NHSDigital · Ian-Hodges · Jan 22, 2026 · Jan 8, 2026 · Jan 8, 2026 · Jan 12, 2026
@@ -25,16 +25,23 @@ runs:
   using: "composite"
 
   steps:
+    - name: Get Node version
+      id: nodejs_version
+      shell: bash
+      run: |
+        echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+    - uses: ./.github/actions/node-install
+      with:
+        node-version: ${{ steps.nodejs_version.outputs.nodejs_version }}
+        GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
     - name: "Repo setup"
       shell: bash
       run: |
         npm ci
-
     - name: "Generate dependencies"
       shell: bash
       run: |
         npm run generate-dependencies
-
     - name: Run test - ${{ inputs.testType }}
       shell: bash
       run: |
@@ -51,7 +58,6 @@ runs:
       env:
         TEST_TYPE: ${{ inputs.testType }}
         ENVIRONMENT: ${{ inputs.targetEnvironment }}
-
     - name: Archive integration test results
       if: ${{ inputs.testType == 'integration' }}
       uses: actions/upload-artifact@v4

@@ -4,14 +4,21 @@ inputs:
   version:
     description: "Version number"
     required: true
+  node-version:
+    description: 'Node.js version'
+    required: true
+  GITHUB_TOKEN:
+    description: "Token for access to github package registry"
+    required: true
 runs:
   using: "composite"
   steps:
     - name: Checkout
       uses: actions/checkout@v5
-    - uses: actions/setup-node@v6
+    - uses: ./.github/actions/node-install
       with:
-        node-version: 24
+        node-version: ${{ inputs.node-version }}
+        GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
     - name: Npm cli install
       working-directory: ./docs
       run: npm ci

@@ -0,0 +1,25 @@
+name: 'Node install and setup'
+description: 'Setup node and authenticate github package repository'
+
+inputs:
+  node-version:
+    description: 'Node.js version'
+    required: true
+  GITHUB_TOKEN:
+    description: "Token for access to github package registry"
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Use Node.js'
+      uses: actions/setup-node@v6
+      with:
+        node-version: '${{ inputs.node-version }}'
+
+    - name: "Configure npm for GitHub Packages"
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
+      run: |
+        scripts/set-github-token.sh
@@ -15,12 +15,15 @@ on:
 permissions:
   id-token: write
   contents: write
+  packages: read
 
 jobs:
   metadata:
     name: "Set CI/CD metadata"
     runs-on: ubuntu-latest
     timeout-minutes: 1
+    permissions:
+      contents: read
     outputs:
       build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }}
       build_datetime: ${{ steps.variables.outputs.build_datetime }}
@@ -152,6 +155,9 @@ jobs:
     name: Trigger dynamic environment creation
     needs: [metadata, build-stage]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     steps:
       - uses: actions/checkout@v5.0.0

@@ -152,12 +152,15 @@ jobs:
         uses: ./.github/actions/lint-terraform
   trivy-iac:
     name: "Trivy IaC Scan"
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 10
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+    permissions:
+      contents: read
+      packages: read
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -168,10 +171,13 @@ jobs:
   trivy-package:
     if: ${{ !inputs.skip_trivy_package }}
     name: "Trivy Package Scan"
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
+      packages: read
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4

@@ -40,21 +40,21 @@ env:
   AWS_REGION: eu-west-2
   TERM: xterm-256color
 
-permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
-
 jobs:
   check-generated-dependencies:
     name: "Check generated dependencies"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: ./.github/actions/node-install
         with:
-          node-version: 24.10.0
+          node-version: ${{ inputs.nodejs_version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Repo setup"
         run: |
           npm ci
@@ -66,12 +66,16 @@ jobs:
     name: "Unit tests"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: ./.github/actions/node-install
         with:
-          node-version: 24.10.0
+          node-version: ${{ inputs.nodejs_version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Setup Python"
         uses: actions/setup-python@v6
         with:
@@ -103,29 +107,39 @@ jobs:
     name: "Linting"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
       - name: "Setup Python"
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python_version }}
-      - uses: actions/setup-node@v6
+      - uses: ./.github/actions/node-install
         with:
-          node-version: 24.10.0
+          node-version: ${{ inputs.nodejs_version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Run linting"
         run: |
           make test-lint
   test-typecheck:
     name: "Typecheck"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
+      packages: read
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: ./.github/actions/node-install
         with:
-          node-version: 24.10.0
+          node-version: ${{ inputs.nodejs_version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Run typecheck"
         run: |
           make test-typecheck
@@ -134,6 +148,8 @@ jobs:
     needs: [test-unit]
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5

@@ -44,3 +44,5 @@ jobs:
         uses: ./.github/actions/build-docs
         with:
           version: "${{ inputs.version }}"
+          node-version: ${{ inputs.nodejs_version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,2 @@
+# Package is scoped under @org, set registry for that scope
+@nhsdigital:registry=https://npm.pkg.github.com
@@ -17,6 +17,7 @@ dependencies:: # Install dependencies needed to build and test the project @Pipe
 	$(MAKE) -C utils/metric-publishers install
 	$(MAKE) -C utils/event-publisher-py install
 	$(MAKE) -C utils/py-mock-mesh install
+	./scripts/set-github-token.sh
 	npm install --workspaces
 	$(MAKE) generate
 

@@ -50,6 +50,7 @@ No requirements.
 | <a name="module_pdm_mock"></a> [pdm\_mock](#module\_pdm\_mock) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_pdm_poll"></a> [pdm\_poll](#module\_pdm\_poll) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_pdm_uploader"></a> [pdm\_uploader](#module\_pdm\_uploader) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
+| <a name="module_print_status_handler"></a> [print\_status\_handler](#module\_print\_status\_handler) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_cf_logs"></a> [s3bucket\_cf\_logs](#module\_s3bucket\_cf\_logs) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_letters"></a> [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_non_pii_data"></a> [s3bucket\_non\_pii\_data](#module\_s3bucket\_non\_pii\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip | n/a |
@@ -60,6 +61,7 @@ No requirements.
 | <a name="module_sqs_mesh_download"></a> [sqs\_mesh\_download](#module\_sqs\_mesh\_download) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_sqs_pdm_poll"></a> [sqs\_pdm\_poll](#module\_sqs\_pdm\_poll) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_sqs_pdm_uploader"></a> [sqs\_pdm\_uploader](#module\_sqs\_pdm\_uploader) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
+| <a name="module_sqs_print_status_handler"></a> [sqs\_print\_status\_handler](#module\_sqs\_print\_status\_handler) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.30/terraform-sqs.zip | n/a |
 | <a name="module_sqs_ttl"></a> [sqs\_ttl](#module\_sqs\_ttl) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_sqs_ttl_handle_expiry_errors"></a> [sqs\_ttl\_handle\_expiry\_errors](#module\_sqs\_ttl\_handle\_expiry\_errors) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_ttl_create"></a> [ttl\_create](#module\_ttl\_create) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |

@@ -0,0 +1,19 @@
+resource "aws_cloudwatch_event_rule" "print_status_changed" {
+  name           = "${local.csi}-print-status-changed"
+  description    = "Print status changed event rule"
+  event_bus_name = aws_cloudwatch_event_bus.main.name
+
+  event_pattern = jsonencode({
+    "detail" : {
+      "type" : [{
+        "prefix" : "uk.nhs.notify.supplier-api.letter."
+      }]
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "print_status_changed_print_status_handler" {
+  rule           = aws_cloudwatch_event_rule.print_status_changed.name
+  arn            = module.sqs_print_status_handler.sqs_queue_arn
+  event_bus_name = aws_cloudwatch_event_bus.main.name
+}
@@ -0,0 +1,10 @@
+resource "aws_lambda_event_source_mapping" "print_status_handler" {
+  event_source_arn                   = module.sqs_print_status_handler.sqs_queue_arn
+  function_name                      = module.print_status_handler.function_name
+  batch_size                         = var.queue_batch_size
+  maximum_batching_window_in_seconds = var.queue_batch_window_seconds
+
+  function_response_types = [
+    "ReportBatchItemFailures"
+  ]
+}
@@ -0,0 +1,86 @@
+module "print_status_handler" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip"
+
+  function_name = "print-status-handler"
+  description   = "A function for processing letter printing statuses"
+
+  aws_account_id = var.aws_account_id
+  component      = local.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.print_status_handler.json
+  }
+
+  function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_code_base_path = local.aws_lambda_functions_dir_path
+  function_code_dir       = "print-status-handler/dist"
+  function_include_common = true
+  handler_function_name   = "handler"
+  runtime                 = "nodejs22.x"
+  memory                  = 128
+  timeout                 = 60
+  log_level               = var.log_level
+
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+  enable_lambda_insights   = false
+
+  log_destination_arn       = local.log_destination_arn
+  log_subscription_role_arn = local.acct.log_subscription_role_arn
+
+  lambda_env_vars = {
+    "EVENT_PUBLISHER_EVENT_BUS_ARN"        = aws_cloudwatch_event_bus.main.arn
+    "EVENT_PUBLISHER_DLQ_URL"              = module.sqs_event_publisher_errors.sqs_queue_url
+  }
+}
+
+data "aws_iam_policy_document" "print_status_handler" {
+  statement {
+    sid    = "PutEvents"
+    effect = "Allow"
+
+    actions = [
+      "events:PutEvents",
+    ]
+
+    resources = [
+      aws_cloudwatch_event_bus.main.arn,
+    ]
+  }
+
+  statement {
+    sid    = "SQSPermissionsDLQs"
+    effect = "Allow"
+
+    actions = [
+      "sqs:SendMessage",
+      "sqs:SendMessageBatch",
+    ]
+
+    resources = [
+      module.sqs_event_publisher_errors.sqs_queue_arn,
+    ]
+  }
+
+  statement {
+    sid    = "SQSPermissionsPrintStatusHandlerQueue"
+    effect = "Allow"
+
+    actions = [
+      "sqs:ReceiveMessage",
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:GetQueueUrl",
+    ]
+
+    resources = [
+      module.sqs_print_status_handler.sqs_queue_arn,
+    ]
+  }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Package is scoped under @org, set registry for that scope
		@nhsdigital:registry=https://npm.pkg.github.com