 @@ jobs:
       - name: Checkout Branch
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.inputs.buildBranch}}
+          ref: ${{ github.event.inputs.git_ref}}
 
         # Checks that all Terraform configuration files adhere to a canonical format.
       - name: Terraform Format
@@ -94,7 +99,7 @@ jobs:
 
       - name: Terraform Set Workspace
         id: workspace
-        run: terraform workspace select ${{ github.event.inputs.sandboxWorkspace}}
+        run: terraform workspace select ${{ github.event.inputs.sandbox_name}}
         working-directory: ./infrastructure
         shell: bash
 

.github/workflows/deploy-test.yml

@@ -1,11 +1,12 @@
-# .github/workflows/terraform-dev
 name: "Deploy - Test"
 
+run-name: "${{ github.event.inputs.git_ref }}"
+
 on:
   workflow_dispatch:
     inputs:
-      build_branch:
-        description: "Feature branch to push to test?"
+      git_ref:
+        description: "Branch, tag or SHA to deploy"
         required: true
         type: "string"
 
@@ -24,7 +25,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.inputs.build_branch}}
+          ref: ${{ github.event.inputs.git_ref}}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5