From 8248b89f9e56caad5ddd1e5742f59d799f66b991 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:15:16 +0000 Subject: [PATCH 01/17] [NRL-1922] Generate coverage report when running unit tests. Fixup sonar cloud config --- Makefile | 2 +- sonar-project.properties | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 394150e3a..8b44ad164 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ MAKEFLAGS := --no-print-directory SHELL := /bin/bash DIST_PATH ?= ./dist -TEST_ARGS ?= --cov --cov-report=term-missing +TEST_ARGS ?= --cov --cov-report=term-missing --cov-report=xml:$(DIST_PATH)/test-coverage.xml SMOKE_TEST_ARGS ?= FEATURE_TEST_ARGS ?= ./tests/features --format progress2 TF_WORKSPACE_NAME ?= $(shell terraform -chdir=terraform/infrastructure workspace show) diff --git a/sonar-project.properties b/sonar-project.properties index cac876215..9e9655496 100644 --- a/sonar-project.properties +++ b/sonar-project.properties 
@@ -1,11 +1,14 @@ sonar.projectKey=NHSDigital_NRLF sonar.organization=nhsdigital sonar.projectName=NRLF -sonar.python.version=3.9.5 -sonar.terraform.provider.aws.version=4.63.0 -# TODO: Some paths here are outdated and perhaps we don't want to exclude everything -sonar.cpd.exclusions=api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/** -sonar.exclusions=scripts/**, **/scripts/**, api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/** + +sonar.python.version=3.12.10 + +sonar.exclusions=scripts/** +sonar.coverage.exclusions=scripts/**, test/**, **/tests/** +sonar.cpd.exclusions=tests/**, **/tests/** + +sonar.python.coverage.reportPaths=coverage.xml # Exclude snomed urls as being unsafe sonar.issue.ignore.multicriteria=exclude_snomed_urls From eedd3ef35f94e09143f66ca00894040e12b8d2f7 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:41:27 +0000 Subject: [PATCH 02/17] [NRL-1922] Add new workflow for PR checks --- .github/workflows/pr-checks.yml | 75 +++++++++++++++++++++++++++++++++ sonar-project.properties | 2 +- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/pr-checks.yml diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml new file mode 100644 index 000000000..c9bfebf8e --- /dev/null +++ b/.github/workflows/pr-checks.yml 
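Review bot: The `sonar.terraform.provider.aws.version` line is removed in this hunk with no replacement, and the commit message only mentions coverage and a config fix-up. The Makefile hunk in the same patch still calls `terraform -chdir=terraform/infrastructure`, so Terraform code is presumably still in scope for the scan; without the property the analyzer has no provider version to tailor its AWS rules to. Consider keeping the line, updated to whatever the project currently pins: `sonar.terraform.provider.aws.version=<AWS_PROVIDER_VERSION>`. Separately, `sonar.exclusions` shrinks to `scripts/**`, so nested `**/scripts/**` directories and the test trees are now analysed as main code; if that is intended, a one-line comment above the exclusions saying so would help the next reader.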
@@ -0,0 +1,75 @@ +name: Run PR checks +run-name: "Running checks for PR #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})" + +on: + pull_request: + types: [opened, reopened, synchronize] + +concurrency: + cancel-in-progress: false + +permissions: + id-token: write + contents: read + actions: write + pull-requests: write + +jobs: + build: + name: Build and test + runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + + steps: + - name: Git clone - ${{ github.ref }} + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Setup environment + run: | + echo "${HOME}/.asdf/bin" >> $GITHUB_PATH + poetry install --no-root + + - name: Build + run: make build + + - name: Test + run: make test + + - name: Upload build artifacts + uses: actions/upload-artifact@v3 + with: + name: build-artifacts + path: dist + + sonar: + name: SonarQube analysis and quality gate check + runs-on: ubuntu-latest + after: build + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Get build artifacts + uses: actions/download-artifact@v3 + with: + name: build-artifacts + path: dist + + # Triggering SonarQube analysis as results of it are required by Quality Gate check. + - name: SonarQube Scan + uses: sonarsource/sonarqube-scan-action@master + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + # Check the Quality Gate status. + - name: SonarQube Quality Gate check + id: sonarqube-quality-gate-check + uses: sonarsource/sonarqube-quality-gate-action@master + with: + pollingTimeoutSec: 600 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL diff --git a/sonar-project.properties b/sonar-project.properties index 9e9655496..a4df9452b 100644 --- a/sonar-project.properties +++ b/sonar-project.properties 
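Review bot: The `build` job runs `make build` and `make test` from the pull request's own checkout on the `codebuild-nhsd-nrlf-ci-build-project-…` runner, so anything a PR changes in the Makefile, tests or dependencies executes with whatever that CodeBuild project's service role can reach. If pull requests from forks are able to trigger this workflow, gate the job to same-repository branches, for example `if: github.event.pull_request.head.repo.full_name == github.repository`, and keep the runner's role limited to what build and test need. The `dist` directory produced by that job is then downloaded into the `sonar` job, which holds `SONAR_TOKEN`, so it should be treated as untrusted input there. A short comment above `runs-on` recording which trust level this runner is meant for would make the assumption explicit.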
@@ -8,7 +8,7 @@ sonar.exclusions=scripts/** sonar.coverage.exclusions=scripts/**, test/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** -sonar.python.coverage.reportPaths=coverage.xml +sonar.python.coverage.reportPaths=dist/test-coverage.xml # Exclude snomed urls as being unsafe sonar.issue.ignore.multicriteria=exclude_snomed_urls From f395ed0ff06d8d76b17c6839457843a7af9c78aa Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:45:35 +0000 Subject: [PATCH 03/17] [NRL-1922] Remove unused sonarcloud url config --- .github/workflows/pr-checks.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index c9bfebf8e..24e05034f 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -62,7 +62,6 @@ jobs: uses: sonarsource/sonarqube-scan-action@master env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # Check the Quality Gate status. - name: SonarQube Quality Gate check @@ -72,4 +71,3 @@ jobs: pollingTimeoutSec: 600 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL From 7c2e0038ed1a86861be760e35409335619d2bf33 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:47:39 +0000 Subject: [PATCH 04/17] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 24e05034f..e83ef8ddf 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -5,9 +5,6 @@ on: pull_request: types: [opened, reopened, synchronize] -concurrency: - cancel-in-progress: false - permissions: id-token: write contents: read @@ -45,7 +42,7 @@ jobs: sonar: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest - after: build + needs: build steps: - uses: actions/checkout@v4 with: 
From b435b77f6cf285e0f483442493da893030cda38c Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:49:29 +0000 Subject: [PATCH 05/17] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index e83ef8ddf..fedb1c707 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -37,7 +37,7 @@ jobs: uses: actions/upload-artifact@v3 with: name: build-artifacts - path: dist + path: dist sonar: name: SonarQube analysis and quality gate check @@ -52,7 +52,7 @@ jobs: uses: actions/download-artifact@v3 with: name: build-artifacts - path: dist + path: dist # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan From 2bc1a0720a8b44cc985223086197fc769533b4c6 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:51:18 +0000 Subject: [PATCH 06/17] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index fedb1c707..ea156252c 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -34,7 +34,7 @@ jobs: run: make test - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: build-artifacts path: dist @@ -49,7 +49,7 @@ jobs: ref: ${{ github.ref }} - name: Get build artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: build-artifacts path: dist From ee2231ec37c3bc781808aab6715d1b5e61120d6e Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 14:58:47 +0000 Subject: [PATCH 07/17] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index ea156252c..2fed5737e 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -5,16 +5,13 @@ on: pull_request: types: [opened, reopened, synchronize] -permissions: - id-token: write - contents: read - actions: write - pull-requests: write - jobs: build: name: Build and test runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + permissions: + contents: read + actions: write steps: - name: Git clone - ${{ github.ref }} @@ -43,6 +40,9 @@ jobs: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest needs: build + permissions: + contents: read + actions: write steps: - uses: actions/checkout@v4 with: From bcf3413b2b45cc71576f513032a5bcdfc2b98649 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 15:15:12 +0000 Subject: [PATCH 08/17] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 2fed5737e..a9eb33170 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -56,14 +56,14 @@ jobs: # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@master + uses: sonarsource/sonarqube-scan-action@v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Check the Quality Gate status. - name: SonarQube Quality Gate check id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@master + uses: sonarsource/sonarqube-quality-gate-action@v1.2.0 with: pollingTimeoutSec: 600 env: From 58a47506e3b5336d500045830e415a6bbcbf8a2d Mon Sep 17 00:00:00 2001 
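Review bot: The new job-level `permissions` blocks still grant `actions: write` in both `build` (first hunk) and `sonar` (second hunk), and nothing in the steps shown appears to need it. As far as I can tell, `actions/upload-artifact` and `actions/download-artifact` within the same run authenticate with the runner's own runtime token rather than `GITHUB_TOKEN` scopes. Dropping the line leaves each job with `permissions:` / `contents: read`, which is all a checkout, build and scan of PR code should require. If a step does fail without it, add the scope back with a comment naming the step that needs it.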
From: Matt Dean Date: Fri, 13 Feb 2026 15:20:52 +0000 Subject: [PATCH 09/17] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index a9eb33170..c20dcb961 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -56,14 +56,14 @@ jobs: # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@v7.0.0 + uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Check the Quality Gate status. - name: SonarQube Quality Gate check id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@v1.2.0 + uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0 with: pollingTimeoutSec: 600 env: From e94b7254ec7087f87ea57b0cd27afb1c7b76f30e Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 15:47:49 +0000 Subject: [PATCH 10/17] [NRL-1922] Fix pr-checks workflow issues --- .github/workflows/pr-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index c20dcb961..0a65ccf3a 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -9,6 +9,7 @@ jobs: build: name: Build and test runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} + environment: pull-request permissions: contents: read actions: write @@ -40,6 +41,7 @@ jobs: name: SonarQube analysis and quality gate check runs-on: ubuntu-latest needs: build + environment: pull-request permissions: contents: read actions: write From 2ddb21dc6ffd4538d3f93815150e3da6a5ff6cdc Mon Sep 17 00:00:00 2001 
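Review bot: Pinning to a full commit SHA is applied only to the two Sonar actions in this hunk; the `actions/checkout@v4`, `actions/upload-artifact@v4` and `actions/download-artifact@v4` steps elsewhere in the workflow (outside this hunk) are still on mutable tags. Since the `build` job's output feeds a job that holds `SONAR_TOKEN`, the same treatment is worth applying there, in the form `uses: actions/checkout@<FULL_COMMIT_SHA> # v4`. The trailing version comments here are written `#v7.0.0` and `#v1.2.0`; the usual form is `# v7.0.0` with a space after the hash, which is also the form I would expect update tooling to recognise.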
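Review bot: `environment: pull-request` is added to the `build` job as well as to `sonar`, but only the `sonar` job references a secret (`SONAR_TOKEN`) in the steps shown earlier in the series. The `build` job executes code from the pull request, so attaching it to an environment widens what that code could be given if a later edit adds a `secrets.*` reference to one of its steps. Unless the environment is there for a protection rule such as required reviewers, I would drop the line from `build` and keep it on `sonar` only. If it is there for a protection rule, a comment next to it, e.g. `# environment used for approval gate, not for secrets`, would record that.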
From: Matt Dean Date: Fri, 13 Feb 2026 16:37:27 +0000 Subject: [PATCH 11/17] [NRL-1922] Fix pr-checks workflow issues --- sonar-project.properties | 5 ----- 1 file changed, 5 deletions(-) diff --git a/sonar-project.properties b/sonar-project.properties index a4df9452b..609196529 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -9,8 +9,3 @@ sonar.coverage.exclusions=scripts/**, test/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** sonar.python.coverage.reportPaths=dist/test-coverage.xml - -# Exclude snomed urls as being unsafe -sonar.issue.ignore.multicriteria=exclude_snomed_urls -sonar.issue.ignore.multicriteria.exclude_snomed_urls.ruleKey=python:S5332 -sonar.issue.ignore.multicriteria.exclude_snomed_urls.pattern=**http://snomed\.info(/sct)?** From b9a9316638da0e72a8d9f40a9b8df400c0b37ef8 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 16:41:05 +0000 Subject: [PATCH 12/17] [NRL-1922] Fix pr-checks workflow issues --- sonar-project.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sonar-project.properties b/sonar-project.properties index 609196529..c1fe27002 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -2,7 +2,7 @@ sonar.projectKey=NHSDigital_NRLF sonar.organization=nhsdigital sonar.projectName=NRLF -sonar.python.version=3.12.10 +sonar.python.version=3.12 sonar.exclusions=scripts/** sonar.coverage.exclusions=scripts/**, test/**, **/tests/** From 366fa6bfa3da15a2dd776b6a8820ce93db2c75d1 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Feb 2026 17:10:04 +0000 Subject: [PATCH 13/17] [NRL-1922] Remove placeholder comments from pr-checks workflow --- .github/workflows/pr-checks.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 0a65ccf3a..04993b154 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml 
@@ -56,13 +56,11 @@ jobs: name: build-artifacts path: dist - # Triggering SonarQube analysis as results of it are required by Quality Gate check. - name: SonarQube Scan uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # Check the Quality Gate status. - name: SonarQube Quality Gate check id: sonarqube-quality-gate-check uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0 From e2c60c641ccae6dcf4910c1218efafe167254b00 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Feb 2026 15:47:21 +0000 Subject: [PATCH 14/17] [NRL-1922] Set relative flag for coverage config. Rename workflow jobs --- .github/workflows/pr-checks.yml | 6 +++--- pyproject.toml | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 04993b154..5ddb4fb16 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -38,7 +38,7 @@ jobs: path: dist sonar: - name: SonarQube analysis and quality gate check + name: SonarQube scan runs-on: ubuntu-latest needs: build environment: pull-request @@ -56,12 +56,12 @@ jobs: name: build-artifacts path: dist - - name: SonarQube Scan + - name: SonarQube scan uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - name: SonarQube Quality Gate check + - name: SonarQube quality gate check id: sonarqube-quality-gate-check uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0 with: diff --git a/pyproject.toml b/pyproject.toml index 322d3a8b1..4e8612ad6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -86,6 +86,7 @@ docstring-code-format = true docstring-code-line-length = 80 [tool.coverage.run] +relative_files = true branch = true omit = [ "*/tests/*", 
From 13679a5227d3814b4887e9215c81ab015c8f900e Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Feb 2026 16:00:15 +0000 Subject: [PATCH 15/17] [NRL-1922] WIP add some workflow debug --- .github/workflows/pr-checks.yml | 5 +++++ sonar-project.properties | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 5ddb4fb16..823508792 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -56,6 +56,11 @@ jobs: name: build-artifacts path: dist + - name: DEBUG - Check things are set up correctly + run: | + find . -name "test-coverage.xml" + ls -la dist + - name: SonarQube scan uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0 env: diff --git a/sonar-project.properties b/sonar-project.properties index c1fe27002..c2ec1f27a 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -5,7 +5,7 @@ sonar.projectName=NRLF sonar.python.version=3.12 sonar.exclusions=scripts/** -sonar.coverage.exclusions=scripts/**, test/**, **/tests/** +sonar.coverage.exclusions=scripts/**, tests/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** sonar.python.coverage.reportPaths=dist/test-coverage.xml From 22339543367415fb52006508ca726a9c39a69d02 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Feb 2026 16:09:24 +0000 Subject: [PATCH 16/17] [NRL-1922] Explicitly call our sonar sources and tests paths --- sonar-project.properties | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sonar-project.properties b/sonar-project.properties index c2ec1f27a..22f2742f5 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -4,6 +4,8 @@ sonar.projectName=NRLF sonar.python.version=3.12 +sonar.sources=. +sonar.tests=**/tests/** sonar.exclusions=scripts/** sonar.coverage.exclusions=scripts/**, tests/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/** 
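Review bot: The `DEBUG - Check things are set up correctly` step in the pr-checks.yml hunk is marked WIP in the commit subject, but neither of the two remaining patches in the series removes it. As written, `find` and `ls -la dist` only print to the job log and always succeed, so a missing coverage file still lets the scan run and report no coverage. Either delete the step before merge or turn it into a real guard, e.g. name it `Verify coverage report` with `run: test -s dist/test-coverage.xml`, so the job fails early when the artifact handoff breaks.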
From 65b27981b6dc7dd7e572c767cbbcdab26d1d1598 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Feb 2026 16:15:00 +0000 Subject: [PATCH 17/17] [NRL-1922] Explicitly call our sonar sources and tests paths --- sonar-project.properties | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sonar-project.properties b/sonar-project.properties index 22f2742f5..746c4e678 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -5,8 +5,9 @@ sonar.projectName=NRLF sonar.python.version=3.12 sonar.sources=. -sonar.tests=**/tests/** sonar.exclusions=scripts/** +sonar.tests=. +sonar.tests.inclusions=**/tests/** sonar.coverage.exclusions=scripts/**, tests/**, **/tests/** sonar.cpd.exclusions=tests/**, **/tests/**
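Review bot: `sonar.tests.inclusions` does not look like a recognised scanner property; the documented name is `sonar.test.inclusions` (singular `test`). If the line is ignored, `sonar.sources=.` and `sonar.tests=.` both index the whole tree, which the scanner normally rejects because main and test file sets must be disjoint. The same overlap remains for the test directories even with the name fixed, since `sonar.exclusions` only lists `scripts/**`. I would change the two lines to `sonar.test.inclusions=**/tests/**` and `sonar.exclusions=scripts/**, **/tests/**`, then confirm in the scan log that test files are counted as tests.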