Merge remote-tracking branch 'origin/bugfix/CCM-19310-lte-constraints' into bugfix/CCM-19310-lte-constraints

Author: m-houston

.github/actions/bundle-eventbridge-publish/action.yml

@@ -0,0 +1,65 @@
+name: "Bundle eventbridge-publish"
+description: "Build and package the eventbridge-publish release bundle (eventbridge-publish-bundle.tgz) from the workspace sources."
+
+inputs:
+  node-version:
+    description: "Node.js version to use"
+    required: true
+  run-typecheck:
+    description: "Run workspace typecheck before bundling"
+    required: false
+    default: "true"
+
+outputs:
+  tarball-path:
+    description: "Path to the generated tarball"
+    value: ${{ steps.bundle.outputs.tarball_path }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Node.js
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      with:
+        node-version: "${{ inputs.node-version }}"
+        cache: npm
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        set -euo pipefail
+        npm ci
+
+    - name: Generate dependencies
+      shell: bash
+      run: |
+        set -euo pipefail
+        npm run generate-dependencies --workspaces --if-present
+
+    - name: Typecheck
+      if: inputs.run-typecheck == 'true'
+      shell: bash
+      run: |
+        set -euo pipefail
+        npm run typecheck --workspaces --if-present
+
+    - name: Build eventbridge-publish bundle
+      shell: bash
+      run: |
+        set -euo pipefail
+        npm run bundle:release --workspace @supplier-config/eventbridge-publisher
+
+    - name: Smoke-test bundle
+      shell: bash
+      run: |
+        set -euo pipefail
+        node packages/eventbridge-publisher/artifacts/eventbridge-publish/index.cjs --help > /dev/null
+
+    - name: Package tarball
+      id: bundle
+      shell: bash
+      run: |
+        set -euo pipefail
+        tarball="eventbridge-publish-bundle.tgz"
+        tar -czf "$tarball" -C packages/eventbridge-publisher/artifacts/eventbridge-publish .
+        echo "tarball_path=$tarball" >> "$GITHUB_OUTPUT"

.github/workflows/cicd-1-pull-request.yaml

@@ -16,6 +16,9 @@ jobs:
     name: "Set CI/CD metadata"
     runs-on: ubuntu-latest
     timeout-minutes: 1
+    permissions:
+      contents: read # for actions/checkout
+      pull-requests: read # for gh pr list
     outputs:
       build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }}
       build_datetime: ${{ steps.variables.outputs.build_datetime }}

.github/workflows/release-eventbridge-publish.yml

@@ -0,0 +1,46 @@
+name: Release eventbridge-publish bundle
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  bundle-and-upload:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Read Node version
+        id: versions
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "node=$(grep '^nodejs\s' .tool-versions | awk '{print $2}')" >> "$GITHUB_OUTPUT"
+
+      - name: Bundle eventbridge-publish
+        id: bundle
+        uses: ./.github/actions/bundle-eventbridge-publish
+        with:
+          node-version: "${{ steps.versions.outputs.node }}"
+          run-typecheck: "true"
+
+      - name: Upload release asset
+        if: github.event_name == 'release'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          gh release upload "${{ github.event.release.tag_name }}" "${{ steps.bundle.outputs.tarball-path }}" --clobber
+
+      - name: Upload bundle as workflow artifact
+        if: github.event_name != 'release'
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: eventbridge-publish-bundle
+          path: "${{ steps.bundle.outputs.tarball-path }}"

.github/workflows/stage-3-build.yaml

@@ -45,25 +45,25 @@ jobs:
         with:
           version: "${{ inputs.version }}"
 
-  ddb-publish-bundle:
-    name: "Bundle ddb-publish CLI"
+  eventbridge-publish-bundle:
+    name: "Bundle eventbridge-publish CLI"
     runs-on: ubuntu-latest
     timeout-minutes: 3
     steps:
       - name: "Checkout code"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: "Bundle ddb-publish"
+      - name: "Bundle eventbridge-publish"
         id: bundle
-        uses: ./.github/actions/bundle-ddb-publish
+        uses: ./.github/actions/bundle-eventbridge-publish
         with:
           node-version: "${{ inputs.nodejs_version }}"
           run-typecheck: "false"
 
       - name: "Upload bundle as workflow artifact"
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v5
         with:
-          name: ddb-publish-bundle
+          name: eventbridge-publish-bundle
           path: "${{ steps.bundle.outputs.tarball-path }}"
 
   artefact-1:

Makefile

@@ -23,7 +23,7 @@ clean:: # Clean-up project resources (main) @Operations
 	rm -f .version
 	# TODO: Implement project resources clean-up step
 
-config:: _install-dependencies version # Configure development environment (main) @Configuration
+config:: _install-dependencies # Configure development environment (main) @Configuration
 	(cd docs && make install)
 
 internal-config:

actions/eventbridge-publish/action.yml

@@ -0,0 +1,131 @@
+name: "Publish supplier config to EventBridge"
+description: "Reads config from a file store and publishes records to an event bus."
+author: "NHS Notify"
+
+inputs:
+  source-path:
+    description: "Path to the config store root directory"
+    required: true
+  event-bus-arn:
+    description: "ARN of event bus to publish to. Not required if dry-run is specified"
+    required: false
+  dry-run:
+    description: "Validate only (no AWS calls). Does not require credentials."
+    required: false
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Resolve and download eventbridge-publish bundle
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+        CALLER_REPO: ${{ github.repository }}
+        ACTION_REPO: ${{ github.action_repository }}
+        ACTION_REF: ${{ github.action_ref }}
+        RELEASE_ASSET_NAME: eventbridge-publish-bundle.tgz
+        WORKFLOW_ARTIFACT_NAME: eventbridge-publish-bundle
+      run: |
+        set -euo pipefail
+
+        download_dir="${RUNNER_TEMP}/eventbridge-publish"
+        unpack_dir="${download_dir}/unpacked"
+
+        mkdir -p "${download_dir}" "${unpack_dir}"
+
+        echo "[eventbridge-publish] caller_repo=${CALLER_REPO}"
+        echo "[eventbridge-publish] action_repo=${ACTION_REPO}"
+        echo "[eventbridge-publish] action_ref=${ACTION_REF:-<empty>}"
+
+        if [[ -z "${ACTION_REF}" ]]; then
+          echo "ERROR: github.action_ref is empty; unable to locate release asset or branch artifact." >&2
+          exit 1
+        fi
+
+        if [[ -z "${ACTION_REPO}" ]]; then
+          echo "ERROR: github.action_repository is empty; unable to determine where to fetch bundle artifacts." >&2
+          exit 1
+        fi
+
+        # Prefer release assets when the action ref is a tag with a matching release in the action repo.
+        if gh release view "${ACTION_REF}" --repo "${ACTION_REPO}" >/dev/null 2>&1; then
+          echo "[eventbridge-publish] Found release for ref '${ACTION_REF}' in '${ACTION_REPO}'. Downloading '${RELEASE_ASSET_NAME}'."
+          gh release download "${ACTION_REF}" --repo "${ACTION_REPO}" --pattern "${RELEASE_ASSET_NAME}" --dir "${download_dir}"
+          tar -xzf "${download_dir}/${RELEASE_ASSET_NAME}" -C "${unpack_dir}"
+          echo "[eventbridge-publish] Bundle extracted from release asset."
+          exit 0
+        fi
+
+        # Otherwise treat the ref as a branch-like ref and fetch the latest successful CI artifact from the action repo.
+        branch="${ACTION_REF#refs/heads/}"
+        echo "[eventbridge-publish] No release found for ref '${ACTION_REF}'. Falling back to latest workflow artifact on branch '${branch}' from '${ACTION_REPO}'."
+
+        run_id=""
+        workflow_used=""
+
+        for workflow_file in "stage-3-build.yaml" "cicd-1-pull-request.yaml"; do
+          echo "[eventbridge-publish] Looking for successful runs in workflow '${workflow_file}'."
+
+          set +e
+          run_id_candidate="$(gh run list \
+            --repo "${ACTION_REPO}" \
+            --workflow "${workflow_file}" \
+            --branch "${branch}" \
+            --status success \
+            --json databaseId \
+            --jq '.[0].databaseId' 2>/tmp/eventbridge_publish_run_list_err.log)"
+          rc=$?
+          set -e
+
+          if [[ $rc -ne 0 ]]; then
+            if grep -q "HTTP 404" /tmp/eventbridge_publish_run_list_err.log; then
+              echo "[eventbridge-publish] Workflow '${workflow_file}' not found on default branch; trying next workflow candidate."
+              continue
+            fi
+
+            echo "ERROR: Failed to query workflow runs from '${ACTION_REPO}' for workflow '${workflow_file}'." >&2
+            cat /tmp/eventbridge_publish_run_list_err.log >&2 || true
+            echo "HINT: ensure the token has read access to '${ACTION_REPO}' and workflow permissions allow actions read." >&2
+            exit 1
+          fi
+
+          if [[ -n "${run_id_candidate}" && "${run_id_candidate}" != "null" ]]; then
+            run_id="${run_id_candidate}"
+            workflow_used="${workflow_file}"
+            break
+          fi
+        done
+
+        if [[ -z "${run_id}" || "${run_id}" == "null" ]]; then
+          echo "ERROR: Could not find a successful run on branch '${branch}' in '${ACTION_REPO}' containing artifact '${WORKFLOW_ARTIFACT_NAME}'. Checked workflows: stage-3-build.yaml, cicd-1-pull-request.yaml." >&2
+          exit 1
+        fi
+
+        echo "[eventbridge-publish] Downloading artifact '${WORKFLOW_ARTIFACT_NAME}' from workflow run ${run_id} (${workflow_used}) in '${ACTION_REPO}'."
+        gh run download "${run_id}" --repo "${ACTION_REPO}" --name "${WORKFLOW_ARTIFACT_NAME}" --dir "${download_dir}"
+
+        tarball_path="${download_dir}/${RELEASE_ASSET_NAME}"
+        if [[ ! -f "${tarball_path}" ]]; then
+          echo "ERROR: Downloaded artifact did not contain expected tarball '${RELEASE_ASSET_NAME}'." >&2
+          ls -la "${download_dir}" >&2
+          exit 1
+        fi
+
+        tar -xzf "${tarball_path}" -C "${unpack_dir}"
+        echo "[eventbridge-publish] Bundle extracted from workflow artifact."
+
+    - name: Run publisher
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        echo "[eventbridge-publish] Starting publish run"
+        echo "[eventbridge-publish] source='${{ inputs.source-path }}' event-bus-arn='${{ inputs.event-bus-arn }}' dry-run='${{ inputs.dry-run }}'"
+
+        node "${RUNNER_TEMP}/eventbridge-publish/unpacked/index.cjs" \
+          --source "${{ inputs.source-path }}" \
+          $([[ -n "${{ inputs.event-bus-arn }}" ]] && echo "--event-bus-arn ${{ inputs.event-bus-arn }}") \
+          $([[ "${{ inputs.dry-run }}" == "true" ]] && echo "--dry-run")
+
+        echo "[eventbridge-publish] Publish run completed"

docs/Gemfile.lock

@@ -29,7 +29,7 @@ GEM
     ffi (1.16.3)
     forwardable-extended (2.6.0)
     gemoji (4.1.0)
-    google-protobuf (4.29.2-x86_64-linux)
+    google-protobuf (4.33.6-x86_64-linux-gnu)
       bigdecimal
       rake (>= 13)
     html-pipeline (2.14.3)