Feature/ccm 13428 trigger proxy deploy (#310)

* CCM-13419 Refactor build steps

* CCM-13419 Generate specification variants on build

* CCM-13428 OnRelease workflow triggers proxy deploy

---------

Co-authored-by: Mark Slowey <113013138+masl2@users.noreply.github.com>

Author: stevebux

.github/actions/build-oas-spec/action.yml

@@ -0,0 +1,68 @@
+name: "Build OAS Spec"
+description: "Build OAS Spec"
+
+inputs:
+  version:
+    description: "Version number"
+    required: true
+  apimEnv:
+    description: "APIM environment"
+    required: true
+  buildSandbox:
+    description: "Whether to build the sandbox OAS spec"
+    required: false
+    default: false
+  nodejs_version:
+    description: "Node.js version, set by the CI/CD pipeline workflow"
+    required: true
+  NODE_AUTH_TOKEN:
+    description: "Token for access to github package registry"
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.nodejs_version }}
+        registry-url: 'https://npm.pkg.github.com'
+
+    - name: "Cache node_modules"
+      uses: actions/cache@v4
+      with:
+        path: |
+          **/node_modules
+        key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
+
+    - name: Npm install
+      working-directory: .
+      env:
+        NODE_AUTH_TOKEN: ${{ inputs.NODE_AUTH_TOKEN }}
+      run: npm ci
+      shell: bash
+
+    - name: Build ${{ inputs.apimEnv }} oas
+      working-directory: .
+      env:
+        APIM_ENV: ${{ inputs.apimEnv }}
+      shell: bash
+      run: |
+        if [ ${{ env.APIM_ENV }} == "internal-dev-sandbox" ] && [ ${{ inputs.buildSandbox }} == true ]
+        then
+          echo "Building sandbox OAS spec"
+          make build-json-oas-spec APIM_ENV=sandbox
+        else
+          echo "Building env specific OAS spec"
+          make build-json-oas-spec APIM_ENV=${{ env.APIM_ENV }}
+        fi
+
+    - name: Upload API OAS specification artifact
+      uses: actions/upload-artifact@v4
+      with:
+        path: "build"
+        name: api-oas-specification-${{ inputs.apimEnv }}${{ inputs.version != '' && format('-{0}', inputs.version) || '' }}

.github/actions/build-proxies/action.yml

@@ -8,6 +8,10 @@ inputs:
   releaseVersion:
     description: "Release, tag, branch, or commit ID to be used for deployment"
     required: true
+  isRelease:
+    description: "True if releaseVersion is a release tag (if set, downloads from release assets instead of workflow artifacts)"
+    required: false
+    default: false
   environment:
     description: "Deployment environment"
     required: true
@@ -25,39 +29,33 @@ inputs:
     description: "Name of the Component to deploy"
     required: true
     default: 'api'
-  nodejs_version:
-    description: "Node.js version, set by the CI/CD pipeline workflow"
-    required: true
-  NODE_AUTH_TOKEN:
-    description: "Token for access to github package registry"
-    required: true
 
 runs:
   using: composite
 
   steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+    - name: Download OAS Spec artifact from workflow
+      if: ${{ inputs.isRelease == 'false' }}
+      uses: actions/download-artifact@v4
       with:
-        node-version: ${{ inputs.nodejs_version }}
-        registry-url: 'https://npm.pkg.github.com'
-
-    - name: "Cache node_modules"
-      uses: actions/cache@v4
-      with:
-        path: |
-          **/node_modules
-        key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
+        name: api-oas-specification-${{ inputs.apimEnv }}${{ inputs.version != '' && format('-{0}', inputs.version) || '' }}
+        path: ./build
 
-    - name: Npm install
-      working-directory: .
-      env:
-        NODE_AUTH_TOKEN: ${{ inputs.NODE_AUTH_TOKEN }}
-      run: npm ci
+    - name: Download OAS Spec artifact from release
+      if: ${{ inputs.isRelease == 'true' }}
       shell: bash
+      run: |
+        mkdir ./build
+        ASSET_PATTERN="api-oas-specification-${{ inputs.apimEnv }}-*.zip"
+        gh release download "${{ inputs.releaseVersion }}" \
+          --pattern "$ASSET_PATTERN" \
+          --dir ./build
+        # Unzip the downloaded file (there should be exactly one match)
+        ASSET_FILE=$(ls ./build/api-oas-specification-${{ inputs.apimEnv }}-*.zip)
+        unzip "$ASSET_FILE" -d ./build
+        rm "$ASSET_FILE"
+      env:
+        GH_TOKEN: ${{ github.token }}
 
     - name: Setup Proxy Name and target
       shell: bash
@@ -87,21 +85,10 @@ runs:
           echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
         fi
 
-    - name: Build ${{ inputs.apimEnv }} oas
-      working-directory: .
-      env:
-        APIM_ENV: ${{ inputs.apimEnv }}
+    - name: Set APIM_ENV
       shell: bash
       run: |
-        if [ ${{ env.APIM_ENV }} == "internal-dev-sandbox" ] && [ ${{ inputs.buildSandbox }} == true ]
-        then
-          echo "Building sandbox OAS spec"
-          make build-json-oas-spec APIM_ENV=sandbox
-        else
-          echo "Building env specific OAS spec"
-          make build-json-oas-spec APIM_ENV=${{ env.APIM_ENV }}
-        fi
-
+        APIM_ENV="${{ inputs.apimEnv }}"
         if [[ $APIM_ENV == *-pr ]]; then
           echo "Removing pr suffix from APIM_ENV after building OAS and calling proxygen"
           APIM_ENV=$(echo "$APIM_ENV" | sed 's/-pr$//')

.github/actions/build-sdk/action.yml

@@ -55,12 +55,6 @@ runs:
       run: |
         make build VERSION="${{ inputs.version }}"
 
-    - name: Upload API OAS specification artifact
-      uses: actions/upload-artifact@v4
-      with:
-        path: "build"
-        name: api-oas-specification-${{ inputs.version }}
-
     - name: Upload html artifact
       uses: actions/upload-artifact@v4
       with:

.github/workflows/manual-proxy-environment-deploy.yaml

@@ -77,6 +77,13 @@ jobs:
           echo "ENVIRONMENT=$ENVIRONMENT" >> $GITHUB_ENV
           echo "APIM_ENV=$APIM_ENV" >> $GITHUB_ENV
 
+      - name: "Build OAS spec"
+        uses: ./.github/actions/build-oas-spec
+        with:
+          apimEnv: "${{ env.APIM_ENV }}"
+          buildSandbox: ${{ inputs.build_sandbox }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: "Build proxies"
         env:
           PROXYGEN_API_NAME: nhs-notify-supplier
@@ -90,4 +97,3 @@ jobs:
           runId: "${{ github.run_id }}"
           buildSandbox: ${{ inputs.build_sandbox }}
           releaseVersion: ${{ github.ref_name }}
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release_created.yaml

@@ -17,11 +17,6 @@ jobs:
       id-token: write
       contents: read
 
-    strategy:
-      max-parallel: 1
-      matrix:
-        component: [api]
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
@@ -36,5 +31,32 @@ jobs:
             --targetWorkflow "dispatch-deploy-static-notify-supplier-api-env.yaml" \
             --targetEnvironment "main" \
             --targetAccountGroup "nhs-notify-supplier-api-nonprod" \
-            --targetComponent "${{ matrix.component }}" \
+            --targetComponent "api" \
             --terraformAction "apply"
+  deploy-proxy:
+    name: "Deploy proxy"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+
+    env:
+      PROXYGEN_API_NAME: nhs-notify-supplier
+      APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
+      APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+
+      - name: "Build proxies"
+        uses: ./.github/actions/build-proxies
+        with:
+          environment: "main"
+          apimEnv: "int"
+          runId: "${{ github.run_id }}"
+          releaseVersion: "${{ github.event.release.tag_name }}"
+          isRelease: true

.github/workflows/stage-3-build.yaml

@@ -55,9 +55,47 @@ jobs:
           version: "${{ inputs.version }}"
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  artefact-oas-spec:
+    name: "Build OAS spec (${{ matrix.apimEnv }})"
+    runs-on: ubuntu-latest
+    needs: [artefact-jekyll-docs]
+    timeout-minutes: 10
+    strategy:
+      matrix:
+        apimEnv: [internal-dev-pr, internal-dev, int, ref, prod]
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Build OAS spec"
+        uses: ./.github/actions/build-oas-spec
+        with:
+          version: "${{ inputs.version }}"
+          apimEnv: "${{ matrix.apimEnv }}"
+          buildSandbox: false
+          nodejs_version: ${{ inputs.nodejs_version }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  artefact-oas-spec-sandbox:
+    name: "Build OAS spec for sandbox"
+    runs-on: ubuntu-latest
+    needs: [artefact-jekyll-docs]
+    timeout-minutes: 10
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Build proxies"
+        uses: ./.github/actions/build-oas-spec
+        with:
+          version: "${{ inputs.version }}"
+          apimEnv: "internal-dev-sandbox"
+          buildSandbox: true
+          nodejs_version: ${{ inputs.nodejs_version }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   artefact-sdks:
     name: "Build SDKs"
     runs-on: ubuntu-latest
+    needs: [artefact-oas-spec]
     timeout-minutes: 10
     steps:
       - name: "Checkout code"
@@ -94,6 +132,7 @@ jobs:
   pr-create-dynamic-environment:
     name: Create Dynamic Environment
     runs-on: ubuntu-latest
+    if: inputs.pr_number != ''
     steps:
       - uses: actions/checkout@v5
       - name: Trigger dynamic environment creation
@@ -117,7 +156,8 @@ jobs:
   artefact-proxies:
     name: "Build proxies"
     runs-on: ubuntu-latest
-    needs: [pr-create-dynamic-environment]
+    if: inputs.pr_number != ''
+    needs: [artefact-oas-spec-sandbox, pr-create-dynamic-environment]
     timeout-minutes: 10
     env:
       PROXYGEN_API_NAME: nhs-notify-supplier
@@ -136,5 +176,3 @@ jobs:
           runId: "${{ github.run_id }}"
           buildSandbox: true
           releaseVersion: ${{ github.head_ref || github.ref_name }}
-          nodejs_version: ${{ inputs.nodejs_version }}
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stage-5-publish.yaml

@@ -40,6 +40,9 @@ jobs:
     name: "Publish packages"
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    outputs:
+      release_id: ${{ steps.create_release.outputs.id }}
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
 
     steps:
       - name: "Checkout code"
@@ -87,12 +90,6 @@ jobs:
           path: ./artifacts/sdk-csharp-${{ inputs.version }}
           name: sdk-csharp-${{ inputs.version }}
 
-      - name: "Get the artefacts 8"
-        uses: actions/download-artifact@v6
-        with:
-          path: ./artifacts/api-oas-specification-${{ inputs.version }}
-          name: api-oas-specification-${{ inputs.version }}
-
       # Take out for now - might add again in the future
       # - name: "Get the artefacts 9"
       #   uses: actions/download-artifact@v6
@@ -207,22 +204,6 @@ jobs:
           asset_name: sdk-csharp-${{ inputs.version }}.zip
           asset_content_type: "application/gzip"
 
-      - name: "zip api OAS specification release asset"
-        # GitHub pages needs a single tar called artifact inside the zip.
-        working-directory: ./artifacts/api-oas-specification-${{ inputs.version }}
-        run: zip -r ../api-oas-specification-${{ inputs.version }}.zip .
-        shell: bash
-
-      - name: "Upload api OAS specification release asset"
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: "${{ steps.create_release.outputs.upload_url }}"
-          asset_path: ./artifacts/api-oas-specification-${{ inputs.version }}.zip
-          asset_name: api-oas-specification-${{ inputs.version }}.zip
-          asset_content_type: "application/gzip"
-
       # Take out for now - might add again in the future
       # - name: "zip csharp server release asset"
       #   # GitHub pages needs a single tar called artifact inside the zip.
@@ -241,6 +222,36 @@ jobs:
       #     asset_name: server-csharp-${{ inputs.version }}.zip
       #     asset_content_type: "application/gzip"
 
+  publish-oas-specs:
+    name: "Publish OAS spec (${{ matrix.apimEnv }})"
+    runs-on: ubuntu-latest
+    needs: [publish]
+    timeout-minutes: 10
+    strategy:
+      matrix:
+        apimEnv: [internal-dev, int, ref, prod]
+    steps:
+      - name: "Download OAS spec artifact"
+        uses: actions/download-artifact@v6
+        with:
+          path: ./artifacts/api-oas-specification-${{ matrix.apimEnv }}-${{ inputs.version }}
+          name: api-oas-specification-${{ matrix.apimEnv }}-${{ inputs.version }}
+
+      - name: "Zip OAS specification"
+        working-directory: ./artifacts/api-oas-specification-${{ matrix.apimEnv }}-${{ inputs.version }}
+        run: zip -r ../api-oas-specification-${{ matrix.apimEnv }}-${{ inputs.version }}.zip .
+        shell: bash
+
+      - name: "Upload OAS specification release asset"
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.publish.outputs.upload_url }}
+          asset_path: ./artifacts/api-oas-specification-${{ matrix.apimEnv }}-${{ inputs.version }}.zip
+          asset_name: api-oas-specification-${{ matrix.apimEnv }}-${{ inputs.version }}.zip
+          asset_content_type: "application/zip"
+
   # Take out for now - might add again in the future
   # ### PUBLISH DOCKER  - THIS NEEDS CHANGING TO DO THE DOCKER BUILD IN THE BUILD STAGE AND ARTIFACT IT. SEE publishlibhostdocker below how how and the buildlibs action.
   #   publishdocker: