[CDAPI-100]: Run remote tests as part of CI

nhsd-rebecca-flynn · nhsd-rebecca-flynn · commit 84ef272e6cb4 · 2026-02-23T11:09:09.000Z
diff --git a/.github/actions/proxy/generate-apigee-token/action.yaml b/.github/actions/proxy/generate-apigee-token/action.yaml
@@ -0,0 +1,43 @@
+name: Generate Apigee Token
+description: Generate the Apigee Token needed to run the tests
+
+inputs:
+  proxygen-key-secret:
+    description: 'Proxygen private key secret'
+    required: true
+  proxygen-key-id:
+    description: 'Proxygen key ID'
+    required: true
+  proxygen-client-id:
+    description: 'Proxygen client ID'
+    required: true
+  proxygen-api-name:
+    description: 'Proxygen API name'
+    required: true
+outputs:
+  apigee-access-token:
+    description: "The token needed to use apigee in our testing"
+    value: ${{ steps.retrieve_apigee_token.outputs.apigee-access-token }}
+
+runs:
+  using: composite
+  steps:
+    - name: Configure Proxygen
+      uses: ./.github/actions/proxy/configure-proxygen
+      with:
+        proxygen-key-secret: ${{ inputs.proxygen-key-secret }}
+        proxygen-key-id: ${{ inputs.proxygen-key-id }}
+        proxygen-client-id: ${{ inputs.proxygen-client-id }}
+        proxygen-api-name: ${{ inputs.proxygen-api-name }}
+
+    - id: retrieve_apigee_token
+      name: Retrieve token
+      shell: bash
+      run: |
+        TOKEN=$(proxygen pytest-nhsd-apim get-token | jq -r '.pytest_nhsd_apim_token')
+        if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
+          echo "::error::Failed to retrieve Apigee token"
+          exit 1
+        fi
+        echo "apigee-access-token=$TOKEN" >> $GITHUB_OUTPUT
+        echo "Token retrieved successfully (length: ${#TOKEN})"
diff --git a/.github/actions/retrieve-apigee-token/action.yaml b/.github/actions/retrieve-apigee-token/action.yaml
@@ -0,0 +1,49 @@
+name: Retrieve Apigee Token from Secrets Manager
+description: Configure AWS credentials and retrieve the Apigee token from AWS Secrets Manager
+
+inputs:
+  secret-name:
+    description: 'The name of the secret in AWS Secrets Manager'
+    required: true
+  aws-role-arn:
+    description: 'AWS IAM role ARN to assume'
+    required: true
+  aws-region:
+    description: 'AWS region'
+    required: true
+    default: 'eu-west-2'
+
+outputs:
+  apigee-access-token:
+    description: "The Apigee access token retrieved from Secrets Manager"
+    value: ${{ steps.set-token.outputs.token }}
+
+runs:
+  using: composite
+  steps:
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@a7a2c1125c67f40a1e95768f4e4a7d8f019f87af
+      with:
+        role-to-assume: ${{ inputs.aws-role-arn }}
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: Retrieve token from Secrets Manager
+      uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802
+      with:
+        secret-ids: ${{ inputs.secret-name }}
+        parse-json-secrets: false
+
+    - name: Set token output
+      id: set-token
+      shell: bash
+      run: |
+        SECRET_NAME="${{ inputs.secret-name }}"
+        # AWS action creates env var with secret name (hyphens→underscores, lowercase→uppercase)
+        ENV_VAR_NAME=$(echo "$SECRET_NAME" | tr '-' '_' | tr '[:lower:]' '[:upper:]')
+        TOKEN_VALUE="${!ENV_VAR_NAME}"
+        if [ -z "$TOKEN_VALUE" ]; then
+          echo "::error::Failed to retrieve token from Secrets Manager"
+          exit 1
+        fi
+        echo "token=$TOKEN_VALUE" >> $GITHUB_OUTPUT
+        echo "Token retrieved successfully from Secrets Manager"
diff --git a/.github/actions/setup-python-project/action.yaml b/.github/actions/setup-python-project/action.yaml
@@ -7,6 +7,11 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libxml2-dev libxslt-dev
     - name: "Set up Python"
       uses: actions/setup-python@v6
       with:
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
@@ -1,8 +1,18 @@
 name: "Test stage"
 
+permissions:
+  id-token: write
+  contents: read
+
 env:
-  BASE_URL: "http://localhost:5002"
+  BASE_URL: "https://internal-dev.api.service.nhs.uk/pathology-laboratory-reporting-pr-32"
   HOST: "localhost"
+  ENV: "remote"
+  PR_NUMBER: "32"
+  AWS_REGION: eu-west-2
+  PROXYGEN_KEY_ID: ${{ vars.PREVIEW_ENV_PROXYGEN_KEY_ID }}
+  PROXYGEN_CLIENT_ID: ${{ vars.PREVIEW_ENV_PROXYGEN_CLIENT_ID }}
+  PROXYGEN_API_NAME: ${{ vars.PROXYGEN_API_NAME }}
 
 on:
   workflow_call:
@@ -27,13 +37,97 @@ jobs:
         with:
           prefix: coverage
 
+  generate-apigee-token:
+    name: "Generate Apigee token"
+    runs-on: ubuntu-latest
+    outputs:
+      secret-name: ${{ steps.store-token.outputs.secret-name }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v6
+
+      - name: "Set up Python"
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
+        with:
+          python-version: ${{ inputs.python_version }}
+
+      - name: Select AWS role inputs
+        id: role-select
+        env:
+          DEPENDABOT_AWS_ROLE_ARN: ${{ secrets.DEPENDABOT_AWS_ROLE_ARN }}
+          DEPENDABOT_LAMBDA_ROLE_ARN: ${{ secrets.DEPENDABOT_LAMBDA_ROLE_ARN }}
+          AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+          LAMBDA_ROLE_ARN: ${{ secrets.LAMBDA_ROLE_ARN }}
+        run: |
+          if [ "${{ github.actor }}" = "dependabot[bot]" ]; then
+            echo "aws_role=$DEPENDABOT_AWS_ROLE_ARN" >> "$GITHUB_OUTPUT"
+            echo "lambda_role=$DEPENDABOT_LAMBDA_ROLE_ARN" >> "$GITHUB_OUTPUT"
+          else
+            echo "aws_role=$AWS_ROLE_ARN" >> "$GITHUB_OUTPUT"
+            echo "lambda_role=$LAMBDA_ROLE_ARN" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@a7a2c1125c67f40a1e95768f4e4a7d8f019f87af
+        with:
+          role-to-assume: ${{ steps.role-select.outputs.aws_role }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Get proxygen machine user details
+        id: proxygen-machine-user
+        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802
+        with:
+          secret-ids: /cds/pathology/dev/proxygen/proxygen-key-secret
+          name-transformation: lowercase
+
+      - name: Generate Apigee token
+        id: generate-token
+        uses: ./.github/actions/proxy/generate-apigee-token
+        with:
+          proxygen-key-secret: ${{ env._cds_pathology_dev_proxygen_proxygen_key_secret }}
+          proxygen-key-id: ${{ env.PROXYGEN_KEY_ID }}
+          proxygen-client-id: ${{ env.PROXYGEN_CLIENT_ID }}
+          proxygen-api-name: ${{ env.PROXYGEN_API_NAME }}
+
+      - name: Store token in AWS Secrets Manager
+        id: store-token
+        shell: bash
+        env:
+          TOKEN: ${{ steps.generate-token.outputs.apigee-access-token }}
+        run: |
+          if [ -z "$TOKEN" ]; then
+            echo "::error::Token is empty"
+            exit 1
+          fi
+          SECRET_NAME="apigee-token-${{ github.run_id }}-${{ github.run_attempt }}"
+          aws secretsmanager create-secret \
+            --name "$SECRET_NAME" \
+            --description "Temporary Apigee token for workflow run ${{ github.run_id }}" \
+            --secret-string "$TOKEN" \
+            --region ${{ env.AWS_REGION }}
+          echo "secret-name=$SECRET_NAME" >> $GITHUB_OUTPUT
+          echo "Token stored securely in AWS Secrets Manager: $SECRET_NAME"
+
   test-unit:
     name: "Unit tests"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    needs: [generate-apigee-token]
+    env:
+      ENV: "local"
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
+      - name: Retrieve Apigee token
+        id: get-token
+        uses: ./.github/actions/retrieve-apigee-token
+        with:
+          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
+          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Set token environment variable
+        shell: bash
+        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -57,9 +151,20 @@ jobs:
     name: "Contract tests"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    needs: [generate-apigee-token]
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
+      - name: Retrieve Apigee token
+        id: get-token
+        uses: ./.github/actions/retrieve-apigee-token
+        with:
+          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
+          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Set token environment variable
+        shell: bash
+        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -87,9 +192,20 @@ jobs:
     name: "Schema validation tests"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    needs: [generate-apigee-token]
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
+      - name: Retrieve Apigee token
+        id: get-token
+        uses: ./.github/actions/retrieve-apigee-token
+        with:
+          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
+          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Set token environment variable
+        shell: bash
+        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -117,9 +233,20 @@ jobs:
     name: "Integration tests"
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    needs: [generate-apigee-token]
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
+      - name: Retrieve Apigee token
+        id: get-token
+        uses: ./.github/actions/retrieve-apigee-token
+        with:
+          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
+          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Set token environment variable
+        shell: bash
+        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -129,6 +256,7 @@ jobs:
         with:
           python-version: ${{ inputs.python_version }}
       - name: "Run integration test"
+        shell: bash
         run: make test-integration
       - name: "Upload integration test results"
         if: always()
@@ -147,9 +275,20 @@ jobs:
     name: "Acceptance tests"
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    needs: [generate-apigee-token]
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
+      - name: Retrieve Apigee token
+        id: get-token
+        uses: ./.github/actions/retrieve-apigee-token
+        with:
+          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
+          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Set token environment variable
+        shell: bash
+        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -230,3 +369,30 @@ jobs:
             -Dsonar.organization=${{ vars.SONAR_ORGANISATION_KEY }}
             -Dsonar.projectKey=${{ vars.SONAR_PROJECT_KEY }}
             -Dsonar.python.coverage.reportPaths=coverage-reports/${{ needs.create-coverage-name.outputs.coverage-name }}.xml
+
+  cleanup-apigee-token:
+    name: "Cleanup Apigee token"
+    runs-on: ubuntu-latest
+    needs: [generate-apigee-token, test-unit, test-contract, test-schema, test-integration, test-acceptance]
+    if: always()
+    timeout-minutes: 2
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@a7a2c1125c67f40a1e95768f4e4a7d8f019f87af
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Delete secret from AWS Secrets Manager
+        shell: bash
+        run: |
+          SECRET_NAME="${{ needs.generate-apigee-token.outputs.secret-name }}"
+          if [ -n "$SECRET_NAME" ]; then
+            aws secretsmanager delete-secret \
+              --secret-id "$SECRET_NAME" \
+              --force-delete-without-recovery \
+              --region ${{ env.AWS_REGION }} || true
+            echo "Secret $SECRET_NAME deleted from Secrets Manager"
+          else
+            echo "No secret name provided, skipping cleanup"
+          fi
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -6,3 +6,5 @@ cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:
 
 pathology-api/pyproject.toml:ipv4:51
 pathology-api/pyproject.toml:ipv4:50
+mocks/pyproject.toml:ipv4:54
+mocks/pyproject.toml:ipv4:55
diff --git a/scripts/tests/run-test.sh b/scripts/tests/run-test.sh
@@ -42,13 +42,23 @@ else
   COV_PATH="src/pathology_api"
 fi
 
-# Note: TEST_PATH is intentionally unquoted to allow glob expansion for unit tests
-poetry run pytest ${TEST_PATH} -v \
-  --cov=${COV_PATH} \
-  --cov-report=html:test-artefacts/coverage-html \
-  --cov-report=term \
-  --junit-xml="test-artefacts/${TEST_TYPE}-tests.xml" \
-  --html="test-artefacts/${TEST_TYPE}-tests.html" --self-contained-html
+if [ "$ENV" = "remote" ]; then
+  # Note: TEST_PATH is intentionally unquoted to allow glob expansion for unit tests
+  poetry run pytest ${TEST_PATH} --env="remote" -v \
+    --api-name=pathology-laboratory-reporting --proxy-name=pathology-laboratory-reporting--internal-dev--pathology-laboratory-reporting-pr-${PR_NUMBER} \
+    --cov=${COV_PATH} \
+    --cov-report=html:test-artefacts/coverage-html \
+    --cov-report=term \
+    --junit-xml="test-artefacts/${TEST_TYPE}-tests.xml" \
+    --html="test-artefacts/${TEST_TYPE}-tests.html" --self-contained-html
+else
+  poetry run pytest ${TEST_PATH} -v \
+    --cov=${COV_PATH} \
+    --cov-report=html:test-artefacts/coverage-html \
+    --cov-report=term \
+    --junit-xml="test-artefacts/${TEST_TYPE}-tests.xml" \
+    --html="test-artefacts/${TEST_TYPE}-tests.html" --self-contained-html
+fi
 
 # Save coverage data file for merging
 mv .coverage "test-artefacts/coverage.${TEST_TYPE}"
