govuk-one-login · MikeCollingwood · Feb 24, 2025 · Apr 10, 2025 · Apr 10, 2025 · Apr 10, 2025
@@ -2,11 +2,17 @@ name: Build api-tests image
 
 on:
   workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
 
 jobs:
   build-image-and-push:
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    env:
+      ENVIRONMENT: ${{ inputs.environment }}
     permissions:
       id-token: write
       packages: read
@@ -23,7 +29,7 @@ jobs:
       - name: Set up build AWS creds
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.BUILD_API_TESTS_IMAGE_ECR_REPO_GHA_ROLE_ARN }}
+          role-to-assume: ${{ env.ENVIRONMENT == 'build' && secrets.BUILD_API_TESTS_IMAGE_ECR_REPO_GHA_ROLE_ARN || secrets.BUILD_API_TESTS_IMAGE_ECR_REPO_GHA_ROLE_ARN_DEV }}
           aws-region: eu-west-2
 
       - name: Login to build ECR
@@ -33,9 +39,9 @@ jobs:
       - name: Build, tag, push, and sign api testing image to build
         env:
           BUILD_ECR_REG: ${{ steps.login-build-ecr.outputs.registry }}
-          BUILD_API_TESTS_ECR_REPO: ${{ secrets.BUILD_API_TESTS_IMAGE_ECR_REPO_NAME }}
+          BUILD_API_TESTS_ECR_REPO: ${{ env.ENVIRONMENT == 'build' && secrets.BUILD_API_TESTS_IMAGE_ECR_REPO_NAME || secrets.BUILD_API_TESTS_IMAGE_ECR_REPO_NAME_DEV }}
           SHA: ${{ github.sha }}
-          BUILD_CONTAINER_SIGN_KMS_KEY: ${{ secrets.CONTAINER_SIGN_KMS_KEY }}
+          BUILD_CONTAINER_SIGN_KMS_KEY: ${{ env.ENVIRONMENT == 'build' && secrets.CONTAINER_SIGN_KMS_KEY || secrets.CONTAINER_SIGN_KMS_KEY_DEV }}
         run: |
           docker build --build-arg GITHUB_PAT="${{ secrets.GITHUB_TOKEN }}" \
             -t "${BUILD_ECR_REG}/${BUILD_API_TESTS_ECR_REPO}:latest" \

@@ -39,7 +39,9 @@ jobs:
   build-test-images-if-needed:
     needs: check-if-api-tests-changed
     if: ${{ needs.check-if-api-tests-changed.outputs.api-tests-changed == 'true' }}
-    uses: govuk-one-login/ipv-core-back/.github/workflows/secure-pipeline-api-tests-image.yml@main
+    uses: govuk-one-login/ipv-core-back/.github/workflows/secure-pipeline-api-tests-image.yml@pyic-7872
+    with:
+      environment: ${{ github.event_name == 'workflow_dispatch' && 'dev01' || 'build' }}
     secrets: inherit # pragma: allowlist secret
     permissions:
       id-token: write

@@ -64,4 +64,5 @@ api-tests/.env*
 !api-tests/.env.template
 !api-tests/.env.dev.template
 !api-tests/.env.local
+!api-tests/.env.dev01
 !api-tests/.env.build
@@ -1,4 +1,4 @@
-# Build env config
+# Dev env config
 CORE_BACK_COMPONENT_ID="https://dev-danc.02.dev.identity.account.gov.uk"
 CORE_BACK_INTERNAL_API_URL="https://internal-test-api-dev-danc.02.dev.identity.account.gov.uk"
 CORE_BACK_EXTERNAL_API_URL="https://api-dev-danc.02.dev.identity.account.gov.uk"

@@ -0,0 +1,23 @@
+# Dev01 env config
+CORE_BACK_COMPONENT_ID="https://dev.01.dev.identity.account.gov.uk"
+CORE_BACK_INTERNAL_API_URL="https://internal-test-api-dev.01.dev.identity.account.gov.uk"
+CORE_BACK_INTERNAL_API_KEY=${CORE_BACK_INTERNAL_API_KEY}-dev
+CORE_BACK_EXTERNAL_API_URL="https://api-dev.01.dev.identity.account.gov.uk"
+CORE_BACK_CRI_CLIENT_ID="ipv-core-dev"
+ORCHESTRATOR_REDIRECT_URL="https://orch.stubs.account.gov.uk/callback"
+# The below private key is a test key that is already in the public domain. It is not used for anything sensitive.
+JAR_SIGNING_KEY='{"kty":"EC","d":"OXt0P05ZsQcK7eYusgIPsqZdaBCIJiW4imwUtnaAthU","crv":"P-256","x":"E9ZzuOoqcVU4pVB9rpmTzezjyOPRlOmPGJHKi8RSlIM","y":"KlTMZthHZUkYz5AleTQ8jff0TJiS3q2OB9L5Fw4xA04", "kid":"orch-signing-stubs-prod-FI4xysvMVdRtkt6xmO5gqcaTF4Tf9NKD1zdg3T8y69M"}' # pragma: allowlist secret
+ASYNC_QUEUE_NAME="stubQueue_criResponseQueue_dev"
+ASYNC_QUEUE_DELAY=5
+EVCS_STUB_BASE_URL="https://evcs.stubs.account.gov.uk"
+TICF_STUB_BASE_URL="https://ticf.stubs.account.gov.uk"
+CIMIT_INTERNAL_API_URL="https://cimit-api.stubs.account.gov.uk"
+CIMIT_STUB_BASE_URL="https://cimit.stubs.account.gov.uk"
+
+# Also requires the following to be specified in .env or as an env variable
+# CORE_BACK_INTERNAL_API_KEY
+# CRI_STUB_GEN_CRED_API_KEY
+# EVCS_STUB_API_KEY
+# MANAGEMENT_TICF_API_KEY
+# MANAGEMENT_CIMIT_STUB_API_KEY
+# CIMIT_INTERNAL_API_KEY
@@ -5,7 +5,7 @@
   "type": "module",
   "scripts": {
     "test": "cucumber-js",
-    "test:dev": "CORE_ENV=dev cucumber-js",
+    "test:dev01": "CORE_ENV=dev01 cucumber-js",
     "test:build": "CORE_ENV=build cucumber-js --tags '@Build'",
     "test:local": "CORE_ENV=local cucumber-js",
     "test:ci": "start-server-and-test run-local-core-back 'http://localhost:4502' test:local",

@@ -10,13 +10,20 @@ get_current_status() {
 generate_traffic() {
   while true; do
     echo "Running @TrafficGeneration tests"
-    npm run test:build -- --profile trafficGeneration --tags '@TrafficGeneration' || true
+    npm run test:"$TEST_ENV" -- --profile trafficGeneration --tags '@TrafficGeneration' || true
   done
 }
 
 # Ensure the test report dir exists
 [ -e "$TEST_REPORT_ABSOLUTE_DIR" ] && mkdir -p "$TEST_REPORT_ABSOLUTE_DIR"
 
+ENVIRONMENT_SECRET=$(aws secretsmanager get-secret-value --secret-id ApiTestEnvironment | jq -r .SecretString)
+if echo "$ENVIRONMENT_SECRET" | grep -qi "dev01"; then
+  TEST_ENV="dev01"
+else
+  TEST_ENV="build"
+fi
+
 CORE_BACK_INTERNAL_API_KEY=$(aws secretsmanager get-secret-value --secret-id CoreBackInternalTestingApiKey | jq -r .SecretString)
 export CORE_BACK_INTERNAL_API_KEY
 
@@ -60,14 +67,13 @@ if [[ "${DEV_PLATFORM_STAGE}" == "TRAFFIC_TEST" ]]; then
   exit 0
 
 else
-  echo "Running API tests against the build environment"
-  npm run test:build -- --profile codepipeline
+  echo "Running API tests against the $TEST_ENV environment"
+  npm run test:"$TEST_ENV" -- --profile codepipeline
 
   api_tests_exit_code=$?
   cp reports/api-tests-cucumber-report.json "$TEST_REPORT_ABSOLUTE_DIR"
 
-  if [ $api_tests_exit_code != 0 ]
-  then
+  if [ $api_tests_exit_code != 0 ]; then
     echo "API tests failed with exit code ${api_tests_exit_code}"
     exit $api_tests_exit_code
   else