From e70bf070ae7ce5ce9201dade3655dc0a75341e86 Mon Sep 17 00:00:00 2001
From: neil-sproston <neil.sproston1@nhs.net>
Date: Thu, 2 Apr 2026 16:30:49 +0100
Subject: [PATCH 1/2] [GPCAPIM-194] Final configuration for the alpha internal
 integration environment

---
 .github/workflows/alpha-integration-env.yml | 30 +++++++++------------
 .github/workflows/preview-env.yml           |  8 ++++++
 scripts/tests/run-test.sh                   | 12 ++++++++-
 3 files changed, 31 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/alpha-integration-env.yml b/.github/workflows/alpha-integration-env.yml
index e13327be..8c2a11b4 100644
--- a/.github/workflows/alpha-integration-env.yml
+++ b/.github/workflows/alpha-integration-env.yml
@@ -13,7 +13,7 @@ env:
   TF_STATE_BUCKET: "cds-cdg-dev-tfstate-900119715266"
   TF_STATE_KEY: "dev/preview/alpha-integration.tfstate"
   BRANCH_NAME: "alpha-integration"
-  ALB_RULE_PRIORITY: "2000"
+  ALB_RULE_PRIORITY: "900"
   BASE_URL: "https://internal-dev.api.service.nhs.uk/clinical-data-gateway-api-poc-alpha-integration"
   python_version: "3.14"
   PROXYGEN_API_NAME: ${{ vars.PROXYGEN_API_NAME }}
@@ -220,6 +220,8 @@ jobs:
 
       - name: Run contract tests
         uses: ./.github/actions/run-test-suite
+        env:
+          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: contract
           apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
@@ -227,6 +229,8 @@ jobs:
 
       - name: Run schema validation tests
         uses: ./.github/actions/run-test-suite
+        env:
+          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: schema
           apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
@@ -234,6 +238,8 @@ jobs:
 
       - name: Run integration tests
         uses: ./.github/actions/run-test-suite
+        env:
+          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: integration
           apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
@@ -241,6 +247,8 @@ jobs:
 
       - name: Run acceptance tests
         uses: ./.github/actions/run-test-suite
+        env:
+          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: acceptance
           apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
@@ -249,20 +257,6 @@ jobs:
       - name: Remove mTLS temp files
         run: rm -f /tmp/client1-key.pem /tmp/client1-cert.pem
 
-      # - name: Trivy IaC scan
-      #   uses: nhs-england-tools/trivy-action/iac-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
-      #   with:
-      #       scan-ref: infrastructure/environments/preview
-      #       artifact-name: trivy-iac-scan-alpha-integration
-
-      # - name: Trivy image scan
-      #   uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
-      #   with:
-      #       image-ref: ${{ steps.meta.outputs.ecr_url }}:${{ env.BRANCH_NAME }}
-      #       artifact-name: trivy-image-scan-alpha-integration
-
-      # - name: Generate SBOM
-      #   uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
-      #   with:
-      #       image-ref: ${{ steps.meta.outputs.ecr_url }}:${{ env.BRANCH_NAME }}
-      #       artifact-name: trivy-sbom-alpha-integration
+      # - name: Trivy IaC scan - replacement
+      # - name: Trivy image scan - replacement
+      # - name: Generate SBOM - replacement
diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml
index e5e3230c..6c8de958 100644
--- a/.github/workflows/preview-env.yml
+++ b/.github/workflows/preview-env.yml
@@ -340,6 +340,8 @@ jobs:
       - name: "Run contract tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
+        env:
+          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: contract
           apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
@@ -348,6 +350,8 @@ jobs:
       - name: "Run schema validation tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
+        env:
+          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: schema
           apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
@@ -356,6 +360,8 @@ jobs:
       - name: "Run integration tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
+        env:
+          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: integration
           apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
@@ -364,6 +370,8 @@ jobs:
       - name: "Run acceptance tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
+        env:
+          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: acceptance
           apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
diff --git a/scripts/tests/run-test.sh b/scripts/tests/run-test.sh
index 97d5cb69..92b8394c 100755
--- a/scripts/tests/run-test.sh
+++ b/scripts/tests/run-test.sh
@@ -44,16 +44,26 @@ else
 fi
 
 if [[ "${ENV:-local}" = "remote" ]] && [[ "$TEST_TYPE" != "unit" ]]; then
+  echo "[run-test] Branch: remote non-unit path"
+  echo "[run-test] ENV=${ENV:-local}, TEST_TYPE=${TEST_TYPE}"
+  echo "[run-test] Running via APIM proxy options"
+  if [[ -z "${PROXY_BASE_PATH:-}" ]]; then
+    echo "Error: PROXY_BASE_PATH must be set when ENV=remote and TEST_TYPE is not unit" >&2
+    exit 1
+  fi
   # Note: TEST_PATH is intentionally unquoted to allow glob expansion
   poetry run pytest ${TEST_PATH} --env="remote" -v \
     --api-name="${PROXYGEN_API_NAME}" \
-    --proxy-name="${PROXYGEN_API_NAME}--internal-dev--${PROXYGEN_API_NAME}-pr-${PR_NUMBER}" \
+    --proxy-name="${PROXYGEN_API_NAME}--internal-dev--${PROXY_BASE_PATH}" \
     --cov="${COV_PATH}" \
     --cov-report=html:test-artefacts/coverage-html \
     --cov-report=term \
     --junit-xml="test-artefacts/${TEST_TYPE}-tests.xml" \
     --html="test-artefacts/${TEST_TYPE}-tests.html" --self-contained-html
 else
+  echo "[run-test] Branch: local/default path"
+  echo "[run-test] ENV=${ENV:-local}, TEST_TYPE=${TEST_TYPE}"
+  echo "[run-test] Running direct tests without APIM proxy options"
   poetry run pytest ${TEST_PATH} -v \
     --api-name="clinical-data-gateway-api" \
     --cov="${COV_PATH}" \

From ece9de005e02f68809284cb6ee9a78ea3acef9a4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:41:53 +0000
Subject: [PATCH 2/2] Bump aws-actions/configure-aws-credentials

Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 84e497037868db1737eb2907599d3f61e8899373 to 51635dbf418c2cdd8b3e1497529334d8db7e4063.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/84e497037868db1737eb2907599d3f61e8899373...51635dbf418c2cdd8b3e1497529334d8db7e4063)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 51635dbf418c2cdd8b3e1497529334d8db7e4063
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/alpha-integration-env.yml | 2 +-
 .github/workflows/preview-env.yml           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/alpha-integration-env.yml b/.github/workflows/alpha-integration-env.yml
index 8c2a11b4..d31ffe99 100644
--- a/.github/workflows/alpha-integration-env.yml
+++ b/.github/workflows/alpha-integration-env.yml
@@ -39,7 +39,7 @@ jobs:
           ref: alpha-integration
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@84e497037868db1737eb2907599d3f61e8899373
+        uses: aws-actions/configure-aws-credentials@51635dbf418c2cdd8b3e1497529334d8db7e4063
         with:
           role-to-assume: ${{ secrets.DEV_AWS_CREDENTIALS }}
           aws-region: ${{ env.AWS_REGION }}
diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml
index 6c8de958..fbcf8e9b 100644
--- a/.github/workflows/preview-env.yml
+++ b/.github/workflows/preview-env.yml
@@ -52,7 +52,7 @@ jobs:
 
       # Configure AWS credentials (OIDC recommended)
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@84e497037868db1737eb2907599d3f61e8899373
+        uses: aws-actions/configure-aws-credentials@51635dbf418c2cdd8b3e1497529334d8db7e4063
         with:
           role-to-assume: ${{ steps.role-select.outputs.aws_role }}
           aws-region: ${{ env.AWS_REGION }}