Re-enable end-to-end tests, sourcing status endpoint from github secret, rather than fetching from APIM

Author: stevebux

.env.template

@@ -18,6 +18,7 @@ PROXY_NAME=
 export NON_PROD_API_KEY=xxx
 export INTEGRATION_API_KEY=xxx
 export PRODUCTION_API_KEY=xxx
+export STATUS_ENDPOINT_API_KEY=xxx
 
 # Private Keys
 # ============

.github/actions/acceptance-tests/action.yml

@@ -24,11 +24,13 @@ runs:
 
   steps:
     - name: Fetch terraform output
+      if: ${{ inputs.testType != 'e2e' }}
       uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
       with:
         name: terraform-output-${{ inputs.targetComponent }}
 
     - name: Get Node version
+      if: ${{ inputs.testType != 'e2e' }}
       id: nodejs_version
       shell: bash
       run: |
@@ -40,11 +42,80 @@ runs:
         GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
 
     - name: "Set PR NUMBER"
+      if: ${{ inputs.testType == 'e2e' }}
+      id: set_pr_number
       shell: bash
       run: |
-          echo "PR_NUMBER=${{ inputs.targetEnvironment }}" >> $GITHUB_ENV
+        env="${{ inputs.targetEnvironment }}"
+        if [[ "$env" == main ]]; then
+          echo "pr_number=" >> $GITHUB_OUTPUT
+        elif [[ "$env" == pr* ]]; then
+          echo "pr_number=${env#pr}" >> $GITHUB_OUTPUT
+        else
+          echo "pr_number=$env" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Install poetry and e2e test dependencies
+      if: ${{ inputs.testType == 'e2e' }}
+      shell: bash
+      run: |
+        pipx install poetry
+        cd tests/e2e-tests && poetry install
+
+    - name: "Determine if proxy has been deployed"
+      if: ${{ inputs.testType == 'e2e' }}
+      id: check_proxy_deployed
+      env:
+        GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+        PR_NUMBER: ${{ steps.set_pr_number.outputs.pr_number }}
+      shell: bash
+      run: |
+        if [[ -z "$PR_NUMBER" ]]; then
+          echo "No pull request detected; proxy was deployed."
+          echo "proxy_deployed=true" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+
+        labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+        echo "Labels on PR #$PR_NUMBER: $labels"
+
+        if echo "$labels" | grep -Fxq 'deploy-proxy'; then
+          echo "proxy_deployed=true" >> $GITHUB_OUTPUT
+        else
+          echo "proxy_deployed=false" >> $GITHUB_OUTPUT
+        fi
 
     - name: Run test - ${{ inputs.testType }}
+      if: ${{ inputs.testType != 'e2e'}}
       shell: bash
+      env:
+        TARGET_ENVIRONMENT: ${{ inputs.targetEnvironment }}
       run: |
         make test-${{ inputs.testType }}
+
+    - name: Run test - e2e
+      if: ${{ inputs.testType == 'e2e' && steps.check_proxy_deployed.outputs.proxy_deployed == 'true'}}
+      shell: bash
+      env:
+        TARGET_ENVIRONMENT: ${{ inputs.targetEnvironment }}
+        PR_NUMBER: ${{ steps.set_pr_number.outputs.pr_number }}
+      run: |
+        PR_NUMBER=""
+        echo "$SUPPLIER_API_PRIVATE_KEY" > "${GITHUB_WORKSPACE}/internal-dev-test-1.pem"
+        chmod 600 "${GITHUB_WORKSPACE}/internal-dev-test-1.pem"
+        BASE_PROXY_NAME=nhs-notify-supplier--internal-dev--nhs-notify-supplier
+
+        export API_ENVIRONMENT=internal-dev
+        if [[ -z "$PR_NUMBER" ]]; then
+          export PROXY_NAME="${BASE_PROXY_NAME}"
+          export NON_PROD_API_KEY="${APIM_API_KEY}"
+        else
+          export PROXY_NAME="${BASE_PROXY_NAME}-PR-${PR_NUMBER}"
+          export NON_PROD_API_KEY="${APIM_PR_API_KEY}"
+        fi
+
+        export STATUS_ENDPOINT_API_KEY="${APIM_STATUS_API_KEY}"
+        export NON_PROD_PRIVATE_KEY="${GITHUB_WORKSPACE}/internal-dev-test-1.pem"
+        make .internal-dev-test

.github/actions/build-proxies/action.yml

@@ -113,6 +113,7 @@ runs:
           --targetComponent "${{ inputs.targetComponent }}" \
           --targetWorkflow "proxy-deploy.yaml" \
           --targetEnvironment "${{ inputs.environment }}" \
+          --internalRef "feature/CCM-14778" \
           --runId "${{ inputs.runId }}" \
           --buildSandbox ${{ inputs.buildSandbox }} \
           --apimEnvironment "${{ env.APIM_ENV }}" \

.github/actions/e2e-tests/action.yml

@@ -1,4 +1,5 @@
 [
   "component",
+  "e2e",
   "sandbox"
 ]

.github/actions/test-types.json

@@ -6,7 +6,7 @@
 #   ./dispatch_internal_repo_workflow.sh \
 #     --infraRepoName <repo> \
 #     --releaseVersion <version> \
-#     --targetWorkflow <workflow.yaml> \
+#     --targetWorkflow "deploy.yaml" \
 #     --targetEnvironment <env> \
 #     --targetComponent <component> \
 #     --targetAccountGroup <group> \
@@ -17,7 +17,11 @@
 #     --overrideRoleName <name>
 
 #
-# All arguments are required except terraformAction, and internalRef.
+# Required arguments are:
+# infraRepoName, releaseVersion, targetWorkflow, targetEnvironment, targetComponent, targetAccountGroup.
+#
+# All other arguments are optional.
+#
 # Example:
 #   ./dispatch_internal_repo_workflow.sh \
 #     --infraRepoName "nhs-notify-web-template-management" \
@@ -30,7 +34,9 @@
 #     --internalRef "main" \
 #     --overrides "tf_var=someString" \
 #     --overrideProjectName nhs \
-#     --overrideRoleName nhs-service-iam-role
+#     --overrideRoleName nhs-service-iam-role \
+#     --extraSecretNames '["MY_API_KEY"]'
+
 
 set -e
 
@@ -104,6 +110,10 @@ while [[ $# -gt 0 ]]; do
       version="$2"
       shift 2
       ;;
+    --extraSecretNames) # JSON array of secret names to fetch in the internal repo (optional)
+      extraSecretNames="$2"
+      shift 2
+      ;;
     *)
     echo "[ERROR] Unknown argument: $1"
       exit 1
@@ -202,6 +212,10 @@ if [[ -z "$version" ]]; then
   version=""
 fi
 
+if [[ -z "$extraSecretNames" ]]; then
+  extraSecretNames=""
+fi
+
 echo "==================== Workflow Dispatch Parameters ===================="
 echo "  infraRepoName:      $infraRepoName"
 echo "  releaseVersion:     $releaseVersion"
@@ -240,6 +254,7 @@ DISPATCH_EVENT=$(jq -ncM \
   --arg boundedContext "$boundedContext" \
   --arg targetDomain "$targetDomain" \
   --arg version "$version" \
+  --argjson extraSecretNames "${extraSecretNames:-null}" \
   '{
     "ref": "'"$internalRef"'",
     "inputs": (
@@ -255,6 +270,7 @@ DISPATCH_EVENT=$(jq -ncM \
       (if $boundedContext != "" then { "boundedContext": $boundedContext } else {} end) +
       (if $targetDomain != "" then { "targetDomain": $targetDomain } else {} end) +
       (if $version != "" then { "version": $version } else {} end) +
+      (if $extraSecretNames != null then { "extraSecretNames": ($extraSecretNames | tojson) } else {} end) +
       (if $targetAccountGroup != "" then { "targetAccountGroup": $targetAccountGroup } else {} end) +
       {
         "releaseVersion": $releaseVersion,
@@ -269,16 +285,22 @@ echo "[INFO] Triggering workflow '$targetWorkflow' in nhs-notify-internal..."
 echo "[DEBUG] Dispatch event payload: $DISPATCH_EVENT"
 
 trigger_response=$(curl -s -L \
-  --fail \
+  -w "\nHTTP_STATUS:%{http_code}" \
   -X POST \
   -H "Accept: application/vnd.github+json" \
   -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \
   -H "X-GitHub-Api-Version: 2022-11-28" \
   "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/$targetWorkflow/dispatches" \
   -d "$DISPATCH_EVENT" 2>&1)
 
-if [[ $? -ne 0 ]]; then
-  echo "[ERROR] Failed to trigger workflow. Response: $trigger_response"
+http_status=$(echo "$trigger_response" | grep "HTTP_STATUS:" | cut -d: -f2)
+body=$(echo "$trigger_response" | grep -v "HTTP_STATUS:")
+
+echo "[DEBUG] HTTP status: $http_status"
+echo "[DEBUG] Response body: $body"
+
+if [[ "$http_status" -lt 200 || "$http_status" -ge 300 ]]; then
+  echo "[ERROR] Failed to trigger workflow. HTTP $http_status. Response: $body"
   exit 1
 fi
 

.github/scripts/dispatch_internal_repo_workflow.sh

@@ -59,8 +59,8 @@ jobs:
           version: "${{ inputs.version }}"
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-  artefact-oas-spec:
-    name: "Build OAS spec (${{ matrix.apimEnv }})"
+  artefact-oas-spec-main:
+    name: "Build OAS spec for main"
     if: (github.event_name == 'push' && github.ref == 'refs/heads/main')
     runs-on: ubuntu-latest
     needs: [artefact-jekyll-docs]
@@ -80,6 +80,24 @@ jobs:
           nodejs_version: ${{ inputs.nodejs_version }}
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  artefact-oas-spec-pr:
+    name: "Build OAS spec for PR"
+    if: (inputs.pr_number != '')
+    runs-on: ubuntu-latest
+    needs: [artefact-jekyll-docs]
+    timeout-minutes: 10
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - name: "Build OAS spec"
+        uses: ./.github/actions/build-oas-spec
+        with:
+          version: "${{ inputs.version }}"
+          apimEnv: internal-dev-pr
+          buildSandbox: false
+          nodejs_version: ${{ inputs.nodejs_version }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   artefact-oas-spec-sandbox:
     name: "Build OAS spec for sandbox"
     runs-on: ubuntu-latest
@@ -97,9 +115,18 @@ jobs:
           nodejs_version: ${{ inputs.nodejs_version }}
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  artefact-oas-spec:
+    name: "OAS spec ready"
+    runs-on: ubuntu-latest
+    needs: [artefact-oas-spec-pr, artefact-oas-spec-main]
+    if: always() && !failure()
+    steps:
+      - run: echo "OAS spec build complete"
+
   artefact-sdks:
     name: "Build SDKs"
     runs-on: ubuntu-latest
+    if: always() && !failure()
     needs: [artefact-oas-spec]
     timeout-minutes: 10
     steps:
@@ -162,11 +189,11 @@ jobs:
             --terraformAction "apply" \
             --overrideProjectName "nhs" \
             --overrideRoleName "nhs-main-acct-supplier-api-github-deploy"
-  artefact-proxies:
-    name: "Build proxies"
+  artefact-proxy:
+    name: "Build proxy"
     runs-on: ubuntu-latest
-    if: inputs.deploy_proxy == 'true'
-    needs: [artefact-oas-spec-sandbox, pr-create-dynamic-environment]
+    if: always() && !failure() && inputs.deploy_proxy == 'true'
+    needs: [artefact-oas-spec, pr-create-dynamic-environment]
     timeout-minutes: 10
     env:
       PROXYGEN_API_NAME: nhs-notify-supplier
@@ -175,7 +202,29 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-      - name: "Build proxies"
+      - name: "Build proxy"
+        uses: ./.github/actions/build-proxies
+        with:
+          version: "${{ inputs.version }}"
+          environment: ${{ needs.pr-create-dynamic-environment.outputs.environment_name }}
+          apimEnv: "internal-dev-pr"
+          runId: "${{ github.run_id }}"
+          buildSandbox: false
+          releaseVersion: ${{ github.head_ref || github.ref_name }}
+  artefact-sandbox-proxy:
+    name: "Build proxy for sandbox"
+    runs-on: ubuntu-latest
+    if: always() && !failure() && inputs.deploy_proxy == 'true'
+    needs: [artefact-oas-spec-sandbox, artefact-oas-spec, pr-create-dynamic-environment]
+    timeout-minutes: 10
+    env:
+      PROXYGEN_API_NAME: nhs-notify-supplier
+      APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
+      APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - name: "Build proxy for sandbox"
         uses: ./.github/actions/build-proxies
         with:
           version: "${{ inputs.version }}"

.github/workflows/stage-3-build.yaml

@@ -77,24 +77,9 @@ jobs:
             --targetWorkflow "dispatch-contextual-tests-dynamic-env.yaml" \
             --infraRepoName "nhs-notify-supplier-api" \
             --releaseVersion "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            --internalRef "feature/CCM-14778" \
             --overrideProjectName "nhs" \
             --targetEnvironment "$ENVIRONMENT" \
             --targetAccountGroup "nhs-notify-supplier-api-dev" \
-            --targetComponent "api"
-
-  run-e2e-tests:
-    name: Run End-to-End Tests
-    runs-on: ubuntu-latest
-    if: inputs.proxy_deployed == 'true'
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: "Run e2e tests"
-        #uses: ./.github/actions/e2e-tests
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NON_PROD_API_KEY: ${{ secrets.NON_PROD_API_KEY }}
-          INTERNAL_DEV_TEST_PEM: ${{ secrets.INTERNAL_DEV_TEST_PEM }}
-        shell: bash
-        run: |
-          echo "E2E tests are currently disabled. See CCM-14778"
+            --targetComponent "api" \
+            --extraSecretNames '["SUPPLIER_API_PRIVATE_KEY","APIM_API_KEY","APIM_PR_API_KEY", "APIM_STATUS_API_KEY"]'

.github/workflows/stage-4-acceptance.yaml

@@ -131,6 +131,7 @@ ${VERBOSE}.SILENT: \
 #####################
 
 TEST_CMD := APIGEE_ACCESS_TOKEN="$(APIGEE_ACCESS_TOKEN)" \
+	STATUS_ENDPOINT_API_KEY="$(STATUS_ENDPOINT_API_KEY)" \
 	PYTHONPATH=. poetry run pytest --disable-warnings -vv \
 	--color=yes \
 	-n 4 \

Makefile

@@ -0,0 +1,3 @@
+When asking me questions, ask one at a time, or at most two.
+
+Don't tell me to raise JIRA tickets - I can decide for myself when to do this.