From 84b9af9418952b7dd4c264ee8c6123c7af34f49b Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:15:16 +0000 Subject: [PATCH 01/20] [NRL-1922] Generate coverage report when running unit tests. Fixup sonar cloud config --- Makefile | 2 +- sonar-project.properties | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 394150e3a..8b44ad164 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ MAKEFLAGS := --no-print-directory SHELL := /bin/bash DIST_PATH ?= ./dist -TEST_ARGS ?= --cov --cov-report=term-missing +TEST_ARGS ?= --cov --cov-report=term-missing --cov-report=xml:$(DIST_PATH)/test-coverage.xml SMOKE_TEST_ARGS ?= FEATURE_TEST_ARGS ?= ./tests/features --format progress2 TF_WORKSPACE_NAME ?= $(shell terraform -chdir=terraform/infrastructure workspace show) diff --git a/sonar-project.properties b/sonar-project.properties index cac876215..9e9655496 100644 --- a/sonar-project.properties +++ b/sonar-project.properties 
@@ -1,11 +1,14 @@ sonar.projectKey=NHSDigital_NRLF sonar.organization=nhsdigital sonar.projectName=NRLF -sonar.python.version=3.9.5 -sonar.terraform.provider.aws.version=4.63.0 -# TODO: Some paths here are outdated and perhaps we don't want to exclude everything -sonar.cpd.exclusions=api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/** -sonar.exclusions=scripts/**, **/scripts/**, api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/** + +sonar.python.version=3.12.10 + +sonar.exclusions=scripts/** +sonar.coverage.exclusions=scripts/**, test/**, **/tests/** +sonar.cpd.exclusions=tests/**, **/tests/** + +sonar.python.coverage.reportPaths=coverage.xml # Exclude snomed urls as being unsafe sonar.issue.ignore.multicriteria=exclude_snomed_urls From 00bbefa794e74038bfe383ee4fc448e5ded9d9f6 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:41:27 +0000 Subject: [PATCH 02/20] [NRL-1922] Add new workflow for PR checks --- .github/workflows/pr-checks.yml | 75 +++++++++++++++++++++++++++++++++ sonar-project.properties | 2 +- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/pr-checks.yml diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml new file mode 100644 index 000000000..c9bfebf8e --- /dev/null +++ b/.github/workflows/pr-checks.yml 
@@ -0,0 +1,75 @@ +name: Run PR checks +run-name: "Running checks for PR #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})" + +on: + pull_request: + types: [opened, reopened, synchronize] + +concurrency: + cancel-in-progress: false + +permissions: + id-token: write + contents: read + actions: write + pull-requests: write + +jobs: + build: + name: Build and test + runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + + steps: + - name: Git clone - ${{ github.ref }} + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Setup environment + run: | + echo "${HOME}/.asdf/bin" >> $GITHUB_PATH + poetry install --no-root + + - name: Build + run: make build + + - name: Test + run: make test + + - name: Upload build artifacts + uses: actions/upload-artifact@v3 + with: + name: build-artifacts + path: dist + + sonar: + name: SonarQube analysis and quality gate check + runs-on: ubuntu-latest + after: build + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Get build artifacts + uses: actions/download-artifact@v3 + with: + name: build-artifacts + path: dist + + # Triggering SonarQube analysis as results of it are required by Quality Gate check. + - name: SonarQube Scan + uses: sonarsource/sonarqube-scan-action@master + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + # Check the Quality Gate status. + - name: SonarQube Quality Gate check + id: sonarqube-quality-gate-check + uses: sonarsource/sonarqube-quality-gate-action@master + with: + pollingTimeoutSec: 600 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL diff --git a/sonar-project.properties b/sonar-project.properties index 9e9655496..a4df9452b 100644 --- a/sonar-project.properties +++ b/sonar-project.properties 
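Review bot: Both `actions/checkout@v4` steps use the default shallow clone, but the `sonar` job's scanner relies on git history to work out new code and blame for pull-request analysis and warns when the clone is shallow; add `fetch-depth: 0` under `with:` in that job's checkout (the `ref: ${{ github.ref }}` line there only restates the default for `pull_request` events). The GitHub-owned actions in this file (`checkout@v4`, `upload-artifact@v3`, `download-artifact@v3`) are pinned to mutable tags while the third-party Sonar actions are pinned to commit SHAs later in this series; pinning all of them the same way keeps the supply-chain policy uniform, and the same applies to the sonar job added to daily-build.yml further on.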
@@ -8,7 +8,7 @@ sonar.exclusions=scripts/** sonar.coverage.exclusions=scripts/**, test/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** -sonar.python.coverage.reportPaths=coverage.xml +sonar.python.coverage.reportPaths=dist/test-coverage.xml # Exclude snomed urls as being unsafe sonar.issue.ignore.multicriteria=exclude_snomed_urls From b7230f17c7987ef440acba11bb748798441ed81a Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:45:35 +0000 Subject: [PATCH 03/20] [NRL-1922] Remove unused sonarcloud url config --- .github/workflows/pr-checks.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index c9bfebf8e..24e05034f 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -62,7 +62,6 @@ jobs: uses: sonarsource/sonarqube-scan-action@master env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # Check the Quality Gate status. - name: SonarQube Quality Gate check @@ -72,4 +71,3 @@ jobs: pollingTimeoutSec: 600 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL From 3980a114a24a518187642a50ba117af874d52be9 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:47:39 +0000 Subject: [PATCH 04/20] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 24e05034f..e83ef8ddf 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -5,9 +5,6 @@ on: pull_request: types: [opened, reopened, synchronize] -concurrency: - cancel-in-progress: false - permissions: id-token: write contents: read @@ -45,7 +42,7 @@ jobs: sonar: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest - after: build + needs: build steps: - uses: actions/checkout@v4 with: 
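Review bot: Deleting the `concurrency` block in the first hunk of the "Fix pr-checks workflow issues" patch removes the only control over several runs for the same PR executing at once on the CodeBuild runner; the block was invalid only because it had no `group`, not because the idea was wrong. If serialising runs per PR was the intent, `concurrency:` / `  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}` / `  cancel-in-progress: false` restores it in three lines. The second hunk's `after:` → `needs:` correction is fine as is.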
From f6f4dd3dffaa146551c419e6f7380c41246f9926 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:49:29 +0000 Subject: [PATCH 05/20] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index e83ef8ddf..fedb1c707 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -37,7 +37,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: build-artifacts - path: dist + path: dist sonar: name: SonarQube analysis and quality gate check @@ -52,7 +52,7 @@ jobs: uses: actions/download-artifact@v3 with: name: build-artifacts - path: dist + path: dist # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan From 094192f306994e0c6ec3299729e78952bd2bbd4c Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:51:18 +0000 Subject: [PATCH 06/20] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index fedb1c707..ea156252c 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -34,7 +34,7 @@ jobs: run: make test - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: build-artifacts path: dist @@ -49,7 +49,7 @@ jobs: ref: ${{ github.ref }} - name: Get build artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: build-artifacts path: dist From 17f9f31ebb88235ff28c21be23be5fdb4975d507 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:58:47 +0000 Subject: [PATCH 07/20] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index ea156252c..2fed5737e 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -5,16 +5,13 @@ on: pull_request: types: [opened, reopened, synchronize] -permissions: - id-token: write - contents: read - actions: write - pull-requests: write - jobs: build: name: Build and test runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + permissions: + contents: read + actions: write steps: - name: Git clone - ${{ github.ref }} @@ -43,6 +40,9 @@ jobs: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest needs: build + permissions: + contents: read + actions: write steps: - uses: actions/checkout@v4 with: From 3d5f28de3662d49e1448cf92578793c3bc57f8b5 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 15:15:12 +0000 Subject: [PATCH 08/20] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 2fed5737e..a9eb33170 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -56,14 +56,14 @@ jobs: # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@master + uses: sonarsource/sonarqube-scan-action@v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Check the Quality Gate status. - name: SonarQube Quality Gate check id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@master + uses: sonarsource/sonarqube-quality-gate-action@v1.2.0 with: pollingTimeoutSec: 600 env: From 3c44d1b0ba460384842772fd62da3498fe06e711 Mon Sep 17 00:00:00 2001 
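Review bot: `actions: write` is granted to both jobs in the per-job `permissions` blocks, but nothing visible in either job needs it: checkout plus upload/download of an artifact within the same run work with the default job token, and the Sonar steps take only `SONAR_TOKEN`. Unless a step outside the hunk (for example a cache or artifact deletion) requires it, drop the line or reduce it to `actions: read`; the same grant is repeated in the sonar job added to daily-build.yml later in the series and in the final patch that moves daily-build's permissions to job level. Moving the grants from workflow level to job level is otherwise the right direction.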
From: Matt Dean Date: Fri, 13 Feb 2026 15:20:52 +0000 Subject: [PATCH 09/20] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index a9eb33170..c20dcb961 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -56,14 +56,14 @@ jobs: # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@v7.0.0 + uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Check the Quality Gate status. - name: SonarQube Quality Gate check id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@v1.2.0 + uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0 with: pollingTimeoutSec: 600 env: From 2767b3dcd58b44b2ed92cdfe366ba07a03988ea4 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 15:47:49 +0000 Subject: [PATCH 10/20] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index c20dcb961..0a65ccf3a 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -9,6 +9,7 @@ jobs: build: name: Build and test runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + environment: pull-request permissions: contents: read actions: write @@ -40,6 +41,7 @@ jobs: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest needs: build + environment: pull-request permissions: contents: read actions: write From db55f84c916d898bdea44fe5789829f6601c9c76 Mon Sep 17 00:00:00 2001 
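Review bot: `environment: pull-request` is added to both jobs without any record, in the file or the commit message, of what the environment provides. That matters here because the `build` job runs PR-authored code (`poetry install`, `make build`, `make test`) on the self-hosted CodeBuild runner, so a reader needs to know whether the environment exists to gate such runs (required reviewers, deployment-branch rules) or only to scope `SONAR_TOKEN` to the sonar job. Add a one-line comment above the first `environment:` key naming the secrets it holds and the protection rules it carries; the same line is later copied into daily-build.yml's sonar job, where the answer may differ.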
From: Matt Dean Date: Fri, 13 Feb 2026 16:37:27 +0000 Subject: [PATCH 11/20] [NRL-1922] Fix pr-checks workflow issues --- sonar-project.properties | 5 ----- 1 file changed, 5 deletions(-) diff --git a/sonar-project.properties b/sonar-project.properties index a4df9452b..609196529 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -9,8 +9,3 @@ sonar.coverage.exclusions=scripts/**, test/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** sonar.python.coverage.reportPaths=dist/test-coverage.xml - -# Exclude snomed urls as being unsafe -sonar.issue.ignore.multicriteria=exclude_snomed_urls -sonar.issue.ignore.multicriteria.exclude_snomed_urls.ruleKey=python:S5332 -sonar.issue.ignore.multicriteria.exclude_snomed_urls.pattern=**http://snomed\.info(/sct)?** From 31faaf593a9cf997c3f50548c1001e98fda9a83c Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 16:41:05 +0000 Subject: [PATCH 12/20] [NRL-1922] Fix pr-checks workflow issues --- sonar-project.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sonar-project.properties b/sonar-project.properties index 609196529..c1fe27002 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -2,7 +2,7 @@ sonar.projectKey=NHSDigital_NRLF sonar.organization=nhsdigital sonar.projectName=NRLF -sonar.python.version=3.12.10 +sonar.python.version=3.12 sonar.exclusions=scripts/** sonar.coverage.exclusions=scripts/**, test/**, **/tests/** From 1437ffcdd54c0a91023ff883cd6e1292cdc5b3d5 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 17:10:04 +0000 Subject: [PATCH 13/20] [NRL-1922] Remove placeholder comments from pr-checks workflow --- .github/workflows/pr-checks.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 0a65ccf3a..04993b154 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml 
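Review bot: Removing the `python:S5332` ignore rule changes the security analysis, and the commit message ("Fix pr-checks workflow issues") does not say why. S5332 reports clear-text protocols, and `http://snomed.info/sct` is the SNOMED code-system identifier used as an opaque URI rather than a network endpoint, so the findings the rule suppressed are likely to reappear and count against the quality gate this series introduces. If the lines were dropped because the pattern syntax never matched, or because the exclusion is now configured in the SonarCloud project settings, state that in the commit message or leave a one-line `# S5332 for snomed.info URIs is suppressed in <project settings location>` comment in the file so the next person does not re-add it.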
@@ -56,13 +56,11 @@ jobs: name: build-artifacts path: dist - # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # Check the Quality Gate status. - name: SonarQube Quality Gate check id: sonarqube-quality-gate-check uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0 From 64db9ff5c9c2d85536ba5b0b58e8af477313e522 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Feb 2026 15:47:21 +0000 Subject: [PATCH 14/20] [NRL-1922] Set relative flag for coverage config. Rename workflow jobs --- .github/workflows/pr-checks.yml | 6 +++--- pyproject.toml | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 04993b154..5ddb4fb16 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -38,7 +38,7 @@ jobs: path: dist sonar: - name: SonarQube analysis and quality gate check + name: SonarQube scan runs-on: ubuntu-latest needs: build environment: pull-request @@ -56,12 +56,12 @@ jobs: name: build-artifacts path: dist - - name: SonarQube Scan + - name: SonarQube scan uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - name: SonarQube Quality Gate check + - name: SonarQube quality gate check id: sonarqube-quality-gate-check uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0 with: diff --git a/pyproject.toml b/pyproject.toml index 322d3a8b1..4e8612ad6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -86,6 +86,7 @@ docstring-code-format = true docstring-code-line-length = 80 [tool.coverage.run] +relative_files = true branch = true omit = [ "*/tests/*", 
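Review bot: `relative_files = true` in the pyproject.toml hunk has no comment, and the reason for it is non-local: the XML report is written by `make test` on the CodeBuild runner and read by the `sonar` job on `ubuntu-latest`, where the workspace path differs, so the report must record paths relative to the checkout. Add `# report is consumed by the sonar job on a different runner; paths must be checkout-relative` above the line. If coverage data is ever combined from several processes or machines, a `[tool.coverage.paths]` mapping would also be needed — worth confirming against how `make test` runs.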
From 8e9587f71139024040ff6d5637512f88f69c9ed7 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Feb 2026 16:00:15 +0000 Subject: [PATCH 15/20] [NRL-1922] WIP add some workflow debug --- .github/workflows/pr-checks.yml | 5 +++++ sonar-project.properties | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 5ddb4fb16..823508792 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -56,6 +56,11 @@ jobs: name: build-artifacts path: dist + - name: DEBUG - Check things are set up correctly + run: | + find . -name "test-coverage.xml" + ls -la dist + - name: SonarQube scan uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: diff --git a/sonar-project.properties b/sonar-project.properties index c1fe27002..c2ec1f27a 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -5,7 +5,7 @@ sonar.projectName=NRLF sonar.python.version=3.12 sonar.exclusions=scripts/** -sonar.coverage.exclusions=scripts/**, test/**, **/tests/** +sonar.coverage.exclusions=scripts/**, tests/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** sonar.python.coverage.reportPaths=dist/test-coverage.xml From 3189872752e7d4b42e53cc2fdc8f122cf39cf2ca Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Feb 2026 16:09:24 +0000 Subject: [PATCH 16/20] [NRL-1922] Explicitly call our sonar sources and tests paths --- sonar-project.properties | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sonar-project.properties b/sonar-project.properties index c2ec1f27a..22f2742f5 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -4,6 +4,8 @@ sonar.projectName=NRLF sonar.python.version=3.12 +sonar.sources=. +sonar.tests=**/tests/** sonar.exclusions=scripts/** sonar.coverage.exclusions=scripts/**, tests/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** 
From 7fa8b1ba3c8c684bc81f5276212452fb9f6e2d7d Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Feb 2026 16:15:00 +0000 Subject: [PATCH 17/20] [NRL-1922] Explicitly call our sonar sources and tests paths --- sonar-project.properties | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sonar-project.properties b/sonar-project.properties index 22f2742f5..746c4e678 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -5,8 +5,9 @@ sonar.projectName=NRLF sonar.python.version=3.12 sonar.sources=. -sonar.tests=**/tests/** sonar.exclusions=scripts/** +sonar.tests=. +sonar.tests.inclusions=**/tests/** sonar.coverage.exclusions=scripts/**, tests/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** From 709e704e0e61c399250a1444f505fef0986fc832 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Tue, 24 Feb 2026 11:19:00 +0000 Subject: [PATCH 18/20] [NRL-1922] Remove debug from pr-checks. Add linting to build job --- .github/workflows/pr-checks.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 823508792..ad5b9e56e 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -25,6 +25,9 @@ jobs: echo "${HOME}/.asdf/bin" >> $GITHUB_PATH poetry install --no-root + - name: Lint + run: make lint + - name: Build run: make build @@ -56,11 +59,6 @@ jobs: name: build-artifacts path: dist - - name: DEBUG - Check things are set up correctly - run: | - find . -name "test-coverage.xml" - ls -la dist - - name: SonarQube scan uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: From 27243cf5c659e3117cee7a8855975d7af455639b Mon Sep 17 00:00:00 2001 
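Review bot: `sonar.tests.inclusions` is not a scanner property — the documented key is `sonar.test.inclusions` (singular) — so the added line is ignored, and with `sonar.sources=.` and `sonar.tests=.` both covering the same tree the scanner will typically refuse to index files as both main and test code. Change the line to `sonar.test.inclusions=**/tests/**`. Once that is in place the `**/tests/**` entry in `sonar.coverage.exclusions` on the next line is redundant, since test files are not coverage targets, though leaving it does no harm.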
From: Matt Dean Date: Tue, 24 Feb 2026 11:19:36 +0000 Subject: [PATCH 19/20] [NRL-1922] Add sonarqube scan to daily build. Trigger it on every push to develop --- .github/workflows/daily-build.yml | 44 ++++++++++++++++++++++++++++--- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml index f7c84d787..6aff1bebf 100644 --- a/.github/workflows/daily-build.yml +++ b/.github/workflows/daily-build.yml @@ -6,6 +6,9 @@ permissions: actions: write on: + push: + branches: + - develop schedule: - cron: "0 1 * * *" workflow_dispatch: @@ -18,7 +21,7 @@ on: jobs: build: - name: Build - ${{ github.ref }} + name: Build and test - ${{ github.ref }} runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} steps: @@ -35,12 +38,12 @@ jobs: - name: Run Linting run: make lint - - name: Run Unit Tests - run: make test - - name: Build Project run: make build + - name: Run Unit Tests + run: make test + - name: Configure Management Credentials uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 with: @@ -60,6 +63,7 @@ jobs: name: build-artifacts path: | dist/*.zip + dist/test-coverage.xml !dist/nrlf_permissions.zip - name: Save NRLF Permissions cache 
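Review bot: The artifact hunk keeps the existing `!dist/nrlf_permissions.zip` exclusion while adding `dist/test-coverage.xml`, but pr-checks.yml's build job earlier in this series uploads the whole `dist` directory under the same artifact name with no exclusion. If the permissions bundle is excluded here to keep it out of downloadable artifacts, pr-checks.yml should mirror that; and since its sonar job only consumes the coverage report, narrowing that upload to `path: dist/test-coverage.xml` would be the smallest change. The `push` trigger added in the first hunk also runs the credential-bearing build steps on every push to `develop`, not just the scan — presumably intended, but worth a sentence in the commit message.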
@@ -67,3 +71,35 @@ jobs: with: key: ${{ github.run_id }}-nrlf-permissions path: dist/nrlf_permissions.zip + + sonar: + name: SonarQube scan + runs-on: ubuntu-latest + needs: build + environment: pull-request + permissions: + contents: read + actions: write + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Get build artifacts + uses: actions/download-artifact@v4 + with: + name: build-artifacts + path: dist + + - name: SonarQube scan + uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + - name: SonarQube quality gate check + id: sonarqube-quality-gate-check + uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0 + with: + pollingTimeoutSec: 600 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 8a60b37edd3e30dcc2b695d11270f74a6d0b8514 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Tue, 24 Feb 2026 15:21:10 +0000 Subject: [PATCH 20/20] [NRL-1922] Move workflow permissions from top-level to job-level --- .github/workflows/daily-build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml index 6aff1bebf..2a74d63fd 100644 --- a/.github/workflows/daily-build.yml +++ b/.github/workflows/daily-build.yml @@ -1,9 +1,5 @@ name: Build NRL Project on Environment run-name: Build NRL Project on ${{ inputs.environment || 'dev' }} -permissions: - id-token: write - contents: read - actions: write on: push: @@ -23,6 +19,10 @@ jobs: build: name: Build and test - ${{ github.ref }} runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + permissions: + contents: read + actions: write + id-token: write steps: - name: Git clone - ${{ github.ref }}
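Review bot: `environment: pull-request` is carried into a workflow that runs on `push` to `develop`, `schedule` and `workflow_dispatch`, so the name no longer describes what it gates; if that environment has a deployment-branch policy limited to PR refs this job will be rejected at run time, and if it only holds `SONAR_TOKEN` a neutral name such as `sonar` would be clearer. The job checks out with `actions/checkout@v4` while the rest of this file pins third-party actions to commit SHAs (`aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a`); pin it the same way or document the policy for GitHub-owned actions. The job is otherwise a verbatim copy of the one in pr-checks.yml, so a `workflow_call` reusable workflow or a composite action would stop the two from drifting.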