NHSDigital · rhyscoxnhs · Mar 4, 2026 · Mar 4, 2026 · Mar 5, 2026 · Mar 5, 2026
@@ -0,0 +1,53 @@
+name: Acceptance tests
+description: "Run acceptance tests for this repo"
+
+inputs:
+  testType:
+    description: Type of test to run
+    required: true
+
+  targetEnvironment:
+    description: Name of the environment under test
+    required: true
+
+  targetAccountGroup:
+    description: Name of the account group under test
+    default: nhs-notify-client-callbacks-dev
+    required: true
+
+  targetComponent:
+    description: Name of the component under test
+    required: true
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Fetch terraform output
+      uses: actions/download-artifact@v4
+      with:
+        name: terraform-output-${{ inputs.targetComponent }}
+
+    - name: Get Node version
+      id: nodejs_version
+      shell: bash
+      run: |
+        echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+
+    - name: "Repo setup"
+      uses: ./.github/actions/node-install
+      with:
+        GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+
+    - name: "Set PR NUMBER environment variable"
+      shell: bash
+      run: |
+          echo "PR_NUMBER=${{ inputs.targetEnvironment }}" >> $GITHUB_ENV
+
+    - name: Run test - ${{ inputs.testType }}
+      shell: bash
+      env:
+        PROJECT: nhs
+        COMPONENT: ${{ inputs.targetComponent }}
+      run: |
+        make test-${{ inputs.testType }}
@@ -0,0 +1,24 @@
+name: 'npm install and setup'
+description: 'Setup node, authenticate github package repository and perform clean npm install'
+
+inputs:
+  GITHUB_TOKEN:
+    description: "Token for access to github package registry"
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Use Node.js'
+      uses: actions/setup-node@v4
+      with:
+        node-version-file: '.tool-versions'
+        registry-url: 'https://npm.pkg.github.com'
+        scope: '@nhsdigital'
+
+    - name: 'Install dependencies'
+      shell: bash
+      env:
+        NODE_AUTH_TOKEN: ${{ inputs.GITHUB_TOKEN }}
+      run: |
+        npm ci
@@ -0,0 +1,3 @@
+[
+  "integration"
+]
@@ -174,9 +174,11 @@ jobs:
             --overrides "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
   acceptance-stage: # Recommended maximum execution time is 10 minutes
     name: "Acceptance stage"
-    needs: [metadata, build-stage]
+    needs: [metadata, build-stage, pr-create-dynamic-environment]
     uses: ./.github/workflows/stage-4-acceptance.yaml
-    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened')) || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+    if: >-
+      contains(fromJSON('["success", "skipped"]'), needs.pr-create-dynamic-environment.result) &&
+      (needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened')) || (github.event_name == 'push' && github.ref == 'refs/heads/main'))
     with:
       build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
       build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"

@@ -36,139 +36,37 @@ on:
         required: true
         type: string
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
-  environment-set-up:
-    name: "Environment set up"
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Create infractructure"
-        run: |
-          echo "Creating infractructure..."
-      - name: "Update database"
-        run: |
-          echo "Updating database..."
-      - name: "Deploy application"
-        run: |
-          echo "Deploying application..."
-  test-contract:
-    name: "Contract test"
-    runs-on: ubuntu-latest
-    needs: environment-set-up
-    timeout-minutes: 10
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Run contract test"
-        run: |
-          make test-contract
-      - name: "Save result"
-        run: |
-          echo "Nothing to save"
-  test-security:
-    name: "Security test"
+  run-acceptance-tests:
+    name: Run Acceptance Tests
     runs-on: ubuntu-latest
-    needs: environment-set-up
-    timeout-minutes: 10
     steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Run security test"
-        run: |
-          make test-security
-      - name: "Save result"
-        run: |
-          echo "Nothing to save"
-  test-ui:
-    name: "UI test"
-    runs-on: ubuntu-latest
-    needs: environment-set-up
-    timeout-minutes: 10
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Run UI test"
-        run: |
-          make test-ui
-      - name: "Save result"
-        run: |
-          echo "Nothing to save"
-  test-ui-performance:
-    name: "UI performance test"
-    runs-on: ubuntu-latest
-    needs: environment-set-up
-    timeout-minutes: 10
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Run UI performance test"
-        run: |
-          make test-ui-performance
-      - name: "Save result"
-        run: |
-          echo "Nothing to save"
-  test-integration:
-    name: "Integration test"
-    runs-on: ubuntu-latest
-    needs: environment-set-up
-    timeout-minutes: 10
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Run integration test"
-        run: |
-          make test-integration
-      - name: "Save result"
-        run: |
-          echo "Nothing to save"
-  test-accessibility:
-    name: "Accessibility test"
-    runs-on: ubuntu-latest
-    needs: environment-set-up
-    timeout-minutes: 10
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Run accessibility test"
-        run: |
-          make test-accessibility
-      - name: "Save result"
-        run: |
-          echo "Nothing to save"
-  test-load:
-    name: "Load test"
-    runs-on: ubuntu-latest
-    needs: environment-set-up
-    timeout-minutes: 10
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Run load tests"
-        run: |
-          make test-load
-      - name: "Save result"
-        run: |
-          echo "Nothing to save"
-  environment-tear-down:
-    name: "Environment tear down"
-    runs-on: ubuntu-latest
-    needs:
-      [
-        test-accessibility,
-        test-contract,
-        test-integration,
-        test-load,
-        test-security,
-        test-ui-performance,
-        test-ui,
-      ]
-    if: always()
-    timeout-minutes: 5
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Tear down environment"
-        run: |
-          echo "Tearing down environment..."
+      - uses: actions/checkout@v4
+
+      - name: "Use Node.js"
+        uses: actions/setup-node@v4
+        with:
+          node-version: "${{ inputs.nodejs_version }}"
+          registry-url: "https://npm.pkg.github.com"
+          scope: "@nhsdigital"
+
+      - name: Trigger Acceptance Tests
+        shell: bash
+        env:
+          APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+          APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TARGET_ENVIRONMENT: ${{ inputs.target_environment }}
+        run: |
+          .github/scripts/dispatch_internal_repo_workflow.sh \
+            --targetWorkflow "dispatch-contextual-tests-dynamic-env.yaml" \
+            --infraRepoName "nhs-notify-client-callbacks" \
+            --releaseVersion "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            --overrideProjectName "nhs" \
+            --targetEnvironment "$TARGET_ENVIRONMENT" \
+            --targetAccountGroup "nhs-notify-client-callbacks-dev" \
+            --targetComponent "callbacks"
@@ -239,6 +239,20 @@ export default defineConfig([
       ],
     },
   },
+  {
+    files: ["tools/client-subscriptions-management/**/*.ts"],
+    rules: {
+      "no-console": "off",
+      "import-x/first": "off",
+    },
+  },
+  {
+    files: ["lambdas/client-transform-filter-lambda/**/*.ts"],
+    rules: {
+      "no-console": "off",
+      "import-x/first": "off",
+    },
+  },
 
   // misc rule overrides
   {

@@ -47,7 +47,11 @@
 | <a name="module_sqs_inbound_event"></a> [sqs\_inbound\_event](#module\_sqs\_inbound\_event) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-sqs.zip | n/a |
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_deployment"></a> [deployment](#output\_deployment) | Deployment details used for post-deployment scripts |
+| <a name="output_mock_webhook_lambda_log_group_name"></a> [mock\_webhook\_lambda\_log\_group\_name](#output\_mock\_webhook\_lambda\_log\_group\_name) | CloudWatch log group name for mock webhook lambda (for integration test queries) |
+| <a name="output_mock_webhook_url"></a> [mock\_webhook\_url](#output\_mock\_webhook\_url) | URL endpoint for mock webhook (for TEST\_WEBHOOK\_URL environment variable) |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
@@ -35,8 +35,11 @@ module "client_transform_filter_lambda" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
-    ENVIRONMENT       = var.environment
-    METRICS_NAMESPACE = "nhs-notify-client-callbacks"
+    ENVIRONMENT                           = var.environment
+    METRICS_NAMESPACE                     = "nhs-notify-client-callbacks-metrics"
+    CLIENT_SUBSCRIPTION_CONFIG_BUCKET     = module.client_config_bucket.id
+    CLIENT_SUBSCRIPTION_CONFIG_PREFIX     = "client_subscriptions/"
+    CLIENT_SUBSCRIPTION_CACHE_TTL_SECONDS = "60"
   }
 }
 

@@ -0,0 +1,29 @@
+##
+# Deployment details
+##
+
+output "deployment" {
+  description = "Deployment details used for post-deployment scripts"
+  value = {
+    aws_region     = var.region
+    aws_account_id = var.aws_account_id
+    project        = var.project
+    environment    = var.environment
+    group          = var.group
+    component      = var.component
+  }
+}
+
+##
+# Mock Webhook Lambda Outputs (test/dev environments only)
+##
+
+output "mock_webhook_lambda_log_group_name" {
+  description = "CloudWatch log group name for mock webhook lambda (for integration test queries)"
+  value       = var.deploy_mock_webhook ? module.mock_webhook_lambda[0].cloudwatch_log_group_name : null
+}
+
+output "mock_webhook_url" {
+  description = "URL endpoint for mock webhook (for TEST_WEBHOOK_URL environment variable)"
+  value       = var.deploy_mock_webhook ? aws_lambda_function_url.mock_webhook[0].function_url : null
+}
@@ -5,7 +5,7 @@ export const baseJestConfig: Config = {
   clearMocks: true,
   collectCoverage: true,
   coverageDirectory: "./.reports/unit/coverage",
-  coverageProvider: "v8",
+  coverageProvider: "babel",
   coveragePathIgnorePatterns: ["/__tests__/", "/node_modules/"],
   transform: { "^.+\\.ts$": "ts-jest" },
   testPathIgnorePatterns: [".build"],

@@ -1,5 +1,6 @@
 {
   "dependencies": {
+    "@aws-sdk/client-s3": "^3.821.0",
     "@nhs-notify-client-callbacks/models": "*",
     "aws-embedded-metrics": "^4.2.1",
     "cloudevents": "^8.0.2",

@@ -0,0 +1,11 @@
+import { resolveCacheTtlMs } from "services/config-loader-service";
+
+describe("cache ttl configuration", () => {
+  it("falls back to default TTL when invalid", () => {
+    const ttlMs = resolveCacheTtlMs({
+      CLIENT_SUBSCRIPTION_CACHE_TTL_SECONDS: "not-a-number",
+    } as NodeJS.ProcessEnv);
+
+    expect(ttlMs).toBe(60_000);
+  });
+});
@@ -0,0 +1,11 @@
+import { resolveCacheTtlMs } from "services/config-loader-service";
+
+describe("cache ttl configuration", () => {
+  it("uses the configured TTL when valid", () => {
+    const ttlMs = resolveCacheTtlMs({
+      CLIENT_SUBSCRIPTION_CACHE_TTL_SECONDS: "120",
+    } as NodeJS.ProcessEnv);
+
+    expect(ttlMs).toBe(120_000);
+  });
+});