NHSDigital · JackCullen-nhs · Jan 22, 2026 · Jan 22, 2026 · Jan 22, 2026 · Jan 22, 2026
diff --git a/.github/actions/action-infrastructure-stack/action.yaml b/.github/actions/action-infrastructure-stack/action.yaml
@@ -28,6 +28,9 @@ inputs:
   mgmt_account_id:
     description: "The management account ID for the action"
     required: true
+  account_id_dev:
+    description: "AWS dev account ID"
+    required: false
   release_tag:
     description: "The release tag identifying the timeline in the repository to deploy from"
     required: false
@@ -59,6 +62,7 @@ runs:
         APPLICATION_TAG: ${{ inputs.application_tag }}
         RELEASE_TAG: ${{ inputs.release_tag }}
         COMMIT_HASH: ${{ inputs.commit_hash }}
+        AWS_ACCOUNT_ID_DEV: ${{ inputs.account_id_dev }}
       id: "action_stack"
       shell: bash
       run: |

diff --git a/.github/actions/artefact-cleardown/action.yaml b/.github/actions/artefact-cleardown/action.yaml
@@ -0,0 +1,20 @@
+name: "Cleardown redundant artefacts action"
+description: "Delete the redundant artefacts"
+inputs:
+  workspace:
+    description: "The name of the workspace to action the infrastructure into."
+    required: true
+  artefact_bucket_name:
+    description: "The name of the s3 bucket holding domain artefacts"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Delete artefacts
+      id: delete_artefacts
+      shell: bash
+      run: |
+        export WORKSPACE=${{inputs.workspace}}
+        export ARTEFACT_BUCKET_NAME=${{inputs.artefact_bucket_name}}
+        ./scripts/workflow/cleardown-artefacts.sh
diff --git a/.github/actions/check-tf-state/action.yaml b/.github/actions/check-tf-state/action.yaml
@@ -0,0 +1,20 @@
+name: "Check terraform state cleardown action"
+description: "Check deletion of terraform state"
+inputs:
+  workspace:
+        description: "The name of the workspace to check."
+        required: true
+  environment:
+        description: "The name of the environment to action the infrastructure into."
+        required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Delete terraform state
+      id: delete_tf_state
+      shell: bash
+      run: |
+        export WORKSPACE=${{inputs.workspace}}
+        export ENVIRONMENT=${{inputs.environment}}
+        ./scripts/workflow/check-terraform-state.sh
diff --git a/.github/actions/configure-credentials/action.yaml b/.github/actions/configure-credentials/action.yaml
@@ -23,6 +23,6 @@ runs:
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@v5.1.1
         with:
-          role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/saet-triage-api-dev-account-github-runner
+          role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/${{ github.event.repository.name }}${{ inputs.environment != 'mgmt' && format('-{0}', inputs.environment) || '' }}-${{ inputs.type }}-github-runner
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
           aws-region: ${{ inputs.aws_region }}
diff --git a/.github/actions/derive-workspace/action.yaml b/.github/actions/derive-workspace/action.yaml
@@ -0,0 +1,24 @@
+name: "Derive Workspace action"
+description: "Derives the name of the workspace for subsequent actions to run against"
+
+outputs:
+  workspace:
+    description: "The derived workspace name"
+    value: ${{ steps.derive-workspace.outputs.workspace }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Derive workspace"
+      id: "derive-workspace"
+      shell: bash
+      run: |
+        export TRIGGER=${{ github.ref_type }}
+        export TRIGGER_ACTION=${{ github.event_name }}
+        export TRIGGER_REFERENCE=${{ github.ref_name }}
+        export TRIGGER_HEAD_REFERENCE=${{ github.head_ref }}
+        export TRIGGER_EVENT_REF=${{ github.event.ref}}
+        export COMMIT_HASH=$(git rev-parse --short $GITHUB_SHA)
+        . scripts/workflow/derive-workspace.sh
+        echo "Workspace Name: ${WORKSPACE}"
+        echo "workspace=${WORKSPACE}" >> $GITHUB_OUTPUT
diff --git a/.github/actions/perform-static-analysis copy/action.yaml b/.github/actions/perform-static-analysis copy/action.yaml
@@ -0,0 +1,42 @@
+name: "Run SonarCloud static analysis"
+description: "Perform SonarCloud static analysis"
+
+inputs:
+  sonar_organisation_key:
+    description: "Sonar organisation key, used to identify the project"
+    required: false
+  sonar_project_key:
+    description: "Sonar project key, used to identify the project"
+    required: false
+  sonar_token:
+    description: "Sonar token, the API key"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Download code coverage reports"
+      uses: actions/download-artifact@v4
+      with:
+        path: coverage/
+        pattern: coverage-*.xml
+
+    - name: "Find coverage files"
+      id: coverage-files
+      shell: bash
+      run: |
+        FILES=$(find coverage -name 'coverage-*.xml' | paste -sd "," -)
+        echo "files=$FILES" >> $GITHUB_OUTPUT
+
+    - name: "Perform SonarCloud static analysis"
+      uses: sonarsource/sonarqube-scan-action@v5.3.1
+      env:
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
+      with:
+        args: >
+          -Dsonar.organization=${{ inputs.sonar_organisation_key }}
+          -Dsonar.projectKey=${{ inputs.sonar_project_key }}
+          -Dsonar.branch.name=${{ github.ref_name }}
+          -Dsonar.python.coverage.reportPaths=${{ steps.coverage-files.outputs.files }}
+          -Dproject.settings=./scripts/config/sonar-scanner.properties
+      continue-on-error: true
diff --git a/.github/workflows/artefacts-cleardown.yaml b/.github/workflows/artefacts-cleardown.yaml
@@ -0,0 +1,56 @@
+name: Cleardown Artefacts
+
+permissions:
+      id-token: write
+      contents: read
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: "Defines the Github environment in which to pull environment variables from"
+        required: true
+        type: string
+      workspace:
+        description: "Name of the workspace"
+        required: true
+        type: string
+      workflow_timeout:
+        description: "Timeout duration in minutes"
+        required: false
+        default: 10
+        type: number
+      artefact_bucket_name:
+        description: "The name of the s3 bucket holding domain artefacts"
+        required: true
+        type: string
+      type:
+        description: "The type of permissions (e.g., account, app)"
+        required: true
+        type: string
+
+jobs:
+  cleardown-artefacts:
+    name: "Cleardown redundant artefacts"
+    runs-on: ubuntu-latest
+    timeout-minutes: ${{ inputs.workflow_timeout }}
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.tag }}
+
+      - name: "Configure AWS Credentials"
+        uses: ./.github/actions/configure-credentials
+        with:
+          aws_account_id: ${{ secrets.ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          type: ${{ inputs.type }}
+          environment: ${{ inputs.environment }}
+
+      - name: "Cleardown redundant artefacts"
+        uses: ./.github/actions/artefact-cleardown
+        with:
+          workspace: ${{ inputs.workspace }}
+          artefact_bucket_name: ${{ inputs.artefact_bucket_name }}
diff --git a/.github/workflows/build-project.yaml b/.github/workflows/build-project.yaml
@@ -0,0 +1,104 @@
+name: Build project workflow
+run-name: Build ${{ inputs.type }} - ${{ inputs.name }}
+
+permissions:
+  id-token: write
+  contents: read
+on:
+  workflow_call:
+    inputs:
+      build_type:
+        description: "The type of project to build (service, package)"
+        required: true
+        type: string
+      name:
+        description: "The name of the package to build"
+        required: true
+        type: string
+      python_version:
+        description: "The version of Python"
+        required: true
+        type: string
+      commit_hash:
+        description: "The commit hash, set by the CI/CD pipeline workflow"
+        required: false
+        type: string
+      environment:
+        description: "The deployment environment"
+        required: true
+        type: string
+      repo_name:
+        description: "The name of the Git repo"
+        required: true
+        type: string
+      workspace:
+        description: "The name of the workspace to deploy the infrastructure into"
+        required: true
+        type: string
+      application_tag:
+        description: "The application tag identifying the timeline in the repository to deploy from"
+        required: false
+        type: string
+      type:
+        description: "The type of permissions (e.g., account, app)"
+        required: true
+        type: string
+      release_build:
+        description: "Flag to indicate if this is a release build"
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  build-project:
+    name: "Build ${{ inputs.build_type }} - ${{ inputs.name }}"
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v6
+
+      - name: "Configure AWS Credentials"
+        uses: ./.github/actions/configure-credentials
+        with:
+          aws_account_id: ${{ secrets.ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          type: ${{ inputs.type }}
+          environment: ${{ inputs.environment }}
+
+      - name: "Set up Python"
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ inputs.python_version }}
+
+      - name: "Build project"
+        run: make build
+        env:
+          SERVICE: ${{ inputs.name }}
+          PACKAGE: ${{ inputs.name }}
+          COMMIT_HASH: ${{ inputs.commit_hash }}
+          ENVIRONMENT: ${{ inputs.environment }}
+          REPO_NAME: ${{ inputs.repo_name }}
+          WORKSPACE: ${{ inputs.workspace }}
+          APPLICATION_TAG: ${{ inputs.application_tag }}
+          RELEASE_BUILD: ${{ inputs.release_build }}
+
+      - name: "Publish artefacts to S3"
+        run: make publish
+        env:
+          SERVICE: ${{ inputs.name }}
+          PACKAGE: ${{ inputs.name }}
+          COMMIT_HASH: ${{ inputs.commit_hash }}
+          ENVIRONMENT: ${{ inputs.environment }}
+          REPO_NAME: ${{ inputs.repo_name }}
+          WORKSPACE: ${{ inputs.workspace }}
+          APPLICATION_TAG: ${{ inputs.application_tag }}
+          RELEASE_BUILD: ${{ inputs.release_build }}
+
+      - name: "Publish artefacts to GitHub"
+        uses: actions/upload-artifact@v6
+        with:
+          name: ${{ inputs.name }}-${{ inputs.build_type }}-artefacts
+          path: src/lambda_function.zip
+          if-no-files-found: error