eli-759 adding secret inheritence

.github/workflows/base-deploy.yml

@@ -39,7 +39,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ inputs.ref }}
-          fetch-depth: 0  # get full history + tags
+          fetch-depth: 0 # get full history + tags
 
       - name: "Set CI/CD variables"
         id: variables
@@ -104,61 +104,60 @@ jobs:
           fi
 
   download-lambda-artifact:
-      name: "Fetch the lambda artifact from previous stage"
-      runs-on: ubuntu-latest
-      needs: [metadata]
-      timeout-minutes: 45
-      permissions:
-        id-token: write
-        contents: write
-      environment: ${{ needs.metadata.outputs.promoted_environment }}
-      steps:
-        - name: "Checkout repository at ref"
-          uses: actions/checkout@v6
-          with:
-            ref: ${{ needs.metadata.outputs.ref }}
-            fetch-depth: 0
-
-        - name: "Setup Terraform"
-          uses: hashicorp/setup-terraform@v3
-          with:
-            terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+    name: "Fetch the lambda artifact from previous stage"
+    runs-on: ubuntu-latest
+    needs: [metadata]
+    timeout-minutes: 45
+    permissions:
+      id-token: write
+      contents: write
+    environment: ${{ needs.metadata.outputs.promoted_environment }}
+    steps:
+      - name: "Checkout repository at ref"
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.metadata.outputs.ref }}
+          fetch-depth: 0
 
-        - name: "Configure AWS Credentials"
-          uses: aws-actions/configure-aws-credentials@v6
-          with:
-            role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
-            aws-region: eu-west-2
+      - name: "Setup Terraform"
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ needs.metadata.outputs.terraform_version }}
 
-        - name: "Terraform Init"
-          env:
-            ENVIRONMENT: ${{ needs.metadata.outputs.promoted_environment }}
-            WORKSPACE: "default"
-          run: |
-            echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init"
-            make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE
-          working-directory: ./infrastructure
+      - name: "Configure AWS Credentials"
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          aws-region: eu-west-2
 
-        - name: "Extract S3 bucket name from Terraform output"
-          id: tf_output
-          run: |
-            BUCKET=$(terraform output -raw lambda_artifact_bucket)
-            echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
-          working-directory: ./infrastructure/stacks/api-layer
+      - name: "Terraform Init"
+        env:
+          ENVIRONMENT: ${{ needs.metadata.outputs.promoted_environment }}
+          WORKSPACE: "default"
+        run: |
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init"
+          make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE
+        working-directory: ./infrastructure
 
-        - name: "Download lambda artifact from S3"
-          run: |
-            aws s3 cp \
-              s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
-              ./dist/lambda.zip \
-              --region eu-west-2
+      - name: "Extract S3 bucket name from Terraform output"
+        id: tf_output
+        run: |
+          BUCKET=$(terraform output -raw lambda_artifact_bucket)
+          echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
+        working-directory: ./infrastructure/stacks/api-layer
 
-        - name: "Upload lambda artifact for the current workflow"
-          uses: actions/upload-artifact@v6
-          with:
-            name: lambda-${{ needs.metadata.outputs.tag }}
-            path: ./dist/lambda.zip
+      - name: "Download lambda artifact from S3"
+        run: |
+          aws s3 cp \
+            s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
+            ./dist/lambda.zip \
+            --region eu-west-2
 
+      - name: "Upload lambda artifact for the current workflow"
+        uses: actions/upload-artifact@v6
+        with:
+          name: lambda-${{ needs.metadata.outputs.tag }}
+          path: ./dist/lambda.zip
 
   deploy:
     name: "Deploy to ${{ needs.metadata.outputs.environment }}"
@@ -264,7 +263,6 @@ jobs:
             s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ steps.release_tag.outputs.release_tag }}/lambda.zip \
             --region eu-west-2
 
-
   regression-tests:
     name: "Regression Tests"
     if: ${{ needs.metadata.outputs.environment == 'preprod' }}
@@ -273,4 +271,5 @@ jobs:
     with:
       ENVIRONMENT: "preprod"
       VERSION_NUMBER: "main"
-    secrets: inherit
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.PREPROD_AWS_ACCOUNT_ID }}

.github/workflows/cicd-2-publish.yaml

@@ -69,7 +69,7 @@ jobs:
       - name: "Set up Python"
         uses: actions/setup-python@v6
         with:
-          python-version: '3.13'
+          python-version: "3.13"
 
       - name: "Checkout Repository"
         uses: actions/checkout@v6
@@ -158,4 +158,5 @@ jobs:
     with:
       ENVIRONMENT: "dev"
       VERSION_NUMBER: "main"
-    secrets: inherit
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.DEV_AWS_ACCOUNT_ID }}

.github/workflows/cicd-3-test-deploy.yaml

@@ -13,6 +13,8 @@ permissions:
   contents: read
   id-token: write
   actions: read
+  issues: write
+  pull-requests: write
 
 jobs:
   metadata:
@@ -254,5 +256,5 @@ jobs:
     with:
       ENVIRONMENT: "test"
       VERSION_NUMBER: "main"
-    secrets: inherit
-
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.TEST_AWS_ACCOUNT_ID }}

.github/workflows/regression-tests.yml

@@ -9,6 +9,9 @@ on:
       VERSION_NUMBER:
         required: true
         type: string
+    secrets:
+      AWS_ACCOUNT_ID:
+        required: true
 
 jobs:
   regression-tests:
@@ -19,6 +22,7 @@ jobs:
       issues: write
       pull-requests: write
     uses: NHSDigital/eligibility-signposting-api-regression-tests/.github/workflows/regression_tests.yml@main
+    secrets: inherit
     with:
       environment: ${{ inputs.ENVIRONMENT }}
       tags: "@regression"

.github/workflows/release-candidate.yml

@@ -31,6 +31,8 @@ permissions:
   contents: write
   id-token: write
   actions: read
+  issues: write
+  pull-requests: write
 
 jobs:
   validate:
@@ -278,7 +280,8 @@ jobs:
     with:
       ENVIRONMENT: "test"
       VERSION_NUMBER: "main"
-    secrets: inherit
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.TEST_AWS_ACCOUNT_ID }}
 
   deploy-to-preprod:
     name: "Deploy to PreProd and create RC"
@@ -394,7 +397,8 @@ jobs:
     with:
       ENVIRONMENT: "preprod"
       VERSION_NUMBER: "main"
-    secrets: inherit
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.PREPROD_AWS_ACCOUNT_ID }}
 
   summary:
     name: "Deployment Summary"