Merge remote-tracking branch 'origin/main' into ELI-785/audit_trail_status_override

dale-hodgson-nhs · dale-hodgson-nhs · commit 50619485244a · 2026-04-24T10:16:31.000+01:00
diff --git a/.github/workflows/base-deploy.yml b/.github/workflows/base-deploy.yml
@@ -267,6 +267,11 @@ jobs:
     name: "Regression Tests"
     if: ${{ needs.metadata.outputs.environment == 'preprod' }}
     needs: deploy
+    permissions:
+      id-token: write
+      contents: read
+      issues: write
+      pull-requests: write
     uses: ./.github/workflows/regression-tests.yml
     with:
       ENVIRONMENT: "preprod"
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
@@ -154,6 +154,11 @@ jobs:
   regression-tests:
     name: "Regression Tests"
     needs: publish
+    permissions:
+      id-token: write
+      contents: read
+      issues: write
+      pull-requests: write
     uses: ./.github/workflows/regression-tests.yml
     with:
       ENVIRONMENT: "dev"
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
@@ -252,6 +252,11 @@ jobs:
   regression-tests:
     name: "Regression Tests"
     needs: deploy
+    permissions:
+      id-token: write
+      contents: read
+      issues: write
+      pull-requests: write
     uses: ./.github/workflows/regression-tests.yml
     with:
       ENVIRONMENT: "test"
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_iam_bootstrap_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_iam_bootstrap_policies.tf
@@ -54,6 +54,7 @@ data "aws_iam_policy_document" "iam_bootstrap_iam_management" {
     resources = [
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-roles/github-actions-api-deployment-role",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-roles/github-actions-iam-bootstrap-role",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-roles/Eligibility-API-E2E-Regression-Tests",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.project_name}-terraform-developer-role",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/terraform-developer-role",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${upper(var.project_name)}-*",
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -352,6 +352,7 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {
     resources = [
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-roles/github-actions-api-deployment-role",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-roles/github-actions-iam-bootstrap-role",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-roles/Eligibility-API-E2E-Regression-Tests",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.project_name}-terraform-developer-role",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/terraform-developer-role",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${upper(var.project_name)}-*",
