Skip to content

AMCR-309 - Enable sonar step in other workflows#39

Open
dashkatuk wants to merge 18 commits into
mainfrom
AMCR-309-EnableSonarInPublishStep
Open

AMCR-309 - Enable sonar step in other workflows#39
dashkatuk wants to merge 18 commits into
mainfrom
AMCR-309-EnableSonarInPublishStep

Conversation

@dashkatuk

Copy link
Copy Markdown
Contributor

No description provided.

timabell and others added 3 commits July 13, 2026 16:49
timabell
timabell previously approved these changes Jul 14, 2026
timabell and others added 13 commits July 14, 2026 14:55
First step toward removing the unused `POST /approve` route: its coverage
must move onto the path the UI actually uses (`/accept`).

The two "approve flow" journey tests duplicate the accept-confirmation
`yes` tests apart from their banner assertions ("Important", and not a
success or cancelled banner). Move those assertions into the `yes` tests
and delete the two approve-flow tests. No coverage is lost.

https://eaflood.atlassian.net/browse/AMCR-338

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…prove`

This journey test checks the sign-in-and-retry flow: a submission made
while signed out is remembered (as `returnTo`), the user is redirected to
sign in, and afterwards the original request is retried and succeeds.
Re-point it at the `/accept` confirmation — the path a real submission
takes — so it no longer depends on the `/approve` route this branch
removes. Same behaviour, real path.

https://eaflood.atlassian.net/browse/AMCR-338

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Delete three `/approve` tests before removing the route. Each asserts a
guard exercised on `/accept`, the path approval now takes, so deleting
the `/approve` copies loses no coverage:

- "redirects unauthenticated users to sign in" — covered by the `/accept`
  `POST` test "redirects unauthenticated users to `/signin-oidc`".
- "rejects when the user is not authenticated" and "rejects a request
  with no CSRF token" are both the missing-`CSRFToken` guard, covered by
  the `/accept` `POST` test "rejects a request with no CSRF token".

https://eaflood.atlassian.net/browse/AMCR-338

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The `POST /approve` route is about to be removed, so the tests that drive
approval through it must first move onto the route that keeps doing the
work — the `/accept` confirmation.

Re-point the approval-behaviour tests at `/accept`: approving an
already-cancelled declaration shows no banner; the accepted banner
appears, clears after one view, and reflects API status on reload; and
repeat approval is idempotent. Same approval, performed in-process.

`/accept` submissions carry a form body (`confirm-accept=yes`), unlike
the body-less `/approve` and `/cancel` posts, so `postWithCrumb` gains a
`fields` argument and a new `acceptDeclaration` helper posts
`confirm-accept=yes`. After this, no test references `/approve`.

https://eaflood.atlassian.net/browse/AMCR-338

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
With the approval coverage moved onto `/accept` by the preceding commits,
nothing — test or caller — reaches `/approve`.

Certificate approval is only ever performed by the `/accept` confirmation
handler in-process. The standalone `POST /approve` route was left
registered but unreachable when the Yes/No confirmation page was re-added
under AMCR-229: its action URL was dropped from the detail view model,
and only the web UI calls these endpoints — it posts to `/accept` and
`/cancel`, never `/approve`.

Removes the route, its controller, and the unused `urls.approve`, together
with the two journey tests that only drove `/approve`. Their behaviour is
covered on `/accept`: the "no user" redirect by the `/accept` `POST` test
"redirects unauthenticated users to `/signin-oidc`", and the
sign-in-then-succeed happy path by the `/accept` full-flow test.

The approval logic is retained (still called by `/accept`) and relocated
in the next commit.

https://eaflood.atlassian.net/browse/AMCR-338

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
With `/approve` removed, the approval logic's only caller is the accept
confirmation handler, yet it still lived in `detail/actions-controller.js`
— a coupling left over from when `POST /approve` delegated to it.

Move it into `accept/controller.js` as `approveDeclaration`, using that
module's `detailPath` and the shared `handle-api-error` helper.
`detail/actions-controller.js` now owns only the cancel action and the
shared redirect helpers. No behaviour change.

https://eaflood.atlassian.net/browse/AMCR-338

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the chained equality checks on the `confirm-accept` value with a
`switch`: `no` returns to the detail page, `yes` approves the
declaration, and any other value (including a missing choice) re-renders
the form with a validation error.

https://eaflood.atlassian.net/browse/AMCR-338

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
32 New Critical Issues (required ≤ 0)
4 New Major Issues (required ≤ 0)

See analysis details on SonarQube Cloud

💡 Need a hand with PR review? Try Gitar by Sonar!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants