Merge branch 'main' into feature/APIM-tests

Author: Namitha-Prabhu

.editorconfig

@@ -67,3 +67,6 @@ trim_trailing_whitespace = unset
 indent_style = unset
 indent_size = unset
 generated_code = true
+
+[/internal/events/**/*.schema.json]
+insert_final_newline = unset

.github/actions/build-proxies/action.yml

@@ -25,6 +25,9 @@ inputs:
     description: "Name of the Component to deploy"
     required: true
     default: 'api'
+  nodejs_version:
+    description: "Node.js version, set by the CI/CD pipeline workflow"
+    required: true
 
 runs:
   using: composite
@@ -34,7 +37,16 @@ runs:
       uses: actions/checkout@v4
     - uses: actions/setup-node@v4
       with:
-        node-version: 24
+        node-version: ${{ inputs.nodejs_version }}
+
+    - name: "Cache node_modules"
+      uses: actions/cache@v4
+      with:
+        path: |
+          **/node_modules
+        key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
 
     - name: Npm install
       working-directory: .

.github/workflows/pr_closed.yaml

@@ -62,3 +62,90 @@ jobs:
             --targetAccountGroup "nhs-notify-supplier-api-dev" \
             --targetComponent "${{ matrix.component }}" \
             --terraformAction "apply"
+
+  check-event-schemas-version-change:
+    name: Check for event schemas package version change
+    needs: check-merge-or-workflow-dispatch
+    if: needs.check-merge-or-workflow-dispatch.outputs.deploy == 'true'
+    outputs:
+      version_changed: ${{ steps.check-version.outputs.version_changed }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Setup NodeJS
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.nodejs_version }}
+
+      - name: check if local version differs from latest published version
+        id: check-version
+        run: |
+          published_version=$(npm view @nhsdigital/nhs-notify-event-schemas-supplier-api --json 2>/dev/null | jq -r '.["dist-tags"].latest // "null"')
+          echo "Published version: $published_version"
+
+          local_version=$(jq -r '.version' internal/events/package.json)
+          echo "Local version: $local_version"
+
+          if [[ $local_version = $published_version ]]; then
+            echo "Local version is the same as the latest published version - skipping publish"
+            echo "version_changed=false" >> $GITHUB_OUTPUT
+          else
+            echo "Local version is different to the latest published version - publishing new version"
+            echo "version_changed=true" >> $GITHUB_OUTPUT
+          fi
+
+  test-contract-provider:
+    name: "Test contracts (provider)"
+    needs: check-event-schemas-version-change
+    if: needs.check-event-schemas-version-change.outputs.version_changed == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: "Checkout code"
+        uses: actions/[email protected]
+      - name: Setup NodeJS
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.nodejs_version }}
+      - name: "Install dependencies"
+        run: npm ci
+      - name: "Run provider contract tests"
+        run: make test-contract-provider
+        env:
+          GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  publish-event-schemas:
+    name: Publish event schemas package to GitHub package registry
+    needs:
+      - check-event-schemas-version-change
+      - test-contract-provider
+    if: needs.check-event-schemas-version-change.outputs.version_changed == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Setup NodeJS
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.nodejs_version }}
+          registry-url: 'https://npm.pkg.github.com'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Publish to GitHub Packages
+        run: npm publish --workspace internal/events
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr_destroy_dynamic_env.yaml

@@ -8,8 +8,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
-  create-dynamic-environment:
+  destroy-dynamic-environment:
     name: Destroy Dynamic Environment
     runs-on: ubuntu-latest
 
@@ -32,3 +36,25 @@ jobs:
             --terraformAction "destroy" \
             --overrideProjectName "nhs" \
             --overrideRoleName "nhs-main-acct-supplier-api-github-deploy"
+
+  destroy-dynamic-proxy:
+    name: Destroy Dynamic Proxy
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Trigger dynamic proxy destruction
+        env:
+          APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
+          APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+        shell: bash
+        run: |
+          .github/scripts/dispatch_internal_repo_workflow.sh \
+          --infraRepoName "nhs-notify-supplier-api" \
+          --releaseVersion "main" \
+          --targetComponent "api" \
+          --targetWorkflow "proxy-destroy.yaml" \
+          --targetEnvironment "pr${{ github.event.number }}" \
+          --apimEnvironment "internal-dev-sandbox" \
+          --boundedContext "notify-supplier"

.github/workflows/scorecard.yml

@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           sarif_file: results.sarif

.github/workflows/stage-1-commit.yaml

@@ -199,3 +199,94 @@ jobs:
           idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
           idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
           idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"
+
+  detect-event-schema-package-changes:
+    name: "Check for changes to event schema package compared to main branch"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      changed: ${{ steps.check.outputs.changed }}
+      main_version: ${{ steps.check.outputs.main_version }}
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Detect package changes and current version
+        id: check
+        run: |
+          git fetch origin main
+
+          if git diff --quiet origin/main...HEAD -- internal/events; then
+            echo "No changes in event schemas package"
+            echo "changed=false" >> $GITHUB_OUTPUT
+          else
+            echo "Changes detected in event schemas"
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
+          if content=$(git show origin/main:internal/events/package.json 2>/dev/null); then
+            version=$(jq -r .version <<< $content);
+          else
+            version=null;
+          fi
+
+          echo "Detected package version $version in main branch"
+          echo "main_version=$version" >> $GITHUB_OUTPUT
+
+#  check-schemas-generated:
+#    name: Check event schemas have been regenerated
+#    needs: detect-event-schema-package-changes
+#    if: needs.detect-event-schema-package-changes.outputs.changed == 'true'
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read
+#    steps:
+#      - name: "Checkout code"
+#        uses: actions/checkout@v4
+#
+#      - name: "Cache node_modules"
+#        uses: actions/cache@v4
+#        with:
+#          path: |
+#            **/node_modules
+#          key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
+#          restore-keys: |
+#            ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
+#
+#      - name: "Re-generate schemas"
+#        run: |
+#          npm ci
+#          npm --workspace internal/events run gen:jsonschema
+#
+#      - name: Check for schema changes
+#        run: git diff --quiet internal/events/schemas
+
+  check-schema-version-change:
+    name: Check event schema version has been updated
+    needs: detect-event-schema-package-changes
+    if: needs.detect-event-schema-package-changes.outputs.changed == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Check schema versions
+        run: |
+          source scripts/is_valid_increment.sh
+
+          main_version="${{ needs.detect-event-schema-package-changes.outputs.main_version }}"
+          echo "Main version: ${{ needs.detect-event-schema-package-changes.outputs.main_version }}"
+
+          local_version=$(jq -r '.version' internal/events/package.json)
+          echo "Local version: $local_version"
+
+          if ! is_valid_increment "$main_version" "$local_version" ; then
+            echo "Error: Event Schema package has changed, but new version ($local_version) is not a valid increment from latest version on main branch ($main_version)."
+            exit 1
+          fi

.github/workflows/stage-2-test.yaml

@@ -48,6 +48,14 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
+      - name: "Cache node_modules"
+        uses: actions/cache@v4
+        with:
+          path: |
+            **/node_modules
+          key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
       - name: "Repo setup"
         run: |
           npm ci
@@ -62,6 +70,14 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
+      - name: "Cache node_modules"
+        uses: actions/cache@v4
+        with:
+          path: |
+            **/node_modules
+          key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
       - name: "Repo setup"
         run: |
           npm ci
@@ -90,6 +106,14 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
+      - name: "Cache node_modules"
+        uses: actions/cache@v4
+        with:
+          path: |
+            **/node_modules
+          key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
       - name: "Repo setup"
         run: |
           npm ci
@@ -106,6 +130,14 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
+      - name: "Cache node_modules"
+        uses: actions/cache@v4
+        with:
+          path: |
+            **/node_modules
+          key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
       - name: "Repo setup"
         run: |
           npm ci
@@ -143,7 +175,7 @@ jobs:
         with:
           fetch-depth: 0 # Full history is needed to improving relevancy of reporting
       - name: "Download coverage report for SONAR"
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: code-coverage-report
       - name: "Perform static analysis"

.github/workflows/stage-3-build.yaml

@@ -109,3 +109,4 @@ jobs:
           runId: "${{ github.run_id }}"
           buildSandbox: true
           releaseVersion: ${{ github.head_ref || github.ref_name }}
+          nodejs_version: ${{ inputs.nodejs_version }}