Merge remote-tracking branch 'origin/main' into feature/CCM-11188

Author: francisco-videira-nhs

.github/CODEOWNERS

@@ -1,12 +1,19 @@
 # NHS Notify Code Owners
 
-*                                                                      @NHSDigital/nhs-notify-supplier-api
-/.github/                                                              @NHSDigital/nhs-notify-admins
-*.code-workspace                                                       @NHSDigital/nhs-notify-admins
+*                           @NHSDigital/nhs-notify-supplier-api
+
+/.github/                   @NHSDigital/nhs-notify-supplier-api-admins
+*.code-workspace            @NHSDigital/nhs-notify-supplier-api-admins
+/docs/                      @NHSDigital/nhs-notify-supplier-api
+/infrastructure/terraform/  @NHSDigital/nhs-notify-platform
 
 # Codeowners must be final check
-/.github/CODEOWNERS @NHSDigital/nhs-notify-code-owners
-/CODEOWNERS @NHSDigital/nhs-notify-code-owners
+/.github/CODEOWNERS         @NHSDigital/nhs-notify-code-owners
+/CODEOWNERS                 @NHSDigital/nhs-notify-code-owners
+
+# Each NHS Notify repository should have clear code owners set.
+# Do not use GitHub team names, instead use the GitHub usernames
+# of the people who are responsible for the code maintenance.
 
 # This is a comment.
 # Each line is a file pattern followed by one or more owners.

.github/actions/build-proxies/action.yml

@@ -1,9 +1,11 @@
 name: "Build Proxies"
 description: "Build Proxies"
+
 inputs:
   version:
     description: "Version number"
     required: true
+
 runs:
   using: composite
 
@@ -26,15 +28,16 @@ runs:
         if [ -z $PR_NUMBER ]
         then
           echo "INSTANCE=$PROXYGEN_API_NAME" >> $GITHUB_ENV
-          echo "TARGET=https://suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+          echo "TARGET=https://main.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
           echo "SANDBOX_TAG=latest" >> $GITHUB_ENV
+          echo "MTLS_NAME=notify-supplier-mtls" >> $GITHUB_ENV
         else
           echo "TARGET=https://pr$PR_NUMBER.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
           echo "INSTANCE=$PROXYGEN_API_NAME-PR-$PR_NUMBER" >> $GITHUB_ENV
           echo "SANDBOX_TAG=pr$PR_NUMBER" >> $GITHUB_ENV
+          echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
         fi
 
-
     - name: Install Proxygen client
       shell: bash
       run: |
@@ -50,28 +53,6 @@ runs:
         envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
         envsubst < ./.github/proxygen-settings.yaml | cat
 
-    - name: Build internal dev oas
-      working-directory: .
-      shell: bash
-      run: |
-        if [ -z $PR_NUMBER ]
-        then
-          make build-json-oas-spec APIM_ENV=dev
-        else
-          make build-json-oas-spec APIM_ENV=dev-pr
-        fi
-
-    - name: Set target
-      shell: bash
-      run: |
-        jq --arg newurl "$TARGET" '.["x-nhsd-apim"].target.url = $newurl' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
-
-
-    - name: Deploy to Internal Dev
-      shell: bash
-      run: |
-        proxygen instance deploy internal-dev $INSTANCE build/notify-supplier.json --no-confirm
-
     - name: Build sandbox oas
       working-directory: .
       shell: bash

.github/scripts/dispatch_internal_repo_workflow.sh

@@ -0,0 +1,252 @@
+#!/bin/bash
+
+# Triggers a remote GitHub workflow in nhs-notify-internal and waits for completion.
+
+# Usage:
+#   ./dispatch_internal_repo_workflow.sh \
+#     --infraRepoName <repo> \
+#     --releaseVersion <version> \
+#     --targetWorkflow <workflow.yaml> \
+#     --targetEnvironment <env> \
+#     --targetComponent <component> \
+#     --targetAccountGroup <group> \
+#     --terraformAction <action> \
+#     --internalRef <ref> \
+#     --overrides <overrides> \
+#     --overrideProjectName <name> \
+#     --overrideRoleName <name>
+
+#
+# All arguments are required except terraformAction, and internalRef.
+# Example:
+#   ./dispatch_internal_repo_workflow.sh \
+#     --infraRepoName "nhs-notify-web-template-management" \
+#     --releaseVersion "v1.2.3" \
+#     --targetWorkflow "deploy.yaml" \
+#     --targetEnvironment "prod" \
+#     --targetComponent "web" \
+#     --targetAccountGroup "core" \
+#     --terraformAction "apply" \
+#     --internalRef "main" \
+#     --overrides "tf_var=someString" \
+#     --overrideProjectName nhs \
+#     --overrideRoleName nhs-service-iam-role
+
+set -e
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --infraRepoName) # Name of the infrastructure repo in NHSDigital org (required)
+      infraRepoName="$2"
+      shift 2
+      ;;
+    --releaseVersion) # Release version, commit, or tag to deploy (required)
+      releaseVersion="$2"
+      shift 2
+      ;;
+    --targetWorkflow) # Name of the workflow file to call in nhs-notify-internal (required)
+      targetWorkflow="$2"
+      shift 2
+      ;;
+    --targetEnvironment) # Terraform environment to deploy (required)
+      targetEnvironment="$2"
+      shift 2
+      ;;
+    --targetComponent) # Terraform component to deploy (required)
+      targetComponent="$2"
+      shift 2
+      ;;
+    --targetAccountGroup) # Terraform account group to deploy (required)
+      targetAccountGroup="$2"
+      shift 2
+      ;;
+    --terraformAction) # Terraform action to run (optional)
+      terraformAction="$2"
+      shift 2
+      ;;
+    --internalRef) # Internal repo reference branch or tag (optional, default: "main")
+      internalRef="$2"
+      shift 2
+      ;;
+    --overrides) # Terraform overrides for passing in extra variables (optional)
+      overrides="$2"
+      shift 2
+      ;;
+    --overrideProjectName) # Override the project name (optional)
+      overrideProjectName="$2"
+      shift 2
+      ;;
+    --overrideRoleName) # Override the role name (optional)
+      overrideRoleName="$2"
+      shift 2
+      ;;
+    *)
+    echo "[ERROR] Unknown argument: $1"
+      exit 1
+      ;;
+  esac
+done
+
+# Set default values if not provided
+if [[ -z "$PR_TRIGGER_PAT" ]]; then
+  echo "[ERROR] PR_TRIGGER_PAT environment variable is not set or is empty."
+  exit 1
+fi
+
+if [[ -z "$overrides" ]]; then
+  overrides=""
+fi
+
+if [[ -z "$internalRef" ]]; then
+  internalRef="main"
+fi
+
+echo "==================== Workflow Dispatch Parameters ===================="
+echo "  infraRepoName:      $infraRepoName"
+echo "  releaseVersion:     $releaseVersion"
+echo "  targetWorkflow:     $targetWorkflow"
+echo "  targetEnvironment:  $targetEnvironment"
+echo "  targetComponent:    $targetComponent"
+echo "  targetAccountGroup: $targetAccountGroup"
+echo "  terraformAction:    $terraformAction"
+echo "  internalRef:        $internalRef"
+echo "  overrides:          $overrides"
+echo "  overrideProjectName: $overrideProjectName"
+echo "  overrideRoleName:   $overrideRoleName"
+echo "  targetProject:      $targetProject"
+
+DISPATCH_EVENT=$(jq -ncM \
+  --arg infraRepoName "$infraRepoName" \
+  --arg releaseVersion "$releaseVersion" \
+  --arg targetEnvironment "$targetEnvironment" \
+  --arg targetAccountGroup "$targetAccountGroup" \
+  --arg targetComponent "$targetComponent" \
+  --arg terraformAction "$terraformAction" \
+  --arg targetWorkflow "$targetWorkflow" \
+  --arg overrides "$overrides" \
+  --arg overrideProjectName "$overrideProjectName" \
+  --arg overrideRoleName "$overrideRoleName" \
+  --arg targetProject "$targetProject" \
+  '{
+    "ref": "'"$internalRef"'",
+    "inputs": (
+      (if $infraRepoName != "" then { "infraRepoName": $infraRepoName } else {} end) +
+      (if $terraformAction != "" then { "terraformAction": $terraformAction } else {} end) +
+      (if $overrideProjectName != "" then { "overrideProjectName": $overrideProjectName } else {} end) +
+      (if $overrideRoleName != "" then { "overrideRoleName": $overrideRoleName } else {} end) +
+      (if $targetProject != "" then { "targetProject": $targetProject } else {} end) +
+      {
+        "releaseVersion": $releaseVersion,
+        "targetEnvironment": $targetEnvironment,
+        "targetAccountGroup": $targetAccountGroup,
+        "targetComponent": $targetComponent,
+        "overrides": $overrides,
+      }
+    )
+  }')
+
+echo "[INFO] Triggering workflow '$targetWorkflow' in nhs-notify-internal..."
+
+trigger_response=$(curl -s -L \
+  --fail \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/$targetWorkflow/dispatches" \
+  -d "$DISPATCH_EVENT" 2>&1)
+
+if [[ $? -ne 0 ]]; then
+  echo "[ERROR] Failed to trigger workflow. Response: $trigger_response"
+  exit 1
+fi
+
+echo "[INFO] Workflow trigger request sent successfully, waiting for completion..."
+
+sleep 10 # Wait a few seconds before checking for the presence of the api to account for GitHub updating
+
+# Poll GitHub API to check the workflow status
+workflow_run_url=""
+
+for _ in {1..18}; do
+
+  response=$(curl -s -L \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs?event=workflow_dispatch")
+
+  if ! echo "$response" | jq empty 2>/dev/null; then
+    echo "[ERROR] Invalid JSON response from GitHub API during workflow polling:"
+    echo "$response"
+    exit 1
+  fi
+
+  workflow_run_url=$(echo "$response" | jq -r \
+    --arg targetWorkflow "$targetWorkflow" \
+    --arg targetEnvironment "$targetEnvironment" \
+    --arg targetAccountGroup "$targetAccountGroup" \
+    --arg targetComponent "$targetComponent" \
+    --arg terraformAction "$terraformAction" \
+    '.workflow_runs[]
+      | select(.path == ".github/workflows/" + $targetWorkflow)
+      | select(.name
+          | contains($targetEnvironment)
+          and contains($targetAccountGroup)
+          and contains($targetComponent)
+          and contains($terraformAction)
+      )
+      | .url')
+
+  if [[ -n "$workflow_run_url" && "$workflow_run_url" != null ]]; then
+    # Workflow_run_url is a list of all workflows which were run for this combination of inputs, but are the API uri
+    workflow_run_url=$(echo "$workflow_run_url" | head -n 1)
+
+    # Take the first and strip it back to being an accessible url
+    # Example https://api.github.com/repos/MyOrg/my-repo/actions/runs/12346789 becomes
+    # becomes https://github.com/MyOrg/my-repo/actions/runs/12346789
+    workflow_run_ui_url=${workflow_run_url/api./} # Strips the api. prefix
+    workflow_run_ui_url=${workflow_run_ui_url/\/repos/} # Strips the repos/ uri
+    echo "[INFO] Found workflow run url: $workflow_run_ui_url"
+    break
+  fi
+
+  echo "[$(date '+%Y-%m-%d %H:%M:%S')] Waiting for workflow to start..."
+  sleep 10
+done
+
+if [[ -z "$workflow_run_url" || "$workflow_run_url" == null ]]; then
+  echo "[ERROR] Failed to get the workflow run url. Exiting."
+  exit 1
+fi
+
+# Wait for workflow completion
+while true; do
+  sleep 10
+  response=$(curl -s -L \
+    -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \
+    -H "Accept: application/vnd.github+json" \
+    "$workflow_run_url")
+
+  status=$(echo "$response" | jq -r '.status')
+  echo "[$(date '+%Y-%m-%d %H:%M:%S')] Workflow status: $status"
+
+  if [ "$status" == "completed" ]; then
+    conclusion=$(echo "$response" | jq -r '.conclusion')
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Workflow conclusion: $conclusion"
+
+    if [ -z "$conclusion" ] || [ "$conclusion" == "null" ]; then
+      echo "[WARN] Workflow marked completed but conclusion not yet available, retrying..."
+      sleep 5
+      continue
+    fi
+
+    if [ "$conclusion" == "success" ]; then
+      echo "[SUCCESS] Workflow completed successfully!"
+      exit 0
+    else
+      echo "[FAIL] Workflow failed with conclusion: $conclusion"
+      exit 1
+    fi
+  fi
+done

.github/workflows/cicd-1-pull-request.yaml

@@ -46,22 +46,25 @@ jobs:
           echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "version=$(echo $version)" >> $GITHUB_OUTPUT
           echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT
-
       - name: "Check if pull request exists for this branch"
         id: pr_exists
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
           echo "Current branch is '$branch_name'"
-          if gh pr list --head $branch_name | grep -q .; then
-            echo "Pull request exists"
+
+          pr_json=$(gh pr list --head "$branch_name" --state open --json number --limit 1)
+          pr_number=$(echo "$pr_json" | jq -r '.[0].number // empty')
+
+          if [[ -n "$pr_number" ]]; then
+            echo "Pull request exists: #$pr_number"
             echo "does_pull_request_exist=true" >> $GITHUB_OUTPUT
-            PR_NUMBER=$(gh pr list --head "$branch_name" --state open --json number -q '.[0].number')
-            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+            echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
           else
             echo "Pull request doesn't exist"
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
+            echo "pr_number=" >> $GITHUB_OUTPUT
           fi
       - name: "List variables"
         run: |
@@ -75,7 +78,6 @@ jobs:
           export VERSION="${{ steps.variables.outputs.version }}"
           export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
           export IS_VERSION_PRERELEASE="${{ steps.variables.outputs.is_version_prerelease }}"
-          export PR_NUMBER="${{ steps.pr_exists.outputs.pr_number }}"
           make list-variables
   commit-stage: # Recommended maximum execution time is 2 minutes
     name: "Commit stage"
@@ -131,6 +133,7 @@ jobs:
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
+      pr_number: ${{ needs.metadata.outputs.pr_number }}
     secrets: inherit
   publish-stage: # Recommended maximum execution time is 10 minutes
     name: "Publish stage"