Invoke test from internal repo, so secrets are not in public repo

Author: stevebux

.github/actions/acceptance-tests/action.yml

@@ -24,11 +24,13 @@ runs:
 
   steps:
     - name: Fetch terraform output
+      if: ${{ inputs.testType != 'e2e' }}
       uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
       with:
         name: terraform-output-${{ inputs.targetComponent }}
 
     - name: Get Node version
+      if: ${{ inputs.testType != 'e2e' }}
       id: nodejs_version
       shell: bash
       run: |
@@ -40,11 +42,75 @@ runs:
         GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
 
     - name: "Set PR NUMBER"
+      if: ${{ inputs.testType == 'e2e' }}
+      id: set_pr_number
       shell: bash
       run: |
-          echo "PR_NUMBER=${{ inputs.targetEnvironment }}" >> $GITHUB_ENV
+        env="${{ inputs.targetEnvironment }}"
+        if [[ "$env" == main ]]; then
+          echo "pr_number=" >> $GITHUB_OUTPUT
+        elif [[ "$env" == pr* ]]; then
+          echo "pr_number=${env#pr}" >> $GITHUB_OUTPUT
+        else
+          echo "pr_number=$env" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Install poetry and e2e test dependencies
+      if: ${{ inputs.testType == 'e2e' }}
+      shell: bash
+      run: |
+        pipx install poetry
+        cd tests/e2e-tests && poetry install
+
+    - name: "Determine if proxy has been deployed"
+      if: ${{ inputs.testType == 'e2e' }}
+      id: check_proxy_deployed
+      env:
+        GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+        PR_NUMBER: ${{ steps.set_pr_number.outputs.pr_number }}
+      shell: bash
+      run: |
+        if [[ -z "$PR_NUMBER" ]]; then
+          echo "No pull request detected; proxy was deployed."
+          echo "proxy_deployed=true" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+
+        labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+        echo "Labels on PR #$PR_NUMBER: $labels"
+
+        if echo "$labels" | grep -Fxq 'deploy-proxy'; then
+          echo "proxy_deployed=true" >> $GITHUB_OUTPUT
+        else
+          echo "proxy_deployed=false" >> $GITHUB_OUTPUT
+        fi
 
     - name: Run test - ${{ inputs.testType }}
+      if: ${{ inputs.testType != 'e2e'}}
       shell: bash
+      env:
+        TARGET_ENVIRONMENT: ${{ inputs.targetEnvironment }}
       run: |
         make test-${{ inputs.testType }}
+
+    - name: Run test - e2e
+      if: ${{ inputs.testType == 'e2e' && steps.check_proxy_deployed.outputs.proxy_deployed == 'true'}}
+      shell: bash
+      env:
+        TARGET_ENVIRONMENT: ${{ inputs.targetEnvironment }}
+      run: |
+        echo "$SUPPLIER_API_PRIVATE_KEY" > "${GITHUB_WORKSPACE}/internal-dev-test-1.pem"
+        chmod 600 "${GITHUB_WORKSPACE}/internal-dev-test-1.pem"
+        BASE_PROXY_NAME=nhs-notify-supplier--internal-dev--nhs-notify-supplier
+        if [[ "${{ inputs.targetEnvironment }}" == "main" ]]; then
+          export PROXY_NAME="${BASE_PROXY_NAME}"
+        else
+          export PROXY_NAME="${BASE_PROXY_NAME}-${{ inputs.targetEnvironment }}"
+        fi
+        export API_ENVIRONMENT=internal-dev
+        export NON_PROD_API_KEY="${APIM_API_KEY}"
+        export STATUS_ENDPOINT_API_KEY="${APIM_STATUS_API_KEY}"
+        export NON_PROD_PRIVATE_KEY="${GITHUB_WORKSPACE}/internal-dev-test-1.pem"
+        make .internal-dev-test

.github/actions/e2e-tests/action.yml

@@ -1,4 +1,5 @@
 [
   "component",
+  "e2e",
   "sandbox"
 ]

.github/actions/test-types.json

@@ -6,7 +6,7 @@
 #   ./dispatch_internal_repo_workflow.sh \
 #     --infraRepoName <repo> \
 #     --releaseVersion <version> \
-#     --targetWorkflow <workflow.yaml> \
+#     --targetWorkflow "deploy.yaml" \
 #     --targetEnvironment <env> \
 #     --targetComponent <component> \
 #     --targetAccountGroup <group> \
@@ -17,7 +17,11 @@
 #     --overrideRoleName <name>
 
 #
-# All arguments are required except terraformAction, and internalRef.
+# Required arguments are:
+# infraRepoName, releaseVersion, targetWorkflow, targetEnvironment, targetComponent, targetAccountGroup.
+#
+# All other arguments are optional.
+#
 # Example:
 #   ./dispatch_internal_repo_workflow.sh \
 #     --infraRepoName "nhs-notify-web-template-management" \
@@ -30,7 +34,9 @@
 #     --internalRef "main" \
 #     --overrides "tf_var=someString" \
 #     --overrideProjectName nhs \
-#     --overrideRoleName nhs-service-iam-role
+#     --overrideRoleName nhs-service-iam-role \
+#     --extraSecretNames '["MY_API_KEY"]'
+
 
 set -e
 
@@ -104,6 +110,10 @@ while [[ $# -gt 0 ]]; do
       version="$2"
       shift 2
       ;;
+    --extraSecretNames) # JSON array of secret names to fetch in the internal repo (optional)
+      extraSecretNames="$2"
+      shift 2
+      ;;
     *)
     echo "[ERROR] Unknown argument: $1"
       exit 1
@@ -202,6 +212,10 @@ if [[ -z "$version" ]]; then
   version=""
 fi
 
+if [[ -z "$extraSecretNames" ]]; then
+  extraSecretNames=""
+fi
+
 echo "==================== Workflow Dispatch Parameters ===================="
 echo "  infraRepoName:      $infraRepoName"
 echo "  releaseVersion:     $releaseVersion"
@@ -240,6 +254,7 @@ DISPATCH_EVENT=$(jq -ncM \
   --arg boundedContext "$boundedContext" \
   --arg targetDomain "$targetDomain" \
   --arg version "$version" \
+  --argjson extraSecretNames "${extraSecretNames:-null}" \
   '{
     "ref": "'"$internalRef"'",
     "inputs": (
@@ -255,6 +270,7 @@ DISPATCH_EVENT=$(jq -ncM \
       (if $boundedContext != "" then { "boundedContext": $boundedContext } else {} end) +
       (if $targetDomain != "" then { "targetDomain": $targetDomain } else {} end) +
       (if $version != "" then { "version": $version } else {} end) +
+      (if $extraSecretNames != null then { "extraSecretNames": ($extraSecretNames | tojson) } else {} end) +
       (if $targetAccountGroup != "" then { "targetAccountGroup": $targetAccountGroup } else {} end) +
       {
         "releaseVersion": $releaseVersion,
@@ -269,16 +285,22 @@ echo "[INFO] Triggering workflow '$targetWorkflow' in nhs-notify-internal..."
 echo "[DEBUG] Dispatch event payload: $DISPATCH_EVENT"
 
 trigger_response=$(curl -s -L \
-  --fail \
+  -w "\nHTTP_STATUS:%{http_code}" \
   -X POST \
   -H "Accept: application/vnd.github+json" \
   -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \
   -H "X-GitHub-Api-Version: 2022-11-28" \
   "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/$targetWorkflow/dispatches" \
   -d "$DISPATCH_EVENT" 2>&1)
 
-if [[ $? -ne 0 ]]; then
-  echo "[ERROR] Failed to trigger workflow. Response: $trigger_response"
+http_status=$(echo "$trigger_response" | grep "HTTP_STATUS:" | cut -d: -f2)
+body=$(echo "$trigger_response" | grep -v "HTTP_STATUS:")
+
+echo "[DEBUG] HTTP status: $http_status"
+echo "[DEBUG] Response body: $body"
+
+if [[ "$http_status" -lt 200 || "$http_status" -ge 300 ]]; then
+  echo "[ERROR] Failed to trigger workflow. HTTP $http_status. Response: $body"
   exit 1
 fi
 

.github/scripts/dispatch_internal_repo_workflow.sh

@@ -80,19 +80,5 @@ jobs:
             --overrideProjectName "nhs" \
             --targetEnvironment "$ENVIRONMENT" \
             --targetAccountGroup "nhs-notify-supplier-api-dev" \
-            --targetComponent "api"
-
-  run-e2e-tests:
-    name: Run End-to-End Tests
-    runs-on: ubuntu-latest
-    if: inputs.proxy_deployed == 'true'
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: "Run e2e tests"
-        uses: ./.github/actions/e2e-tests
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NON_PROD_API_KEY: ${{ secrets.NON_PROD_API_KEY }}
-          INTERNAL_DEV_TEST_PEM: ${{ secrets.INTERNAL_DEV_TEST_PEM }}
-          STATUS_ENDPOINT_API_KEY: ${{ secrets.STATUS_ENDPOINT_API_KEY }}
+            --targetComponent "api" \
+            --extraSecretNames '["SUPPLIER_API_PRIVATE_KEY","APIM_API_KEY","APIM_STATUS_API_KEY"]'

.github/workflows/stage-4-acceptance.yaml

@@ -2,7 +2,7 @@ export const SUPPLIER_LETTERS = "letters";
 export const SUPPLIER_API_URL_SANDBOX =
   "https://internal-dev-sandbox.api.service.nhs.uk/nhs-notify-supplier";
 export const AWS_REGION = "eu-west-2";
-export const envName = process.env.PR_NUMBER ?? "main";
+export const envName = process.env.TARGET_ENVIRONMENT ?? "main";
 export const API_NAME = `nhs-${envName}-supapi`;
 export const LETTERSTABLENAME = `nhs-${envName}-supapi-letters`;
 export const SUPPLIERID = "TestSupplier1";