Merge remote-tracking branch 'origin/feature/GPCAPIM-396-sds-int' into feature/GPCAPIM-396-sds-int

Author: ian-robinson-35

.devcontainer/devcontainer.json

@@ -1,10 +1,7 @@
 {
   "name": "gateway-api-build-container",
   "build": {
-    "dockerfile": "../infrastructure/images/build-container/Dockerfile",
-    "args": {
-      "INCLUDE_DEV_CERTS": "true"
-    }
+    "dockerfile": "../infrastructure/images/build-container/Dockerfile"
   },
   "customizations": {
     "vscode": {

.github/workflows/stage-2-test.yaml

@@ -49,7 +49,7 @@ jobs:
         run: make test-unit
       - name: "Upload unit test results"
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: unit-test-results
           path: gateway-api/test-artefacts/
@@ -79,7 +79,7 @@ jobs:
         run: make test-contract
       - name: "Upload contract test results"
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: contract-test-results
           path: gateway-api/test-artefacts/
@@ -109,7 +109,7 @@ jobs:
         run: make test-schema
       - name: "Upload schema test results"
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: schema-test-results
           path: gateway-api/test-artefacts/
@@ -139,7 +139,7 @@ jobs:
         run: make test-integration
       - name: "Upload integration test results"
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: integration-test-results
           path: gateway-api/test-artefacts/
@@ -170,7 +170,7 @@ jobs:
         run: make test-acceptance
       - name: "Upload acceptance test results"
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: acceptance-test-results
           path: gateway-api/test-artefacts/
@@ -214,7 +214,7 @@ jobs:
           mv coverage-merged.xml ${{ needs.create-coverage-name.outputs.coverage-name }}.xml
       - name: "Upload combined coverage report"
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ${{ needs.create-coverage-name.outputs.coverage-name }}
           path: gateway-api/test-artefacts

.github/workflows/test-bruno-collection.yaml

@@ -41,7 +41,7 @@ jobs:
 
       - name: "Upload HTML results"
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: bruno-results
           path: bruno/gateway-api/collections/Steel_Thread/results.html

Makefile

@@ -20,7 +20,6 @@ endif
 IMAGE_NAME := ${IMAGE_REPOSITORY}:${IMAGE_TAG}
 COMMIT_VERSION := $(shell git rev-parse --short HEAD)
 BUILD_DATE := $(shell date -u +"%Y%m%d")
-INCLUDE_DEV_CERTS ?= ${DEV_CERTS_INCLUDED}
 # ==============================================================================
 
 # Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc.
@@ -42,25 +41,13 @@ build-gateway-api: dependencies
 	@rm -rf ../infrastructure/images/gateway-api/resources/build/
 	@mkdir ../infrastructure/images/gateway-api/resources/build/
 	@cp -r ./target/gateway-api ../infrastructure/images/gateway-api/resources/build/
-	# If dev certificates are present inside the dev container, copy them into
-	# the gateway-api image build context so they can be installed there too.
-	@if [ -d "/resources/dev-certificates" ]; then \
-		rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates; \
-		mkdir -p ../infrastructure/images/gateway-api/resources/dev-certificates; \
-		cp -r /resources/dev-certificates/* ../infrastructure/images/gateway-api/resources/dev-certificates/; \
-	fi
 	# Remove temporary build artefacts once build has completed
 	@rm -rf target && rm -rf dist
 
 .PHONY: build
 build: build-gateway-api # Build the project artefact @Pipeline
 	@echo "Building Docker x86 image using Docker. Utilising python version: ${PYTHON_VERSION} ..."
-	@if [[ -n "$${IN_BUILD_CONTAINER}" ]]; then \
-		echo "building with dev certs ..." ; \
-		$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} --build-arg INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS} -t ${IMAGE_NAME} infrastructure/images/gateway-api
-	else \
-		$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
-	fi
+	$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
 	@echo "Docker image '${IMAGE_NAME}' built successfully!"
 
 publish: # Publish the project artefact @Pipeline
@@ -102,11 +89,6 @@ stop:
 	@$(docker) stop gateway-api || echo "No Gateway API container currently running."
 
 config:: # Configure development environment (main) @Configuration
-	# Configure poetry to trust dev certificate if specified
-	@if [[ -n "$${DEV_CERTS_INCLUDED}" ]]; then \
-		echo "Configuring poetry to trust the dev certificate..."  ; \
-		poetry config certificates.PyPI.cert /etc/ssl/cert.pem ; \
-	fi
 	make _install-dependencies
 
 # ==============================================================================

README.md

@@ -110,8 +110,6 @@ The project is configured to run inside a [Dev Container](https://containers.dev
 The dev container sits on the same network, `gateway-local`, as [the `gateway-api` container](infrastructure/README.md#docker-images), if deployed. Docker DNS will resolve <http://gateway-api> to the deployed Gateway API.
 
 > [!NOTE]
-> **Certificates:** If additional certificates are needed, add them to `infrastructure/images/build-container/resources/dev-certificates` and set the `INCLUDE_DEV_CERTS` Docker build argument to `true`.
->
 > **WSL users:** Configure the Dev Containers extension with `{"dev.containers.executeInWSL": true}`, clone the repository into the WSL filesystem, connect VS Code to WSL first, then open the repository folder and build the container.
 
 ### Prerequisites

gateway-api/poetry.lock

@@ -48,7 +48,7 @@ build-backend = "poetry.core.masonry.api"
 [dependency-groups]
 dev = [
     "mypy (>=1.18.2,<2.0.0)",
-    "pytest>=8.0.0",
+    "pytest>=9.0.3",
     "pytest-bdd (>=8.1.0,<9.0.0)",
     "pytest-cov (>=7.0.0,<8.0.0)",
     "pytest-html (>=4.1.1,<5.0.0)",

gateway-api/pyproject.toml

@@ -33,7 +33,7 @@ The `preview/` environment creates an isolated, per-branch deployment of the Gat
 Key input variables:
 
 | Variable | Description | Default |
-|---|---|---|
+| --- | --- | --- |
 | `branch_name` | Git branch name — used to derive the hostname and resource names | *(required)* |
 | `image_tag` | Docker image tag to deploy; defaults to `branch_name` if empty | `""` |
 | `base_domain` | Base domain for the preview URL | `dev.endpoints.clinical-data-gateway.national.nhs.uk` |
@@ -70,7 +70,6 @@ A dev container image used by CI/CD pipelines, based on the VS Code Alpine base
 - Python (via asdf)
 - Docker CLI and Buildx
 - Linters and checkers: vale, hadolint (via npm/markdownlint), ShellCheck
-- Development certificate support for machines behind corporate proxies
 
 ## Terraform Operations
 

infrastructure/README.md

@@ -1,31 +1,14 @@
-FROM mcr.microsoft.com/vscode/devcontainers/base:alpine3.23 AS gateway-build-container
+FROM mcr.microsoft.com/devcontainers/base:alpine3.23 AS gateway-build-container
 
 ENV PYTHON_VERSION="3.14"
 
 ENV ASDF_DOWNLOAD_URL="https://github.com/asdf-vm/asdf/releases/download/v0.18.1"
 ENV EDITORCONFIG_DOWNLOAD_URL="https://github.com/editorconfig-checker/editorconfig-checker/releases/download/v3.6.1"
 
-ARG INCLUDE_DEV_CERTS
-ARG DEV_CERT_FILENAME
-
-# Add development certificates to node if provided.
-ENV NODE_EXTRA_CA_CERTS=${INCLUDE_DEV_CERTS:+/etc/ssl/certs/ca-certificates.crt}
-ENV DEV_CERTS_INCLUDED=$INCLUDE_DEV_CERTS
-
 ENV IN_BUILD_CONTAINER=true
 
 COPY resources/ /resources
 
-# Install required certificates for dev machines.
-RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] ; then \
-    cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
-    update-ca-certificates; \
-
-    cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
-else \
-    rm -r /resources/dev-certificates; \
-fi
-
 RUN apk update && \
     apk add --no-cache --update bash \
     # Required to manage user permissions.
@@ -52,14 +35,13 @@ RUN apk update && \
     readline-dev \
     sqlite-dev \
     tk-dev \
-    zstd-dev
-
-# Configure doas to allow members of the wheel group to run commands as root.
-RUN echo "permit :wheel" >> /etc/doas.conf \
-    && echo "permit nopass :wheel as root cmd apk" >> /etc/doas.conf \
-    && echo "permit nopass :wheel as root cmd docker" >> /etc/doas.conf \
+    zstd-dev && \
+    # Configure doas to allow members of the wheel group to run commands as root.
+    echo "permit :wheel" >> /etc/doas.conf && \
+    echo "permit nopass :wheel as root cmd apk" >> /etc/doas.conf && \
+    echo "permit nopass :wheel as root cmd docker" >> /etc/doas.conf && \
     # Change default shell to bash for root user.
-    && chsh -s /bin/bash root
+    chsh -s /bin/bash root
 
 # Ensure pyenv is on the PATH
 ENV PYENV_ROOT="/.pyenv"

infrastructure/images/build-container/Dockerfile

@@ -2,20 +2,9 @@
 ARG PYTHON_VERSION=invalid
 FROM python:${PYTHON_VERSION}-alpine3.23 AS gateway-api
 
-# Controls whether dev certificates (if present) are installed into this image.
-ARG INCLUDE_DEV_CERTS=false
-
 COPY resources/ /resources
 
-# Install required certificates for dev machines.
-RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -d /resources/dev-certificates ]; then \
-        cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
-        update-ca-certificates; \
-        cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
-    else \
-        rm -rf /resources/dev-certificates || true; \
-    fi && \
-    apk upgrade --no-cache && \
+RUN apk upgrade --no-cache && \
     pip install --no-cache-dir --upgrade pip && \
     addgroup -S nonroot && \
     adduser -S gateway_api_user -G nonroot