NHSDigital · BJSS-russell-pollock · Jan 27, 2026 · Jan 14, 2026 · Jan 29, 2026 · Feb 5, 2026
@@ -0,0 +1,41 @@
+name: Configure Proxygen
+description: Install yq for yaml, install proxygen-cli and configure the account
+
+inputs:
+  proxygen-key-secret:
+    description: 'Proxygen private key secret'
+    required: true
+  proxygen-key-id:
+    description: 'Proxygen key ID'
+    required: true
+  proxygen-api-name:
+    description: 'Proxygen API name'
+    required: true
+  proxygen-client-id:
+    description: 'Proxygen client ID'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Install yq for YAML template processing
+      uses: mikefarah/yq@2be0094729a1006f61e8339ce9934bfb3cbb549f # v4.52.2
+
+    - name: Install Proxygen CLI
+      shell: bash
+      run: |
+        pip install proxygen-cli
+        proxygen --version
+
+    - name: Configure proxygen account details
+      shell: bash
+      working-directory: proxygen
+      run: |
+        cp settings.template.yaml $HOME/.proxygen/settings.yaml
+        yq eval '.api = "${{ inputs.proxygen-api-name }}"' -i $HOME/.proxygen/settings.yaml
+
+        printf "%s" "${{ inputs.proxygen-key-secret }}" > /tmp/proxygen_private_key.pem
+        cp credentials.template.yaml $HOME/.proxygen/credentials.yaml
+        yq eval '.private_key_path = "/tmp/proxygen_private_key.pem"' -i $HOME/.proxygen/credentials.yaml
+        yq eval '.key_id = "${{ inputs.proxygen-key-id }}"' -i $HOME/.proxygen/credentials.yaml
+        yq eval '.client_id = "${{ inputs.proxygen-client-id }}"' -i $HOME/.proxygen/credentials.yaml
@@ -0,0 +1,48 @@
+name: Deploy API Proxy
+description: Deploy the API proxy instance using Proxygen
+
+inputs:
+  mtls-secret-name:
+    description: 'mTLS secret name for the proxy'
+    required: true
+  target-url:
+    description: 'Target URL to which the proxy will forward requests'
+    required: true
+  proxy-base-path:
+    description: 'A unique base path for the proxy instance'
+    required: true
+  proxygen-key-secret:
+    description: 'Proxygen private key secret'
+    required: true
+  proxygen-key-id:
+    description: 'Proxygen key ID'
+    required: true
+  proxygen-api-name:
+    description: 'Proxygen API name'
+    required: true
+  proxygen-client-id:
+    description: 'Proxygen client ID'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Configure Proxygen
+      uses: ./.github/actions/proxy/configure-proxygen
+      with:
+        proxygen-key-secret: ${{ inputs.proxygen-key-secret }}
+        proxygen-key-id: ${{ inputs.proxygen-key-id }}
+        proxygen-api-name: ${{ inputs.proxygen-api-name }}
+        proxygen-client-id: ${{ inputs.proxygen-client-id }}
+
+    - name: Inject secrets into openapi.yaml for deploying proxy
+      shell: bash
+      run: |
+        cat gateway-api/openapi.yaml proxygen/x-nhsd-apim.template.yaml > /tmp/proxy-specification.yaml
+
+        yq eval '.x-nhsd-apim.target.url = "${{ inputs.target-url }}" | .x-nhsd-apim.target.security.secret = "${{ inputs.mtls-secret-name }}"' -i /tmp/proxy-specification.yaml
+
+    - name: Deploy API proxy
+      shell: bash
+      run: |
+        proxygen instance deploy internal-dev ${{ inputs.proxy-base-path }} /tmp/proxy-specification.yaml --no-confirm
@@ -0,0 +1,35 @@
+name: Tear Down API Proxy
+description: Delete the API proxy instance using Proxygen
+
+inputs:
+  proxy-base-path:
+    description: 'A unique base path for the proxy instance'
+    required: true
+  proxygen-key-secret:
+    description: 'Proxygen private key secret'
+    required: true
+  proxygen-key-id:
+    description: 'Proxygen key ID'
+    required: true
+  proxygen-api-name:
+    description: 'Proxygen API name'
+    required: true
+  proxygen-client-id:
+    description: 'Proxygen client ID'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Configure Proxygen
+      uses: ./.github/actions/proxy/configure-proxygen
+      with:
+        proxygen-key-secret: ${{ inputs.proxygen-key-secret }}
+        proxygen-key-id: ${{ inputs.proxygen-key-id }}
+        proxygen-api-name: ${{ inputs.proxygen-api-name }}
+        proxygen-client-id: ${{ inputs.proxygen-client-id }}
+
+    - name: Tear down preview API proxy
+      shell: bash
+      run: |
+        proxygen instance delete internal-dev ${{ inputs.proxy-base-path }} --no-confirm
@@ -0,0 +1,50 @@
+name: "Start local app"
+description: "Start Flask app that will handle requests"
+inputs:
+  deploy-command:
+    description: "Command to start app"
+    required: false
+    default: "make deploy"
+  health-path:
+    description: "Health check path"
+    required: false
+    default: "/health"
+  max-seconds:
+    description: "Maximum seconds to wait for readiness"
+    required: false
+    default: "60"
+  python-version:
+      description: "Python version to install"
+      required: true
+runs:
+  using: "composite"
+  steps:
+    - name: "Start app"
+      shell: bash
+      env:
+        PYTHON_VERSION: ${{ inputs.python-version }}
+      run: |
+        set -euo pipefail
+        echo "Starting app: '${{ inputs.deploy-command }}'"
+        nohup ${{ inputs.deploy-command }} > /tmp/app.log 2>&1 &
+        echo $! > /tmp/app.pid
+        echo "PID: $(cat /tmp/app.pid)"
+    - name: "Wait for app to be ready"
+      shell: bash
+      run: |
+        set -euo pipefail
+        BASE_URL="${BASE_URL:-http://localhost:5000}"
+        HEALTH_URL="${BASE_URL}${{ inputs.health-path }}"
+        MAX="${{ inputs.max-seconds }}"
+        echo "Waiting for app at ${HEALTH_URL} (max ${MAX}s)..."
+        for i in $(seq 1 "${MAX}"); do
+          if curl -sSf -X GET "${HEALTH_URL}" >/dev/null; then
+            echo "App is ready"
+            exit 0
+          fi
+          sleep 1
+        done
+        echo "App did not become ready in time"
+        echo "---- recent app log ----"
+        tail -n 200 /tmp/app.log || true
+        exit 1
@@ -83,17 +83,9 @@ jobs:
         IDP_AWS_REPORT_UPLOAD_REGION: ${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}
         IDP_AWS_REPORT_UPLOAD_ROLE_NAME: ${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}
         IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT: ${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}
-  test-stage: # Recommended maximum execution time is 5 minutes
-    name: "Test stage"
-    needs: [metadata, commit-stage]
-    uses: ./.github/workflows/stage-2-test.yaml
-    with:
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-    secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   build-stage: # Recommended maximum execution time is 3 minutes
     name: "Build stage"
-    needs: [metadata, test-stage]
+    needs: [metadata]
     uses: ./.github/workflows/stage-3-build.yaml
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     with:
@@ -104,16 +96,3 @@ jobs:
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
-  acceptance-stage: # Recommended maximum execution time is 10 minutes
-    name: "Acceptance stage"
-    needs: [metadata, build-stage]
-    uses: ./.github/workflows/stage-4-acceptance.yaml
-    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
-    with:
-      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
-      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
-      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      version: "${{ needs.metadata.outputs.version }}"