NHSDigital · davidhamill1-nhs · Jan 14, 2026 · Jan 14, 2026 · Jan 14, 2026 · Jan 14, 2026
@@ -0,0 +1,50 @@
+name: "Start local app"
+description: "Start Flask app that will handle requests"
+inputs:
+  deploy-command:
+    description: "Command to start app"
+    required: false
+    default: "make deploy"
+  health-path:
+    description: "Health check path"
+    required: false
+    default: "/health"
+  max-seconds:
+    description: "Maximum seconds to wait for readiness"
+    required: false
+    default: "60"
+  python-version:
+      description: "Python version to install"
+      required: true
+runs:
+  using: "composite"
+  steps:
+    - name: "Start app"
+      shell: bash
+      env:
+        PYTHON_VERSION: ${{ inputs.python-version }}
+      run: |
+        set -euo pipefail
+        echo "Starting app: '${{ inputs.deploy-command }}'"
+        nohup ${{ inputs.deploy-command }} > /tmp/app.log 2>&1 &
+        echo $! > /tmp/app.pid
+        echo "PID: $(cat /tmp/app.pid)"
+    - name: "Wait for app to be ready"
+      shell: bash
+      run: |
+        set -euo pipefail
+        BASE_URL="${BASE_URL:-http://localhost:5000}"
+        HEALTH_URL="${BASE_URL}${{ inputs.health-path }}"
+        MAX="${{ inputs.max-seconds }}"
+        echo "Waiting for app at ${HEALTH_URL} (max ${MAX}s)..."
+        for i in $(seq 1 "${MAX}"); do
+          if curl -sSf -X GET "${HEALTH_URL}" >/dev/null; then
+            echo "App is ready"
+            exit 0
+          fi
+          sleep 1
+        done
+        echo "App did not become ready in time"
+        echo "---- recent app log ----"
+        tail -n 200 /tmp/app.log || true
+        exit 1
@@ -9,7 +9,6 @@ env:
   AWS_ACCOUNT_ID: "900119715266"
   ECR_REPOSITORY_NAME: "whoami"
   TF_STATE_BUCKET: "cds-cdg-dev-tfstate-900119715266"
-  CORE_STATE_KEY: "dev/terraform.tfstate"
   PREVIEW_STATE_PREFIX: "dev/preview/"
   python_version: "3.14"
 
@@ -22,6 +21,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      pull-requests: write
 
     # One job per branch at a time
     concurrency:
@@ -78,7 +78,6 @@ jobs:
           echo "tf_state_key=$TF_STATE_KEY" >> $GITHUB_OUTPUT
 
           # ALB listener rule priority - derive from PR number (must be unique per listener)
-          # You can tweak this formula if you like.
           if [ -n "${{ github.event.number }}" ]; then
             PRIORITY=$(( 1000 + ${{ github.event.number }} ))
           else
@@ -134,10 +133,40 @@ jobs:
           TF_VAR_image_tag: ${{ steps.meta.outputs.branch_name }}
           TF_VAR_alb_rule_priority: ${{ steps.meta.outputs.alb_rule_priority }}
         run: |
-          terraform apply -auto-approve
+          terraform apply \
+            -auto-approve
 
-      # ---------- DESTROY (PR closed) ----------
+      - name: Capture preview TF outputs
+        if: github.event.action != 'closed'
+        id: tf-output
+        working-directory: infrastructure/environments/preview
+        run: |
+          terraform output -json > tf-output.json
+
+          URL=$(jq -r '.url.value' tf-output.json)
+          echo "preview_url=$URL" >> $GITHUB_OUTPUT
+
+          TG=$(jq -r '.target_group_arn.value' tf-output.json)
+          echo "target_group=$TG" >> $GITHUB_OUTPUT
+
+          ECS_SERVICE=$(jq -r '.ecs_service_name.value' tf-output.json)
+          echo "ecs_service=$ECS_SERVICE" >> $GITHUB_OUTPUT
+
+          ECS_CLUSTER=$(jq -r '.ecs_cluster_name.value' tf-output.json)
+          echo "ecs_cluster=$ECS_CLUSTER" >> $GITHUB_OUTPUT
 
+      # ---------- Ensure re-deployment (PR updated) ----------
+      - name: Force ECS service redeployment
+        if: github.event.action == 'synchronize'
+        id: await-redeployment
+        run: |
+          aws ecs update-service \
+            --cluster ${{ steps.tf-output.outputs.ecs_cluster }} \
+            --service ${{ steps.tf-output.outputs.ecs_service }} \
+            --force-new-deployment \
+            --region ${{ env.AWS_REGION }}
+
+      # ---------- DESTROY (PR closed) ----------
       - name: Terraform init (destroy)
         if: github.event.action == 'closed'
         working-directory: infrastructure/environments/preview
@@ -156,3 +185,60 @@ jobs:
           TF_VAR_alb_rule_priority: ${{ steps.meta.outputs.alb_rule_priority }}
         run: |
           terraform destroy -auto-approve
+
+      # ---------- Wait on AWS tasks and notify ----------
+      - name: Await deployment completion
+        if: github.event.action != 'closed'
+        run: |
+          aws ecs wait services-stable \
+          --cluster ${{ steps.tf-output.outputs.ecs_cluster }} \
+          --services ${{ steps.tf-output.outputs.ecs_service }} \
+          --region ${{ env.AWS_REGION }}
+
+      - name: Comment function name on PR
+        if: github.event_name == 'pull_request' && github.event.action != 'closed'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+        with:
+          script: |
+            const alb = '${{ steps.tf-output.outputs.target_group }}';
+            const url = '${{ steps.tf-output.outputs.preview_url }}';
+            const cluster = '${{ steps.tf-output.outputs.ecs_cluster }}';
+            const service = '${{ steps.tf-output.outputs.ecs_service }}';
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const issueNumber = context.issue.number;
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner,
+              repo,
+              issue_number: issueNumber,
+              per_page: 100,
+            });
+
+            for (const comment of comments) {
+              const isBot = comment.user?.login === 'github-actions[bot]';
+              const isPreviewUpdate = comment.body?.includes('Deployment Complete');
+
+              if (isBot && isPreviewUpdate) {
+                await github.rest.issues.deleteComment({
+                  owner,
+                  repo,
+                  comment_id: comment.id,
+                });
+              }
+            }
+
+            const lines = [
+              '**Deployment Complete**',
+              `- Preview URL: [${url}](${url})`,
+              `- ECS Cluster: \`${cluster}\``,
+              `- ECS Service: \`${service}\``,
+              `- ALB Target: \`${alb}\``,
+            ];
+
+            await github.rest.issues.createComment({
+              owner,
+              repo,
+              issue_number: issueNumber,
+              body: lines.join('\n'),
+            });
@@ -68,8 +68,8 @@ jobs:
         uses: ./.github/actions/setup-python-project
         with:
           python-version: ${{ inputs.python_version }}
-      - name: "Start local Lambda"
-        uses: ./.github/actions/start-local-lambda
+      - name: "Start app"
+        uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
       - name: "Run contract tests"
@@ -98,8 +98,8 @@ jobs:
         uses: ./.github/actions/setup-python-project
         with:
           python-version: ${{ inputs.python_version }}
-      - name: "Start local Lambda"
-        uses: ./.github/actions/start-local-lambda
+      - name: "Start app"
+        uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
       - name: "Run schema validation tests"
@@ -128,8 +128,8 @@ jobs:
         uses: ./.github/actions/setup-python-project
         with:
           python-version: ${{ inputs.python_version }}
-      - name: "Start local Lambda"
-        uses: ./.github/actions/start-local-lambda
+      - name: "Start app"
+        uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
       - name: "Run integration test"
@@ -158,8 +158,8 @@ jobs:
         uses: ./.github/actions/setup-python-project
         with:
           python-version: ${{ inputs.python_version }}
-      - name: "Start local Lambda"
-        uses: ./.github/actions/start-local-lambda
+      - name: "Start app"
+        uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
           max-seconds: 90

@@ -18,6 +18,8 @@ IMAGE_REPOSITORY := ${ECR_URL}
 endif
 
 IMAGE_NAME := ${IMAGE_REPOSITORY}:${IMAGE_TAG}
+COMMIT_VERSION := $(shell git rev-parse --short HEAD)
+BUILD_DATE := $(shell date -u +"%Y%m%d")
 # ==============================================================================
 
 # Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc.
@@ -34,9 +36,8 @@ build-gateway-api: dependencies
 	@poetry run mypy --no-namespace-packages .
 	@echo "Packaging dependencies..."
 	@poetry build --format=wheel
-	@pip install "dist/gateway_api-0.1.0-py3-none-any.whl" --target "./target/gateway-api" --platform musllinux_1_1_x86_64 --only-binary=:all:
+	@pip install "dist/gateway_api-0.1.0-py3-none-any.whl" --target "./target/gateway-api" --platform musllinux_1_2_x86_64 --only-binary=:all:
 	# Copy main file separately as it is not included within the package.
-	@cp lambda_handler.py ./target/gateway-api/
 	@rm -rf ../infrastructure/images/gateway-api/resources/build/
 	@mkdir ../infrastructure/images/gateway-api/resources/build/
 	@cp -r ./target/gateway-api ../infrastructure/images/gateway-api/resources/build/
@@ -46,7 +47,7 @@ build-gateway-api: dependencies
 .PHONY: build
 build: build-gateway-api # Build the project artefact @Pipeline
 	@echo "Building Docker x86 image using Docker. Utilising python version: ${PYTHON_VERSION} ..."
-	@$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} -t ${IMAGE_NAME} infrastructure/images/gateway-api
+	@$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
 	@echo "Docker image '${IMAGE_NAME}' built successfully!"
 
 publish: # Publish the project artefact @Pipeline