NHSDigital · BJSS-russell-pollock · Feb 5, 2026
@@ -83,17 +83,9 @@ jobs:
         IDP_AWS_REPORT_UPLOAD_REGION: ${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}
         IDP_AWS_REPORT_UPLOAD_ROLE_NAME: ${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}
         IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT: ${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}
-  test-stage: # Recommended maximum execution time is 5 minutes
-    name: "Test stage"
-    needs: [metadata, commit-stage]
-    uses: ./.github/workflows/stage-2-test.yaml
-    with:
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-    secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   build-stage: # Recommended maximum execution time is 3 minutes
     name: "Build stage"
-    needs: [metadata, test-stage]
+    needs: [metadata]
     uses: ./.github/workflows/stage-3-build.yaml
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     with:
@@ -104,16 +96,3 @@ jobs:
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
-  acceptance-stage: # Recommended maximum execution time is 10 minutes
-    name: "Acceptance stage"
-    needs: [metadata, build-stage]
-    uses: ./.github/workflows/stage-4-acceptance.yaml
-    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
-    with:
-      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
-      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
-      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      version: "${{ needs.metadata.outputs.version }}"
@@ -234,6 +234,14 @@ jobs:
             /cds/gateway/dev/mtls/client1-key-public
           name-transformation: lowercase
 
+      # Prepare cert files for the following test suites
+      - name: Prepare mTLS cert files for tests
+        if: github.event.action != 'closed'
+        run: |
+          printf '%s' "$_cds_gateway_dev_mtls_client1_key_secret" > /tmp/client1-key.pem
+          printf '%s' "$_cds_gateway_dev_mtls_client1_key_public" > /tmp/client1-cert.pem
+          chmod 600 /tmp/client1-key.pem /tmp/client1-cert.pem
+
       - name: Smoke test preview URL
         if: github.event.action != 'closed'
         id: smoke-test
@@ -247,9 +255,6 @@ jobs:
             exit 0
           fi
 
-          # Reachability check: allow 404 (app routes might not exist yet) but fail otherwise
-          printf '%s' "$_cds_gateway_dev_mtls_client1_key_secret" > /tmp/client1-key.pem
-          printf '%s' "$_cds_gateway_dev_mtls_client1_key_public" > /tmp/client1-cert.pem
           STATUS=$(curl \
                       --cert /tmp/client1-cert.pem \
                       --key /tmp/client1-key.pem \
@@ -258,8 +263,6 @@ jobs:
                       --write-out '%{http_code}' \
                       --head \
                       --max-time 30 "$PREVIEW_URL"/health || true)
-          rm -f /tmp/client1-key.pem
-          rm -f /tmp/client1-cert.pem
 
           if [ "$STATUS" = "404" ]; then
             echo "Preview responded with expected 404"
@@ -285,6 +288,156 @@ jobs:
           echo "http_result=unexpected-status" >> "$GITHUB_OUTPUT"
           exit 0
 
+      # ---------- QUALITY CHECKS (Test Suites) ----------
+
+      # UNIT TESTS
+      - name: Run unit tests
+        if: github.event.action != 'closed'
+        run: make test-unit
+
+      - name: Upload unit test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: unit-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Check unit-tests.xml exists
+        id: check-unit
+        if: always()
+        run: |
+          [ -f "gateway-api/test-artefacts/unit-tests.xml" ] && echo "exists=true" >> "$GITHUB_OUTPUT" || echo "exists=false" >> "$GITHUB_OUTPUT"
+
+
+      - name: Publish unit test results to summary
+        if: ${{ always() && steps.check-unit.outputs.exists == 'true' }}
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/unit-tests.xml
+
+      # CONTRACT TESTS
+      - name: Run contract tests against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: make test-contract
+
+      - name: Upload contract test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: contract-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Check contract-tests.xml exists
+        id: check-contract
+        if: always()
+        run: |
+          [ -f "gateway-api/test-artefacts/contract-tests.xml" ] && echo "exists=true" >> "$GITHUB_OUTPUT" || echo "exists=false" >> "$GITHUB_OUTPUT"
+
+
+      - name: Publish contract test results to summary
+        if: ${{ always() && steps.check-contract.outputs.exists == 'true' }}
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/contract-tests.xml
+
+      # SCHEMA TESTS
+      - name: Run schema validation against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: make test-schema
+
+      - name: Upload schema test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: schema-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Check schema-tests.xml exists
+        id: check-schema
+        if: always()
+        run: |
+          [ -f "gateway-api/test-artefacts/schema-tests.xml" ] && echo "exists=true" >> "$GITHUB_OUTPUT" || echo "exists=false" >> "$GITHUB_OUTPUT"
+
+      - name: Publish schema test results to summary
+        if: ${{ always() && steps.check-schema.outputs.exists == 'true' }}
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/schema-tests.xml
+
+      # INTEGRATION TESTS
+      - name: Run integration tests against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: make test-integration
+
+      - name: Upload integration test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: integration-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Check integration-tests.xml exists
+        id: check-integration
+        if: always()
+        run: |
+            [ -f "gateway-api/test-artefacts/integration-tests.xml" ] && echo "exists=true" >> "$GITHUB_OUTPUT" || echo "exists=false" >> "$GITHUB_OUTPUT"
+
+      - name: Publish integration test results to summary
+        if: ${{ always() && steps.check-integration.outputs.exists == 'true' }}
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/integration-tests.xml
+
+      # ACCEPTANCE TESTS
+      - name: Run acceptance tests against preview
+        if: github.event.action != 'closed'
+        env:
+          BASE_URL: ${{ steps.tf-output.outputs.preview_url }}
+          MTLS_CERT: /tmp/client1-cert.pem
+          MTLS_KEY: /tmp/client1-key.pem
+        run: make test-acceptance
+
+      - name: Upload acceptance test results
+        if: always()
+        uses: actions/upload-artifact@v5
+        with:
+          name: acceptance-test-results
+          path: gateway-api/test-artefacts/
+          retention-days: 30
+
+      - name: Check acceptance-tests.xml exists
+        id: check-acceptance
+        if: always()
+        run: |
+          [ -f "gateway-api/test-artefacts/acceptance-tests.xml" ] && echo "exists=true" >> "$GITHUB_OUTPUT" || echo "exists=false" >> "$GITHUB_OUTPUT"
+
+      - name: Publish acceptance test results to summary
+        if: ${{ always() && steps.check-acceptance.outputs.exists == 'true' }}
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        with:
+          paths: gateway-api/test-artefacts/acceptance-tests.xml
+
+      # Cleanup after tests
+      - name: Remove mTLS temp files
+        if: github.event.action != 'closed'
+        run: rm -f /tmp/client1-key.pem /tmp/client1-cert.pem || true
+
       - name: Comment function name on PR
         if: github.event_name == 'pull_request' && github.event.action != 'closed'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd