alphagov · whi-tw · Mar 19, 2026 · Jan 22, 2026 · Mar 19, 2026 · Mar 19, 2026
diff --git a/.github/workflows/review_apps_on_pr_change.yml b/.github/workflows/review_apps_on_pr_change.yml
@@ -1,113 +1,20 @@
 name: "Review apps: on PR change"
 on:
   pull_request:
-    # being explicit about what to trigger on.
-    # matches the docs for the default types
-    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request
     types: [opened, reopened, synchronize]
-jobs:
-  update-review-app:
-    # this references a codebuild project configured in forms-deploy
-    # see: https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html
-    runs-on: codebuild-review-forms-runner-gha-runner-${{github.run_id}}-${{github.run_attempt}}
-
-    permissions:
-      pull-requests: write
-
-    steps:
-      - name: Generate container image URI
-        run: |
-          echo "CONTAINER_IMAGE_URI=842676007477.dkr.ecr.eu-west-2.amazonaws.com/forms-runner:pr-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}-$(date +%s)" >> "$GITHUB_ENV"
-
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Build container
-        run: |
-          # Docker credentials are configured in CodeBuild
-          # CodeBuild retrieves the credentials from ParameterStore
-          echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin
-          docker build \
-            --tag "${{env.CONTAINER_IMAGE_URI}}" \
-            .
-
-      - name: Push container
-        id: build-container
-        run: |
-          aws ecr get-login-password --region eu-west-2 \
-          | docker login --username AWS --password-stdin 842676007477.dkr.ecr.eu-west-2.amazonaws.com
-
-          echo "Pushing container image"
-          echo "${{env.CONTAINER_IMAGE_URI}}"
-
-          docker push "${CONTAINER_IMAGE_URI}"
-
-      - name: Determine Terraform version
-        id: terraform-version
-        run: |
-          echo "TF_VERSION=$(< .review_apps/.terraform-version)" >> "$GITHUB_OUTPUT"
-
-      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
-        with:
-          terraform_version: ${{steps.terraform-version.outputs.TF_VERSION}}
-
-      - name: Deploy review app
-        id: deploy
-        run: |
-          cd .review_apps/
 
-          terraform init -backend-config="key=review-apps/forms-runner/pr-${{github.event.pull_request.number}}.tfstate"
+concurrency:
+  group: "review-apps-pr-${{ github.event.pull_request.number }}"
+  cancel-in-progress: false
 
-          terraform apply \
-            -var "pull_request_number=${{github.event.pull_request.number}}" \
-            -var "forms_runner_container_image=${{env.CONTAINER_IMAGE_URI}}" \
-            -no-color \
-            -auto-approve
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
 
-            # shellcheck disable=SC2129 # SC2129 is "mainly a stylistic issue" and it breaks our flow
-            echo "REVIEW_APP_URL=$(terraform output -raw review_app_url)" >> "$GITHUB_OUTPUT"
-            echo "ADMIN_APP_URL=$(terraform output -raw admin_app_url)" >> "$GITHUB_OUTPUT"
-            echo "ECS_CLUSTER_ID=$(terraform output -raw review_app_ecs_cluster_id)" >> "$GITHUB_OUTPUT"
-            echo "ECS_SERVICE_NAME=$(terraform output -raw review_app_ecs_service_name)" >> "$GITHUB_OUTPUT"
-
-      - name: Wait for AWS ECS deployments to finish
-        run: |
-          aws ecs wait services-stable \
-            --cluster "${{steps.deploy.outputs.ECS_CLUSTER_ID}}" \
-            --services "${{steps.deploy.outputs.ECS_SERVICE_NAME}}"
-
-      - name: Comment on PR
-        env:
-          COMMENT_MARKER: <!-- review apps on pr change -->
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          cat <<EOF > "${{runner.temp}}/pr-comment.md"
-          :tada: A review copy of this PR has been deployed! It is made of up two components
-
-          1. [A review copy of forms-runner](${{steps.deploy.outputs.REVIEW_APP_URL}})
-          2. [A production copy of forms-admin](${{steps.deploy.outputs.ADMIN_APP_URL}})
-
-          > [!IMPORTANT]
-          > Not all of the functionality of forms-runner is present in review apps.
-          > Functionality such as sending emails, file upload, and S3 submission types are
-          > deliberately disabled for the sake of simplifying review apps.
-          >
-          > You should use the full dev environment to test the functionality which is disabled here.
-
-          It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready
-          after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account
-          to debug, or otherwise ask an infrastructure person.
-
-          For the sign in details and more information, [see the review apps wiki page](https://github.com/alphagov/forms-team/wiki/Review-apps).
-
-          $COMMENT_MARKER
-          EOF
-
-          # shellcheck disable=SC2016
-          # `jq` uses single-quote characters on Unix shells
-          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and (.body | endswith($ENV.COMMENT_MARKER + "\n")))) | .[].id')
-          for comment_id in $old_comment_ids; do
-            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
-          done
-
-          gh pr comment "${{github.event.pull_request.html_url}}" --body-file "${{runner.temp}}/pr-comment.md"
+jobs:
+  update-review-app:
+    name: Update review app
+    uses: alphagov/forms-deploy/.github/workflows/reusable-review_apps_on_pr_change.yml@main
+    with:
+      app-name: forms-runner
diff --git a/.github/workflows/review_apps_on_pr_close.yml b/.github/workflows/review_apps_on_pr_close.yml
@@ -1,36 +1,20 @@
 name: "Review apps: on PR close"
 on:
   pull_request:
-    # only run when a PR is closed or merged
     types: [closed]
-env:
-  IMAGE_TAG: "842676007477.dkr.ecr.eu-west-2.amazonaws.com/forms-runner:pr-${{github.event.pull_request.number}}-${{github.event.pull_request.head.ref}}"
-jobs:
-  delete-review-app:
-    # this references a codebuild project configured in forms-deploy
-    # see: https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html
-    runs-on: codebuild-review-forms-runner-gha-runner-${{github.run_id}}-${{github.run_attempt}}
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Determine Terraform version
-        id: terraform-version
-        run: |
-          echo "TF_VERSION=$(< .review_apps/.terraform-version)" >> "$GITHUB_OUTPUT"
+concurrency:
+  group: "review-apps-pr-${{ github.event.pull_request.number }}"
+  cancel-in-progress: false
 
-      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
-        with:
-          terraform_version: ${{steps.terraform-version.outputs.TF_VERSION}}
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
 
-      - name: Delete review app
-        run: |
-          cd .review_apps/
-
-          terraform init -backend-config="key=review-apps/forms-runner/pr-${{github.event.pull_request.number}}.tfstate"
-          terraform destroy \
-            -var "pull_request_number=${{github.event.pull_request.number}}" \
-            -var "forms_runner_container_image=${{env.IMAGE_TAG}}" \
-            -no-color \
-            -auto-approve
+jobs:
+  delete-review-app:
+    name: Delete review app
+    uses: alphagov/forms-deploy/.github/workflows/reusable-review_apps_on_pr_close.yml@main
+    with:
+      app-name: forms-runner
diff --git a/.review_apps/ecs_task_definition.tf b/.review_apps/ecs_task_definition.tf
@@ -93,11 +93,16 @@ resource "aws_ecs_task_definition" "task" {
       portMappings = [
         {
           containerPort = 3001
+          hostPort      = 3001
           protocol      = "tcp"
           appProtocol   = "http"
         }
       ]
 
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
+
       logConfiguration = {
         logDriver = "awslogs"
         options = {
@@ -112,6 +117,7 @@ resource "aws_ecs_task_definition" "task" {
         interval    = 30
         retries     = 5
         startPeriod = 180
+        timeout     = 5
       }
 
       dependsOn = [
@@ -155,11 +161,16 @@ resource "aws_ecs_task_definition" "task" {
       portMappings = [
         {
           containerPort = 3000
+          hostPort      = 3000
           protocol      = "tcp"
           appProtocol   = "http"
         }
       ]
 
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
+
       logConfiguration = {
         logDriver = "awslogs"
         options = {
@@ -174,6 +185,7 @@ resource "aws_ecs_task_definition" "task" {
         interval    = 30
         retries     = 5
         startPeriod = 180
+        timeout     = 5
       }
 
       dependsOn = [
@@ -195,7 +207,17 @@ resource "aws_ecs_task_definition" "task" {
       command   = []
       essential = true
 
-      portMappings = [{ containerPort = 5432 }]
+      portMappings = [
+        {
+          containerPort = 5432
+          hostPort      = 5432
+          protocol      = "tcp"
+        }
+      ]
+
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
 
       environment = [
         { name = "POSTGRES_PASSWORD", value = "postgres" }
@@ -211,7 +233,10 @@ resource "aws_ecs_task_definition" "task" {
       }
 
       healthCheck = {
-        command = ["CMD-SHELL", "psql -h localhost -p 5432 -U postgres -c \"SELECT current_timestamp - pg_postmaster_start_time();\""]
+        command  = ["CMD-SHELL", "psql -h localhost -p 5432 -U postgres -c \"SELECT current_timestamp - pg_postmaster_start_time();\""]
+        interval = 30
+        retries  = 3
+        timeout  = 5
       }
     },
 
@@ -226,7 +251,17 @@ resource "aws_ecs_task_definition" "task" {
       ],
       essential = true
 
-      portMappings = [{ containerPort = 6379 }]
+      portMappings = [
+        {
+          containerPort = 6379
+          hostPort      = 6379
+          protocol      = "tcp"
+        }
+      ]
+
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
 
       logConfiguration = {
         logDriver = "awslogs"
@@ -238,7 +273,10 @@ resource "aws_ecs_task_definition" "task" {
       }
 
       healthCheck = {
-        command = ["CMD-SHELL", "redis-cli", "ping"]
+        command  = ["CMD-SHELL", "redis-cli", "ping"]
+        interval = 30
+        retries  = 3
+        timeout  = 5
       }
     },
 
@@ -251,6 +289,10 @@ resource "aws_ecs_task_definition" "task" {
       environment            = local.forms_runner_env_vars
       readonlyRootFilesystem = true
 
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
+
       logConfiguration = {
         logDriver = "awslogs"
         options = {
@@ -277,6 +319,10 @@ resource "aws_ecs_task_definition" "task" {
       environment            = local.forms_admin_env_vars
       readonlyRootFilesystem = true
 
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
+
       logConfiguration = {
         logDriver = "awslogs"
         options = {