Merge remote-tracking branch 'origin/main' into feature/CCM-10432-multi-user-cleanup

Author: alexnuttall

.github/actions/node-modules-cache/action.yaml

@@ -0,0 +1,44 @@
+name: 'Node modules cache + setup'
+description: 'Setup Node, restore node_modules cache, and optionally run npm ci on cache miss'
+
+inputs:
+  node_version:
+    description: 'Node.js version'
+    required: true
+  cache_lock_path:
+    description: 'Path(s) to package-lock.json for cache key'
+    required: false
+    default: '**/package-lock.json'
+  skip_restore:
+    description: 'Skips restoring node_modules'
+    required: false
+    default: false
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Use Node.js'
+      uses: actions/setup-node@v5
+      with:
+        cache: 'npm'
+        cache-dependency-path: '${{ inputs.cache_lock_path }}'
+        node-version: '${{ inputs.node_version }}'
+        package-manager-cache: true
+
+    - name: 'Restore node_modules from cache'
+      id: node-modules-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          node_modules
+          **/node_modules
+        key: ${{ runner.os }}-node-${{ inputs.node_version }}-${{ hashFiles(inputs.cache_lock_path) }}
+        restore-keys: |
+          ${{ runner.os }}-node-${{ inputs.node_version }}-
+        lookup-only: ${{ inputs.skip_restore }}
+
+    - name: 'Install dependencies (cache miss)'
+      if: steps.node-modules-cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        npm ci

.github/workflows/cicd-1-pull-request.yaml

@@ -11,6 +11,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
   cancel-in-progress: false
 
+permissions:
+  id-token: write
+  contents: write
+  packages: read
 
 jobs:
   metadata:
@@ -77,9 +81,23 @@ jobs:
           export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
           export IS_VERSION_PRERELEASE="${{ steps.variables.outputs.is_version_prerelease }}"
           make list-variables
+
+  dependencies:
+    name: Install / cache dependencies
+    needs: [metadata]
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout code"
+        uses: actions/[email protected]
+      - name: "Install / cache node_modules"
+        uses: ./.github/actions/node-modules-cache
+        with:
+          node_version: "${{ inputs.nodejs_version }}"
+          skip_restore: true
+
   commit-stage: # Recommended maximum execution time is 2 minutes
     name: "Commit stage"
-    needs: [metadata]
+    needs: [metadata, dependencies]
     uses: ./.github/workflows/stage-1-commit.yaml
     with:
       build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
@@ -92,7 +110,7 @@ jobs:
     secrets: inherit
   test-stage: # Recommended maximum execution time is 5 minutes
     name: "Test stage"
-    needs: [metadata, commit-stage]
+    needs: [metadata, dependencies, commit-stage]
     uses: ./.github/workflows/stage-2-test.yaml
     with:
       build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
@@ -105,7 +123,7 @@ jobs:
     secrets: inherit
   acceptance-stage: # Recommended maximum execution time is 10 minutes
     name: "Acceptance stage"
-    needs: [metadata, test-stage]
+    needs: [metadata, dependencies, test-stage]
     uses: ./.github/workflows/stage-4-acceptance.yaml
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened')) || (github.event_name == 'push' && github.ref == 'refs/heads/main')
     secrets: inherit

.github/workflows/pr_closed.yaml

@@ -99,9 +99,29 @@ jobs:
             echo "version_changed=true" >> $GITHUB_OUTPUT
           fi
 
+  test-contract-provider:
+    name: "Test contracts (provider)"
+    needs: check-event-schemas-version-change
+    if: needs.check-event-schemas-version-change.outputs.version_changed == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: "Checkout code"
+        uses: actions/[email protected]
+      - name: "Install dependencies"
+        run: npm ci
+      - name: "Run provider contract tests"
+        run: make test-contract-provider
+        env:
+          GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   publish-event-schemas:
     name: Publish event schemas package to GitHub package registry
-    needs: check-event-schemas-version-change
+    needs:
+      - check-event-schemas-version-change
+      - test-contract-provider
     if: needs.check-event-schemas-version-change.outputs.version_changed == 'true'
     runs-on: ubuntu-latest
     permissions:

.github/workflows/stage-1-commit.yaml

@@ -72,7 +72,7 @@ jobs:
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     permissions:
-        contents: write
+      contents: write
     steps:
       - name: "Checkout code"
         uses: actions/[email protected]
@@ -149,7 +149,7 @@ jobs:
   trivy:
     name: "Trivy Scan"
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
@@ -248,8 +248,10 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v4
 
-      - name: Install dependencies
-        run: npm ci
+      - name: "Restore node_modules from cache"
+        uses: ./.github/actions/node-modules-cache
+        with:
+          node_version: "${{ inputs.nodejs_version }}"
 
       - name: Re-generate schemas
         run: npm --workspace packages/event-schemas run generate-json-schemas

.github/workflows/stage-2-test.yaml

@@ -41,115 +41,183 @@ permissions:
   contents: read  # This is required for actions/checkout
 
 jobs:
+  discover-workspaces:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.get-workspaces.outputs.matrix }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/[email protected]
+      - name: "Get workspaces"
+        id: "get-workspaces"
+        run: |
+          echo "matrix=$(jq -c '.workspaces' package.json)" >> "$GITHUB_OUTPUT"
+
   check-generated-dependencies:
     name: "Check generated dependencies"
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/[email protected]
-      - name: "Repo setup"
-        run: |
-          npm ci
+      - name: "Restore node_modules from cache"
+        uses: ./.github/actions/node-modules-cache
+        with:
+          node_version: "${{ inputs.nodejs_version }}"
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
           git diff --exit-code
+
   test-unit:
     name: "Unit tests"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    needs: [discover-workspaces]
+    strategy:
+      fail-fast: false
+      matrix:
+        workspace: ${{ fromJSON(needs.discover-workspaces.outputs.matrix) }}
     steps:
       - name: "Checkout code"
         uses: actions/[email protected]
-      - name: "Repo setup"
-        run: |
-          npm ci
+      - name: "Restore node_modules from cache"
+        uses: ./.github/actions/node-modules-cache
+        with:
+          node_version: "${{ inputs.nodejs_version }}"
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
       - name: "Run unit test suite"
         run: |
-          make test-unit
-      - name: "Save the result of fast test suite"
+          WORKSPACE=${{ matrix.workspace }} make test-unit
+      - name: Compute safe artifact names
+        id: names
+        shell: bash
+        run: |
+          echo "safe=$(echo '${{ matrix.workspace }}' | tr '/' '-_')" >> "$GITHUB_OUTPUT"
+      - name: "Save the result of test suite"
         uses: actions/upload-artifact@v4
         with:
-          name: unit-tests
-          path: "**/.reports/unit"
+          name: unit-tests-${{ steps.names.outputs.safe }}
+          path: "${{ matrix.workspace }}/.reports/unit"
           include-hidden-files: true
+          if-no-files-found: ignore
         if: always()
       - name: "Save the result of code coverage"
         uses: actions/upload-artifact@v4
         with:
-          name: code-coverage-report
-          path: ".reports/lcov.info"
+          name: code-coverage-${{ steps.names.outputs.safe }}
+          path: "${{ matrix.workspace }}/.reports/unit/coverage/lcov.info"
+          if-no-files-found: ignore
         if: always()
+
   test-lint:
     name: "Linting"
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/[email protected]
-      - name: "Repo setup"
-        run: |
-          npm ci
+      - name: "Restore node_modules from cache"
+        uses: ./.github/actions/node-modules-cache
+        with:
+          node_version: "${{ inputs.nodejs_version }}"
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
       - name: "Run linting"
         run: |
           make test-lint
+
   test-typecheck:
     name: "Typecheck"
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/[email protected]
-      - name: "Repo setup"
-        run: |
-          npm ci
+      - name: "Restore node_modules from cache"
+        uses: ./.github/actions/node-modules-cache
+        with:
+          node_version: "${{ inputs.nodejs_version }}"
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
       - name: "Run typecheck"
         run: |
           make test-typecheck
-  test-coverage:
-    name: "Test coverage"
-    needs: [test-unit]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: "Checkout code"
-        uses: actions/[email protected]
-      - name: "Run test coverage check"
-        run: |
-          make test-coverage
-      - name: "Save the coverage check result"
-        run: |
-          echo "Nothing to save"
-  perform-static-analysis:
-    name: "Perform static analysis"
-    needs: [test-unit]
+
+  test-contract-provider:
+    name: "Test contracts (provider)"
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
       contents: read
-    timeout-minutes: 5
+      packages: read
     steps:
       - name: "Checkout code"
         uses: actions/[email protected]
+      - name: "Restore node_modules from cache"
+        uses: ./.github/actions/node-modules-cache
         with:
-          fetch-depth: 0 # Full history is needed to improving relevancy of reporting
-      - name: "Download coverage report for SONAR"
-        uses: actions/download-artifact@v5
+          node_version: "${{ inputs.nodejs_version }}"
+      - name: "Run provider contract tests"
+        run: make test-contract-provider
+        env:
+          GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+
+  merge-coverage:
+    name: "Merge coverage"
+    runs-on: ubuntu-latest
+    needs: [test-unit]
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Download coverage artifacts
+        uses: actions/download-artifact@v4
         with:
-          name: code-coverage-report
-      - name: "Perform static analysis"
-        uses: ./.github/actions/perform-static-analysis
+          pattern: code-coverage-*
+          merge-multiple: false
+          path: ./_cov_parts
+
+      - name: Merge LCOV files
+        run: |
+          set -euo pipefail
+          mkdir -p .reports
+          npx --yes lcov-result-merger \
+            "./_cov_parts/**/lcov.info" \
+            ".reports/lcov.info" \
+            --ignore "node_modules" \
+            --prepend-source-files \
+            --prepend-path-fix "../../"
+
+      - name: Upload merged LCOV
+        uses: actions/upload-artifact@v4
         with:
-          sonar_organisation_key: "${{ vars.SONAR_ORGANISATION_KEY }}"
-          sonar_project_key: "${{ vars.SONAR_PROJECT_KEY }}"
-          sonar_token: "${{ secrets.SONAR_TOKEN }}"
+          name: code-coverage-report
+          path: .reports/lcov.info
+
+  # perform-static-analysis:
+  #   name: "Perform static analysis"
+  #   needs: [test-unit, merge-coverage]
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     id-token: write
+  #     contents: read
+  #   timeout-minutes: 5
+  #   steps:
+  #     - name: "Checkout code"
+  #       uses: actions/[email protected]
+  #       with:
+  #         fetch-depth: 0 # Full history is needed to improving relevancy of reporting
+  #     - name: "Download coverage report for SONAR"
+  #       uses: actions/download-artifact@v5
+  #       with:
+  #         name: code-coverage-report
+  #     - name: "Perform static analysis"
+  #       uses: ./.github/actions/perform-static-analysis
+  #       with:
+  #         sonar_organisation_key: "${{ vars.SONAR_ORGANISATION_KEY }}"
+  #         sonar_project_key: "${{ vars.SONAR_PROJECT_KEY }}"
+  #         sonar_token: "${{ secrets.SONAR_TOKEN }}"

.gitleaksignore

@@ -7,3 +7,4 @@ b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:15
 b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:25
 bc79df4f82052918ae6bf69d36279e5dd391d61e:tests/test-team/auth/user.json:jwt:15
 bc79df4f82052918ae6bf69d36279e5dd391d61e:tests/test-team/auth/user.json:jwt:25
+306d9ec55d3498b86d5506da9a90ac486fc66563:frontend/src/components/molecules/MessagePlanFallbackConditions/MessagePlanFallbackConditions.tsx:ipv4:92