VIA-283 AS/AJ Update workflows to remove refs for checkout, let deploy handle ref type logic, update variable names

anoop-surej-nhs · anoop-surej-nhs · commit 015a6902c000 · 2025-07-29T16:40:31.000+01:00
diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml
@@ -114,7 +114,6 @@ jobs:
     with:
       environment: "dev"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      tag: "${{ needs.build-stage.outputs.tag }}"
     secrets: inherit
   acceptance-stage: # Recommended maximum execution time is 10 minutes
     name: "Acceptance stage"
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
@@ -26,10 +26,14 @@ jobs:
       version: ${{ steps.variables.outputs.version }}
       tag: ${{ steps.variables.outputs.tag }}
     steps:
+      - name: "Check ref"
+        run: |
+          if ${{ !startsWith(github.ref, 'refs/tags/') }}; then
+            echo "❌ Only tagged deployments allowed."
+            exit 1
+          fi
       - name: "Checkout code"
         uses: actions/checkout@v4
-        with:
-          ref: ${{ github.ref }}
       - name: "Set CI/CD variables"
         id: variables
         run: |
@@ -61,7 +65,6 @@ jobs:
     with:
       environment: ${{ github.event.inputs.environment }}
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      tag: "${{ needs.metadata.outputs.tag }}"
     secrets: inherit
   acceptance-stage:
     name: "Acceptance stage"
@@ -70,13 +73,10 @@ jobs:
     uses: ./.github/workflows/stage-5-acceptance.yaml
     with:
       environment: ${{ github.event.inputs.environment}}
-      tag: ${{ needs.metadata.outputs.tag }}
     secrets: inherit
   snapshot-test-stage:
     name: "Snapshot Test stage"
     if: ${{ github.event.inputs.environment == 'preprod' }}
     needs: [metadata, acceptance-stage]
     uses: ./.github/workflows/stage-7-snapshot-test.yaml
-    with:
-      tag: "${{ needs.metadata.outputs.tag }}"
     secrets: inherit
diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
@@ -31,10 +31,6 @@ on:
         description: "Version of the software, set by the CI/CD pipeline workflow"
         required: true
         type: string
-    outputs:
-      tag:
-        description: "SHA of the commit"
-        value: ${{ jobs.build-and-package.outputs.tag }}
 
 env:
   AWS_REGION: eu-west-2
@@ -50,16 +46,9 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    outputs:
-      tag: ${{ steps.release-version.outputs.release_version }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
-      - name: "Get the release version"
-        id: release-version
-        run: |
-          echo "release_version=${{ github.sha }}" >> $GITHUB_OUTPUT
-          echo "RELEASE_VERSION=${{ github.sha }}" >> $GITHUB_ENV
       - name: "Build OpenNext Package"
         run: |
           npm ci --ignore-scripts
@@ -82,17 +71,17 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
       - name: "Upload Packages To S3"
         run: | # Prevent overwriting of existing artefacts
-          aws s3api put-object --bucket "${AWS_S3_ARTEFACTS_BUCKET}" --key "sha/${RELEASE_VERSION}/open-next.zip" --body "open-next.zip" --if-none-match '*' || {
+          aws s3api put-object --bucket "${AWS_S3_ARTEFACTS_BUCKET}" --key "sha/${{ github.sha }}/open-next.zip" --body "open-next.zip" --if-none-match '*' || {
             echo "❌ Uploading open-next.zip to S3 bucket failed!"
             exit 1
           }
 
-          aws s3api put-object --bucket "${AWS_S3_ARTEFACTS_BUCKET}" --key "sha/${RELEASE_VERSION}/lambda.zip" --body "lambda.zip" --if-none-match '*' || {
+          aws s3api put-object --bucket "${AWS_S3_ARTEFACTS_BUCKET}" --key "sha/${{ github.sha }}/lambda.zip" --body "lambda.zip" --if-none-match '*' || {
             echo "❌ Uploading lambda.zip to S3 bucket failed!"
             exit 1
           }
 
-          aws s3api put-object --bucket "${AWS_S3_ARTEFACTS_BUCKET}" --key "sha/${RELEASE_VERSION}/workflow.log" --body "workflow.log" --if-none-match '*' || {
+          aws s3api put-object --bucket "${AWS_S3_ARTEFACTS_BUCKET}" --key "sha/${{ github.sha }}/workflow.log" --body "workflow.log" --if-none-match '*' || {
             echo "❌ Uploading workflow.log to S3 bucket failed!"
             exit 1
           }
diff --git a/.github/workflows/stage-4-deploy.yaml b/.github/workflows/stage-4-deploy.yaml
@@ -6,18 +6,13 @@ on:
         description: "TF version"
         required: true
         type: string
-      tag:
-        description: "The commit SHA (DEV) or version tag (higher envs) to be deployed"
-        required: true
-        type: string
       environment:
         description: "Environment to deploy to"
         required: true
         type: string
 
 env:
   AWS_REGION: eu-west-2
-  TAG: ${{ inputs.tag }}
 
 jobs:
   deploy:
@@ -33,10 +28,16 @@ jobs:
       id-token: write
       contents: read
     steps:
+      - name: "Tag or SHA"
+        id: tag-or-sha
+        run: |
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            echo "value=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          else
+            echo "value=${{ github.sha }}" >> $GITHUB_OUTPUT
+          fi
       - name: "Checkout code"
         uses: actions/checkout@v4
-        with:
-          ref: ${{ env.TAG }}
       - name: "Install Terraform"
         uses: hashicorp/setup-terraform@v3
         with:
@@ -51,23 +52,23 @@ jobs:
         if: ${{ inputs.environment == 'dev' }}
         run: |
           AWS_S3_ARTEFACTS_BUCKET="vita-${{ secrets.AWS_ACCOUNT_ID }}-artefacts-${{ inputs.environment }}"
-          app_s3_path="s3://${AWS_S3_ARTEFACTS_BUCKET}/sha/${{ env.TAG }}/open-next.zip"
+          app_s3_path="s3://${AWS_S3_ARTEFACTS_BUCKET}/sha/${{ steps.tag-or-sha.outputs.value }}/open-next.zip"
           echo "Artefact path: $app_s3_path"
           aws s3 cp "$app_s3_path" .
-          lambda_s3_path="s3://${AWS_S3_ARTEFACTS_BUCKET}/sha/${{ env.TAG }}/lambda.zip"
+          lambda_s3_path="s3://${AWS_S3_ARTEFACTS_BUCKET}/sha/${{ steps.tag-or-sha.outputs.value }}/lambda.zip"
           echo "Artefact path: $lambda_s3_path"
           aws s3 cp "$lambda_s3_path" .
       - name: "Download packages from ${{ inputs.environment}} S3 Releases bucket"
         if: ${{ inputs.environment == 'preprod' || inputs.environment == 'prod' }}
         run: |
           AWS_S3_RELEASE_BUCKET="vita-${{ secrets.AWS_ACCOUNT_ID }}-releases-${{ inputs.environment }}"
-          app_s3_path="s3://${AWS_S3_RELEASE_BUCKET}/tag/${{ env.TAG }}/open-next.zip"
+          app_s3_path="s3://${AWS_S3_RELEASE_BUCKET}/tag/${{ steps.tag-or-sha.outputs.value }}/open-next.zip"
           echo "Artefact path: $app_s3_path"
           aws s3 cp "$app_s3_path" .
-          lambda_s3_path="s3://${AWS_S3_RELEASE_BUCKET}/tag/${{ env.TAG }}/lambda.zip"
+          lambda_s3_path="s3://${AWS_S3_RELEASE_BUCKET}/tag/${{ steps.tag-or-sha.outputs.value }}/lambda.zip"
           echo "Artefact path: $lambda_s3_path"
           aws s3 cp "$lambda_s3_path" .
-          workflow_s3_path="s3://${AWS_S3_RELEASE_BUCKET}/tag/${{ env.TAG }}/workflow.log"
+          workflow_s3_path="s3://${AWS_S3_RELEASE_BUCKET}/tag/${{ steps.tag-or-sha.outputs.value }}/workflow.log"
           echo "Artefact path: $workflow_s3_path"
           aws s3 cp "$workflow_s3_path" .
       - name: "Unzip OpenNext Package"
@@ -79,7 +80,7 @@ jobs:
       - name: "Set the Slack channel id where alarms are sent"
         run: echo "TF_VAR_alarms_slack_channel_id=${{ secrets.ALARMS_SLACK_CHANNEL_ID }}" >> $GITHUB_ENV
       - name: "Set the app version being deployed"
-        run: echo "TF_VAR_app_version=${{ env.TAG }}" >> $GITHUB_ENV
+        run: echo "TF_VAR_app_version=${{ steps.tag-or-sha.outputs.value }}" >> $GITHUB_ENV
       - name: "Terraform init"
         id: init
         run: TF_ENV=${{ inputs.environment }} make terraform-init
diff --git a/.github/workflows/stage-5-acceptance.yaml b/.github/workflows/stage-5-acceptance.yaml
@@ -7,13 +7,6 @@ on:
         description: "Environment to run tests against"
         required: true
         type: string
-      tag:
-        description: "The commit SHA (DEV) or version tag (higher envs) to be deployed"
-        required: false
-        type: string
-
-env:
-  TAG: ${{ inputs.tag || github.sha }}
 
 jobs:
   test-e2e:
@@ -31,8 +24,6 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
-        with:
-          ref: ${{ env.TAG }}
       - name: "Install dependencies"
         run: |
           npm ci --ignore-scripts
@@ -73,8 +64,6 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
-        with:
-          ref: ${{ env.TAG }}
       - name: "Install dependencies"
         run: |
           npm ci --ignore-scripts
diff --git a/.github/workflows/stage-7-snapshot-test.yaml b/.github/workflows/stage-7-snapshot-test.yaml
@@ -2,11 +2,6 @@ name: "Snapshot Test stage"
 
 on:
   workflow_call:
-    inputs:
-      tag:
-        description: "Tag of deployment"
-        required: true
-        type: string
 
 env:
   AWS_REGION: eu-west-2
@@ -31,8 +26,6 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.tag }}
 
       - name: "Configure AWS credentials for environment"
         uses: aws-actions/configure-aws-credentials@v4
@@ -57,10 +50,10 @@ jobs:
         run: |
           npm run e2e:snapshot
 
-      - name: "Upload snapshots to S3 bucket with tag ${{ inputs.tag }}"
+      - name: "Upload snapshots to S3 bucket with tag ${{ github.ref_name }}"
         if: failure()
         run: |
-          aws s3 sync ./e2e/snapshot/snapshot_review/ s3://${{ env.AWS_S3_ARTEFACTS_BUCKET }}/playwright/${{ inputs.tag }}/
+          aws s3 sync ./e2e/snapshot/snapshot_review/ s3://${{ env.AWS_S3_ARTEFACTS_BUCKET }}/playwright/${{ github.ref_name }}/
 
       - name: "Upload report"
         uses: actions/upload-artifact@v4
