Fixed more sonar issues

.github/scripts/dispatch_internal_repo_workflow.sh

@@ -34,6 +34,9 @@
 
 set -e
 
+readonly GH_ACCEPT_HEADER="Accept: application/vnd.github+json"
+readonly GH_API_VERSION_HEADER="X-GitHub-Api-Version: 2022-11-28"
+
 usage() {
   cat >&2 <<'EOF'
 Usage:
@@ -171,16 +174,16 @@ signature=$(
 JWT="${header_payload}"."${signature}"
 
 INSTALLATION_ID=$(curl -X GET \
-    -H "Accept: application/vnd.github+json" \
+    -H "${GH_ACCEPT_HEADER}" \
     -H "Authorization: Bearer ${JWT}" \
-    -H "X-GitHub-Api-Version: 2022-11-28" \
+    -H "${GH_API_VERSION_HEADER}" \
     --url "https://api.github.com/app/installations" | jq -r '.[0].id')
 
 PR_TRIGGER_PAT=$(curl --request POST \
   --url "https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens" \
-  -H "Accept: application/vnd.github+json" \
+  -H "${GH_ACCEPT_HEADER}" \
   -H "Authorization: Bearer ${JWT}" \
-  -H "X-GitHub-Api-Version: 2022-11-28" | jq -r '.token')
+  -H "${GH_API_VERSION_HEADER}" | jq -r '.token')
 
 # Set default values if not provided
 if [[ -z "$PR_TRIGGER_PAT" ]]; then
@@ -243,9 +246,9 @@ echo "[INFO] Triggering workflow '$targetWorkflow' in nhs-notify-internal..."
 trigger_response=$(curl -s -L \
   --fail \
   -X POST \
-  -H "Accept: application/vnd.github+json" \
+  -H "${GH_ACCEPT_HEADER}" \
   -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
+  -H "${GH_API_VERSION_HEADER}" \
   "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/$targetWorkflow/dispatches" \
   -d "$DISPATCH_EVENT" 2>&1)
 
@@ -264,9 +267,9 @@ workflow_run_url=""
 for _ in {1..18}; do
 
   response=$(curl -s -L \
-    -H "Accept: application/vnd.github+json" \
+    -H "${GH_ACCEPT_HEADER}" \
     -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \
-    -H "X-GitHub-Api-Version: 2022-11-28" \
+    -H "${GH_API_VERSION_HEADER}" \
     "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs?event=workflow_dispatch")
 
   if ! echo "$response" | jq empty 2>/dev/null; then
@@ -318,7 +321,7 @@ while true; do
   sleep 10
   response=$(curl -s -L \
     -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \
-    -H "Accept: application/vnd.github+json" \
+    -H "${GH_ACCEPT_HEADER}" \
     "$workflow_run_url")
 
   status=$(echo "$response" | jq -r '.status')

.github/workflows/cicd-3-deploy.yaml

@@ -18,8 +18,6 @@ on:
 run-name: "Include prerelease: ${{ inputs.include_prereleases }} Version: ${{ inputs.version }} by @${{ github.actor }}"
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 jobs:
   metadata:
@@ -66,6 +64,10 @@ jobs:
           make list-variables
 
   deploy-jekyll:
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

docs/assets/js/nhs-notify.js

@@ -1,20 +1,20 @@
 // Quick poc for view full screen
 
-window.addEventListener("load", (event) => {
-  var fullScreenParamName = "fullscreen";
-  var urlParams = new URLSearchParams(document.location.search);
-  var param = urlParams.get(fullScreenParamName);
+window.addEventListener("load", () => {
+  const fullScreenParamName = "fullscreen";
+  const urlParams = new URLSearchParams(document.location.search);
+  const param = urlParams.get(fullScreenParamName);
   if (param) {
     tempViewFullScreen();
   } else {
     setViewAtStart();
   }
 });
 
-let nhsNotify = nhsNotifyDefaults();
+const nhsNotify = nhsNotifyDefaults();
 
 function nhsNotifyDefaults() {
-  var defaults = {};
+  const defaults = {};
   defaults.storageName = "cb-checked";
   defaults.buttonName = "fullScreenButton";
   defaults.standard = "Standard";
@@ -24,16 +24,16 @@ function nhsNotifyDefaults() {
 
 function tempViewFullScreen() {
   viewFullScreen();
-  var buttons = document.getElementsByName(nhsNotify.buttonName);
+  const buttons = document.getElementsByName(nhsNotify.buttonName);
   buttons.forEach((item) => {
     item.style.display = "none";
   });
 }
 
 function viewFullScreen() {
-  var sideBar = document.getElementsByClassName("side-bar")[0];
-  var main = document.getElementsByClassName("main")[0];
-  var pageInfo = document.getElementsByClassName("page-info")[0];
+  const sideBar = document.getElementsByClassName("side-bar")[0];
+  const main = document.getElementsByClassName("main")[0];
+  const pageInfo = document.getElementsByClassName("page-info")[0];
   sideBar.style.display = "none";
   main.style.maxWidth = "100%";
   main.style.marginLeft = "0px";
@@ -45,9 +45,9 @@ function setFullScreen() {
 }
 
 function setStandard() {
-  var sideBar = document.getElementsByClassName("side-bar")[0];
-  var main = document.getElementsByClassName("main")[0];
-  var pageInfo = document.getElementsByClassName("page-info")[0];
+  const sideBar = document.getElementsByClassName("side-bar")[0];
+  const main = document.getElementsByClassName("main")[0];
+  const pageInfo = document.getElementsByClassName("page-info")[0];
   sideBar.style.display = "";
   main.style.maxWidth = "";
   main.style.marginLeft = "";
@@ -56,7 +56,7 @@ function setStandard() {
 }
 
 function setViewAtStart() {
-  var currentStatus = localStorage.getItem(nhsNotify.storageName);
+  const currentStatus = localStorage.getItem(nhsNotify.storageName);
   if (currentStatus == nhsNotify.fullScreen) makeChange(currentStatus);
 }
 
@@ -69,41 +69,27 @@ function makeChange(newStatus) {
 }
 
 function afterChange(currentStatus, newStatus) {
-  var storageName = nhsNotify.storageName;
-  var buttonName = nhsNotify.buttonName;
-  var buttons = document.getElementsByName(buttonName);
-  localStorage.setItem(storageName, newStatus);
+  const buttons = document.getElementsByName(nhsNotify.buttonName);
+  localStorage.setItem(nhsNotify.storageName, newStatus);
 
   buttons.forEach((item) => {
     item.textContent = currentStatus + " View";
   });
 }
 
 function fullScreenToggle() {
-  var standard = nhsNotify.standard;
-  var fullScreen = nhsNotify.fullScreen;
-  var storageName = nhsNotify.storageName;
-  var currentStatus = "";
-  var newStatus = "";
-
-  currentStatus = localStorage.getItem(storageName);
+  const { standard, fullScreen, storageName } = nhsNotify;
+  let currentStatus = localStorage.getItem(storageName);
 
   if (
     currentStatus == "false" ||
     currentStatus == "undefined" ||
     currentStatus == null
   ) {
     currentStatus = standard;
-    newStatus = fullScreen;
   }
 
-  if (currentStatus == standard) {
-    newStatus = fullScreen;
-    currentStatus = standard;
-  } else {
-    newStatus = standard;
-    currentStatus = fullScreen;
-  }
+  const newStatus = currentStatus == standard ? fullScreen : standard;
 
   makeChange(newStatus);
 }

scripts/docker/dgoss.sh

@@ -18,7 +18,8 @@ info() {
     return 0
 }
 error() {
-    echo -e "ERROR: $*" >&2;
+    local message="$*";
+    echo -e "ERROR: $message" >&2;
     exit 1;
 }
 
@@ -98,7 +99,8 @@ GOSS_SLEEP=${GOSS_SLEEP:-0.2}
 
 [[ $CONTAINER_RUNTIME =~ ^(docker|podman)$ ]] || { error "Runtime must be one of docker or podman"; }
 
-case "$1" in
+readonly command="$1"
+case "$command" in
     run)
         run "$@"
         if [[ -e "${GOSS_FILES_PATH}/goss_wait.yaml" ]]; then

scripts/docker/docker.lib.sh

@@ -189,7 +189,7 @@ function docker-get-image-version-and-pull() {
   local version="latest"
   if [[ -f "$versions_file"  ]]; then
     line=$(grep "docker/${name} " "$versions_file" | sed "s/^#\s*//; s/\s*#.*$//" | grep "${match_version:-".*"}")
-    [ -n "$line" ] && version=$(echo "$line" | awk '{print $2}')
+    [[ -n "$line" ]] && version=$(echo "$line" | awk '{print $2}')
   fi
 
   # Split the image version into two, tag name and digest sha256.
@@ -250,7 +250,7 @@ function _replace-image-latest-by-specific-version() {
     # First, list the entries specific for Docker to take precedence, then the rest but exclude comments
     content=$(grep " docker/" "$versions_file"; grep -v " docker/" "$versions_file" ||: | grep -v "^#")
     echo "$content" | while IFS= read -r line; do
-      [ -z "$line" ] && continue
+      [[ -z "$line" ]] && continue
       line=$(echo "$line" | sed "s/^#\s*//; s/\s*#.*$//" | sed "s;docker/;;")
       name=$(echo "$line" | awk '{print $1}')
       version=$(echo "$line" | awk '{print $2}')

scripts/githooks/check-markdown-format.sh

@@ -49,6 +49,10 @@ function main() {
     "branch")
       files="$( (git diff --diff-filter=ACMRT --name-only "${BRANCH_NAME:-origin/main}" "*.md"; git diff --name-only "*.md") | sort | uniq )"
       ;;
+    *)
+      echo "Unknown check mode: $check" >&2
+      return 1
+      ;;
   esac
 
   if [[ -n "$files" ]] && command -v markdownlint > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then

scripts/githooks/scan-secrets.sh

@@ -54,6 +54,10 @@ function get-cmd-to-run() {
     "staged-changes")
       cmd="protect --source $dir --verbose --staged"
       ;;
+    *)
+      echo "Unknown check mode: $check" >&2
+      return 1
+      ;;
   esac
   # Include base line file if it exists
   if [[ -f "$dir/scripts/config/.gitleaks-baseline.json"  ]]; then

scripts/shellscript-linter.sh

@@ -21,7 +21,7 @@ function main() {
 
   cd "$(git rev-parse --show-toplevel)"
 
-  [ -z "${file:-}" ] && echo "WARNING: 'file' variable not set, defaulting to itself"
+  [[ -z "${file:-}" ]] && echo "WARNING: 'file' variable not set, defaulting to itself"
   local file=${file:-scripts/shellscript-linter.sh}
   if command -v shellcheck > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
     file="$file" run-shellcheck-natively

scripts/terraform/terraform.sh

@@ -27,6 +27,8 @@ function main() {
   else
     cmd=$cmd run-terraform-in-docker
   fi
+
+  return 0
 }
 
 # Run Terraform natively.
@@ -36,6 +38,8 @@ function run-terraform-natively() {
 
   # shellcheck disable=SC2086
   terraform $cmd
+
+  return 0
 }
 
 # Run Terraform in a Docker container.
@@ -54,13 +58,16 @@ function run-terraform-in-docker() {
     --workdir /workdir \
     "$image" \
       $cmd
+
+  return 0
 }
 
 # ==============================================================================
 
 function is-arg-true() {
+  local arg="$1"
 
-  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+  if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
     return 0
   else
     return 1

scripts/terraform/trivy-scan.sh

@@ -28,38 +28,36 @@ function main() {
   local dir_to_scan="."
 
   while [[ $# -gt 0 ]]; do
-    local current_arg="$1"
-    case "$current_arg" in
+    local arg="$1"
+    case "$arg" in
       --mode|-m)
         if [[ $# -lt 2 ]]; then
           echo "Error: --mode requires an argument." >&2
           usage
           exit 1
         fi
-        local mode_arg="$2"
-        scan_mode="$mode_arg"
+        scan_mode="$2"
         shift 2
-          exit 0
-          ;;
-        --)
-          shift
-          break
-          ;;
-        -*)
         ;;
-          usage
-          exit 1
-          ;;
-        *)
-          dir_to_scan="$current_arg"
-          shift
       --help|-h)
-      dir_to_scan="$trailing_arg"
+        usage
+        exit 0
+        ;;
+      --)
+        shift
+        break
+        ;;
+      -*)
+        echo "Unknown option: $arg" >&2
+        usage
+        exit 1
+        ;;
+      *)
+        dir_to_scan="$arg"
         shift
         ;;
     esac
-      local trailing_arg="$1"
-      dir_to_scan="$trailing_arg"
+  done
 
   if [[ $# -gt 0 ]]; then
     dir_to_scan="$1"