Merge remote-tracking branch 'origin/main' into feature/GPCAPIM-396-sds-int

Author: ian-robinson-35

.env.template

@@ -9,33 +9,25 @@ inputs:
   test-type:
     description: "Type of test to run"
     required: true
-  apigee-access-token:
-    description: "Apigee access token"
-    required: false
-  base-url:
-    description: "The URL of the environment to test"
-    required: false
   env:
-    description: "Environment: local or remote"
+    description: "Environment to run tests against: ci, alpha-int, pr-<number> - see env.mk"
     required: false
-    default: "remote"
+    default: "ci"
 
 runs:
   using: composite
   steps:
-    - name: "Run ${{ inputs.test-type }} tests"
+    - name: Set up environment
       shell: bash
       env:
-        APIGEE_ACCESS_TOKEN: ${{ inputs.apigee-access-token }}
-        BASE_URL: ${{ inputs.base-url }}
         ENV: ${{ inputs.env }}
+      run: make env-test-"${ENV}"
+
+    - name: "Run ${{ inputs.test-type }} tests"
+      shell: bash
+      env:
         TEST_TYPE: ${{ inputs.test-type }}
       run: |
-        if [[ -n "${APIGEE_ACCESS_TOKEN}" ]]; then
-          echo "::add-mask::${APIGEE_ACCESS_TOKEN}"
-        fi
-
-        # Clean test artefacts so each suite uploads only its own results
         rm -rf gateway-api/test-artefacts/* || true
         mkdir -p gateway-api/test-artefacts
         make test-"${TEST_TYPE}"

.github/SECURITY.md

@@ -4,7 +4,7 @@ inputs:
   deploy-command:
     description: "Command to start app"
     required: false
-    default: "make deploy"
+    default: "make deploy-ci"
   health-path:
     description: "Health check path"
     required: false

.github/actions/run-test-suite/action.yaml

@@ -8,7 +8,7 @@ This repository is for handling HTTP requests from "Consumer systems" and forwar
 
 We use other NHSE services to assist in the validation and processing of the requests including PDS FHIR API for obtaining GP practice codes for the patient, SDS FHIR API for obtaining the "Provider system" details of that GP practice and Healthcare Worker FHIR API for obtaining details of the requesting practitioner using the "Consumer System" that will then be added to the forwarded request.
 
-`make deploy` will build and start a container running Gateway API at `localhost:5000`.
+`make deploy-dev` will build and start a container running Gateway API at `localhost:5000`.
 
 After deploying the container locally, `make test` will run all tests and capture their coverage. Note: env variables control the use of stubs for the PDS FHIR API, SDS FHIR API, Healthcare Worker FHIR API and Provider system services.
 

.github/actions/start-app/action.yaml

@@ -14,7 +14,6 @@ env:
   TF_STATE_KEY: "dev/preview/alpha-integration.tfstate"
   BRANCH_NAME: "alpha-integration"
   ALB_RULE_PRIORITY: "900"
-  BASE_URL: "https://internal-dev.api.service.nhs.uk/clinical-data-gateway-api-poc-alpha-integration"
   python_version: "3.14"
   PROXYGEN_API_NAME: ${{ vars.PROXYGEN_API_NAME }}
 
@@ -196,63 +195,34 @@ jobs:
           echo "http_result=unexpected-status" >> "$GITHUB_OUTPUT"
           exit 0
 
-      - name: Retrieve Apigee Token
-        id: apigee-token
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          APIGEE_TOKEN="$(proxygen pytest-nhsd-apim get-token | jq -r '.pytest_nhsd_apim_token' 2>/dev/null)"
-          if [ -z "$APIGEE_TOKEN" ] || [ "$APIGEE_TOKEN" = "null" ]; then
-            echo "::error::Failed to retrieve Apigee token"
-            exit 1
-          fi
-
-          echo "::add-mask::$APIGEE_TOKEN"
-          printf 'apigee-access-token=%s\n' "$APIGEE_TOKEN" >> "$GITHUB_OUTPUT"
-          echo "Token retrieved successfully (length: ${#APIGEE_TOKEN})"
-
       - name: Run unit tests
         uses: ./.github/actions/run-test-suite
         with:
           test-type: unit
-          env: local
 
       - name: Run contract tests
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: contract
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: alpha-int
 
       - name: Run schema validation tests
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: schema
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: alpha-int
 
       - name: Run integration tests
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: integration
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: alpha-int
 
       - name: Run acceptance tests
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: acceptance
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: alpha-int
 
       - name: Remove mTLS temp files
         run: rm -f /tmp/client1-key.pem /tmp/client1-cert.pem

.github/instructions/copilot-instructions.md

@@ -10,7 +10,6 @@ env:
   ECR_REPOSITORY_NAME: "whoami"
   TF_STATE_BUCKET: "cds-cdg-dev-tfstate-900119715266"
   PREVIEW_STATE_PREFIX: "dev/preview/"
-  BASE_URL: "https://internal-dev.api.service.nhs.uk/clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
   python_version: "3.14"
   PROXYGEN_API_NAME: ${{ vars.PROXYGEN_API_NAME }}
   PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -314,28 +313,11 @@ jobs:
 
       # ---------- QUALITY CHECKS (Test Suites) ----------
 
-      - name: Retrieve Apigee Token
-        id: apigee-token
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          APIGEE_TOKEN="$(proxygen pytest-nhsd-apim get-token | jq -r '.pytest_nhsd_apim_token' 2>/dev/null)"
-          if [ -z "$APIGEE_TOKEN" ] || [ "$APIGEE_TOKEN" = "null" ]; then
-            echo "::error::Failed to retrieve Apigee token"
-            exit 1
-          fi
-
-          echo "::add-mask::$APIGEE_TOKEN"
-          printf 'apigee-access-token=%s\n' "$APIGEE_TOKEN" >> "$GITHUB_OUTPUT"
-          echo "Token retrieved successfully (length: ${#APIGEE_TOKEN})"
-
       - name: "Run unit tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
         with:
           test-type: unit
-          env: local
 
       - name: "Run load tests"
         if: github.event.action != 'closed' && steps.smoke-test.outputs.http_result != 'unexpected-status'
@@ -349,42 +331,30 @@ jobs:
       - name: "Run contract tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: contract
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: pr-${{ github.event.pull_request.number }}
 
       - name: "Run schema validation tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: schema
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: pr-${{ github.event.pull_request.number }}
 
       - name: "Run integration tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: integration
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: pr-${{ github.event.pull_request.number }}
 
       - name: "Run acceptance tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: acceptance
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: pr-${{ github.event.pull_request.number }}
 
       # Cleanup after tests
       - name: Remove mTLS temp files

.github/workflows/alpha-integration-env.yml

@@ -1,12 +1,5 @@
 name: "Test stage"
 
-env:
-  BASE_URL: "http://localhost:5000"
-  HOST: "localhost"
-  STUB_SDS: "true"
-  STUB_PDS: "true"
-  STUB_PROVIDER: "true"
-
 on:
   workflow_call:
     inputs:
@@ -45,6 +38,8 @@ jobs:
         uses: ./.github/actions/setup-python-project
         with:
           python-version: ${{ inputs.python_version }}
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run unit test suite"
         run: make test-unit
       - name: "Upload unit test results"
@@ -75,6 +70,8 @@ jobs:
         uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run contract tests"
         run: make test-contract
       - name: "Upload contract test results"
@@ -105,6 +102,8 @@ jobs:
         uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run schema validation tests"
         run: make test-schema
       - name: "Upload schema test results"
@@ -135,6 +134,8 @@ jobs:
         uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run integration test"
         run: make test-integration
       - name: "Upload integration test results"
@@ -166,6 +167,8 @@ jobs:
         with:
           python-version: ${{ inputs.python_version }}
           max-seconds: 90
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run acceptance test"
         run: make test-acceptance
       - name: "Upload acceptance test results"

.github/workflows/preview-env.yml

@@ -26,3 +26,7 @@ gateway-api/test-artefacts/
 **/.env.*
 **/.DS_Store
 **/.terraform.lock.hcl
+
+# Any file within .secrets
+.secrets/**
+!.secrets/README.md

.github/workflows/stage-2-test.yaml

@@ -0,0 +1,19 @@
+# Secrets
+
+This directory is used to store secrets.
+
+The secrets are accessed through `make env-<int|int-pds|int-sds>` which sets the secrets required for PDS FHIR API and SDS FHIR API to `.env` file, which is then fed in to the locally deployed application through `make deploy`.
+
+## PDS
+
+PDS FHIR API requires [signed JWT for application-resrtictecd access](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication). As such, the following three secrets enable the Gateway API to authenticate:
+
+* `.secrets/pds/api_token` - the API key of the application through which the Gateway API will consume NHSE APIs.
+* `.secrets/pds/api_secret` - the private key of the public/private key pair created for application identified by `api_token`
+* `.secrets/pds/api_kid` - the key identifier for the private/public key pair used for the `api_secret`.
+
+## SDS
+
+SDS FHIR API requires [API key authentication](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-api-key-authentication) for application-restricted access. As such, the only secret required is
+
+* `.secrets/sds/api_token` - the API key of the application through which the Gateway API will consume NHSE APIs.