From 5c7a281710e1f55b835edcbb52c5e2a84c984061 Mon Sep 17 00:00:00 2001 From: Steve Buxton Date: Wed, 18 Feb 2026 11:54:33 +0000 Subject: [PATCH 1/4] Refactor environment calculation --- .github/workflows/stage-3-build.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index f8e34e8b..cc15d5ef 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -134,8 +134,13 @@ jobs: name: Create Dynamic Environment runs-on: ubuntu-latest if: inputs.pr_number != '' + outputs: + environment_name: ${{ steps.set-environment.outputs.environment_name }} steps: - uses: actions/checkout@v5 + - name: Set environment name + id: set-environment + run: echo "environment_name=${{ inputs.pr_number != '' && format('pr{0}', inputs.pr_number) || 'main' }}" >> $GITHUB_OUTPUT - name: Trigger dynamic environment creation env: APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }} @@ -148,7 +153,7 @@ jobs: --infraRepoName "$(echo ${{ github.repository }} | cut -d'/' -f2)" \ --releaseVersion ${{ github.head_ref || github.ref_name }} \ --targetWorkflow "dispatch-deploy-dynamic-env.yaml" \ - --targetEnvironment "pr${PR_NUMBER}" \ + --targetEnvironment "${{ steps.set-environment.outputs.environment_name }}" \ --targetComponent "api" \ --targetAccountGroup "nhs-notify-supplier-api-dev" \ --terraformAction "apply" \ @@ -162,7 +167,6 @@ jobs: timeout-minutes: 10 env: PROXYGEN_API_NAME: nhs-notify-supplier - PR_NUMBER: ${{ inputs.pr_number }} APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }} APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} steps: 
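Review bot: The new `Set environment name` step expands `inputs.pr_number` directly inside the `run:` script, so the value is substituted into the shell text before bash parses it and a non-numeric value would be executed rather than echoed; `pr_number` appears to come from a metadata step in the calling workflow and is probably numeric, but the step should not depend on that. Pass it through the environment and validate it in shell, e.g. `env: PR_NUMBER: ${{ inputs.pr_number }}` with `run: |` / `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] && name="pr$PR_NUMBER" || name="main"` / `echo "environment_name=$name" >> "$GITHUB_OUTPUT"`. Note that while the job keeps `if: inputs.pr_number != ''` (context line above), the `|| 'main'` fallback can never be taken, so either the guard or the fallback is misleading as written. The job's remaining steps continue after this hunk.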
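Review bot: Quoting `--targetEnvironment "${{ steps.set-environment.outputs.environment_name }}"` is the right shape, but the same command still passes `--releaseVersion ${{ github.head_ref || github.ref_name }}` unquoted, and `github.head_ref` is the branch name chosen by the PR author; a crafted branch name would be interpolated into this shell line. Since the commit is already reworking this command, move both values out of the template: `env: RELEASE_VERSION: ${{ github.head_ref || github.ref_name }}` and `--releaseVersion "$RELEASE_VERSION"`, and likewise `TARGET_ENV` for the environment name. Whether fork PRs can reach this job depends on triggers and permissions not visible here, so this is defence in depth rather than a confirmed exposure. The command begins before the hunk.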
@@ -172,7 +176,7 @@ jobs: uses: ./.github/actions/build-proxies with: version: "${{ inputs.version }}" - environment: ${{ inputs.pr_number != '' && format('pr{0}', inputs.pr_number) || 'main' }} + environment: ${{ needs.pr-create-dynamic-environment.outputs.environment_name }} apimEnv: "internal-dev-sandbox" runId: "${{ github.run_id }}" buildSandbox: true From 56d527639a734c5fc60d5d7580c550c6d6dc1ef0 Mon Sep 17 00:00:00 2001 From: Steve Buxton Date: Wed, 18 Feb 2026 12:00:18 +0000 Subject: [PATCH 2/4] Fix fast-xml-parser vunerability --- package-lock.json | 6 ++++-- package.json | 3 +-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index adf19f48..bd57a841 100644 --- a/package-lock.json +++ b/package-lock.json @@ -144,7 +144,7 @@ }, "internal/events": { "name": "@nhsdigital/nhs-notify-event-schemas-supplier-api", - "version": "1.0.11", + "version": "1.0.12", "license": "MIT", "dependencies": { "@asyncapi/bundler": "^0.6.4", @@ -10357,7 +10357,9 @@ "license": "BSD-3-Clause" }, "node_modules/fast-xml-parser": { - "version": "5.3.5", + "version": "5.3.6", + "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz", + "integrity": "sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==", "funding": [ { "type": "github", diff --git a/package.json b/package.json index ee994074..5cc4621c 100644 --- a/package.json +++ b/package.json @@ -53,13 +53,12 @@ "name": "nhs-notify-supplier-api", "overrides": { "axios": "^1.13.5", - "fast-xml-parser": "^5.3.4", "@isaacs/brace-expansion": "^5.0.1", "pretty-format": { "react-is": "19.0.0" }, "react": "^19.0.0", - "fast-xml-parser": "^5.3.4" + "fast-xml-parser": "^5.3.6" }, "scripts": { From 406aeea4d0b977889a6e9fea43d341879eed7f60 Mon Sep 17 00:00:00 2001 
From: Steve Buxton Date: Wed, 18 Feb 2026 13:38:05 +0000 Subject: [PATCH 3/4] Conditionally deploy proxy --- .github/workflows/cicd-1-pull-request.yaml | 22 ++++++++++++++++++++++ .github/workflows/stage-3-build.yaml | 7 +++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index 877f3a59..747e76f4 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml @@ -29,6 +29,7 @@ jobs: does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }} pr_number: ${{ steps.pr_exists.outputs.pr_number }} skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }} + deploy_proxy: ${{ steps.deploy_proxy.outputs.deploy_proxy }} steps: - name: "Checkout code" uses: actions/checkout@v5 @@ -87,6 +88,26 @@ jobs: else echo "skip_trivy_package=false" >> $GITHUB_OUTPUT fi + - name: "Determine if proxy should be deployed" + id: deploy_proxy + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }} + run: | + if [[ -z "$PR_NUMBER" ]]; then + echo "No pull request detected; proxy deployment will run." + echo "deploy_proxy=true" >> $GITHUB_OUTPUT + exit 0 + fi + + labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name') + echo "Labels on PR #$PR_NUMBER: $labels" + + if echo "$labels" | grep -Fxq 'deploy-proxy'; then + echo "deploy_proxy=true" >> $GITHUB_OUTPUT + else + echo "deploy_proxy=false" >> $GITHUB_OUTPUT + fi - name: "List variables" run: | export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}" 
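Review bot: The `deploy-proxy` label now acts as an authorization gate for a deployment, but the step does not say so, and anyone with triage permission on the repository can add a label, so the gate is only as strong as that role; add a comment above the step such as `# Opt-in gate: the APIM proxy is deployed for a PR only when it carries the 'deploy-proxy' label (triage+ can set it)`. `gh pr view "$PR_NUMBER"` is also given no repository, so it resolves one from the checkout's git remote; `gh pr view "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --json labels --jq '.labels[].name'` removes that dependency. The label is read once here in the metadata job while the deployment happens in later jobs, so a label removed mid-run is not re-checked; presumably acceptable, but worth stating in the same comment. The job's `steps:` list starts before this hunk.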
@@ -141,6 +162,7 @@ jobs: terraform_version: "${{ needs.metadata.outputs.terraform_version }}" version: "${{ needs.metadata.outputs.version }}" pr_number: "${{ needs.metadata.outputs.pr_number }}" + deploy_proxy: "${{ needs.metadata.outputs.deploy_proxy }}" secrets: inherit acceptance-stage: # Recommended maximum execution time is 10 minutes name: "Acceptance stage" diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index cc15d5ef..a8441e7f 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -35,6 +35,10 @@ on: description: "PR Number if it exists" required: false type: string + deploy_proxy: + description: "True if the APIM proxy should be deployed" + required: true + type: string permissions: id-token: write # This is required for requesting the JWT @@ -133,7 +137,6 @@ jobs: pr-create-dynamic-environment: name: Create Dynamic Environment runs-on: ubuntu-latest - if: inputs.pr_number != '' outputs: environment_name: ${{ steps.set-environment.outputs.environment_name }} steps: @@ -162,7 +165,7 @@ jobs: artefact-proxies: name: "Build proxies" runs-on: ubuntu-latest - if: inputs.pr_number != '' + if: inputs.deploy_proxy == 'true' needs: [artefact-oas-spec-sandbox, pr-create-dynamic-environment] timeout-minutes: 10 env: From b1472d0986a1af29f57a018e6fe7ef9201e579c1 Mon Sep 17 00:00:00 2001 From: Steve Buxton Date: Wed, 18 Feb 2026 15:57:29 +0000 Subject: [PATCH 4/4] Run E2E tests if proxy deployed --- .github/actions/acceptance-tests/action.yml | 33 +++++++++++++++++++-- .github/actions/test-types.json | 2 +- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/.github/actions/acceptance-tests/action.yml b/.github/actions/acceptance-tests/action.yml index 3a099869..8ccb8ccb 100644 --- a/.github/actions/acceptance-tests/action.yml +++ b/.github/actions/acceptance-tests/action.yml 
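Review bot: Removing `if: inputs.pr_number != ''` from `pr-create-dynamic-environment` means the job's `Trigger dynamic environment creation` step (outside this hunk) now also runs on non-PR invocations, where the environment name falls back to `main` and, from the first patch in this series, the call passes `--terraformAction "apply"`; it is not clear that a deployment named `main` on every non-PR run is intended. If the goal was only to make `environment_name` available to `artefact-proxies` on every run, keep the guard on the trigger step rather than the job: `- name: Trigger dynamic environment creation` followed by `if: inputs.pr_number != ''`. Otherwise the `pr-` prefix and the job name no longer describe what it does and should be renamed. The job's steps begin after the hunk.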
@@ -44,7 +44,36 @@ runs: run: | echo "PR_NUMBER=${{ inputs.targetEnvironment }}" >> $GITHUB_ENV - - name: Run test - ${{ inputs.testType }} + - name: Run component tests shell: bash run: | - make test-${{ inputs.testType }} + make test-component + + - name: Check if e2e tests should run + id: check_e2e + shell: bash + env: + GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }} + run: | + # Extract PR number from environment name (e.g., pr123 -> 123) + if [[ "${{ inputs.targetEnvironment }}" =~ ^pr([0-9]+)$ ]]; then + pr_number="${BASH_REMATCH[1]}" + labels=$(gh pr view "$pr_number" --json labels --jq '.labels[].name' 2>/dev/null || echo "") + + if echo "$labels" | grep -Fxq 'deploy-proxy'; then + echo "deploy-proxy label found; e2e tests will run." + echo "run_e2e=true" >> $GITHUB_OUTPUT + else + echo "deploy-proxy label not found; e2e tests will be skipped." + echo "run_e2e=false" >> $GITHUB_OUTPUT + fi + else + echo "Not a PR environment; e2e tests will run." + echo "run_e2e=true" >> $GITHUB_OUTPUT + fi + + - name: Run e2e tests + if: steps.check_e2e.outputs.run_e2e == 'true' + shell: bash + run: | + make .internal-dev-test diff --git a/.github/actions/test-types.json b/.github/actions/test-types.json index 5530c31c..a82ea0d3 100644 --- a/.github/actions/test-types.json +++ b/.github/actions/test-types.json @@ -1,3 +1,3 @@ [ - "component" + "acceptance" ]
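Review bot: In `Check if e2e tests should run`, `gh pr view ... 2>/dev/null || echo ""` turns any failure to query the PR (missing or under-privileged `GITHUB_TOKEN`, rate limiting, network) into an empty label list, so the e2e tests are silently skipped and the job still goes green; a broken token is indistinguishable from a PR without the label. Let the query fail the step instead, `labels=$(gh pr view "$pr_number" --json labels --jq '.labels[].name')`, and add a comment that `GITHUB_TOKEN` is read from `env` and must be exported by the calling workflow. `inputs.targetEnvironment` is expanded inside the bash script as well; pass it via `env: TARGET_ENV: ${{ inputs.targetEnvironment }}` and match on `"$TARGET_ENV"` so the regex sees data rather than substituted script. This also duplicates the label check already done in the caller's metadata job, and the two can disagree if the label changes mid-run; passing that result in as an action input would avoid the second query. The `steps:` sequence this hunk edits starts before the hunk.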