[GPCAPIM-260]-[Steel Thread integration testing]-[RP]-4

Author: BJSS-russell-pollock

.github/workflows/cicd-1-pull-request.yaml

@@ -83,17 +83,9 @@ jobs:
         IDP_AWS_REPORT_UPLOAD_REGION: ${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}
         IDP_AWS_REPORT_UPLOAD_ROLE_NAME: ${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}
         IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT: ${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}
-  test-stage: # Recommended maximum execution time is 5 minutes
-    name: "Test stage"
-    needs: [metadata, commit-stage]
-    uses: ./.github/workflows/stage-2-test.yaml
-    with:
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-    secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   build-stage: # Recommended maximum execution time is 3 minutes
     name: "Build stage"
-    needs: [metadata, test-stage]
+    needs: [metadata]
     uses: ./.github/workflows/stage-3-build.yaml
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     with:
@@ -104,16 +96,3 @@ jobs:
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
-  acceptance-stage: # Recommended maximum execution time is 10 minutes
-    name: "Acceptance stage"
-    needs: [metadata, build-stage]
-    uses: ./.github/workflows/stage-4-acceptance.yaml
-    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
-    with:
-      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
-      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
-      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      version: "${{ needs.metadata.outputs.version }}"

.github/workflows/preview-env.yml

@@ -17,13 +17,11 @@ jobs:
     name: Manage preview environment
     runs-on: ubuntu-latest
 
-    # Needed for OIDC → AWS (recommended)
     permissions:
       id-token: write
       contents: read
       pull-requests: write
 
-    # One job per branch at a time
     concurrency:
       group: preview-${{ github.head_ref || github.ref_name }}
       cancel-in-progress: true
@@ -35,7 +33,6 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
-      # Configure AWS credentials (OIDC recommended)
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@4c2b9cc816c86555b61460789ac95da17d7e829b
         with:
@@ -49,35 +46,23 @@ jobs:
       - name: Compute branch metadata
         id: meta
         run: |
-          # For PRs, head_ref is the source branch name
           RAW_BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
-
-          # Sanitize branch name for tags / hostnames (lowercase, only allowed chars)
           SANITIZED_BRANCH=$(
             printf '%s' "$RAW_BRANCH" \
               | tr '[:upper:]' '[:lower:]' \
               | tr '._' '-' \
               | tr -c 'a-z0-9-' '-' \
               | sed -E 's/-{2,}/-/g; s/^-+//; s/-+$//'
           )
-
-          # Last resort fallback if everything got stripped
           if [ -z "$SANITIZED_BRANCH" ]; then
             SANITIZED_BRANCH="invalid-branch-name"
           fi
-
           echo "raw_branch=$RAW_BRANCH" >> $GITHUB_OUTPUT
           echo "branch_name=$SANITIZED_BRANCH" >> $GITHUB_OUTPUT
-
-          # ECR repo URL (must match core stack's ECR repo)
           ECR_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY_NAME}"
           echo "ecr_url=$ECR_URL" >> $GITHUB_OUTPUT
-
-          # Terraform state key for this preview env
           TF_STATE_KEY="${PREVIEW_STATE_PREFIX}${SANITIZED_BRANCH}.tfstate"
           echo "tf_state_key=$TF_STATE_KEY" >> $GITHUB_OUTPUT
-
-          # ALB listener rule priority - derive from PR number (must be unique per listener)
           if [ -n "${{ github.event.number }}" ]; then
             PRIORITY=$(( 1000 + ${{ github.event.number }} ))
           else
@@ -98,24 +83,20 @@ jobs:
         run: |
           IMAGE_TAG="${{ steps.meta.outputs.branch_name }}"
           ECR_URL="${{ steps.meta.outputs.ecr_url }}"
-
           make build IMAGE_TAG="${IMAGE_TAG}" ECR_URL="${ECR_URL}"
 
       - name: Push Docker image to ECR
         if: github.event.action != 'closed'
         run: |
           IMAGE_TAG="${{ steps.meta.outputs.branch_name }}"
           ECR_URL="${{ steps.meta.outputs.ecr_url }}"
-
           docker push "${ECR_URL}:${IMAGE_TAG}"
 
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
         with:
           terraform_version: 1.14.0
 
-      # ---------- APPLY (PR opened / updated) ----------
-
       - name: Terraform init (apply)
         if: github.event.action != 'closed'
         working-directory: infrastructure/environments/preview
@@ -133,25 +114,20 @@ jobs:
           TF_VAR_image_tag: ${{ steps.meta.outputs.branch_name }}
           TF_VAR_alb_rule_priority: ${{ steps.meta.outputs.alb_rule_priority }}
         run: |
-          terraform apply \
-            -auto-approve
+          terraform apply -auto-approve
 
       - name: Capture preview TF outputs
         if: github.event.action != 'closed'
         id: tf-output
         working-directory: infrastructure/environments/preview
         run: |
           terraform output -json > tf-output.json
-
           URL=$(jq -r '.url.value' tf-output.json)
           echo "preview_url=$URL" >> $GITHUB_OUTPUT
-
           TG=$(jq -r '.target_group_arn.value' tf-output.json)
           echo "target_group=$TG" >> $GITHUB_OUTPUT
-
           ECS_SERVICE=$(jq -r '.ecs_service_name.value' tf-output.json)
           echo "ecs_service=$ECS_SERVICE" >> $GITHUB_OUTPUT
-
           ECS_CLUSTER=$(jq -r '.ecs_cluster_name.value' tf-output.json)
           echo "ecs_cluster=$ECS_CLUSTER" >> $GITHUB_OUTPUT
 
@@ -184,7 +160,6 @@ jobs:
           proxygen-api-name: ${{ vars.PROXYGEN_API_NAME }}
           proxygen-client-id: ${{ vars.PREVIEW_ENV_PROXYGEN_CLIENT_ID }}
 
-      # ---------- Ensure re-deployment (PR updated) ----------
       - name: Force ECS service redeployment
         if: github.event.action == 'synchronize'
         id: await-redeployment
@@ -195,7 +170,6 @@ jobs:
             --force-new-deployment \
             --region ${{ env.AWS_REGION }}
 
-      # ---------- DESTROY (PR closed) ----------
       - name: Terraform init (destroy)
         if: github.event.action == 'closed'
         working-directory: infrastructure/environments/preview
@@ -215,14 +189,13 @@ jobs:
         run: |
           terraform destroy -auto-approve
 
-      # ---------- Wait on AWS tasks and notify ----------
       - name: Await deployment completion
         if: github.event.action != 'closed'
         run: |
           aws ecs wait services-stable \
-          --cluster ${{ steps.tf-output.outputs.ecs_cluster }} \
-          --services ${{ steps.tf-output.outputs.ecs_service }} \
-          --region ${{ env.AWS_REGION }}
+            --cluster ${{ steps.tf-output.outputs.ecs_cluster }} \
+            --services ${{ steps.tf-output.outputs.ecs_service }} \
+            --region ${{ env.AWS_REGION }}
 
       - name: Get mTLS certs for testing
         if: github.event.action != 'closed'
@@ -246,8 +219,6 @@ jobs:
             echo "http_result=missing-url" >> "$GITHUB_OUTPUT"
             exit 0
           fi
-
-          # Reachability check: allow 404 (app routes might not exist yet) but fail otherwise
           printf '%s' "$_cds_gateway_dev_mtls_client1_key_secret" > /tmp/client1-key.pem
           printf '%s' "$_cds_gateway_dev_mtls_client1_key_public" > /tmp/client1-cert.pem
           STATUS=$(curl \
@@ -285,6 +256,138 @@ jobs:
           echo "http_result=unexpected-status" >> "$GITHUB_OUTPUT"
           exit 0
 
+      - name: Prepare mTLS cert files for tests
+        if: github.event.action != 'closed'
+        run: |
+          printf '%s' "$_cds_gateway_dev_mtls_client1_key_secret" > /tmp/client1-key.pem
+          printf '%s' "$_cds_gateway_dev_mtls_client1_key_public" > /tmp/client1-cert.pem
+          chmod 600 /tmp/client1-key.pem /tmp/client1-cert.pem
+
+      - name: Run unit tests against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: |
+          echo "Running unit tests pointing at ${BASE_URL}"
+          make test-unit
+
+      - name: Upload unit test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: unit-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Publish unit test results to summary
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/unit-tests.xml
+
+      - name: Run contract tests against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: |
+          echo "Running contract tests pointing at ${BASE_URL}"
+          make test-contract
+
+      - name: Upload contract test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: contract-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Publish contract test results to summary
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/contract-tests.xml
+
+      - name: Run schema validation tests against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: |
+          echo "Running schema validation tests pointing at ${BASE_URL}"
+          make test-schema
+
+      - name: Upload schema test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: schema-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Publish schema test results to summary
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/schema-tests.xml
+
+      - name: Run integration tests against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: |
+          echo "Running integration tests pointing at ${BASE_URL}"
+          make test-integration
+
+      - name: Upload integration test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: integration-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Publish integration test results to summary
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/integration-tests.xml
+
+      - name: Run acceptance tests against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: |
+          echo "Running acceptance tests pointing at ${BASE_URL}"
+          make test-acceptance
+
+      - name: Upload acceptance test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: acceptance-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Publish acceptance test results to summary
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/acceptance-tests.xml
+
+      - name: Remove mTLS temp files
+        if: github.event.action != 'closed'
+        run: |
+          rm -f /tmp/client1-key.pem /tmp/client1-cert.pem || true
+
       - name: Comment function name on PR
         if: github.event_name == 'pull_request' && github.event.action != 'closed'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
@@ -300,27 +403,22 @@ jobs:
             const issueNumber = context.issue.number;
             const smokeStatus = '${{ steps.smoke-test.outputs.http_status }}' || 'n/a';
             const smokeResult = '${{ steps.smoke-test.outputs.http_result }}' || 'not-run';
-
             const smokeLabels = {
               success: ':white_check_mark: Passed',
               'allowed-404': ':white_check_mark: Allowed 404',
               'unexpected-status': ':x: Unexpected status',
               'missing-url': ':x: Missing URL',
             };
-
             const smokeReadable = smokeLabels[smokeResult] ?? smokeResult;
-
             const { data: comments } = await github.rest.issues.listComments({
               owner,
               repo,
               issue_number: issueNumber,
               per_page: 100,
             });
-
             for (const comment of comments) {
               const isBot = comment.user?.login === 'github-actions[bot]';
               const isPreviewUpdate = comment.body?.includes('Deployment Complete');
-
               if (isBot && isPreviewUpdate) {
                 await github.rest.issues.deleteComment({
                   owner,
@@ -329,7 +427,6 @@ jobs:
                 });
               }
             }
-
             const lines = [
               '**Deployment Complete**',
               `- Preview URL: [${url}](${url}) — [Health endpoint](${url}/health)`,
@@ -339,15 +436,13 @@ jobs:
               `- ECS Service: \`${service}\``,
               `- ALB Target: \`${alb}\``,
             ];
-
             await github.rest.issues.createComment({
               owner,
               repo,
               issue_number: issueNumber,
               body: lines.join('\n'),
             });
 
-      # ---------- Security scanning ----------
       - name: Trivy filesystem scan
         if: github.event.action != 'closed'
         uses: nhs-england-tools/trivy-action/image-scan@3456c1657a37d500027fd782e6b08911725392da
@@ -356,8 +451,8 @@ jobs:
           artifact-name: trivy-scan-${{ steps.meta.outputs.branch_name }}
 
       - name: Generate SBOM
-        uses: nhs-england-tools/trivy-action/sbom-scan@3456c1657a37d500027fd782e6b08911725392da
         if: github.event.action != 'closed'
+        uses: nhs-england-tools/trivy-action/sbom-scan@3456c1657a37d500027fd782e6b08911725392da
         with:
           image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}}
           artifact-name: trivy-sbom-${{ steps.meta.outputs.branch_name }}