NHSDigital · PedroSoaresNHS · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
@@ -7,25 +7,6 @@ on:
     types: [opened, edited, synchronize]
 
 jobs:
-  changes:
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read
-    outputs:
-      frontend: ${{ steps.filter.outputs.frontend }}
-      backend: ${{ steps.filter.outputs.backend }}
-    steps:
-    - uses: dorny/paths-filter@v3
-      id: filter
-      with:
-        filters: |
-          frontend:
-            - 'app/src/**'
-          backend:
-            - '*.py'
-            - 'lambdas/*.py'
-            - 'lambdas/**/*.py'
-
   checklist_validator:
     runs-on: ubuntu-latest
     permissions:
@@ -160,82 +141,3 @@ jobs:
           BRANCH_NAME=${{ github.event.repository.default_branch }}
           chmod +x scripts/markdown-validator.sh
           scripts/markdown-validator.sh
-
-  react_lint_and_build:
-    name: React Lint and Build
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    needs: changes
-    if: needs.changes.outputs.frontend == 'true'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Install packages
-        id: install
-        run: |
-          make install
-
-      - name: Run Lint
-        id: lint
-        working-directory: app
-        run: |
-          npm run lint
-
-      - name: Run Build
-        id: build
-        working-directory: app
-        if: always()
-        run: |
-          npm run build
-
-  python_lint:
-    name: Python Lint
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    needs: changes
-    if: needs.changes.outputs.backend == 'true'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Set up Python 3.11
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
-      - name: Setup env
-        run: |
-          make env
-
-      - name: Get changed files
-        id: changed-files
-        run: |
-          git remote set-branches origin main && git fetch --depth 1 origin main && git branch main origin/main
-          echo "CHANGED_FILES=$(git diff main --name-status | grep -E '^[^D].*\.py$' | cut -f2 | tr '\n' ' ')" >> $GITHUB_OUTPUT
-
-      - name: Run black
-        id: black
-        run: |
-          if [ -z "${{ steps.changed-files.outputs.CHANGED_FILES }}" ]; then echo "No changed Python files to format"; exit 0; fi; \
-          ./lambdas/venv/bin/python3 -m black --check --diff --color ${{ steps.changed-files.outputs.CHANGED_FILES }}
-
-      - name: Run ruff
-        id: ruff
-        if: always()
-        run: |
-          if [ -z "${{ steps.changed-files.outputs.CHANGED_FILES }}" ]; then echo "No changed Python files to lint"; exit 0; fi; \
-          ./lambdas/venv/bin/ruff check ${{ steps.changed-files.outputs.CHANGED_FILES }}
-
-      - name: Run isort with black
-        id: isort
-        if: always()
-        run: |
-          if [ -z "${{ steps.changed-files.outputs.CHANGED_FILES }}" ]; then echo "No changed Python files to sort imports"; exit 0; fi; \
-          ./lambdas/venv/bin/python3 -m isort --profile black --check-only ${{ steps.changed-files.outputs.CHANGED_FILES }}
@@ -60,6 +60,12 @@ jobs:
           echo "::add-mask::$container_port"
           echo "CONTAINER_PORT=$container_port" >> $GITHUB_ENV
 
+      - name: Get CloudFront domain name
+        id: cloudfront-domain-name
+        run: |
+          cloudfront_domain_name=$(aws cloudfront list-distributions --query "DistributionList.Items[?starts_with(Origins.Items[0].DomainName, '${{ inputs.sandbox }}')].DomainName" --output text)
+          echo "Cloudfront domain name found for environment: $cloudfront_domain_name"
+          echo "CLOUDFRONT_DOMAIN_NAME=$cloudfront_domain_name" >> $GITHUB_ENV
 
       - name: Login to Amazon ECR
         id: login-ecr
@@ -106,6 +112,7 @@ jobs:
         run: |
           docker build \
             --build-arg="CONTAINER_PORT=$CONTAINER_PORT" \
+            --build-arg="CLOUDFRONT_DOMAIN_NAME=$CLOUDFRONT_DOMAIN_NAME" \
             --build-arg="BUILD_ENV=$BUILD_ENV" \
             -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG \
             -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG_SHA .

@@ -87,15 +87,3 @@ jobs:
       lambda_layer_name: alerting_lambda_layer
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
-
-  deploy_files_lambda_layer:
-    name: Deploy files_lambda_layer
-    uses: ./.github/workflows/base-lambda-layer-reusable-publish.yml
-    with:
-        environment: ${{ inputs.environment}}
-        python_version: ${{ inputs.python_version }}
-        build_branch: ${{ inputs.build_branch }}
-        sandbox: ${{ inputs.sandbox }}
-        lambda_layer_name: files_lambda_layer
-    secrets:
-        AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
@@ -695,7 +695,7 @@ jobs:
       sandbox: ${{ inputs.sandbox }}
       lambda_handler_name: document_reference_virus_scan_handler
       lambda_aws_name: DocumentReferenceVirusScanCheck
-      lambda_layer_names: "core_lambda_layer,files_lambda_layer"
+      lambda_layer_names: "core_lambda_layer"
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
@@ -838,3 +838,17 @@ jobs:
       lambda_layer_names: "core_lambda_layer"
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+
+  deploy_report_s3_content_lambda:
+    name: Deploy Report S3 Content Lambda
+    uses: ./.github/workflows/base-lambdas-reusable-deploy.yml
+    with:
+      environment: ${{ inputs.environment }}
+      python_version: ${{ inputs.python_version }}
+      build_branch: ${{ inputs.build_branch }}
+      sandbox: ${{ inputs.sandbox }}
+      lambda_handler_name: report_s3_content_handler
+      lambda_aws_name: ReportS3Content
+      lambda_layer_names: "core_lambda_layer"
+    secrets:
+      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
@@ -53,6 +53,10 @@ jobs:
           source ./lambdas/venv/bin/activate
           echo PATH=$PATH >> $GITHUB_ENV
 
+      - name: Format Code and ruff check
+        run: |
+          make format
+
       - name: Test with pytest
         run: |
           make test-unit
@@ -7,8 +7,8 @@
     "./app/node_modules/prettier/bin/prettier.cjs --write"
     ],
   "*.py": [
-    "./lambdas/venv/bin/ruff check --fix",
-    "./lambdas/venv/bin/python3 -m black",
     "./lambdas/venv/bin/python3 -m isort --profile black",
+    "./lambdas/venv/bin/python3 -m black",
+    "./lambdas/venv/bin/ruff check ./lambdas"
   ]
 }
@@ -7,7 +7,6 @@ GITHUB_REQUIREMENTS=$(REQUIREMENTS_PATH)/requirements_github_runner.txt
 TEST_REQUIREMENTS=$(REQUIREMENTS_PATH)/requirements_test.txt
 CORE_REQUIREMENTS=$(LAMBDA_LAYER_REQUIREMENTS_PATH)/requirements_core_lambda_layer.txt
 DATA_REQUIREMENTS=$(LAMBDA_LAYER_REQUIREMENTS_PATH)/requirements_data_lambda_layer.txt
-FILES_REQUIREMENTS=$(LAMBDA_LAYER_REQUIREMENTS_PATH)/requirements_files_lambda_layer.txt
 REPORTS_REQUIREMENTS=$(LAMBDA_LAYER_REQUIREMENTS_PATH)/requirements_reports_lambda_layer.txt
 ALERTING_REQUIREMENTS=$(LAMBDA_LAYER_REQUIREMENTS_PATH)/requirements_alerting_lambda_layer.txt
 EDGE_REQUIREMENTS=$(REQUIREMENTS_PATH)/requirements_edge_lambda.txt
@@ -18,8 +17,6 @@ LAMBDA_LAYER_PYTHON_PATH=python/lib/python$(PYTHON_VERSION)/site-packages
 ZIP_BASE_PATH = ./$(LAMBDAS_BUILD_PATH)/$(lambda_name)/tmp
 ZIP_COMMON_FILES = lambdas/utils lambdas/models lambdas/services lambdas/repositories lambdas/enums lambdas/scripts
 CONTAINER ?= false
-VENV_PATH_PREFIX := $(if $(filter true,$(CONTAINER)),./.venv,./lambdas/venv)
-FORMAT_ALL ?= false
 
 .PHONY: \
 	install clean help format list requirements ruff build-and-deploy-sandbox \
@@ -84,22 +81,21 @@ clean-test:
 	find . -name '.cache' -exec rm -fr {} +
 
 format:
-	@if [ $(FORMAT_ALL) = true ]; then \
-		CHANGED_FILES=''; \
-	else \
-		CHANGED_FILES=$$(git diff main --name-status | grep -E '^[^D].*\.py$$' | cut -f2 | xargs); \
-		echo $$CHANGED_FILES; \
-		if [ -z "$$CHANGED_FILES" ]; then echo "No changed files to format"; exit 0; fi; \
-	fi; \
-	$(VENV_PATH_PREFIX)/bin/ruff check $$CHANGED_FILES --fix; \
-	$(VENV_PATH_PREFIX)/bin/python3 -m black $$CHANGED_FILES; \
-	$(VENV_PATH_PREFIX)/bin/python3 -m isort --profile black $$CHANGED_FILES
+ifeq ($(CONTAINER), true)
+	./.venv/bin/python3 -m isort --profile black lambdas/
+	./.venv/bin/python3 -m black lambdas/
+	./.venv/bin/ruff check lambdas/ --fix
+else
+	./lambdas/venv/bin/python3 -m isort --profile black lambdas/
+	./lambdas/venv/bin/python3 -m black lambdas/
+	./lambdas/venv/bin/ruff check lambdas/ --fix
+endif
+
 
 sort-requirements:
 	sort -o $(TEST_REQUIREMENTS) $(TEST_REQUIREMENTS)
 	sort -o $(CORE_REQUIREMENTS) $(CORE_REQUIREMENTS)
 	sort -o $(DATA_REQUIREMENTS) $(DATA_REQUIREMENTS)
-	sort -o $(FILES_REQUIREMENTS) $(FILES_REQUIREMENTS)
 	sort -o $(REPORTS_REQUIREMENTS) $(REPORTS_REQUIREMENTS)
 	sort -o $(ALERTING_REQUIREMENTS) $(ALERTING_REQUIREMENTS)
 
@@ -108,7 +104,6 @@ check-packages:
 	./lambdas/venv/bin/pip-audit -r $(TEST_REQUIREMENTS)
 	./lambdas/venv/bin/pip-audit -r $(CORE_REQUIREMENTS)
 	./lambdas/venv/bin/pip-audit -r $(DATA_REQUIREMENTS)
-	./lambdas/venv/bin/pip-audit -r $(FILES_REQUIREMENTS)
 	./lambdas/venv/bin/pip-audit -r $(REPORTS_REQUIREMENTS)
 	./lambdas/venv/bin/pip-audit -r $(ALERTING_REQUIREMENTS)
 
@@ -209,7 +204,6 @@ env:
 	@./lambdas/venv/bin/pip3 install -r $(TEST_REQUIREMENTS) --no-cache-dir
 	@./lambdas/venv/bin/pip3 install -r $(CORE_REQUIREMENTS) --no-cache-dir
 	@./lambdas/venv/bin/pip3 install -r $(DATA_REQUIREMENTS) --no-cache-dir
-	@./lambdas/venv/bin/pip3 install -r $(FILES_REQUIREMENTS) --no-cache-dir
 	@./lambdas/venv/bin/pip3 install -r $(REPORTS_REQUIREMENTS) --no-cache-dir
 	@./lambdas/venv/bin/pip3 install -r $(ALERTING_REQUIREMENTS) --no-cache-dir
 	@echo " "
@@ -309,25 +303,13 @@ docker-down:
 	docker-compose -f ./app/docker-compose.yml down
 
 cypress-open:
-ifeq ($(CONTAINER), true)
 	xvfb-run -- npm --prefix ./app run cypress
-else
-	npm --prefix ./app run cypress
-endif
 
 cypress-run:
-ifeq ($(CONTAINER), true)
 	xvfb-run -- npm --prefix ./app run cypress-run
-else
-	npm --prefix ./app run cypress-run
-endif
 
 cypress-report:
-ifeq ($(CONTAINER), true)
 	xvfb-run -- npm --prefix ./app run cypress-report
-else
-	npm --prefix ./app run cypress-report
-endif
 
 install-cypress:
 	npm install --save-dev cypress
@@ -84,8 +84,7 @@
                 "import/no-extraneous-dependencies": [
                     "error",
                     { "devDependencies": true }
-                ],
-                "@typescript-eslint/explicit-function-return-type": "off"
+                ]
             }
         },
         {

@@ -22,6 +22,7 @@ RUN npm run build -- --mode $BUILD_ENV
 FROM nginx:latest
 RUN apt update && apt list --upgradable && apt upgrade -y && rm -rf /var/lib/apt/lists/*
 ARG CONTAINER_PORT
+ARG CLOUDFRONT_DOMAIN_NAME
 WORKDIR /usr/share/nginx/html
 RUN rm -rf ./*
 COPY --from=builder /app/dist .
@@ -30,7 +31,7 @@ WORKDIR /etc/nginx
 COPY --from=builder ./app/docker/nginx.conf ./nginx.conf.template
 
 RUN sed -i "s/\$CONTAINER_PORT/${CONTAINER_PORT}/g" ./nginx.conf.template
-RUN cp ./nginx.conf.template ./nginx.conf
+RUN sed "s/\$CLOUDFRONT_DOMAIN_NAME/${CLOUDFRONT_DOMAIN_NAME}/g" ./nginx.conf.template > ./nginx.conf
 
 EXPOSE ${CONTAINER_PORT}
 ENTRYPOINT ["nginx", "-g", "daemon off;"]
@@ -122,10 +122,7 @@ describe('GP Workflow: View Lloyd George record', () => {
 
         cy.intercept('GET', '/SearchDocumentReferences*', {
             statusCode: 200,
-            body: {
-                references: testFiles,
-                nextPageToken: 'abc',
-            },
+            body: testFiles,
         }).as('searchDocumentReferences');
 
         cy.get('#verify-submit').click();
@@ -145,10 +142,7 @@ describe('GP Workflow: View Lloyd George record', () => {
 
                 cy.intercept('GET', '/SearchDocumentReferences*', {
                     statusCode: 200,
-                    body: {
-                        references: testFiles,
-                        nextPageToken: 'abc',
-                    },
+                    body: testFiles,
                 }).as('searchDocumentReferences');
 
                 setUpDownloadManifestIntercepts();
@@ -265,10 +259,7 @@ describe('GP Workflow: View Lloyd George record', () => {
 
                 cy.intercept('GET', '/SearchDocumentReferences*', {
                     statusCode: 200,
-                    body: {
-                        references: singleTestFile,
-                        nextPageToken: 'abc',
-                    },
+                    body: singleTestFile,
                 }).as('searchDocumentReferences');
 
                 setUpDownloadManifestIntercepts();
@@ -360,7 +351,7 @@ describe('GP Workflow: View Lloyd George record', () => {
                     statusCode: 200,
                     body: { jobStatus: 'Pending' },
                 });
-                if (pendingCounts >= 10) {
+                if (pendingCounts >= 3) {
                     req.alias = 'documentManifestThirdTimePending';
                 }
             });
@@ -372,7 +363,7 @@ describe('GP Workflow: View Lloyd George record', () => {
             cy.getByTestId('toggle-selection-btn').click();
             cy.getByTestId('download-selected-files-btn').click();
 
-            cy.wait('@documentManifestThirdTimePending', { timeout: 20000 });
+            cy.wait('@documentManifestThirdTimePending');
 
             cy.title().should('have.string', 'Service error');
             cy.url().should('have.string', '/server-error?encodedError=');

@@ -40,10 +40,7 @@ describe('PCSE Workflow: Access and download found files', () => {
 
             cy.intercept('GET', '/SearchDocumentReferences*', {
                 statusCode: 200,
-                body: {
-                    references: searchDocumentReferencesResponse,
-                    nextPageToken: 'abc',
-                },
+                body: searchDocumentReferencesResponse,
             }).as('documentSearch');
 
             cy.get('#verify-submit').click();

@@ -18,7 +18,7 @@ http {
         add_header Cache-Control "no-store, no-cache, must-revalidate" always;
         add_header Pragma "no-cache" always;
         add_header Strict-Transport-Security "max-age=63072000" always;
-        add_header Content-Security-Policy "frame-ancestors 'self'; img-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self' blob:;" always;
+        add_header Content-Security-Policy "frame-ancestors 'self'; img-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self' blob: https://$CLOUDFRONT_DOMAIN_NAME;" always;
         add_header Referrer-Policy "no-referrer" always;
         add_header Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), keyboard-map=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), xr-spatial-tracking=(self), clipboard-read=(self), clipboard-write=(self), gamepad=(self), hid=(self), idle-detection=(self), interest-cohort=(self), serial=(self), unload=(self) " always;
         add_header X-Content-Type-Options "nosniff" always;