From 6ea43af4bd60afc7171ba633c898cf8483f92c25 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:15:16 +0000 Subject: [PATCH 01/10] [NRL-1922] Generate coverage report when running unit tests. Fixup sonar cloud config --- Makefile | 2 +- sonar-project.properties | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 394150e3a..8b44ad164 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ MAKEFLAGS := --no-print-directory SHELL := /bin/bash DIST_PATH ?= ./dist -TEST_ARGS ?= --cov --cov-report=term-missing +TEST_ARGS ?= --cov --cov-report=term-missing --cov-report=xml:$(DIST_PATH)/test-coverage.xml SMOKE_TEST_ARGS ?= FEATURE_TEST_ARGS ?= ./tests/features --format progress2 TF_WORKSPACE_NAME ?= $(shell terraform -chdir=terraform/infrastructure workspace show) diff --git a/sonar-project.properties b/sonar-project.properties index cac876215..9e9655496 100644 --- a/sonar-project.properties +++ b/sonar-project.properties 
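Review bot: The XML report location added to `TEST_ARGS` follows `$(DIST_PATH)`, while the Sonar side names a fixed file in `sonar.python.coverage.reportPaths`, so the two can drift apart without any error. Both `DIST_PATH` and `TEST_ARGS` are `?=` assignments, so an override from the environment or command line moves or drops the report and the scan simply shows no coverage. A comment above the assignment would make the coupling visible, e.g. `# Keep the xml report path in sync with sonar.python.coverage.reportPaths in sonar-project.properties`.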
@@ -1,11 +1,14 @@ sonar.projectKey=NHSDigital_NRLF sonar.organization=nhsdigital sonar.projectName=NRLF -sonar.python.version=3.9.5 -sonar.terraform.provider.aws.version=4.63.0 -# TODO: Some paths here are outdated and perhaps we don't want to exclude everything -sonar.cpd.exclusions=api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/** -sonar.exclusions=scripts/**, **/scripts/**, api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/** + +sonar.python.version=3.12.10 + +sonar.exclusions=scripts/** +sonar.coverage.exclusions=scripts/**, test/**, **/tests/** +sonar.cpd.exclusions=tests/**, **/tests/** + +sonar.python.coverage.reportPaths=coverage.xml # Exclude snomed urls as being unsafe sonar.issue.ignore.multicriteria=exclude_snomed_urls From 8c2ecd81ff51bc51e3379f54dfeab28255f31571 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:41:27 +0000 Subject: [PATCH 02/10] [NRL-1922] Add new workflow for PR checks --- .github/workflows/pr-checks.yml | 75 +++++++++++++++++++++++++++++++++ sonar-project.properties | 2 +- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/pr-checks.yml diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml new file mode 100644 index 000000000..c9bfebf8e --- /dev/null +++ b/.github/workflows/pr-checks.yml 
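Review bot: `sonar.coverage.exclusions` lists `test/**` while `sonar.cpd.exclusions` on the next line uses `tests/**`; the singular form looks like a typo, and no `test/` directory appears among the removed patterns. If so, `sonar.coverage.exclusions=scripts/**, tests/**, **/tests/**` would match the neighbouring line. Separately, `sonar.exclusions` now drops only `scripts/**`, so test code will be analysed as main source unless it is declared through `sonar.tests` or `sonar.test.inclusions`. It is worth confirming that this is intended and not a side effect of removing the old list.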
@@ -0,0 +1,75 @@ +name: Run PR checks +run-name: "Running checks for PR #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})" + +on: + pull_request: + types: [opened, reopened, synchronize] + +concurrency: + cancel-in-progress: false + +permissions: + id-token: write + contents: read + actions: write + pull-requests: write + +jobs: + build: + name: Build and test + runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + + steps: + - name: Git clone - ${{ github.ref }} + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Setup environment + run: | + echo "${HOME}/.asdf/bin" >> $GITHUB_PATH + poetry install --no-root + + - name: Build + run: make build + + - name: Test + run: make test + + - name: Upload build artifacts + uses: actions/upload-artifact@v3 + with: + name: build-artifacts + path: dist + + sonar: + name: SonarQube analysis and quality gate check + runs-on: ubuntu-latest + after: build + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Get build artifacts + uses: actions/download-artifact@v3 + with: + name: build-artifacts + path: dist + + # Triggering SonarQube analysis as results of it are required by Quality Gate check. + - name: SonarQube Scan + uses: sonarsource/sonarqube-scan-action@master + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + # Check the Quality Gate status. + - name: SonarQube Quality Gate check + id: sonarqube-quality-gate-check + uses: sonarsource/sonarqube-quality-gate-action@master + with: + pollingTimeoutSec: 600 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL diff --git a/sonar-project.properties b/sonar-project.properties index 9e9655496..a4df9452b 100644 --- a/sonar-project.properties +++ b/sonar-project.properties 
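Review bot: The `actions/checkout` step in the `build` job keeps its default credential handling, so the job token stays in the workspace's git config while the later steps (`poetry install --no-root`, `make build`, `make test`) execute code taken from the pull request on the CodeBuild-hosted runner. Adding `persist-credentials: false` under that step's `with:`, and under the checkout in the `sonar` job, removes the token before PR-controlled code runs. The `sonar` job also reads `sonar-project.properties` and the `dist` artifact from the pull request while `SONAR_TOKEN` is in its environment, so a comment stating which PRs are expected to reach that job would help reviewers. If pull requests from forks are accepted, how runs on the CodeBuild runner are approved should be documented too, since whatever role that runner has is presumably available to these steps.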
@@ -8,7 +8,7 @@ sonar.exclusions=scripts/** sonar.coverage.exclusions=scripts/**, test/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** -sonar.python.coverage.reportPaths=coverage.xml +sonar.python.coverage.reportPaths=dist/test-coverage.xml # Exclude snomed urls as being unsafe sonar.issue.ignore.multicriteria=exclude_snomed_urls From b6a467790beaafe52eda7b1d5912434ec58bf5fc Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:45:35 +0000 Subject: [PATCH 03/10] [NRL-1922] Remove unused sonarcloud url config --- .github/workflows/pr-checks.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index c9bfebf8e..24e05034f 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -62,7 +62,6 @@ jobs: uses: sonarsource/sonarqube-scan-action@master env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # Check the Quality Gate status. - name: SonarQube Quality Gate check @@ -72,4 +71,3 @@ jobs: pollingTimeoutSec: 600 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL From 7a137573a3faf39234e87edd4621a0419602b493 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:47:39 +0000 Subject: [PATCH 04/10] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 24e05034f..e83ef8ddf 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -5,9 +5,6 @@ on: pull_request: types: [opened, reopened, synchronize] -concurrency: - cancel-in-progress: false - permissions: id-token: write contents: read @@ -45,7 +42,7 @@ jobs: sonar: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest - after: build + needs: build steps: - uses: actions/checkout@v4 with: 
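Review bot: `sonar.python.coverage.reportPaths=dist/test-coverage.xml` is consumed in the `sonar` job on `ubuntu-latest`, but the file is written by `make test` in the `build` job on the CodeBuild runner and carried over as an artifact. The coverage configuration is not part of this series, so this is a check and not a confirmed defect. If the XML records absolute source paths from the build machine, the scanner may fail to map them onto its own checkout and report no coverage. Setting `relative_files = true` in the `[run]` section of the coverage configuration avoids that dependence on the build path.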
From 3d813a665649114065ac3b87657b6d727f9e3640 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:49:29 +0000 Subject: [PATCH 05/10] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index e83ef8ddf..fedb1c707 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -37,7 +37,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: build-artifacts - path: dist + path: dist sonar: name: SonarQube analysis and quality gate check @@ -52,7 +52,7 @@ jobs: uses: actions/download-artifact@v3 with: name: build-artifacts - path: dist + path: dist # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan From 42a49592e4c023ab9a75c8c77162064ea3580cd1 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:51:18 +0000 Subject: [PATCH 06/10] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index fedb1c707..ea156252c 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -34,7 +34,7 @@ jobs: run: make test - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: build-artifacts path: dist @@ -49,7 +49,7 @@ jobs: ref: ${{ github.ref }} - name: Get build artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: build-artifacts path: dist From d7c309ac57f1d9a7482ab0ed6677462cd1192295 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:58:47 +0000 Subject: [PATCH 07/10] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index ea156252c..2fed5737e 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -5,16 +5,13 @@ on: pull_request: types: [opened, reopened, synchronize] -permissions: - id-token: write - contents: read - actions: write - pull-requests: write - jobs: build: name: Build and test runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + permissions: + contents: read + actions: write steps: - name: Git clone - ${{ github.ref }} @@ -43,6 +40,9 @@ jobs: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest needs: build + permissions: + contents: read + actions: write steps: - uses: actions/checkout@v4 with: From 5dd52d7e3ef3cc6559f038bdcc833291e475def8 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 15:15:12 +0000 Subject: [PATCH 08/10] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 2fed5737e..a9eb33170 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -56,14 +56,14 @@ jobs: # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@master + uses: sonarsource/sonarqube-scan-action@v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Check the Quality Gate status. - name: SonarQube Quality Gate check id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@master + uses: sonarsource/sonarqube-quality-gate-action@v1.2.0 with: pollingTimeoutSec: 600 env: From f1305f795e5173237bd186057d86ee5b0696953c Mon Sep 17 00:00:00 2001 
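Review bot: Both new job-level `permissions` blocks (the `build` hunk and the `sonar` hunk of patch 07) keep `actions: write`, which none of the steps visible in this series appears to need. `actions/upload-artifact` and `actions/download-artifact` within the same run work without it. On a `pull_request` workflow that executes PR code, that scope lets the job token manage workflow runs and caches, which is more than a build-and-scan job should hold. Unless a step outside these hunks relies on it, `permissions:` with only `contents: read` would be enough for both jobs. The step lists of both jobs continue outside the hunks.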
From: Matt Dean Date: Fri, 13 Feb 2026 15:20:52 +0000 Subject: [PATCH 09/10] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index a9eb33170..c20dcb961 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -56,14 +56,14 @@ jobs: # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@v7.0.0 + uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Check the Quality Gate status. - name: SonarQube Quality Gate check id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@v1.2.0 + uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0 with: pollingTimeoutSec: 600 env: From 636ed4f16ed578d3ba54d09d48e24399d740c29d Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 15:47:49 +0000 Subject: [PATCH 10/10] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index c20dcb961..0a65ccf3a 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -9,6 +9,7 @@ jobs: build: name: Build and test runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + environment: pull-request permissions: contents: read actions: write @@ -40,6 +41,7 @@ jobs: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest needs: build + environment: pull-request permissions: contents: read actions: write
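Review bot: Only the two SonarSource actions are pinned to a commit in this hunk; `actions/checkout@v4`, `actions/upload-artifact@v4` and `actions/download-artifact@v4` elsewhere in the workflow (outside this hunk) still resolve through movable tags. If SHA pinning is the policy for this file, it should cover those steps as well. The trailing version comments would read better as `  # v7.0.0` and `  # v1.2.0`, with a space after `#`, which is the form linters and update tooling usually expect. It is also worth confirming that each SHA is the commit the named tag points to, since the diff alone cannot show that.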
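Review bot: `environment: pull-request` is added to `build` as well as `sonar`, but in the workflow as introduced earlier in this series only the `sonar` job references a secret (`SONAR_TOKEN`), and the reason `build` needs the environment is not stated. Because `build` runs the pull request's own `make build` and `make test`, the intent matters. Either the environment is there to gate that job behind a protection rule, or it can be limited to `sonar`. A short comment above each line would record this, e.g. `# needed for SONAR_TOKEN (environment secret)` on `sonar`, if that is the case. The same applies to the second hunk of this patch; both job bodies continue outside the hunks.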