ELI-338: Adding workflow setup for dev, sandbox, preprod and prod

.github/workflows/dev_sandbox_publish_deploy.yaml

@@ -23,7 +23,8 @@ jobs:
           echo "Deploying to: DEV & Sandbox"
           echo "VERSION=${{ steps.variables.outputs.version }}"
 
-  dev:
+  internal-dev:
+    name: "Publish spec & deploy to dev"
     needs: metadata
     runs-on: ubuntu-latest
     steps:
@@ -71,7 +72,8 @@ jobs:
           proxygen instance deploy internal-dev eligibility-signposting-api build/specification/internal-dev/eligibility-signposting-api.yaml --no-confirm
 
   sandbox:
-    needs: dev
+    name: "Publish spec & deploy to sandbox"
+    needs: internal-dev
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -118,28 +120,49 @@ jobs:
           proxygen instance deploy sandbox eligibility-signposting-api build/specification/sandbox/eligibility-signposting-api.yaml --no-confirm
 
   publish_postman:
+    name: "Publish to Postman"
     needs: sandbox
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - name: Install dependencies
-        run: make install
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.11'
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python3 -
+
+      - name: Install Python and Node dependencies
+        run: |
+          make install
       - name: Generate Postman Collection
         run: make convert-postman
       - name: Publish Postman Collection
         env:
           POSTMAN_API_KEY: ${{ secrets.POSTMAN_API_KEY }}
         run: |
-          curl --fail -X PUT \
-            https://api.getpostman.com/collections/{{YOUR_COLLECTION_UID}} \
+          jq -c '{collection: .}' specification/postman/collection.json > wrapped_collection.json
+          curl -X PUT \
+            https://api.getpostman.com/collections/44595835-573a42db-b7a5-4b69-9f62-696b6df3f12f \
             -H "X-Api-Key: $POSTMAN_API_KEY" \
             -H "Content-Type: application/json" \
-            -d @specification/postman/collection.json
+            -d @wrapped_collection.json
 
-  publish:
-    needs: publish_postman
+  tag_deployment:
+    name: "Tag Dev & Sandbox deployment"
+    needs: [metadata, publish_postman]
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
       - name: "Tag the dev & sandbox deployment"
         run: |
           git config user.name "github-actions"
@@ -148,7 +171,8 @@ jobs:
           git push origin ${{ needs.metadata.outputs.version }}
 
   notify_slack:
-    needs: publish
+    name: "Notify Slack"
+    needs: tag_deployment
     runs-on: ubuntu-latest
     steps:
       - name: "Notify Slack on PR merge"

.github/workflows/preprod_publish_deploy.yaml

@@ -12,7 +12,6 @@ jobs:
   preprod:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
       - name: Set tag to deploy
         id: set_tag
         run: |
@@ -27,13 +26,35 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ steps.set_tag.outputs.tag }}
-      - uses: actions/setup-python@v6
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
-      - uses: actions/setup-node@v6
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
         with:
           node-version: '20'
-      - run: make install
-      - run: make construct-spec APIM_ENV=preprod
-      - run: make publish-spec APIM_ENV=preprod
-      - run: make deploy-spec APIM_ENV=preprod
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python3 -
+      - name: Install Python and Node dependencies
+        run: |
+          make install
+      - name: Install proxygen-cli
+        run: |
+          pip install proxygen-cli
+      - name: Set up Proxygen credentials
+        env:
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+        run: |
+          mkdir -p ~/.proxygen
+          echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
+          make setup-proxygen-credentials
+      - name: Generate specification
+        run: |
+          make construct-spec APIM_ENV=preprod
+      - name: Publish preprod spec to Proxygen
+        run: |
+          proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat --no-confirm
+      - name: Deploy preprod spec to Proxygen
+        run: |
+          proxygen instance deploy preprod eligibility-signposting-api build/specification/preprod/eligibility-signposting-api.yaml --no-confirm

.github/workflows/prod_publish_deploy.yaml

@@ -11,21 +11,52 @@ jobs:
   prod:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - name: Set tag to deploy
+        id: set_tag
+        run: |
+          if [ "${{ github.event.inputs.ref }}" = "latest" ]; then
+            TAG=$(git tag --list 'spec-*' --sort=-v:refname | head -n 1)
+            echo "Using latest tag: $TAG"
+            echo "tag=$TAG" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${{ github.event.inputs.ref }}" >> $GITHUB_OUTPUT
+          fi
       - name: Checkout tag
         uses: actions/checkout@v6
         with:
-          ref: ${{ inputs.ref }}
-      - uses: actions/setup-python@v6
+          ref: ${{ steps.set_tag.outputs.tag }}
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
-      - uses: actions/setup-node@v6
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
         with:
           node-version: '20'
-      - run: make install
-      - run: make construct-spec APIM_ENV=prod
-      - run: make publish-spec APIM_ENV=prod
-      - run: make deploy-spec APIM_ENV=prod
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python3 -
+      - name: Install Python and Node dependencies
+        run: |
+          make install
+      - name: Install proxygen-cli
+        run: |
+          pip install proxygen-cli
+      - name: Set up Proxygen credentials
+        env:
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+        run: |
+          mkdir -p ~/.proxygen
+          echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
+          make setup-proxygen-credentials
+      - name: Generate specification
+        run: |
+          make construct-spec APIM_ENV=prod
+      - name: Publish prod spec to Proxygen
+        run: |
+          proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml --no-confirm
+      - name: Deploy prod spec to Proxygen
+        run: |
+          proxygen instance deploy prod eligibility-signposting-api build/specification/prod/eligibility-signposting-api.yaml --no-confirm
 
   create_release:
     needs: prod
@@ -38,5 +69,7 @@ jobs:
         with:
           tag_name: ${{ inputs.ref }}
           release_name: Release ${{ inputs.ref }}
+          body: |
+            Auto-release created during production deployment.
           draft: false
           prerelease: false

Makefile

@@ -114,13 +114,13 @@ set-ratelimit: guard-APIM_ENV
 	< specification/x-nhsd-apim/ratelimit-template.yaml > specification/x-nhsd-apim/ratelimit.yaml
 
 update-spec-template: guard-APIM_ENV
-ifeq ($(APIM_ENV), $(filter $(APIM_ENV), sandbox internal-dev test int ref preprod prod ))
+ifeq ($(APIM_ENV), $(filter $(APIM_ENV), sandbox internal-dev test int ref preprod prod dev))
 	@ $(MAKE) set-target APIM_ENV=$$APIM_ENV
 	@ $(MAKE) set-access APIM_ENV=$$APIM_ENV
 	@ $(MAKE) set-security APIM_ENV=$$APIM_ENV
 	@ $(MAKE) set-ratelimit APIM_ENV=$$APIM_ENV
 else
-	@ echo ERROR: $$APIM_ENV is not a valid environment. Please use one of [sandbox, internal-dev, int, ref, preprod, prod]
+	@ echo ERROR: $$APIM_ENV is not a valid environment. Please use one of [sandbox, internal-dev, test, int, ref, preprod, prod, dev]
 	@ exit 1;
 endif
 

specification/components/security/security-internal-dev.yaml

@@ -0,0 +1,4 @@
+nhs-login-p9:
+  $ref: https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-login-p9
+app-level3:
+  $ref: https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level3

specification/x-nhsd-apim/access-internal-dev.yaml

@@ -0,0 +1,6 @@
+- title: Eligibility Signposting API (Dev Environment)
+  grants:
+    nhs-login-p9: []
+- title: Eligibility Signposting API (Dev Environment) app Level 3 Access
+  grants:
+    app-level3: []

specification/x-nhsd-apim/ratelimit-internal-dev.yaml

@@ -0,0 +1,3 @@
+proxy:
+  limit: 5
+  timeunit: second

specification/x-nhsd-apim/target-dev.yaml

@@ -1,5 +1,5 @@
 type: external
-url: "TBC"
+url: "https://dev.eligibility-signposting-api.nhs.uk"
 healthcheck: /patient-check/_status
 security:
   type: mtls

specification/x-nhsd-apim/target-internal-dev.yaml

@@ -0,0 +1,6 @@
+type: external
+url: "https://internal-dev.eligibility-signposting-api.nhs.uk"
+healthcheck: /patient-check/_status
+security:
+  type: mtls
+  secret: eligibility-signposting-api

specification/x-nhsd-apim/target-preprod.yaml

@@ -1,5 +1,5 @@
 type: external
-url: "preprod.eligibility-signposting-api.nhs.uk"
+url: "https://preprod.eligibility-signposting-api.nhs.uk"
 healthcheck: /patient-check/_status
 security:
   type: mtls

specification/x-nhsd-apim/target-prod.yaml

@@ -1,5 +1,5 @@
 type: external
-url: "prod.eligibility-signposting-api.national.nhs.uk"
+url: "https://prod.eligibility-signposting-api.national.nhs.uk"
 healthcheck: /patient-check/_status
 security:
   type: mtls

specification/x-nhsd-apim/target-test.yaml

@@ -1,5 +1,5 @@
 type: external
-url: "test.eligibility-signposting-api.nhs.uk"
+url: "https://test.eligibility-signposting-api.nhs.uk"
 healthcheck: /patient-check/_status
 security:
   type: mtls