Merge pull request #401 from co-cddo/chore/serialize-and-svc-catalog

feat(ci-lease): reuse_account_id to skip acquire/release while debugging

Author: chrisns

.github/workflows/scenario-ai-contact-centre.yml

@@ -9,7 +9,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -26,4 +31,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: ai-contact-centre
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit

.github/workflows/scenario-bops-planning.yml

@@ -9,7 +9,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -26,4 +31,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: bops-planning
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit

.github/workflows/scenario-ci.yml

@@ -31,6 +31,16 @@ on:
         required: false
         type: string
         default: ci-bot@ndx-try.local
+      reuse_account_id:
+        description: |
+          DEBUG: skip acquire/release; use this already-leased pool account.
+          Lease the account locally first (`isb assign` then look at
+          assigned account_id) and paste here. Workflow will assume
+          CIDeployRole directly. Lease is NOT released — call `isb terminate`
+          when done. Used during CI iteration to avoid burning pool accounts.
+        required: false
+        type: string
+        default: ''
 
 permissions:
   id-token: write
@@ -86,19 +96,27 @@ jobs:
 
       - name: Acquire ISB lease
         id: lease
+        if: inputs.reuse_account_id == ''
         run: |
           python3 scripts/isb/ci_lease.py acquire \
             --template '${{ inputs.lease_template }}' \
             --user-email '${{ inputs.ci_lease_email }}'
 
+      - name: Use reused lease account
+        id: reuse
+        if: inputs.reuse_account_id != ''
+        run: |
+          echo "::notice::Reusing already-leased account ${{ inputs.reuse_account_id }} — acquire+release skipped"
+          echo "account_id=${{ inputs.reuse_account_id }}" >> "$GITHUB_OUTPUT"
+
       # Now assume the in-lease CIDeployRole. role-chaining=true tells
       # configure-aws-credentials to sigv4-sign from the already-loaded
       # hub creds (sts:AssumeRole) instead of trying OIDC against the
       # leased account (which has no OIDC provider).
       - uses: aws-actions/configure-aws-credentials@v6
         id: lease-creds
         with:
-          role-to-assume: arn:aws:iam::${{ steps.lease.outputs.account_id }}:role/InnovationSandbox-ndx-CIDeployRole
+          role-to-assume: arn:aws:iam::${{ steps.lease.outputs.account_id || steps.reuse.outputs.account_id }}:role/InnovationSandbox-ndx-CIDeployRole
           role-session-name: scenario-ci-deploy-${{ github.run_id }}
           aws-region: us-east-1
           # Chained assumes (sigv4 from already-assumed creds) are capped
@@ -117,7 +135,7 @@ jobs:
         env:
           SCENARIO: ${{ inputs.scenario }}
           TEMPLATE: ${{ steps.paths.outputs.template_path }}
-          ACCOUNT_ID: ${{ steps.lease.outputs.account_id }}
+          ACCOUNT_ID: ${{ steps.lease.outputs.account_id || steps.reuse.outputs.account_id }}
         run: |
           set -euo pipefail
           STACK_NAME="ndx-try-${SCENARIO}"

.github/workflows/scenario-council-chatbot.yml

@@ -12,7 +12,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -29,4 +34,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: council-chatbot
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit

.github/workflows/scenario-digital-planning-register.yml

@@ -9,7 +9,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -26,4 +31,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: digital-planning-register
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit

.github/workflows/scenario-fixmystreet.yml

@@ -9,7 +9,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -26,4 +31,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: fixmystreet
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit

.github/workflows/scenario-foi-redaction.yml

@@ -9,7 +9,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -26,4 +31,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: foi-redaction
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit

.github/workflows/scenario-localgov-drupal.yml

@@ -9,7 +9,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -26,4 +31,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: localgov-drupal
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit

.github/workflows/scenario-localgov-ims.yml

@@ -9,7 +9,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -26,4 +31,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: localgov-ims
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit

.github/workflows/scenario-minute.yml

@@ -9,7 +9,12 @@ on:
       - 'scripts/isb/**'
       - 'tests/smoke/**'
   workflow_dispatch:
-
+    inputs:
+      reuse_account_id:
+        description: 'DEBUG: reuse an already-leased account (set via `isb assign` locally). Skips acquire/release.'
+        required: false
+        type: string
+        default: ''
 concurrency:
   # Repo-wide group across ALL scenario callers because ISB caps ci-bot
   # at 1 active lease at a time (maxLeasesPerUser). Concurrent dispatches
@@ -26,4 +31,5 @@ jobs:
     uses: ./.github/workflows/scenario-ci.yml
     with:
       scenario: minute
+      reuse_account_id: ${{ inputs.reuse_account_id || '' }}
     secrets: inherit