diff --git a/.github/actions/check-english-usage/action.yaml b/.github/actions/check-english-usage/action.yaml
deleted file mode 100644
index 9953bcc7..00000000
--- a/.github/actions/check-english-usage/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Check English usage"
-description: "Check English usage"
-runs:
- using: "composite"
- steps:
- - name: "Check English usage"
- shell: bash
- run: |
- export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
- check=branch ./scripts/githooks/check-english-usage.sh
diff --git a/.github/actions/check-file-format/action.yaml b/.github/actions/check-file-format/action.yaml
deleted file mode 100644
index bd0929a8..00000000
--- a/.github/actions/check-file-format/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Check file format"
-description: "Check file format"
-runs:
- using: "composite"
- steps:
- - name: "Check file format"
- shell: bash
- run: |
- export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
- check=branch ./scripts/githooks/check-file-format.sh
diff --git a/.github/actions/check-markdown-format/action.yaml b/.github/actions/check-markdown-format/action.yaml
deleted file mode 100644
index 53a715b4..00000000
--- a/.github/actions/check-markdown-format/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Check Markdown format"
-description: "Check Markdown format"
-runs:
- using: "composite"
- steps:
- - name: "Check Markdown format"
- shell: bash
- run: |
- export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
- check=branch ./scripts/githooks/check-markdown-format.sh
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml
deleted file mode 100644
index b21f0667..00000000
--- a/.github/actions/create-lines-of-code-report/action.yaml
+++ /dev/null
@@ -1,57 +0,0 @@ -name: "Count lines of code" -description: "Count lines of code" -inputs: - build_datetime: - description: "Build datetime, set by the CI/CD pipeline workflow" - required: true - build_timestamp: - description: "Build timestamp, set by the CI/CD pipeline workflow" - required: true - idp_aws_report_upload_account_id: - description: "IDP AWS account ID" - required: true - idp_aws_report_upload_region: - description: "IDP AWS account region" - required: true - idp_aws_report_upload_role_name: - description: "Role to upload the report" - required: true - idp_aws_report_upload_bucket_endpoint: - description: "Bucket endpoint for the report" - required: true -runs: - using: "composite" - steps: - - name: "Create CLOC report" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/create-lines-of-code-report.sh - - name: "Compress CLOC report" - shell: bash - run: zip lines-of-code-report.json.zip lines-of-code-report.json - - name: "Upload CLOC report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: lines-of-code-report.json.zip - path: ./lines-of-code-report.json.zip - retention-days: 21 - - name: "Check prerequisites for sending the report" - shell: bash - id: check - run: | - echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - - name: "Authenticate to send the report" - if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} - aws-region: ${{ inputs.idp_aws_report_upload_region }} - - name: "Send the CLOC report to the central location" - shell: bash - if: steps.check.outputs.secrets_exist == 'true' - run: | - aws s3 cp \ - ./lines-of-code-report.json.zip \ - ${{ 
inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip diff --git a/.github/actions/lint-terraform/action.yaml b/.github/actions/lint-terraform/action.yaml deleted file mode 100644 index d5dfe35d..00000000 --- a/.github/actions/lint-terraform/action.yaml +++ /dev/null @@ -1,20 +0,0 @@ -name: "Lint Terraform" -description: "Lint Terraform" -inputs: - root-modules: - description: "Comma separated list of root module directories to validate, content of the 'infrastructure/environments' is checked by default" - required: false -runs: - using: "composite" - steps: - - name: "Check Terraform format" - shell: bash - run: | - check_only=true scripts/githooks/check-terraform-format.sh - - name: "Validate Terraform" - shell: bash - run: | - stacks=${{ inputs.root-modules }} - for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do - dir=$dir make terraform-validate - done diff --git a/.github/actions/perform-static-analysis/action.yaml b/.github/actions/perform-static-analysis/action.yaml deleted file mode 100644 index a619e9d2..00000000 --- a/.github/actions/perform-static-analysis/action.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: "Perform static analysis" -description: "Perform static analysis" -inputs: - sonar_organisation_key: - description: "Sonar organisation key, used to identify the project" - required: false - sonar_project_key: - description: "Sonar project key, used to identify the project" - required: false - sonar_token: - description: "Sonar token, the API key" - required: false -runs: - using: "composite" - steps: - - name: "Check prerequisites for performing static analysis" - shell: bash - id: check - run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT - - name: "Perform static analysis" - shell: bash - if: steps.check.outputs.secret_exist == 'true' - run: | - export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')} - export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }} - export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }} - export SONAR_TOKEN=${{ inputs.sonar_token }} - ./scripts/reports/perform-static-analysis.sh diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml deleted file mode 100644 index f8ed605d..00000000 --- a/.github/actions/scan-dependencies/action.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -name: "Scan dependencies" -description: "Scan dependencies" -inputs: - build_datetime: - description: "Build datetime, set by the CI/CD pipeline workflow" - required: true - build_timestamp: - description: "Build timestamp, set by the CI/CD pipeline workflow" - required: true - idp_aws_report_upload_account_id: - description: "IDP AWS report upload account ID to upload the report to" - required: false - idp_aws_report_upload_region: - description: "IDP AWS report upload account region to upload the report to" - required: false - idp_aws_report_upload_role_name: - description: "IDP AWS report upload role name for OIDC authentication" - required: false - idp_aws_report_upload_bucket_endpoint: - description: "IDP AWS report upload endpoint to upload the report to" - required: false -runs: - using: "composite" - steps: - - name: "Generate SBOM" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/create-sbom-report.sh - - name: "Compress SBOM report" - shell: bash - run: zip sbom-repository-report.json.zip sbom-repository-report.json - - name: "Upload SBOM report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: sbom-repository-report.json.zip - path: ./sbom-repository-report.json.zip - retention-days: 21 - - name: "Scan vulnerabilities" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/scan-vulnerabilities.sh - - name: "Compress vulnerabilities report" - shell: bash - run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - - name: "Upload vulnerabilities report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: vulnerabilities-repository-report.json.zip - path: ./vulnerabilities-repository-report.json.zip - retention-days: 21 - - name: "Check prerequisites for sending the reports" - shell: bash - id: check - run: echo "secrets_exist=${{ 
inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - - name: "Authenticate to send the reports" - if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} - aws-region: ${{ inputs.idp_aws_report_upload_region }} - - name: "Send the SBOM and vulnerabilities reports to the central location" - shell: bash - if: steps.check.outputs.secrets_exist == 'true' - run: | - aws s3 cp \ - ./sbom-repository-report.json.zip \ - ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip - aws s3 cp \ - ./vulnerabilities-repository-report.json.zip \ - ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip diff --git a/.github/actions/scan-secrets/action.yaml b/.github/actions/scan-secrets/action.yaml deleted file mode 100644 index 1ed8bac2..00000000 --- a/.github/actions/scan-secrets/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Scan secrets" -description: "Scan secrets" -runs: - using: "composite" - steps: - - name: "Scan secrets" - shell: bash - run: | - # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten. - check=whole-history ./scripts/githooks/scan-secrets.sh diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index cd068ec0..cf3a5114 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml 
@@ -26,7 +26,7 @@ jobs:
 does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Set CI/CD variables"
 id: variables
 run: |
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index 44eebbf2..9fa4d358 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -22,7 +22,7 @@ jobs:
 version: ${{ steps.variables.outputs.version }}
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Set CI/CD variables"
 id: variables
 run: |
@@ -53,14 +53,14 @@ jobs:
 timeout-minutes: 3
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Get the artefacts"
 run: |
 echo "Getting the artefacts created by the build stage ..."
 # TODO: Use either action/cache or action/upload-artifact
 - name: "Create release"
 id: create_release
- uses: actions/create-release@v1
+ uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -71,7 +71,7 @@ jobs:
 draft: false
 prerelease: false
 # - name: "Upload release asset"
- # uses: actions/upload-release-asset@v1
+ # uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
 # env:
 # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # with:
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
index 2745b380..acfc36aa 100644
--- a/.github/workflows/cicd-3-deploy.yaml
+++ b/.github/workflows/cicd-3-deploy.yaml
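Review bot: In the cicd-2-publish.yaml hunk at `@@ -53,14 +53,14 @@`, pinning `actions/create-release` to a commit SHA removes the mutable-tag risk but freezes what is, as far as I know, an archived and unmaintained action into the release job, which runs with `secrets.GITHUB_TOKEN`. The `# TODO` two lines above already marks the artefact handling in this job as placeholder, so the release step itself looks provisional as well. I would record that on the pin so the next reader does not take the SHA as a sign the dependency was vetted, e.g. `uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1 (upstream archived; replace before this job is used for real releases)`. The same applies to the commented-out `actions/upload-release-asset` pin in the `@@ -71,7 +71,7 @@` hunk, which I believe is archived too.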
@@ -24,7 +24,7 @@ jobs:
 tag: ${{ steps.variables.outputs.tag }}
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Set CI/CD variables"
 id: variables
 run: |
@@ -56,7 +56,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 # TODO: More jobs or/and steps here
 # success:
 # name: "Success notification"
diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
index 350db850..b3928ba3 100644
--- a/.github/workflows/jekyll-gh-pages.yml
+++ b/.github/workflows/jekyll-gh-pages.yml
@@ -31,11 +31,11 @@ jobs:
 working-directory: docs
 steps:
 - name: Checkout
- uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
- node-version: 18
- - run: npm ci
+ node-version: 22
+ - run: npm ci --ignore-scripts
 - name: Setup Ruby
 uses: ruby/setup-ruby@086ffb1a2090c870a3f881cc91ea83aa4243d408 # v1.195.0
 with:
@@ -45,7 +45,7 @@ jobs:
 working-directory: "./docs"
 - name: Setup Pages
 id: pages
- uses: actions/configure-pages@v5
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
 - name: Build with Jekyll
 working-directory: ./docs
 # Outputs to the './_site' directory by default
@@ -54,11 +54,11 @@ jobs:
 JEKYLL_ENV: production
 - name: Upload artifact
 # Automatically uploads an artifact from the './_site' directory by default
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
 with:
 path: "docs/_site/"
 - name: Archive production artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 with:
 name: site
 path: "docs/_site/"
@@ -76,4 +76,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index a516b786..1516680b 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -1,5 +1,8 @@
 name: "Commit stage" +permissions: + contents: read + on: workflow_call: inputs:
@@ -43,7 +46,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to scan all commits
 - name: "Scan secrets"
- uses: ./.github/actions/scan-secrets
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.9
 check-file-format:
 name: "Check file format"
 runs-on: ubuntu-latest
@@ -54,7 +57,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check file format"
- uses: ./.github/actions/check-file-format
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.0.9
 check-markdown-format:
 name: "Check Markdown format"
 runs-on: ubuntu-latest
@@ -65,7 +68,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check Markdown format"
- uses: ./.github/actions/check-markdown-format
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.0.9
 check-english-usage:
 name: "Check English usage"
 runs-on: ubuntu-latest
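Review bot: The workflow-level `permissions: contents: read` added in the stage-1-commit.yaml `@@ -1,5 +1,8 @@` hunk may be too narrow for the count-lines-of-code and scan-dependencies jobs in the same file. The composite actions this commit deletes (the create-lines-of-code-report and scan-dependencies hunks on L2 and L5) authenticated with `aws-actions/configure-aws-credentials` via `role-to-assume` and no static keys, i.e. OIDC, which needs the `id-token: write` permission; if the shared-module replacements at `@3.0.9` still do that (I cannot see them from here), the token request will now fail unless those two jobs grant it at job level, and no visible hunk adds such a block. If a job-level `permissions:` already exists outside the hunks this is moot; otherwise I would add to each of those two jobs `permissions:` / `contents: read` / `id-token: write`, keeping the workflow-level default read-only.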
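Review bot: The new cross-repository reference in the `@@ -43,7 +46,7 @@` hunk, `uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.9`, pins to a tag, while every GitHub-owned action in this same commit is moved to a full commit SHA with the version in a trailing comment. A tag is a mutable pointer that the owning repository can retarget or delete, so this is the one place in the commit where the executed code is not fixed by the reference, and scan-secrets is the control that is meant to catch leaked credentials across the whole history. The same pattern appears in the check-file-format, check-markdown-format and check-english-usage hunks here, the create-lines-of-code-report and scan-dependencies hunks on L10, the perform-static-analysis hunk on L11, and as `rev: 3.0.9` in scripts/config/pre-commit.yaml on L17. I would write each as `uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@<commit-sha-of-tag-3.0.9> # 3.0.9`, matching the style used for the other actions; the placeholder must be resolved from the upstream repository, it is not on this page.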
@@ -76,16 +79,16 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check English usage"
- uses: ./.github/actions/check-english-usage
- lint-terraform:
- name: "Lint Terraform"
- runs-on: ubuntu-latest
- timeout-minutes: 2
- steps:
- - name: "Checkout code"
- uses: actions/checkout@v4
- - name: "Lint Terraform"
- uses: ./.github/actions/lint-terraform
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.0.9
+ # lint-terraform:
+ # name: "Lint Terraform"
+ # runs-on: ubuntu-latest
+ # timeout-minutes: 2
+ # steps:
+ # - name: "Checkout code"
+ # uses: actions/checkout@v4
+ # - name: "Lint Terraform"
+ # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/lint-terraform@3.0.9
 count-lines-of-code:
 name: "Count lines of code"
 runs-on: ubuntu-latest
@@ -97,7 +100,7 @@ jobs:
 - name: "Checkout code"
 uses: actions/checkout@v4
 - name: "Count lines of code"
- uses: ./.github/actions/create-lines-of-code-report
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.9
 with:
 build_datetime: "${{ inputs.build_datetime }}"
 build_timestamp: "${{ inputs.build_timestamp }}"
@@ -116,7 +119,7 @@ jobs:
 - name: "Checkout code"
 uses: actions/checkout@v4
 - name: "Scan dependencies"
- uses: ./.github/actions/scan-dependencies
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.9
 with:
 build_datetime: "${{ inputs.build_datetime }}"
 build_timestamp: "${{ inputs.build_timestamp }}"
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index efcb2ac4..ffa5795d 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -39,7 +39,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run unit test suite"
 run: |
 make test-unit
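Review bot: The checkout steps in the count-lines-of-code and scan-dependencies jobs (context lines `uses: actions/checkout@v4` in the `@@ -97,7 +100,7 @@` and `@@ -116,7 +119,7 @@` hunks of stage-1-commit.yaml) are left on the floating major tag, while every other checkout touched by this commit is moved to the SHA-pinned v6; the checkouts of the scan-secrets and check-* jobs in this file sit outside the hunks, so I cannot tell whether they were updated. Leaving one file on a mix of pinned and unpinned references defeats the purpose of the pinning pass, since the unpinned step runs whatever the tag points at; I would change both to `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`. Separately, the `@@ -76,16 +79,16 @@` hunk comments out the lint-terraform job instead of deleting it, and the parked copy still carries `actions/checkout@v4`; git history preserves the job, so deleting it, or adding a one-line comment saying why it is parked and when it comes back, would be clearer than ten commented-out lines.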
@@ -52,7 +52,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run linting"
 run: |
 make test-lint
@@ -66,7 +66,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run test coverage check"
 run: |
 make test-coverage
@@ -83,11 +83,11 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0 # Full history is needed to improving relevancy of reporting
 - name: "Perform static analysis"
- uses: ./.github/actions/perform-static-analysis
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/perform-static-analysis@3.0.9
 with:
 sonar_organisation_key: "${{ vars.SONAR_ORGANISATION_KEY }}"
 sonar_project_key: "${{ vars.SONAR_PROJECT_KEY }}"
diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
index 2a53a07a..32fe1c1b 100644
--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -39,7 +39,7 @@ jobs:
 timeout-minutes: 3
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Build artefact 1"
 run: |
 echo "Building artefact 1 ..."
@@ -56,7 +56,7 @@ jobs:
 timeout-minutes: 3
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Build artefact 2"
 run: |
 echo "Building artefact 2 ..."
diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml
index e83b0cfe..9085b995 100644
--- a/.github/workflows/stage-4-acceptance.yaml
+++ b/.github/workflows/stage-4-acceptance.yaml
@@ -39,7 +39,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Create infractructure"
 run: |
 echo "Creating infractructure..."
@@ -56,7 +56,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run contract test"
 run: |
 make test-contract
@@ -70,7 +70,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run security test"
 run: |
 make test-security
@@ -84,7 +84,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run UI test"
 run: |
 make test-ui
@@ -98,7 +98,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run UI performance test"
 run: |
 make test-ui-performance
@@ -112,7 +112,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run integration test"
 run: |
 make test-integration
@@ -126,11 +126,11 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
- node-version: 18
- - run: npm ci
+ node-version: 22
+ - run: npm ci # Sonar: --ignore-scripts breaks playwright installation for Pa11y
 working-directory: "./docs"
 - name: Setup Ruby
 uses: ruby/setup-ruby@086ffb1a2090c870a3f881cc91ea83aa4243d408 # v1.195.0
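Review bot: The `npm ci` in the accessibility job (`@@ -126,11 +126,11 @@` hunk of stage-4-acceptance.yaml) keeps lifecycle scripts enabled for the whole transitive dependency tree of `./docs`, while the same install in jekyll-gh-pages.yml (L8 hunk) was switched to `npm ci --ignore-scripts`; the inline comment explains the exception, but the effect is that every package's install script is trusted in order to satisfy one. A narrower form is to keep `npm ci --ignore-scripts` and run only the browser-install step that the Pa11y tooling needs as an explicit follow-up step, so that a single, named script runs rather than all of them; whether that works depends on how that package wires its install, which is not visible here. If the current form stays, the comment should state the decision rather than the tool that flagged it, e.g. `- run: npm ci # lifecycle scripts intentionally enabled: --ignore-scripts breaks the browser install that Pa11y needs`, so the next pinning pass does not "fix" it back.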
@@ -141,7 +141,7 @@ jobs:
 working-directory: "./docs"
 - name: Setup Pages
 id: pages
- uses: actions/configure-pages@v5
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
 with:
 working-directory: "./docs"
 - name: Build with Jekyll
@@ -152,7 +152,7 @@ jobs:
 - name: Run accessibility test
 run: make test-accessibility
 - name: Archive accessibility results
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 with:
 name: accessibility
 path: "docs/.reports/accessibility"
@@ -163,7 +163,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run load tests"
 run: |
 make test-load
@@ -187,7 +187,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Tear down environment"
 run: |
 echo "Tearing down environment..."
diff --git a/.tool-versions b/.tool-versions
index 3e5e8ed3..38bd0def 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,24 +1,24 @@ -gitleaks 8.18.4 -nodejs 18.18.2 -pre-commit 3.6.0 -terraform 1.7.0 -vale 3.6.0 +gitleaks 8.30.1 +jq 1.8.1 +nodejs 22.22.0 +pre-commit 4.5.1 +terraform 1.14.8 +vale 3.14.1 python 3.13.2 - # ============================================================================== # The section below is reserved for Docker image versions. # TODO: Move this section - consider using a different file for the repository template dependencies. -# docker/ghcr.io/anchore/grype v0.104.3@sha256:d340f4f8b3b7e6e72a6c9c0152f25402ed8a2d7375dba1dfce4e53115242feb6 # SEE: https://github.com/anchore/grype/pkgs/container/grype -# docker/ghcr.io/anchore/syft v1.39.0@sha256:6f13bb010923c33fb197047c8f88888e77071bd32596b3f605d62a133e493ce4 # SEE: https://github.com/anchore/syft/pkgs/container/syft -# docker/ghcr.io/gitleaks/gitleaks v8.24.0@sha256:2bcceac45179b3a91bff11a824d0fb952585b429e54fc928728b1d4d5c3e5176 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks -# docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli +# docker/ghcr.io/anchore/grype v0.110.0@sha256:af65fbc0c664691067788fe95ff88760b435543e45595eb2ca6f102fc476fbe1 # SEE: https://github.com/anchore/grype/pkgs/container/grype +# docker/ghcr.io/anchore/syft v1.42.3@sha256:5999d209a342e55e9edf70bf8930fb5b86d8f2a783fa401178372c50e21b1d36 # SEE: https://github.com/anchore/syft/pkgs/container/syft +# docker/ghcr.io/gitleaks/gitleaks v8.30.0@sha256:691af3c7c5a48b16f187ce3446d5f194838f91238f27270ed36eef6359a574d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks +# docker/ghcr.io/igorshubovych/markdownlint-cli v0.48.0@sha256:c97f19b52cf7371ff767c080e3e15c15f1cbd3336fc41aeca7a93bb2cdb9843c # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli # docker/ghcr.io/make-ops-tools/gocloc 
latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image -# docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags -# docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags -# docker/jdkato/vale v3.6.0@sha256:0ef22c8d537f079633cfff69fc46f69a2196072f69cab1ab232e8a79a388e425 # SEE: https://hub.docker.com/r/jdkato/vale/tags -# docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags -# docker/mstruebing/editorconfig-checker 2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24 # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags -# docker/sonarsource/sonar-scanner-cli 11.3@sha256:7462f132388135e32b948f8f18ff0db9ae28a87c6777f1df5b2207e04a6d7c5c # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags +# docker/hadolint/hadolint 2.14.0-alpine@sha256:7aba693c1442eb31c0b015c129697cb3b6cb7da589d85c7562f9deb435a6657c # SEE: https://hub.docker.com/r/hadolint/hadolint/tags +# docker/hashicorp/terraform 1.14.8@sha256:42ecfb253183ec823646dd7859c5652039669409b44daa72abf57112e622849a # SEE: https://hub.docker.com/r/hashicorp/terraform/tags +# docker/jdkato/vale v3.14.1@sha256:e10e0fd59ac94fcb1ebaea37cafd4e7d5c737cd0bc170a84386dbd21c1144a34 # SEE: https://hub.docker.com/r/jdkato/vale/tags +# docker/koalaman/shellcheck 
latest@sha256:3ec6239ae73eaf9c5a4c5d1c050d99d8c9bd98b43e49c997ac05a209daaaedf0 # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
+# docker/mstruebing/editorconfig-checker v3.6.1@sha256:af556694c3eb0a16b598efbe84c1171d40dfb779fdac6f01b89baedde065556f # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags
+# docker/sonarsource/sonar-scanner-cli 12.1@sha256:a429d20d22c8d97b9a10ea5585f1c56d2a54796f0ae3da06c7a1a49eec78e6c2 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags
diff --git a/scripts/config/check-todos-ignore.conf b/scripts/config/check-todos-ignore.conf
new file mode 100644
index 00000000..ea86b598
--- /dev/null
+++ b/scripts/config/check-todos-ignore.conf
@@ -0,0 +1,19 @@
+# Configuration file for check-todos.sh
+
+[files]
+.devcontainer/devcontainer.json
+.github/workflows/stage-1-commit.yaml
+.pre-commit-hooks.yaml
+.tool-versions
+.vscode/extensions.json
+infrastructure/terraform/bin/terraform.sh
+Makefile
+project.code-workspace
+scripts/config/check-todos-ignore.conf
+scripts/config/pre-commit.yaml
+
+[directories]
+.git/
+.venv/
+docs/
+node_modules/
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
index 3156979c..432760e5 100644
--- a/scripts/config/pre-commit.yaml
+++ b/scripts/config/pre-commit.yaml
@@ -1,33 +1,12 @@
 repos:
-- repo: local
- hooks:
- - id: scan-secrets
- name: Scan secrets
- entry: ./scripts/githooks/scan-secrets.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-file-format
- name: Check file format
- entry: ./scripts/githooks/check-file-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-markdown-format
- name: Check Markdown format
- entry: ./scripts/githooks/check-markdown-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-english-usage
- name: Check English usage
- entry: ./scripts/githooks/check-english-usage.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
+ - repo: https://github.com/NHSDigital/nhs-notify-shared-modules
+ rev: 3.0.9
+ hooks:
+ - id: scan-secrets
+ args: [check=staged-changes]
+ - id: check-file-format
+ args: [check=staged-changes]
+ - id: check-markdown-format
+ args: [check=staged-changes]
+ - id: check-english-usage
+ args: [check=staged-changes]
diff --git a/scripts/githooks/check-english-usage.sh b/scripts/githooks/check-english-usage.sh
deleted file mode 100755
index b3942deb..00000000
--- a/scripts/githooks/check-english-usage.sh
+++ /dev/null
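Review bot: The four hooks in the rewritten `repos:` entry drop the explicit `entry:`, `language: script` and `pass_filenames: false` that the removed local definitions carried; those settings now come from the hook manifest of the remote repository at `rev: 3.0.9`, which is outside this diff. If that manifest does not set `pass_filenames: false`, pre-commit appends the staged file names after `args`, and the hook scripts (whose deleted local copies on L18-L21 take their mode from the `check=` setting, not from positional file arguments) would be invoked with arguments they were not written for. Worth confirming against the remote `.pre-commit-hooks.yaml` before merging, and noting the outcome in a comment above the entry. `rev: 3.0.9` is also a tag fetched over the network at hook-install time; pre-commit accepts a full commit SHA in `rev`, which would fix the executed code the same way the SHA pins in the workflow files do.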
@@ -1,108 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Git hook to check prose style -# -# Usage: -# $ check={all,staged-changes,working-tree-changes,branch} ./check-english-usage.sh -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# The `check` parameter controls which files are checked, so you can -# limit the scope of the check according to what is appropriate at the -# point the check is being applied. -# -# check=all: check all files in the repository -# check=staged-changes: check only files staged for commit. -# check=working-tree-changes: check modified, unstaged files. This is the default. -# check=branch: check for all changes since branching from $BRANCH_NAME - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - check=${check:-working-tree-changes} - case $check in - "all") - filter="git ls-files" - ;; - "staged-changes") - filter="git diff --diff-filter=ACMRT --name-only --cached" - ;; - "working-tree-changes") - filter="git diff --diff-filter=ACMRT --name-only" - ;; - "branch") - filter="git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main}" - ;; - *) - echo "Unrecognised check mode: $check" >&2 && exit 1 - ;; - esac - - if command -v vale > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - filter="$filter" run-vale-natively - else - filter="$filter" run-vale-in-docker - fi -} - -# Run Vale natively. -# Arguments (provided as environment variables): -# filter=[git command to filter the files to check] -function run-vale-natively() { - - # shellcheck disable=SC2046 - vale \ - --config "$PWD/scripts/config/vale/vale.ini" \ - $($filter) -} - -# Run Vale in a Docker container. 
-# Arguments (provided as environment variables): -# filter=[git command to filter the files to check] -function run-vale-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=jdkato/vale docker-get-image-version-and-pull) - # We use /dev/null here to stop `vale` from complaining that it's - # not been called correctly if the $filter happens to return an - # empty list. As long as there's a filename, even if it's one that - # will be ignored, `vale` is happy. - # shellcheck disable=SC2046,SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD:/workdir" \ - --workdir /workdir \ - "$image" \ - --config /workdir/scripts/config/vale/vale.ini \ - $($filter) /dev/null -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/check-file-format.sh b/scripts/githooks/check-file-format.sh deleted file mode 100755 index d7c94747..00000000 --- a/scripts/githooks/check-file-format.sh +++ /dev/null 
@@ -1,124 +0,0 @@
-#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check the EditorConfig rules compliance over changed -# files. It ensures all non-binary files across the codebase are formatted -# according to the style defined in the `.editorconfig` file. This is a -# editorconfig command wrapper. It will run editorconfig natively if it is -# installed, otherwise it will run it in a Docker container. -# -# Usage: -# $ [options] ./check-file-format.sh -# -# Options: -# check={all,staged-changes,working-tree-changes,branch} # Check mode, default is 'working-tree-changes' -# dry_run=true # Do not check, run dry run only, default is 'false' -# BRANCH_NAME=other-branch-than-main # Branch to compare with, default is `origin/main` -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is `false` -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# The `check` parameter controls which files are checked, so you can -# limit the scope of the check according to what is appropriate at the -# point the check is being applied. -# -# check=all: check all files in the repository -# check=staged-changes: check only files staged for commit. -# check=working-tree-changes: check modified, unstaged files. This is the default. -# check=branch: check for all changes since branching from $BRANCH_NAME -# -# Notes: -# Please make sure to enable EditorConfig linting in your IDE. For the -# Visual Studio Code editor it is `editorconfig.editorconfig` that is already -# specified in the `./.vscode/extensions.json` file.
- -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - # shellcheck disable=SC2154 - is-arg-true "${dry_run:-false}" && dry_run_opt="--dry-run" - - check=${check:-working-tree-changes} - case $check in - "all") - filter="git ls-files" - ;; - "staged-changes") - filter="git diff --diff-filter=ACMRT --name-only --cached" - ;; - "working-tree-changes") - filter="git diff --diff-filter=ACMRT --name-only" - ;; - "branch") - filter="git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main}" - ;; - *) - echo "Unrecognised check mode: $check" >&2 && exit 1 - ;; - esac - - if command -v editorconfig > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-natively - else - filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-in-docker - fi -} - -# Run editorconfig natively. -# Arguments (provided as environment variables): -# dry_run_opt=[dry run option] -# filter=[git command to filter the files to check] -function run-editorconfig-natively() { - - # shellcheck disable=SC2046,SC2086 - editorconfig \ - --exclude '.git/' $dry_run_opt $($filter) -} - -# Run editorconfig in a Docker container. -# Arguments (provided as environment variables): -# dry_run_opt=[dry run option] -# filter=[git command to filter the files to check] -function run-editorconfig-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=mstruebing/editorconfig-checker docker-get-image-version-and-pull) - # We use /dev/null here as a backstop in case there are no files in the state - # we choose. If the filter comes back empty, adding `/dev/null` onto it has - # the effect of preventing `ec` from treating "no files" as "all the files". 
- docker run --rm --platform linux/amd64 \ - --volume "$PWD":/check \ - "$image" \ - sh -c "ec --exclude '.git/' $dry_run_opt \$($filter) /dev/null" -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0
diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh
deleted file mode 100755
index 698df4a5..00000000
--- a/scripts/githooks/check-markdown-format.sh
+++ /dev/null
@@ -1,109 +0,0 @@
-#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check the Markdown file formatting rules compliance -# over changed files. This is a markdownlint command wrapper. It will run -# markdownlint natively if it is installed, otherwise it will run it in a Docker -# container. -# -# Usage: -# $ [options] ./check-markdown-format.sh -# -# Options: -# check={all,staged-changes,working-tree-changes,branch} # Check mode, default is 'working-tree-changes' -# BRANCH_NAME=other-branch-than-main # Branch to compare with, default is `origin/main` -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is `false` -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# Notes: -# 1) Please make sure to enable Markdown linting in your IDE. For the Visual -# Studio Code editor it is `davidanson.vscode-markdownlint` that is already -# specified in the `./.vscode/extensions.json` file.
-# 2) To see the full list of the rules, please visit -# https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - check=${check:-working-tree-changes} - case $check in - "all") - files="$(find ./ -type f -name "*.md")" - ;; - "staged-changes") - files="$(git diff --diff-filter=ACMRT --name-only --cached "*.md")" - ;; - "working-tree-changes") - files="$(git diff --diff-filter=ACMRT --name-only "*.md")" - ;; - "branch") - files="$( (git diff --diff-filter=ACMRT --name-only "${BRANCH_NAME:-origin/main}" "*.md"; git diff --name-only "*.md") | sort | uniq )" - ;; - esac - - if [ -n "$files" ]; then - if command -v markdownlint > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - files="$files" run-markdownlint-natively - else - files="$files" run-markdownlint-in-docker - fi - fi -} - -# Run markdownlint natively. -# Arguments (provided as environment variables): -# files=[files to check] -function run-markdownlint-natively() { - - # shellcheck disable=SC2086 - markdownlint \ - $files \ - --config "$PWD/scripts/config/markdownlint.yaml" -} - -# Run markdownlint in a Docker container. 
-# Arguments (provided as environment variables): -# files=[files to check] -function run-markdownlint-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=ghcr.io/igorshubovych/markdownlint-cli docker-get-image-version-and-pull) - # shellcheck disable=SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD":/workdir \ - "$image" \ - $files \ - --config /workdir/scripts/config/markdownlint.yaml -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0
diff --git a/scripts/githooks/check-terraform-format.sh b/scripts/githooks/check-terraform-format.sh
deleted file mode 100755
index 7255e512..00000000
--- a/scripts/githooks/check-terraform-format.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/bash - -# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check format Terraform code. -# -# Usage: -# $ [options] ./check-terraform-format.sh -# -# Options: -# check_only=true # Do not format, run check only, default is 'false' -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is 'false' - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - local check_only=${check_only:-false} - check_only=$check_only terraform-fmt -} - -# Format Terraform files. -# Arguments (provided as environment variables): -# check_only=[do not format, run check only] -function terraform-fmt() { - - local opts= - if is-arg-true "$check_only"; then - opts="-check" - fi - opts=$opts make terraform-fmt -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0
diff --git a/scripts/githooks/scan-secrets.sh b/scripts/githooks/scan-secrets.sh
deleted file mode 100755
index 06155b8a..00000000
--- a/scripts/githooks/scan-secrets.sh
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to scan for secrets hard-coded in the codebase. This is a -# gitleaks command wrapper. It will run gitleaks natively if it is installed, -# otherwise it will run it in a Docker container. -# -# Usage: -# $ [options] ./scan-secrets.sh -# -# Options: -# check={whole-history,last-commit,staged-changes} # Type of the check to run, default is 'staged-changes' -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is 'false' -# -# Exit codes: -# 0 - No leaks present -# 1 - Leaks or error encountered -# 126 - Unknown flag - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - if command -v gitleaks > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - dir="$PWD" - cmd="$(get-cmd-to-run)" run-gitleaks-natively - else - dir="/workdir" - cmd="$(get-cmd-to-run)" run-gitleaks-in-docker - fi -} - -# Get Gitleaks command to execute and configuration.
-# Arguments (provided as environment variables): -# dir=[project's top-level directory] -function get-cmd-to-run() { - - check=${check:-staged-changes} - case $check in - "whole-history") - cmd="detect --source $dir --verbose --redact" - ;; - "last-commit") - cmd="detect --source $dir --verbose --redact --log-opts -1" - ;; - "staged-changes") - cmd="protect --source $dir --verbose --staged" - ;; - esac - # Include base line file if it exists - if [ -f "$dir/scripts/config/.gitleaks-baseline.json" ]; then - cmd="$cmd --baseline-path $dir/scripts/config/.gitleaks-baseline.json" - fi - # Include the config file - cmd="$cmd --config $dir/scripts/config/gitleaks.toml" - - echo "$cmd" -} - -# Run Gitleaks natively. -# Arguments (provided as environment variables): -# cmd=[command to run] -function run-gitleaks-natively() { - - # shellcheck disable=SC2086 - gitleaks $cmd -} - -# Run Gitleaks in a Docker container. -# Arguments (provided as environment variables): -# cmd=[command to run] -# dir=[directory to mount as a volume] -function run-gitleaks-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=ghcr.io/gitleaks/gitleaks docker-get-image-version-and-pull) - # shellcheck disable=SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD:$dir" \ - --workdir $dir \ - "$image" \ - $cmd -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0