NHSDigital · mattdean3-nhs · Feb 25, 2026 · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026
@@ -1,11 +1,10 @@
 name: Build NRL Project on Environment
 run-name: Build NRL Project on ${{ inputs.environment || 'dev' }}
-permissions:
-  id-token: write
-  contents: read
-  actions: write
 
 on:
+  push:
+    branches:
+      - develop
   schedule:
     - cron: "0 1 * * *"
   workflow_dispatch:
@@ -18,8 +17,12 @@ on:
 
 jobs:
   build:
-    name: Build - ${{ github.ref }}
+    name: Build and test - ${{ github.ref }}
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      contents: read
+      actions: write
+      id-token: write
 
     steps:
       - name: Git clone - ${{ github.ref }}
@@ -35,12 +38,12 @@ jobs:
       - name: Run Linting
         run: make lint
 
-      - name: Run Unit Tests
-        run: make test
-
       - name: Build Project
         run: make build
 
+      - name: Run Unit Tests
+        run: make test
+
       - name: Configure Management Credentials
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
@@ -60,10 +63,43 @@ jobs:
           name: build-artifacts
           path: |
             dist/*.zip
+            dist/test-coverage.xml
             !dist/nrlf_permissions.zip
 
       - name: Save NRLF Permissions cache
         uses: actions/cache/save@v4
         with:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
+
+  sonar:
+    name: SonarQube scan
+    runs-on: ubuntu-latest
+    needs: build
+    environment: pull-request
+    permissions:
+      contents: read
+      actions: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Get build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist
+
+      - name: SonarQube scan
+        uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      - name: SonarQube quality gate check
+        id: sonarqube-quality-gate-check
+        uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0
+        with:
+          pollingTimeoutSec: 600
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -0,0 +1,73 @@
+name: Run PR checks
+run-name: "Running checks for PR #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})"
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    environment: pull-request
+    permissions:
+      contents: read
+      actions: write
+
+    steps:
+      - name: Git clone - ${{ github.ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Setup environment
+        run: |
+          echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+          poetry install --no-root
+
+      - name: Lint
+        run: make lint
+
+      - name: Build
+        run: make build
+
+      - name: Test
+        run: make test
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist
+
+  sonar:
+    name: SonarQube scan
+    runs-on: ubuntu-latest
+    needs: build
+    environment: pull-request
+    permissions:
+      contents: read
+      actions: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Get build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist
+
+      - name: SonarQube scan
+        uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      - name: SonarQube quality gate check
+        id: sonarqube-quality-gate-check
+        uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0
+        with:
+          pollingTimeoutSec: 600
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -6,7 +6,7 @@ MAKEFLAGS := --no-print-directory
 SHELL := /bin/bash
 
 DIST_PATH ?= ./dist
-TEST_ARGS ?= --cov --cov-report=term-missing
+TEST_ARGS ?= --cov --cov-report=term-missing --cov-report=xml:$(DIST_PATH)/test-coverage.xml
 SMOKE_TEST_ARGS ?=
 FEATURE_TEST_ARGS ?= ./tests/features --format progress2
 TF_WORKSPACE_NAME ?= $(shell terraform -chdir=terraform/infrastructure workspace show)

@@ -86,6 +86,7 @@ docstring-code-format = true
 docstring-code-line-length = 80
 
 [tool.coverage.run]
+relative_files = true
 branch = true
 omit = [
     "*/tests/*",

@@ -1,13 +1,14 @@
 sonar.projectKey=NHSDigital_NRLF
 sonar.organization=nhsdigital
 sonar.projectName=NRLF
-sonar.python.version=3.9.5
-sonar.terraform.provider.aws.version=4.63.0
-# TODO: Some paths here are outdated and perhaps we don't want to exclude everything
-sonar.cpd.exclusions=api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/**
-sonar.exclusions=scripts/**, **/scripts/**, api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/**
 
-# Exclude snomed urls as being unsafe
-sonar.issue.ignore.multicriteria=exclude_snomed_urls
-sonar.issue.ignore.multicriteria.exclude_snomed_urls.ruleKey=python:S5332
-sonar.issue.ignore.multicriteria.exclude_snomed_urls.pattern=**http://snomed\.info(/sct)?**
+sonar.python.version=3.12
+
+sonar.sources=.
+sonar.exclusions=scripts/**
+sonar.tests=.
+sonar.tests.inclusions=**/tests/**
+sonar.coverage.exclusions=scripts/**, tests/**, **/tests/**
+sonar.cpd.exclusions=tests/**, **/tests/**
+
+sonar.python.coverage.reportPaths=dist/test-coverage.xml