CCM-11938: Move Proxygen Deploy to Internal (#177)

* CCM-11938: Setting calls for proxygen workflow in internal

* CCM-11938: Fix sonar issues

* CCM-11938: Fix apim env var export

* CCM-11938: Fix apim env var export

* CCM-11938: Push to main default

* CCM-11938: Push to main default

Author: sidnhs

.github/actions/build-proxies/action.yml

@@ -4,7 +4,27 @@ description: "Build Proxies"
 inputs:
   version:
     description: "Version number"
+    required: false
+  releaseVersion:
+    description: "Release, tag, branch, or commit ID to be used for deployment"
     required: true
+  environment:
+    description: "Deployment environment"
+    required: true
+  apimEnv:
+    description: "APIM environment"
+    required: true
+  runId:
+    description: "GitHub Actions run ID to fetch the OAS artifact from"
+    required: true
+  buildSandbox:
+    description: "Whether to build the sandbox OAS spec"
+    required: false
+    default: false
+  targetComponent:
+    description: "Name of the Component to deploy"
+    required: true
+    default: 'api'
 
 runs:
   using: composite
@@ -25,46 +45,71 @@ runs:
       shell: bash
       run: |
 
+        ENV="${{ inputs.apimEnv }}"
+        if [[ "$ENV" == "internal-dev" || "$ENV" == *pr ]]; then
+          echo "TARGET_DOMAIN=suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+        elif [[ "$ENV" == "int" ]]; then
+          echo "TARGET_DOMAIN=suppliers.nonprod.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+        elif [[ "$ENV" == "prod" ]]; then
+          echo "TARGET_DOMAIN=suppliers.prod.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+        else
+          echo "TARGET_DOMAIN=suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+        fi
+
         if [ -z $PR_NUMBER ]
         then
           echo "INSTANCE=$PROXYGEN_API_NAME" >> $GITHUB_ENV
-          echo "TARGET=https://main.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+          echo "TARGET=https://main.$TARGET_DOMAIN" >> $GITHUB_ENV
           echo "SANDBOX_TAG=latest" >> $GITHUB_ENV
           echo "MTLS_NAME=notify-supplier-mtls" >> $GITHUB_ENV
         else
-          echo "TARGET=https://pr$PR_NUMBER.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+          echo "TARGET=https://pr$PR_NUMBER.$TARGET_DOMAIN" >> $GITHUB_ENV
           echo "INSTANCE=$PROXYGEN_API_NAME-PR-$PR_NUMBER" >> $GITHUB_ENV
           echo "SANDBOX_TAG=pr$PR_NUMBER" >> $GITHUB_ENV
           echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
         fi
 
-    - name: Install Proxygen client
-      shell: bash
-      run: |
-        # Install proxygen cli
-        pip install pipx
-        pipx install proxygen-cli
-
-        # Setup proxygen auth and settings
-        mkdir -p ${HOME}/.proxygen
-        echo -n $PROXYGEN_PRIVATE_KEY | base64 --decode > ${HOME}/.proxygen/key
-        envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml
-        envsubst < ./.github/proxygen-credentials-template.yaml | cat
-        envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
-        envsubst < ./.github/proxygen-settings.yaml | cat
-
-    - name: Build sandbox oas
+    - name: Build ${{ inputs.apimEnv }} oas
       working-directory: .
+      env:
+        APIM_ENV: ${{ inputs.apimEnv }}
       shell: bash
       run: |
-        make build-json-oas-spec APIM_ENV=sandbox
+        if [ ${{ env.APIM_ENV }} == "internal-dev-sandbox" ] && [ ${{ inputs.buildSandbox }} == true ]
+        then
+          echo "Building sandbox OAS spec"
+          make build-json-oas-spec APIM_ENV=sandbox
+        else
+          echo "Building env specific OAS spec"
+          make build-json-oas-spec APIM_ENV=${{ env.APIM_ENV }}
+        fi
 
-    - name: Set docker tag
-      shell: bash
-      run: |
-        jq --arg newtag "$SANDBOX_TAG" '.["x-nhsd-apim"].target.containers[0].image.tag = $newtag' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
+        if [[ $APIM_ENV == *-pr ]]; then
+          echo "Removing pr suffix from APIM_ENV after building OAS and calling proxygen"
+          APIM_ENV=$(echo "$APIM_ENV" | sed 's/-pr$//')
+        fi
+        echo "APIM_ENV=$APIM_ENV" >> $GITHUB_ENV
+
+    - name: Upload OAS Spec
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ env.APIM_ENV }}-build-output
+        path: ./build
 
-    - name: Deploy to Internal Dev Sandbox
+    - name: Trigger deploy proxy
+      env:
+        PR_TRIGGER_PAT: ${{ env.PR_TRIGGER_PAT }}
       shell: bash
       run: |
-        proxygen instance deploy internal-dev-sandbox $INSTANCE build/notify-supplier.json --no-confirm
+        .github/scripts/dispatch_internal_repo_workflow.sh \
+          --infraRepoName "nhs-notify-supplier-api" \
+          --releaseVersion "${{ inputs.releaseVersion }}" \
+          --targetComponent "${{ inputs.targetComponent }}" \
+          --targetWorkflow "proxy-deploy.yaml" \
+          --targetEnvironment "${{ inputs.environment }}" \
+          --runId "${{ inputs.runId }}" \
+          --buildSandbox ${{ inputs.buildSandbox }} \
+          --apimEnvironment "${{ env.APIM_ENV }}" \
+          --boundedContext "notify-supplier" \
+          --targetDomain "$TARGET_DOMAIN" \
+          --version "${{ inputs.version }}"

.github/scripts/dispatch_internal_repo_workflow.sh

@@ -68,6 +68,10 @@ while [[ $# -gt 0 ]]; do
       internalRef="$2"
       shift 2
       ;;
+    --runId) # Github Run ID (optional)
+      runId="$2"
+      shift 2
+      ;;
     --overrides) # Terraform overrides for passing in extra variables (optional)
       overrides="$2"
       shift 2
@@ -80,6 +84,26 @@ while [[ $# -gt 0 ]]; do
       overrideRoleName="$2"
       shift 2
       ;;
+    --buildSandbox) # Build sandbox flag (optional)
+      buildSandbox="$2"
+      shift 2
+      ;;
+    --apimEnvironment) # APIM environment (optional)
+      apimEnvironment="$2"
+      shift 2
+      ;;
+    --boundedContext) # Bounded context (optional)
+      boundedContext="$2"
+      shift 2
+      ;;
+    --targetDomain) # Target domain (optional)
+      targetDomain="$2"
+      shift 2
+      ;;
+    --version) # Version (optional)
+      version="$2"
+      shift 2
+      ;;
     *)
     echo "[ERROR] Unknown argument: $1"
       exit 1
@@ -101,6 +125,30 @@ if [[ -z "$internalRef" ]]; then
   internalRef="main"
 fi
 
+if [[ -z "$runId" ]]; then
+  runId=""
+fi
+
+if [[ -z "$buildSandbox" ]]; then
+  buildSandbox=""
+fi
+
+if [[ -z "$apimEnvironment" ]]; then
+  apimEnvironment=""
+fi
+
+if [[ -z "$boundedContext" ]]; then
+  boundedContext=""
+fi
+
+if [[ -z "$targetDomain" ]]; then
+  targetDomain=""
+fi
+
+if [[ -z "$version" ]]; then
+  version=""
+fi
+
 echo "==================== Workflow Dispatch Parameters ===================="
 echo "  infraRepoName:      $infraRepoName"
 echo "  releaseVersion:     $releaseVersion"
@@ -114,6 +162,12 @@ echo "  overrides:          $overrides"
 echo "  overrideProjectName: $overrideProjectName"
 echo "  overrideRoleName:   $overrideRoleName"
 echo "  targetProject:      $targetProject"
+echo "  runId:              $runId"
+echo "  buildSandbox:        $buildSandbox"
+echo "  apimEnvironment:     $apimEnvironment"
+echo "  boundedContext:       $boundedContext"
+echo "  targetDomain:         $targetDomain"
+echo "  version:              $version"
 
 DISPATCH_EVENT=$(jq -ncM \
   --arg infraRepoName "$infraRepoName" \
@@ -127,6 +181,12 @@ DISPATCH_EVENT=$(jq -ncM \
   --arg overrideProjectName "$overrideProjectName" \
   --arg overrideRoleName "$overrideRoleName" \
   --arg targetProject "$targetProject" \
+  --arg runId "$runId" \
+  --arg buildSandbox "$buildSandbox" \
+  --arg apimEnvironment "$apimEnvironment" \
+  --arg boundedContext "$boundedContext" \
+  --arg targetDomain "$targetDomain" \
+  --arg version "$version" \
   '{
     "ref": "'"$internalRef"'",
     "inputs": (
@@ -135,18 +195,26 @@ DISPATCH_EVENT=$(jq -ncM \
       (if $overrideProjectName != "" then { "overrideProjectName": $overrideProjectName } else {} end) +
       (if $overrideRoleName != "" then { "overrideRoleName": $overrideRoleName } else {} end) +
       (if $targetProject != "" then { "targetProject": $targetProject } else {} end) +
+      (if $overrides != "" then { "overrides": $overrides } else {} end) +
+      (if $runId != "" then { "runId": $runId } else {} end) +
+      (if $buildSandbox != "" then { "buildSandbox": $buildSandbox } else {} end) +
+      (if $apimEnvironment != "" then { "apimEnvironment": $apimEnvironment } else {} end) +
+      (if $boundedContext != "" then { "boundedContext": $boundedContext } else {} end) +
+      (if $targetDomain != "" then { "targetDomain": $targetDomain } else {} end) +
+      (if $version != "" then { "version": $version } else {} end) +
+      (if $targetAccountGroup != "" then { "targetAccountGroup": $targetAccountGroup } else {} end) +
       {
         "releaseVersion": $releaseVersion,
         "targetEnvironment": $targetEnvironment,
-        "targetAccountGroup": $targetAccountGroup,
         "targetComponent": $targetComponent,
-        "overrides": $overrides,
       }
     )
   }')
 
 echo "[INFO] Triggering workflow '$targetWorkflow' in nhs-notify-internal..."
 
+echo "[DEBUG] Dispatch event payload: $DISPATCH_EVENT"
+
 trigger_response=$(curl -s -L \
   --fail \
   -X POST \
@@ -185,16 +253,12 @@ for _ in {1..18}; do
   workflow_run_url=$(echo "$response" | jq -r \
     --arg targetWorkflow "$targetWorkflow" \
     --arg targetEnvironment "$targetEnvironment" \
-    --arg targetAccountGroup "$targetAccountGroup" \
     --arg targetComponent "$targetComponent" \
-    --arg terraformAction "$terraformAction" \
     '.workflow_runs[]
       | select(.path == ".github/workflows/" + $targetWorkflow)
       | select(.name
           | contains($targetEnvironment)
-          and contains($targetAccountGroup)
           and contains($targetComponent)
-          and contains($terraformAction)
       )
       | .url')
 

.github/workflows/manual-proxy-environment-deploy.yaml

@@ -0,0 +1,83 @@
+name: Deploy proxy to environment
+run-name: Proxygen Deployment for ${{ inputs.proxy_environment }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      proxy_environment:
+        description: Name of the proxygen environment to deploy to
+        required: true
+        type: choice
+        default: internal-dev
+        options:
+          - internal-dev
+          - int
+          - prod
+
+permissions:
+  contents: read
+
+jobs:
+  deploy-environment:
+    runs-on: ubuntu-latest
+    name: Deploy to Environment
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - name: Npm install
+        working-directory: .
+        run: npm ci
+        shell: bash
+
+      - name: "Check if pull request exists for this branch and set ENVIRONMENT/APIM_ENV"
+        id: pr_exists
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+          echo "Current branch is '$branch_name'"
+
+          if [ -z "${{ inputs.proxy_environment }}" ]; then
+            ENVIRONMENT="internal-dev"
+          else
+            ENVIRONMENT="${{ inputs.proxy_environment }}"
+          fi
+
+          pr_json=$(gh pr list --head "$branch_name" --state open --json number --limit 1)
+          pr_number=$(echo "$pr_json" | jq -r '.[0].number // empty')
+
+          if [[ -n "$pr_number" ]]; then
+            echo "Pull request exists: #$pr_number"
+            echo "does_pull_request_exist=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+            APIM_ENV="$ENVIRONMENT-pr"
+            echo "changing environment variable so that PR number is used in proxy pipeline for setting env vars"
+            ENVIRONMENT="pr$pr_number"
+          else
+            echo "Pull request doesn't exist, setting target env to main"
+            echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
+            echo "pr_number=" >> $GITHUB_OUTPUT
+            APIM_ENV="$ENVIRONMENT"
+            $ENVIRONMENT='main'
+          fi
+
+          echo "ENVIRONMENT=$ENVIRONMENT" >> $GITHUB_ENV
+          echo "APIM_ENV=$APIM_ENV" >> $GITHUB_ENV
+
+      - name: "Build proxies"
+        env:
+          PROXYGEN_API_NAME: nhs-notify-supplier
+          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+        uses: ./.github/actions/build-proxies
+        with:
+          environment: "${{ env.ENVIRONMENT }}"
+          apimEnv: "${{ env.APIM_ENV }}"
+          runId: "${{ github.run_id }}"
+          buildSandbox: false
+          releaseVersion: ${{ github.ref_name }}