DMCAW-12119: merge test suite and sonarqube jobs (#811)

kikidawson-gds · web-flow · commit b3e84ef5fd93 · 2025-08-11T09:49:24.000+01:00
diff --git a/.github/workflows/backend-api-post-merge.yml b/.github/workflows/backend-api-post-merge.yml
@@ -38,24 +38,15 @@ jobs:
     with:
       PRIVATE_PACKAGES_REQUIRED: true
       RUN_PACT_TESTS: true
+      SONARQUBE_CONTINUE_ON_ERROR: true
       WORKING_DIRECTORY: backend-api
     secrets: inherit
 
-  sonarqube-scan:
-    name: Pre-deployment
-    needs: run-test-suite
-    with:
-      CONTINUE_ON_ERROR: true
-      WORKING_DIRECTORY: backend-api
-    uses:
-      ./.github/workflows/job_sonarqube.yml
-    secrets: inherit
-
   push-docker-image-dev:
     name: Dev
     needs: 
       - ci-checks
-      - sonarqube-scan
+      - run-test-suite
     uses:
       ./.github/workflows/job_push-docker-image.yml
     with:
@@ -83,7 +74,7 @@ jobs:
     name: Build
     needs: 
       - ci-checks
-      - sonarqube-scan
+      - run-test-suite
     uses:
       ./.github/workflows/job_push-docker-image.yml
     with:
diff --git a/.github/workflows/backend-api-pull-request.yml b/.github/workflows/backend-api-pull-request.yml
@@ -1,4 +1,4 @@
-name: backend-api pull request
+name: Backend API Pull Request
 on:
   pull_request:
     branches:
@@ -14,7 +14,6 @@ on:
       - ".github/workflows/workflow_pull-request.yml"
       - ".github/workflows/job_ci-checks.yml"
       - ".github/workflows/job_test-suite.yml"
-      - ".github/workflows/job_sonarqube.yml"
       - "!backend-api/**/*.md"
       - "!backend-api/**/*.png"
 
@@ -24,13 +23,22 @@ permissions:
   packages: read
 
 jobs:
-  backend-api-pull-request:
-    name: Backend-api pull request checks
+  ci-checks:
+    name: CI checks
     if: github.event.pull_request.draft == false
     uses:
-      ./.github/workflows/workflow_pull-request.yml
+      ./.github/workflows/job_ci-checks.yml
     with:
+      PRIVATE_PACKAGES_REQUIRED: true
       WORKING_DIRECTORY: backend-api
+
+  run-test-suite:
+    name: Run test suite
+    needs: ci-checks
+    uses:
+      ./.github/workflows/job_test-suite.yml
+    with:
       PRIVATE_PACKAGES_REQUIRED: true
       RUN_PACT_TESTS: true
-    secrets: inherit
+      WORKING_DIRECTORY: backend-api
+    secrets: inherit
diff --git a/.github/workflows/helper-scripts-pull-request.yml b/.github/workflows/helper-scripts-pull-request.yml
@@ -1,4 +1,4 @@
-name: helper-scripts pull request
+name: Helper Scripts Pull Request
 on:
   pull_request:
     branches:
@@ -18,8 +18,9 @@ on:
   workflow_dispatch:
 
 jobs:
-  helper-script-ci-checks:
-    name: Helper script CI checks
+  ci-checks:
+    name: CI checks
+    if: github.event.pull_request.draft == false
     uses:
       ./.github/workflows/job_ci-checks.yml
     with:
diff --git a/.github/workflows/job_ci-checks.yml b/.github/workflows/job_ci-checks.yml
@@ -94,7 +94,7 @@ jobs:
       - name: Validate SAM template
         if: inputs.RUN_SAM_VALIDATE == 'true'
         run: |
-          TEMPLATES="$(find . -name template.yaml)"
+          TEMPLATES="$(find . -name "template*.yaml")"
           for template in $TEMPLATES ; do
             sam validate --lint --template-file $template
           done
diff --git a/.github/workflows/job_sonarqube.yml b/.github/workflows/job_sonarqube.yml
diff --git a/.github/workflows/job_test-suite.yml b/.github/workflows/job_test-suite.yml
@@ -15,6 +15,10 @@ on:
         description: Whether to run unit tests using `test:unit` npm script
         type: string
         default: true
+      SONARQUBE_CONTINUE_ON_ERROR:
+        description: Whether to continue running the workflow if SonarQube quality gate fails
+        type: string
+        default: false
       WORKING_DIRECTORY:
         description: Path to working directory in repo
         required: true
@@ -27,57 +31,56 @@ on:
         description: Whether to run pact tests using `test:pact:ci` npm script
         type: string
         default: false
+    secrets:
+      SONAR_TOKEN:
+        description: The token used for secure access to the SonarQube platform
+        required: false
 
 jobs:
   run-test-suite:
-    name: Run test suite and upload coverage artifact
+    name: Run test suite and SonarQube
     runs-on: ubuntu-24.04
     defaults:
       run:
         shell: bash
         working-directory: ${{ inputs.WORKING_DIRECTORY }}
+    env:
+      CONTINUE_ON_ERROR: ${{ inputs.SONARQUBE_CONTINUE_ON_ERROR }}
     steps:
-      - name: Check out repository code
+      - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          fetch-depth: 0
           submodules: true
 
-      - name: Setup nodeJS
+      - name: Setup NodeJS
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           cache: npm
           cache-dependency-path: ${{ inputs.WORKING_DIRECTORY }}/package-lock.json
           node-version-file: ${{ inputs.WORKING_DIRECTORY }}/.nvmrc
 
-      - name: Configure authentication for private packages in .npmrc
-        if: inputs.PRIVATE_PACKAGES_REQUIRED == 'true'
+      - name: Configure Authentication for Private Packages in .npmrc
+        if: inputs.GENERATE_OPEN_PROXY_API_SPEC == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           echo "engine-strict=true" > .npmrc
           echo "@govuk-one-login:registry=https://npm.pkg.github.com/" >> .npmrc
           echo "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" >> .npmrc
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install dependencies
+      - name: Install Dependencies
         run: npm clean-install
 
-      - name: Run unit tests
+      - name: Run Unit Tests
         if: inputs.RUN_UNIT_TESTS == 'true'
         run: npm run test:unit
 
-      - name: Upload unit test coverage artifact for SonarQube scan
-        if: inputs.RUN_SONARQUBE == 'true'
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: test-coverage
-          path: ${{ inputs.WORKING_DIRECTORY }}/coverage/
-          retention-days: 1
-
-      - name: Run infra tests
+      - name: Run Infra Tests
         if: inputs.RUN_INFRA_TESTS == 'true'
         run: npm run test:infra
 
-      - name: Run pact tests
+      - name: Run Pact Tests
         if: inputs.RUN_PACT_TESTS == 'true'
         continue-on-error: true # Pact tests are currently failing - remove step once fixed
         env:
@@ -87,3 +90,22 @@ jobs:
           PACT_BROKER_SOURCE_SECRET: ${{ secrets.PACT_BROKER_SOURCE_SECRET }}
           PUBLISH_PACT_VERIFICATION_RESULTS: "false"
         run: npm run test:pact:ci
+
+      - name: Run SonarQube Scan
+        if: inputs.RUN_SONARQUBE == 'true'
+        uses: sonarsource/sonarqube-scan-action@8c71dc039c2dd71d3821e89a2b58ecc7fee6ced9 #v5.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          projectBaseDir: ${{ inputs.WORKING_DIRECTORY }}
+
+      - name: Run SonarQube Quality Gate Check
+        if: inputs.RUN_SONARQUBE == 'true'
+        uses: Sonarsource/sonarqube-quality-gate-action@8406f4f1edaffef38e9fb9c53eb292fc1d7684fa #master
+        continue-on-error: ${{ fromJSON(env.CONTINUE_ON_ERROR) }}
+        timeout-minutes: 5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          scanMetadataReportFile: ${{ inputs.WORKING_DIRECTORY }}/.scannerwork/report-task.txt
diff --git a/.github/workflows/test-resources-post-merge.yml b/.github/workflows/test-resources-post-merge.yml
@@ -31,26 +31,19 @@ jobs:
 
   run-test-suite:
     name: Pre-deployment
+    needs: ci-checks
     uses:
       ./.github/workflows/job_test-suite.yml
     with:
+      SONARQUBE_CONTINUE_ON_ERROR: true
       WORKING_DIRECTORY: test-resources
-
-  sonarqube-scan:
-    name: Pre-deployment
-    needs: run-test-suite
-    with:
-      CONTINUE_ON_ERROR: true
-      WORKING_DIRECTORY: test-resources
-    uses:
-      ./.github/workflows/job_sonarqube.yml
     secrets: inherit
 
   push-docker-image-dev:
     name: Dev
     needs: 
       - ci-checks
-      - sonarqube-scan
+      - run-test-suite
     uses:
       ./.github/workflows/job_push-docker-image.yml
     with:
@@ -76,7 +69,7 @@ jobs:
     name: Build
     needs: 
       - ci-checks
-      - sonarqube-scan
+      - run-test-suite
     uses:
       ./.github/workflows/job_push-docker-image.yml
     with:
diff --git a/.github/workflows/test-resources-pull-request.yml b/.github/workflows/test-resources-pull-request.yml
@@ -1,4 +1,4 @@
-name: test-resources pull request
+name: Test Resources Pull Request
 on:
   pull_request:
     branches:
@@ -14,18 +14,25 @@ on:
       - ".github/workflows/workflow_pull-request.yml"
       - ".github/workflows/job_ci-checks.yml"
       - ".github/workflows/job_test-suite.yml"
-      - ".github/workflows/job_sonarqube.yml"
       - "!test-resources/**/*.md"
       - "!test-resources/**/*.png"
 
   workflow_dispatch:
 
 jobs:
-  test-resources-pull-request:
-    name: Test resources pull request checks
+  ci-checks:
+    name: CI checks
     if: github.event.pull_request.draft == false
     uses:
-      ./.github/workflows/workflow_pull-request.yml
+      ./.github/workflows/job_ci-checks.yml
+    with:
+      WORKING_DIRECTORY: test-resources
+
+  run-test-suite:
+    name: Run test suite
+    needs: ci-checks
+    uses:
+      ./.github/workflows/job_test-suite.yml
     with:
       WORKING_DIRECTORY: test-resources
     secrets: inherit
diff --git a/.github/workflows/workflow_pull-request.yml b/.github/workflows/workflow_pull-request.yml
