[CDAPI-100]: Remote APIM testing completed in preview env

nhsd-rebecca-flynn · nhsd-rebecca-flynn · commit d769083d77db · 2026-02-23T16:16:30.000Z
diff --git a/.github/workflows/preview-env.yaml b/.github/workflows/preview-env.yaml
@@ -23,6 +23,9 @@ env:
   PROXYGEN_KEY_ID: ${{ vars.PREVIEW_ENV_PROXYGEN_KEY_ID }}
   PROXYGEN_CLIENT_ID: ${{ vars.PREVIEW_ENV_PROXYGEN_CLIENT_ID }}
   PROXYGEN_API_NAME: ${{ vars.PROXYGEN_API_NAME }}
+  BASE_URL: "https://internal-dev.api.service.nhs.uk/pathology-laboratory-reporting-pr-32"
+  ENV: "remote"
+  PR_NUMBER: ${{ github.event.pull_request.number }}
 
 jobs:
   pr-preview:
@@ -236,6 +239,127 @@ jobs:
           proxygen-client-id: ${{ env.PROXYGEN_CLIENT_ID }}
           proxygen-api-name: ${{ env.PROXYGEN_API_NAME }}
 
+      - name: Retrieve Apigee Token
+        id: apigee-token
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          APIGEE_TOKEN="$(proxygen pytest-nhsd-apim get-token | jq -r '.pytest_nhsd_apim_token' 2>/dev/null)"
+          if [ -z "$APIGEE_TOKEN" ] || [ "$APIGEE_TOKEN" = "null" ]; then
+            echo "::error::Failed to retrieve Apigee token"
+            exit 1
+          fi
+
+          echo "::add-mask::$APIGEE_TOKEN"
+          echo "mask-test: $APIGEE_TOKEN"
+          printf 'apigee-access-token=%s\n' "$APIGEE_TOKEN" >> "$GITHUB_OUTPUT"
+          echo "Token retrieved successfully (length: ${#APIGEE_TOKEN})"
+
+      - name: "Create coverage artefact name"
+        id: create-name
+        uses: ./.github/actions/create-artefact-name
+        with:
+          prefix: coverage
+
+      - name: "Run contract tests"
+        run: make test-contract
+      - name: "Upload contract test results"
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: contract-test-results
+          path: pathology-api/test-artefacts/
+          retention-days: 30
+      - name: "Publish contract test results to summary"
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
+        with:
+          paths: pathology-api/test-artefacts/contract-tests.xml
+
+      - name: "Run schema validation tests"
+        run: make test-schema
+      - name: "Upload schema test results"
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: schema-test-results
+          path: pathology-api/test-artefacts/
+          retention-days: 30
+      - name: "Publish schema test results to summary"
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
+        with:
+          paths: pathology-api/test-artefacts/schema-tests.xml
+
+      - name: "Run integration test"
+        run: make test-integration
+      - name: "Upload integration test results"
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: integration-test-results
+          path: pathology-api/test-artefacts/
+          retention-days: 30
+      - name: "Publish integration test results to summary"
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
+        with:
+          paths: pathology-api/test-artefacts/integration-tests.xml
+
+      - name: "Run acceptance test"
+        run: make test-acceptance
+      - name: "Upload acceptance test results"
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: acceptance-test-results
+          path: pathology-api/test-artefacts/
+          retention-days: 30
+      - name: "Publish acceptance test results to summary"
+        if: always()
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
+        with:
+          paths: pathology-api/test-artefacts/acceptance-tests.xml
+
+      - name: "Download all test coverage artefacts"
+        uses: actions/download-artifact@v7
+        with:
+          path: pathology-api/test-artefacts/
+          merge-multiple: false
+      - name: "Merge coverage data"
+        run: make test-coverage
+      - name: "Rename coverage XML with unique name"
+        run: |
+          cd pathology-api/test-artefacts
+          mv coverage-merged.xml ${{ needs.create-coverage-name.outputs.coverage-name }}.xml
+      - name: "Upload combined coverage report"
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: ${{ needs.create-coverage-name.outputs.coverage-name }}
+          path: pathology-api/test-artefacts
+          retention-days: 30
+
+      - name: "Checkout code"
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0 # Full history is needed for better analysis
+      - name: "Download merged coverage report"
+        uses: actions/download-artifact@v7
+        with:
+          name: ${{ needs.create-coverage-name.outputs.coverage-name }}
+          path: coverage-reports/
+      - name: "SonarCloud Scan"
+        uses: SonarSource/sonarqube-scan-action@v7
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ vars.SONAR_ORGANISATION_KEY }}
+            -Dsonar.projectKey=${{ vars.SONAR_PROJECT_KEY }}
+            -Dsonar.python.coverage.reportPaths=coverage-reports/${{ needs.create-coverage-name.outputs.coverage-name }}.xml
+
       - name: Comment function name on PR
         if: github.event_name == 'pull_request' && github.event.action != 'closed'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
@@ -1,18 +1,8 @@
 name: "Test stage"
 
-permissions:
-  id-token: write
-  contents: read
-
 env:
-  BASE_URL: "https://internal-dev.api.service.nhs.uk/pathology-laboratory-reporting-pr-32"
+  BASE_URL: "http://localhost:5002"
   HOST: "localhost"
-  ENV: "remote"
-  PR_NUMBER: "32"
-  AWS_REGION: eu-west-2
-  PROXYGEN_KEY_ID: ${{ vars.PREVIEW_ENV_PROXYGEN_KEY_ID }}
-  PROXYGEN_CLIENT_ID: ${{ vars.PREVIEW_ENV_PROXYGEN_CLIENT_ID }}
-  PROXYGEN_API_NAME: ${{ vars.PROXYGEN_API_NAME }}
 
 on:
   workflow_call:
@@ -37,97 +27,13 @@ jobs:
         with:
           prefix: coverage
 
-  generate-apigee-token:
-    name: "Generate Apigee token"
-    runs-on: ubuntu-latest
-    outputs:
-      secret-name: ${{ steps.store-token.outputs.secret-name }}
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v6
-
-      - name: "Set up Python"
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
-        with:
-          python-version: ${{ inputs.python_version }}
-
-      - name: Select AWS role inputs
-        id: role-select
-        env:
-          DEPENDABOT_AWS_ROLE_ARN: ${{ secrets.DEPENDABOT_AWS_ROLE_ARN }}
-          DEPENDABOT_LAMBDA_ROLE_ARN: ${{ secrets.DEPENDABOT_LAMBDA_ROLE_ARN }}
-          AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
-          LAMBDA_ROLE_ARN: ${{ secrets.LAMBDA_ROLE_ARN }}
-        run: |
-          if [ "${{ github.actor }}" = "dependabot[bot]" ]; then
-            echo "aws_role=$DEPENDABOT_AWS_ROLE_ARN" >> "$GITHUB_OUTPUT"
-            echo "lambda_role=$DEPENDABOT_LAMBDA_ROLE_ARN" >> "$GITHUB_OUTPUT"
-          else
-            echo "aws_role=$AWS_ROLE_ARN" >> "$GITHUB_OUTPUT"
-            echo "lambda_role=$LAMBDA_ROLE_ARN" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Configure AWS credentials (OIDC)
-        uses: aws-actions/configure-aws-credentials@a7a2c1125c67f40a1e95768f4e4a7d8f019f87af
-        with:
-          role-to-assume: ${{ steps.role-select.outputs.aws_role }}
-          aws-region: ${{ env.AWS_REGION }}
-
-      - name: Get proxygen machine user details
-        id: proxygen-machine-user
-        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802
-        with:
-          secret-ids: /cds/pathology/dev/proxygen/proxygen-key-secret
-          name-transformation: lowercase
-
-      - name: Generate Apigee token
-        id: generate-token
-        uses: ./.github/actions/proxy/generate-apigee-token
-        with:
-          proxygen-key-secret: ${{ env._cds_pathology_dev_proxygen_proxygen_key_secret }}
-          proxygen-key-id: ${{ env.PROXYGEN_KEY_ID }}
-          proxygen-client-id: ${{ env.PROXYGEN_CLIENT_ID }}
-          proxygen-api-name: ${{ env.PROXYGEN_API_NAME }}
-
-      - name: Store token in AWS Secrets Manager
-        id: store-token
-        shell: bash
-        env:
-          TOKEN: ${{ steps.generate-token.outputs.apigee-access-token }}
-        run: |
-          if [ -z "$TOKEN" ]; then
-            echo "::error::Token is empty"
-            exit 1
-          fi
-          SECRET_NAME="apigee-token-${{ github.run_id }}-${{ github.run_attempt }}"
-          aws secretsmanager create-secret \
-            --name "$SECRET_NAME" \
-            --description "Temporary Apigee token for workflow run ${{ github.run_id }}" \
-            --secret-string "$TOKEN" \
-            --region ${{ env.AWS_REGION }}
-          echo "secret-name=$SECRET_NAME" >> $GITHUB_OUTPUT
-          echo "Token stored securely in AWS Secrets Manager: $SECRET_NAME"
-
   test-unit:
     name: "Unit tests"
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    needs: [generate-apigee-token]
-    env:
-      ENV: "local"
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
-      - name: Retrieve Apigee token
-        id: get-token
-        uses: ./.github/actions/retrieve-apigee-token
-        with:
-          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
-          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Set token environment variable
-        shell: bash
-        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -151,20 +57,9 @@ jobs:
     name: "Contract tests"
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    needs: [generate-apigee-token]
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
-      - name: Retrieve Apigee token
-        id: get-token
-        uses: ./.github/actions/retrieve-apigee-token
-        with:
-          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
-          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Set token environment variable
-        shell: bash
-        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -192,20 +87,9 @@ jobs:
     name: "Schema validation tests"
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    needs: [generate-apigee-token]
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
-      - name: Retrieve Apigee token
-        id: get-token
-        uses: ./.github/actions/retrieve-apigee-token
-        with:
-          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
-          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Set token environment variable
-        shell: bash
-        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -233,20 +117,9 @@ jobs:
     name: "Integration tests"
     runs-on: ubuntu-latest
     timeout-minutes: 10
-    needs: [generate-apigee-token]
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
-      - name: Retrieve Apigee token
-        id: get-token
-        uses: ./.github/actions/retrieve-apigee-token
-        with:
-          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
-          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Set token environment variable
-        shell: bash
-        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -256,7 +129,6 @@ jobs:
         with:
           python-version: ${{ inputs.python_version }}
       - name: "Run integration test"
-        shell: bash
         run: make test-integration
       - name: "Upload integration test results"
         if: always()
@@ -275,20 +147,9 @@ jobs:
     name: "Acceptance tests"
     runs-on: ubuntu-latest
     timeout-minutes: 10
-    needs: [generate-apigee-token]
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
-      - name: Retrieve Apigee token
-        id: get-token
-        uses: ./.github/actions/retrieve-apigee-token
-        with:
-          secret-name: ${{ needs.generate-apigee-token.outputs.secret-name }}
-          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Set token environment variable
-        shell: bash
-        run: echo "APIGEE_ACCESS_TOKEN=${{ steps.get-token.outputs.apigee-access-token }}" >> $GITHUB_ENV
       - name: "Setup Python project"
         uses: ./.github/actions/setup-python-project
         with:
@@ -369,30 +230,3 @@ jobs:
             -Dsonar.organization=${{ vars.SONAR_ORGANISATION_KEY }}
             -Dsonar.projectKey=${{ vars.SONAR_PROJECT_KEY }}
             -Dsonar.python.coverage.reportPaths=coverage-reports/${{ needs.create-coverage-name.outputs.coverage-name }}.xml
-
-  cleanup-apigee-token:
-    name: "Cleanup Apigee token"
-    runs-on: ubuntu-latest
-    needs: [generate-apigee-token, test-unit, test-contract, test-schema, test-integration, test-acceptance]
-    if: always()
-    timeout-minutes: 2
-    steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@a7a2c1125c67f40a1e95768f4e4a7d8f019f87af
-        with:
-          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
-
-      - name: Delete secret from AWS Secrets Manager
-        shell: bash
-        run: |
-          SECRET_NAME="${{ needs.generate-apigee-token.outputs.secret-name }}"
-          if [ -n "$SECRET_NAME" ]; then
-            aws secretsmanager delete-secret \
-              --secret-id "$SECRET_NAME" \
-              --force-delete-without-recovery \
-              --region ${{ env.AWS_REGION }} || true
-            echo "Secret $SECRET_NAME deleted from Secrets Manager"
-          else
-            echo "No secret name provided, skipping cleanup"
-          fi
diff --git a/pathology-api/tests/integration/test_endpoints.py b/pathology-api/tests/integration/test_endpoints.py
@@ -17,7 +17,7 @@ def test_bundle_returns_200(self, client: Client) -> None:
             type="document",
             entry=[
                 Bundle.Entry(
-                    fullUrl="patient",
+                    fullUrl="composition",
                     resource=Composition.create(
                         subject=LogicalReference(
                             PatientIdentifier.from_nhs_number("nhs_number")
