govuk-one-login · JessWinterborne · Apr 14, 2026 · Mar 27, 2026
@@ -0,0 +1,78 @@
+name: Build and deploy
+
+on:
+  workflow_call:
+    secrets:
+      role_arn:
+        required: true
+      artifact_bucket:
+        required: true
+      ecr_repository_test:
+        required: true
+      ecr_repository_traffic_test:
+        required: true
+      container_sign_kms_key:
+        required: true
+      signing_profile:
+        required: true
+    inputs:
+      environment:
+        type: string
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency:
+  group: secure-deploy-${{ inputs.environment }}
+
+jobs:
+  test-images-build-and-push:
+    name: Build and push test images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Test image build and push
+        uses: govuk-one-login/devplatform-upload-action-ecr@v1.5.0
+        with:
+          role-to-assume-arn: ${{ secrets.role_arn }}
+          build-and-push-image-only: true
+          working-directory: test/acceptance-tests
+          artifact-bucket-name: ''
+          ecr-repo-name: ${{ secrets.ecr_repository_test }}
+          dockerfile: test.Dockerfile
+          push-latest-tag: true
+          container-sign-kms-key-arn: ${{ secrets.container_sign_kms_key }}
+
+      - name: Traffic test image build and push
+        uses: govuk-one-login/devplatform-upload-action-ecr@v1.5.0
+        with:
+          role-to-assume-arn: ${{ secrets.role_arn }}
+          build-and-push-image-only: true
+          working-directory: test/acceptance-tests
+          artifact-bucket-name: ''
+          ecr-repo-name: ${{ secrets.ecr_repository_traffic_test }}
+          dockerfile: traffic-test.Dockerfile
+          push-latest-tag: true
+          container-sign-kms-key-arn: ${{ secrets.container_sign_kms_key }}
+
+  deploy:
+    name: Deploy stack
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    needs: test-images-build-and-push
+    steps:
+      - name: SAM build
+        uses: govuk-one-login/github-actions/sam/build-application@4c76410195b5fcb1804fc7c183ed20704252830f
+        with:
+          template: deploy/template.yaml
+          aws-role-arn: ${{ secrets.role_arn }}
+          pull-repository: true
+
+      - name: SAM package and upload to S3
+        uses: govuk-one-login/devplatform-upload-action@v3.13.0
+        with:
+          aws-role-arn: ${{ secrets.role_arn}}
+          artifact-bucket-name: ${{ secrets.artifact_bucket }}
+          signing-profile-name: ${{ secrets.signing_profile }}
+          working-directory: .aws-sam/build
@@ -0,0 +1,74 @@
+name: Clean up stacks and log groups
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Every weekday at 9am
+    - cron: '0 9 * * 1-5'
+
+permissions:
+  id-token: write
+
+concurrency:
+  group: cleanup-dev
+
+jobs:
+  delete-stacks:
+    name: Delete stale stacks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        with:
+          role-to-assume: ${{ secrets.DEV_GHA_PREVIEW_ROLE_ARN }}
+          aws-region: eu-west-2
+
+      - name: Get stale preview stacks
+        uses: govuk-one-login/github-actions/sam/get-stale-stacks@4c76410195b5fcb1804fc7c183ed20704252830f
+        with:
+          threshold-days: 14
+          stack-name-filter: preview
+          stack-tag-filters: |
+            cri:deployment-source=github-actions
+            cri:stack-type=preview
+          description: preview
+          env-var-name: PREVIEW_STACKS
+
+      - name: Get stale manually deployed stacks
+        uses: govuk-one-login/github-actions/sam/get-stale-stacks@4c76410195b5fcb1804fc7c183ed20704252830f
+        with:
+          threshold-days: 90
+          stack-tag-filters: |
+            cri:component=ipv-cri-ob-api
+            cri:stack-type=dev
+            cri:application=Lime
+            cri:deployment-source=manual
+          description: manually deployed
+          env-var-name: MANUALLY_DEPLOYED_STACKS
+
+      - name: Delete stale preview stacks
+        if: ${{ env.PREVIEW_STACKS != null }}
+        uses: govuk-one-login/github-actions/sam/delete-stacks@2518d831abb4ec03fa3125619507f932966f2833
+        with:
+          stack-names: ${{ env.PREVIEW_STACKS }}
+          verbose: true
+
+      - name: Delete stale manually deployed stacks
+        if: ${{ env.MANUALLY_DEPLOYED_STACKS != null }}
+        uses: govuk-one-login/github-actions/sam/delete-stacks@2518d831abb4ec03fa3125619507f932966f2833
+        with:
+          stack-names: ${{ env.MANUALLY_DEPLOYED_STACKS }}
+          verbose: true
+
+  delete-log-groups:
+    name: Delete stale log groups
+    runs-on: ubuntu-latest
+    steps:
+      - uses: govuk-one-login/github-actions/sam/delete-stale-log-groups@4c76410195b5fcb1804fc7c183ed20704252830f
+        with:
+          aws-role-arn: ${{ secrets.DEV_GHA_PREVIEW_ROLE_ARN }}
+          cutoff-days: 30
+          limit: 300
+          safe-patterns: '/preview-|^API-Gateway-Execution-Logs_'
+          destructive: true
+          verbose: true
@@ -0,0 +1,22 @@
+name: Deploy branch to dev
+on:
+  workflow_dispatch:
+
+jobs:
+  deploy-dev:
+    name: Deploy to dev
+    permissions:
+      id-token: write
+      contents: read
+    concurrency:
+      group: deploy-to-dev
+    uses: ./.github/workflows/_secure-pipeline-deploy.yml
+    secrets:
+      role_arn: ${{ secrets.DEV_GHA_ROLE_ARN }}
+      artifact_bucket: ${{ secrets.DEV_ARTIFACT_BUCKET }}
+      ecr_repository_test: ${{ secrets.DEV_ECR_TEST }}
+      ecr_repository_traffic_test: ${{ secrets.DEV_ECR_TRAFFIC_TEST }}
+      container_sign_kms_key: $ {{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
+      signing_profile: ${{ secrets.DEV_SIGNING_PROFILE_NAME }}
+    with:
+      environment: development
@@ -0,0 +1,73 @@
+name: Deploy preview
+
+on:
+  workflow_dispatch:
+  workflow_call:
+    secrets:
+      role_arn:
+        required: true
+      bucket_name:
+        required: true
+    outputs:
+      stack-name:
+        value: ${{ jobs.deploy-preview.outputs.stack-name }}
+      aws-region:
+        value: ${{ jobs.deploy-preview.outputs.aws-region}}
+
+permissions: {}
+concurrency:
+  group: deploy-preview-${{ github.event.pull_request.number || github.ref_name || github.run_id }}
+
+jobs:
+  build-preview:
+    name: Build app
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    outputs:
+      sha-short: ${{ steps.get-sha.outputs.sha-short }}
+    steps:
+      - name: Get short SHA
+        id: get-sha
+        run: echo "sha-short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+
+      - name: Build app
+        uses: govuk-one-login/github-actions/sam/build-application@4c76410195b5fcb1804fc7c183ed20704252830f
+        with:
+          template: deploy/template.yaml
+          cache-name: ipv-cri-ob-api-${{ steps.get-sha.outputs.sha-short }}
+          aws-role-arn: ${{ secrets.role_arn || secrets.DEV_GHA_PREVIEW_ROLE_ARN }}
+          pull-repository: true
+
+  deploy-preview:
+    name: Deploy stack
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    timeout-minutes: 15
+    needs: build-preview
+    outputs:
+      aws-region: ${{ steps.deploy.outputs.aws-region }}
+      stack-name: ${{ steps.deploy.outputs.stack-name }}
+    steps:
+      - name: Deploy stack
+        uses: govuk-one-login/github-actions/sam/deploy-stack@4c76410195b5fcb1804fc7c183ed20704252830f
+        id: deploy
+        with:
+          aws-role-arn: ${{ secrets.role_arn || secrets.DEV_GHA_PREVIEW_ROLE_ARN }}
+          s3-prefix: preview
+          sam-deployment-bucket: ${{ secrets.bucket_name || secrets.DEV_PREVIEW_ARTIFACT_BUCKET }}
+          stack-name: preview-${{ needs.build-preview.outputs.sha-short}}
+          cache-name: ipv-cri-ob-api-${{ needs.build-preview.outputs.sha-short}}
+          delete-failed-stack: true
+
+          tags: |
+            cri:component=ipv-cri-ob-api
+            cri:stack-type=preview
+            cri:application=Lime
+            cri:deployment-source=github-actions
+          parameters: |
+            DeploymentType=not-pipeline
+            Environment=dev
+            ParameterPrefix="ipv-cri-ob-api"
@@ -5,21 +5,90 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
-  sonar-scan:
+  unit-tests:
     runs-on: ubuntu-latest
+    concurrency:
+      group: unit-tests-${{ github.ref }}
+      cancel-in-progress: true
     permissions:
       contents: read
     steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0 # required for sonar
       - name: Setup Node
-        uses: ./.github/actions/node-setup
+        uses: govuk-one-login/github-actions/node/install-dependencies@4c76410195b5fcb1804fc7c183ed20704252830f
+
       - name: Unit tests
         run: npm run test:coverage
-      - name: Sonar scan
-        uses: SonarSource/sonarqube-scan-action@v7.0.0
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage/
+          retention-days: 1
+
+  sonar-scan:
+    name: Sonar scan
+    runs-on: ubuntu-latest
+    concurrency:
+      group: sonar-${{ github.ref }}
+      cancel-in-progress: true
+    needs: unit-tests
+    permissions:
+      contents: read
+    steps:
+      - name: Run Sonar scan
+        uses: govuk-one-login/github-actions/code-quality/sonarcloud@9d6ee027d0b9167dfc25e67124951956278bb585
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          sonar-token: ${{ secrets.SONAR_TOKEN }}
+          coverage-artifact: coverage
+          coverage-run-id: ${{ github.run_id }}
+
+  codeql:
+    name: CodeQL scan
+    runs-on: ubuntu-latest
+    concurrency:
+      group: codeql-${{ github.ref }}
+      cancel-in-progress: true
+    permissions:
+      security-events: write
+    steps:
+      - name: Run CodeQL scan
+        uses: govuk-one-login/github-actions/code-quality/codeql@f5362528578198e7851e96e0594f593beff0162e
+
+  deploy-dev:
+    uses: ./.github/workflows/_secure-pipeline-deploy.yml
+    concurrency:
+      group: deploy-to-dev
+    permissions:
+      id-token: write
+      contents: read
+    secrets:
+      role_arn: ${{ secrets.DEV_GHA_ROLE_ARN }}
+      artifact_bucket: ${{ secrets.DEV_ARTIFACT_BUCKET }}
+      container_sign_kms_key: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
+      ecr_repository_test: ${{ secrets.DEV_ECR_TEST }}
+      ecr_repository_traffic_test: ${{ secrets.DEV_ECR_TRAFFIC_TEST }}
+      signing_profile: ${{ secrets.DEV_SIGNING_PROFILE_NAME }}
+    with:
+      environment: development
+
+  deploy-build:
+    uses: ./.github/workflows/_secure-pipeline-deploy.yml
+    concurrency:
+      group: deploy-to-build
+    permissions:
+      id-token: write
+      contents: read
+    secrets:
+      role_arn: ${{ secrets.BUILD_GHA_ROLE_ARN }}
+      artifact_bucket: ${{ secrets.BUILD_ARTIFACT_BUCKET }}
+      container_sign_kms_key: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}
+      ecr_repository_test: ${{ secrets.BUILD_ECR_TEST }}
+      ecr_repository_traffic_test: ${{ secrets.BUILD_ECR_TRAFFIC_TEST }}
+      signing_profile: $ {{ secrets.BUILD_SIGNING_PROFILE_NAME }}
+    with:
+      environment: build