NHSDigital · chrisbloe · Oct 22, 2025 · Oct 22, 2025 · Oct 22, 2025 · Oct 28, 2025
@@ -1,4 +1,4 @@
-name: 'Z-AUTOMATED: Deploy - Dev'
+name: "Z-AUTOMATED: Deploy - Dev"
 
 on:
   push:
@@ -10,10 +10,13 @@ on:
 
 permissions:
   pull-requests: write
-  actions: read   # This is required for Plan comment
+  actions: read # This is required for Plan comment
   id-token: write # This is required for requesting the JWT
   contents: write # This is required for SBOM action
-
+
+concurrency:
+  group: ndr-dev
+
 jobs:
   terraform_plan_apply:
     name: Terraform Plan/Apply (ndr-dev)
@@ -45,7 +48,7 @@ jobs:
 
       - name: Select Terraform Workspace
         id: workspace
-        run:  terraform workspace select ${{ secrets.AWS_WORKSPACE }}
+        run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
         working-directory: ./infrastructure
         shell: bash
 
@@ -73,7 +76,7 @@ jobs:
               echo "::add-mask::$cert_block"
             fi
           done || echo "No certificate blocks found to mask."
-          
+
           # Mask sensitive URLs in the Terraform Plan output
           grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
             if [ -n "$api_url" ]; then
@@ -153,7 +156,7 @@ jobs:
 
             // 2. Prepare format of the comment
             const output = `### Report for environment: ndr-dev
-            
+
             #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
             <details><summary>Initialization Output</summary>
 
@@ -191,7 +194,7 @@ jobs:
                 body: output
               })
             }
-            
+
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -207,15 +210,15 @@ jobs:
 
   deploy_lambdas:
     name: Deploy Lambdas (ndr-dev)
-    needs: ['terraform_plan_apply']
+    needs: ["terraform_plan_apply"]
     if: github.ref == 'refs/heads/main'
     uses: NHSDigital/national-document-repository/.github/workflows/lambdas-dev-to-main-ci.yml@main
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
   deploy_ui:
     name: Deploy UI (ndr-dev)
-    needs: ['terraform_plan_apply']
+    needs: ["terraform_plan_apply"]
     if: github.ref == 'refs/heads/main'
     uses: NHSDigital/national-document-repository/.github/workflows/ui-dev-to-main-ci.yml@main
     secrets:

@@ -1,11 +1,11 @@
-name: 'Z-AUTOMATED: SBOM Repo Scan'
+name: "Z-AUTOMATED: SBOM Repo Scan"
 
 on:
   pull_request:
     types: [opened, synchronize, reopened]
 
 permissions:
-  actions: read   # Required for anchore/sbom-action
+  actions: read # Required for anchore/sbom-action
   contents: write # Required for anchore/sbom-action
   id-token: write # Required for requesting the JWT
   pull-requests: write
@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
         with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 
       - uses: anchore/sbom-action@v0
         with:
@@ -51,14 +51,14 @@ jobs:
               repo: context.repo.repo,
               issue_number: context.issue.number,
             })
-            
+
             const botComment = comments.find(comment => {
               return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
             })
 
             // 2. Prepare format of the comment
             const output = `### Code security issues found
-            
+
             View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
 
             // 3. If we have a comment, update it, otherwise create a new one
@@ -70,7 +70,7 @@ jobs:
                 body: output
               })
             }
-            
+
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -89,7 +89,7 @@ jobs:
               repo: context.repo.repo,
               issue_number: context.issue.number,
             })
-            
+
             const botComment = comments.find(comment => {
               return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
             })

@@ -1,4 +1,4 @@
-name: 'Z-AUTOMATED: SonarQube Cloud Analysis'
+name: "Z-AUTOMATED: SonarQube Cloud Analysis"
 
 on:
   push:
@@ -19,10 +19,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
         with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 
       - name: SonarQube Cloud Scan
         uses: SonarSource/sonarqube-scan-action@v6
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -1,14 +1,14 @@
-name: 'Z-BASE: Cleanup - Lambda@Edge'
+name: "Z-BASE: Cleanup - Lambda@Edge"
 
 on:
   workflow_call:
     inputs:
       git_ref:
-        description: 'Branch, tag or SHA'
+        description: "Branch, tag or SHA"
         required: true
         type: string
       sandbox_name:
-        description: 'Sandbox name'
+        description: "Sandbox name"
         required: true
         type: string
       environment:
@@ -33,9 +33,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
         with:
-          repository: 'NHSDigital/national-document-repository-infrastructure'
+          repository: "NHSDigital/national-document-repository-infrastructure"
           ref: ${{ inputs.git_ref }}
-          fetch-depth: '0'
+          fetch-depth: 0
 
       - name: Setup Python 3.11
         uses: actions/setup-python@v6
@@ -62,7 +62,7 @@ jobs:
           else
             echo "Distribution ID found: $distribution_id"
           fi
-          
+
           echo "DISTRIBUTION_ID=$distribution_id" >> $GITHUB_ENV
 
       - name: Install Python Dependencies

@@ -1,14 +1,14 @@
-name: 'Z-BASE: Cleanup - Workspace'
+name: "Z-BASE: Cleanup - Workspace"
 
 on:
   workflow_call:
     inputs:
       git_ref:
-        description: 'Branch, tag or SHA'
+        description: "Branch, tag or SHA"
         required: true
         type: string
       sandbox_name:
-        description: 'Sandbox name'
+        description: "Sandbox name"
         required: true
         type: string
       environment:
@@ -33,9 +33,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
         with:
-          repository: 'NHSDigital/national-document-repository-infrastructure'
+          repository: "NHSDigital/national-document-repository-infrastructure"
           ref: ${{ inputs.git_ref }}
-          fetch-depth: '0'
+          fetch-depth: 0
 
       - name: Setup Python 3.11
         uses: actions/setup-python@v6

@@ -1,15 +1,18 @@
-name: 'Z-CRON: Daily health check'
+name: "Z-CRON: Daily health check"
 
 on:
   schedule:
     - cron: 30 4 * * 1-5
 
 permissions:
-  actions: read   # Required for anchore/sbom-action
+  actions: read # Required for anchore/sbom-action
   contents: write # Required for anchore/sbom-action
   pull-requests: write
   id-token: write
 
+concurrency:
+  group: ndrd
+
 jobs:
   set_workspace:
     name: Set Workspace (ndrd)
@@ -19,13 +22,13 @@ jobs:
     steps:
       - name: Set Output
         id: set-output
-        run: echo 'workspace=ndrd' >> $GITHUB_OUTPUT      
+        run: echo 'workspace=ndrd' >> $GITHUB_OUTPUT
 
   terraform_plan_apply:
     name: Terraform Plan/Apply (ndrd)
     runs-on: ubuntu-latest
     environment: development
-    needs: ['set_workspace']
+    needs: ["set_workspace"]
     steps:
       - name: Checkout
         uses: actions/checkout@v5
@@ -79,7 +82,7 @@ jobs:
     with:
       python_version: "3.11"
       build_branch: main
-      
+
   run_ui_unit_tests:
     name: Run UI Unit Tests
     uses: NHSDigital/national-document-repository/.github/workflows/base-vitest-test.yml@main
@@ -88,7 +91,7 @@ jobs:
 
   run_cypress_tests:
     name: Run Cypress Tests
-    runs-on: ubuntu-22.04 
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v5
@@ -107,9 +110,9 @@ jobs:
           IDENTITY_PROVIDER_POOL_ID: not provided yet
           MONITOR_ACCOUNT_ID: not provided yet
           BUILD_ENV: development
-          IMAGE_VERSION: 'not-required'
+          IMAGE_VERSION: "not-required"
         run: |
-            ./react-environment-config.sh
+          ./react-environment-config.sh
         working-directory: ./app
 
       - name: Cypress Build
@@ -119,7 +122,7 @@ jobs:
           runTests: false
           build: npm run build
           working-directory: ./app
-      
+
       - name: npm install serve -g
         run: npm install serve -g
 
@@ -132,8 +135,8 @@ jobs:
           working-directory: ./app
         env:
           CYPRESS_BASE_URL: http://localhost:3000
-          CYPRESS_grepTags: 'regression'
-  
+          CYPRESS_grepTags: "regression"
+
       - name: Upload Artifacts (Screenshots)
         uses: actions/upload-artifact@v4
         if: failure()
@@ -152,20 +155,20 @@ jobs:
 
   publish_lambda_layers:
     name: Publish Lambda Layers
-    needs: ['set_workspace', 'terraform_plan_apply']
+    needs: ["set_workspace", "terraform_plan_apply"]
     uses: NHSDigital/national-document-repository/.github/workflows/base-lambda-layer-reusable-publish-all.yml@main
     with:
       build_branch: main
       sandbox: ${{ needs.set_workspace.outputs.workspace }}
       environment: development
       python_version: "3.11"
     secrets:
-        AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
-        
+      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+
   deploy_lambdas:
     name: Deploy Lambdas
     uses: NHSDigital/national-document-repository/.github/workflows/base-lambdas-reusable-deploy-all.yml@main
-    needs: ['set_workspace', 'publish_lambda_layers']
+    needs: ["set_workspace", "publish_lambda_layers"]
     with:
       build_branch: main
       sandbox: ${{ needs.set_workspace.outputs.workspace }}
@@ -178,7 +181,7 @@ jobs:
   deploy_ui:
     name: Deploy UI
     uses: NHSDigital/national-document-repository/.github/workflows/base-deploy-ui.yml@main
-    needs: ['terraform_plan_apply', 'set_workspace']
+    needs: ["terraform_plan_apply", "set_workspace"]
     with:
       build_branch: main
       sandbox: ${{ needs.set_workspace.outputs.workspace }}
@@ -188,8 +191,8 @@ jobs:
 
   destroy_test_environment:
     if: always()
-    name: Destroy Sandbox (ndrd) 
-    needs: ['set_workspace', 'deploy_ui', 'deploy_lambdas']
+    name: Destroy Sandbox (ndrd)
+    needs: ["set_workspace", "deploy_ui", "deploy_lambdas"]
     uses: ./.github/workflows/tear-down-sandbox.yml
     with:
       git_ref: main

@@ -1,4 +1,4 @@
-name: 'Z-CRON: Tear down - Sandboxes'
+name: "Z-CRON: Tear down - Sandboxes"
 
 on:
   schedule:

@@ -1,4 +1,4 @@
-name: 'Z-CRON: Tear down - Test'
+name: "Z-CRON: Tear down - Test"
 
 on:
   schedule:
@@ -9,6 +9,9 @@ permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
 
+concurrency:
+  group: ndr-test
+
 jobs:
   remove_edge_associations:
     name: Remove Lambda@Edge Associations