From 01b05dd6fef8745ab915f7375e18a6a2560c866c Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Wed, 6 May 2026 17:06:40 +0100 Subject: [PATCH 01/20] CCM-17346: Move To Shared Modules Model --- .github/workflows/cicd-4-pr-title-check.yaml | 20 +++ .github/workflows/stage-1-commit.yaml | 20 +-- .github/workflows/stage-2-test.yaml | 121 ++----------------- .github/workflows/stage-3-build.yaml | 2 +- 4 files changed, 40 insertions(+), 123 deletions(-) create mode 100644 .github/workflows/cicd-4-pr-title-check.yaml diff --git a/.github/workflows/cicd-4-pr-title-check.yaml b/.github/workflows/cicd-4-pr-title-check.yaml new file mode 100644 index 00000000..5b42a8f1 --- /dev/null +++ b/.github/workflows/cicd-4-pr-title-check.yaml @@ -0,0 +1,20 @@ +name: "4. PR Title Check" + +on: + pull_request: + types: [opened, reopened, synchronize, edited] + branches: + - main + +permissions: + contents: read + +jobs: + check-pr-title: + name: "Check PR title" + runs-on: ubuntu-latest + steps: + - name: "Check PR title format" + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-pr-title-format@4e781d1d72739015821a380871aa5a66d070177c # 3.1.0 + with: + title: ${{ github.event.pull_request.title }} diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 20ecbc9b..08197561 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -52,7 +52,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" - uses: ./.github/actions/scan-secrets + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.0 check-file-format: name: "Check file format" runs-on: ubuntu-latest 
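Review bot: `title: ${{ github.event.pull_request.title }}` passes a value that any pull-request author controls into the shared action, and on a `pull_request` trigger that includes fork authors, so how `check-pr-title-format` consumes the input matters: it is safe if the pinned action reads `inputs.title` through an `env:` mapping, and a script-injection sink if it interpolates the expression straight into a `run:` step, which cannot be confirmed from this patch. I would record the expectation on the step, `# PR title is user-controlled; the pinned action must read it via env, never inline in a run script`, and re-check it whenever the pin is bumped. Pinning to the full commit SHA with the `# 3.1.0` version comment is the right pattern here and is the one the other `uses:` lines in this series should follow.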
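Review bot: `uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.0` pins a cross-repository action to a mutable tag, while the same commit pins `check-pr-title-format` to a full SHA and the surrounding `actions/checkout` line is SHA-pinned; a tag can be moved, so the secret-scanning job's supply-chain guarantee is weaker after this change than before it. The same tag pin is used on every replaced `uses:` line in stage-1-commit.yaml, in the `perform-static-analysis` hunk of stage-2-test.yaml and in the `build-docs` hunk of stage-3-build.yaml, and each should become `uses: NHSDigital/nhs-notify-shared-modules/.github/actions/<action>@<FULL-COMMIT-SHA> # 3.0.0`. The local action being replaced forced `check=whole-history` for the scanner; whether the shared action scans the full history is not visible here and is worth confirming, since the `fetch-depth: 0` context above this hunk exists only for that purpose.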
@@ -63,7 +63,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" - uses: ./.github/actions/check-file-format + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.0.0 check-markdown-format: name: "Check Markdown format" runs-on: ubuntu-latest @@ -74,7 +74,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" - uses: ./.github/actions/check-markdown-format + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.0.0 terraform-docs: name: "Run terraform-docs" runs-on: ubuntu-latest @@ -109,7 +109,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" - uses: ./.github/actions/check-english-usage + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.0.0 check-todo-usage: name: "Check TODO usage" runs-on: ubuntu-latest @@ -120,7 +120,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check TODO usage" - uses: ./.github/actions/check-todo-usage + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@3.0.0 detect-terraform-changes: name: "Detect Terraform Changes" runs-on: ubuntu-latest @@ -156,7 +156,7 @@ jobs: - name: "Setup ASDF" uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 - name: "Lint Terraform" - uses: ./.github/actions/lint-terraform + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/lint-terraform@3.0.0 #TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 # trivy-iac: # name: "Trivy IaC Scan" 
@@ -172,7 +172,7 @@ jobs: # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # - name: "Trivy IaC Scan" - # uses: ./.github/actions/trivy-iac + # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-iac@3.0.0 # trivy-package: # if: ${{ !inputs.skip_trivy_package }} # name: "Trivy Package Scan" @@ -186,7 +186,7 @@ jobs: # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # - name: "Trivy Package Scan" - # uses: ./.github/actions/trivy-package + # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-package@3.0.0 count-lines-of-code: name: "Count lines of code" runs-on: ubuntu-latest @@ -198,7 +198,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "Count lines of code" - uses: ./.github/actions/create-lines-of-code-report + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.0 with: build_datetime: "${{ inputs.build_datetime }}" build_timestamp: "${{ inputs.build_timestamp }}" @@ -217,7 +217,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "Scan dependencies" - uses: ./.github/actions/scan-dependencies + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.0 with: build_datetime: "${{ inputs.build_datetime }}" build_timestamp: "${{ inputs.build_timestamp }}" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index 44cfa6ca..734a5314 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml 
@@ -19,10 +19,6 @@ on: description: "Node.js version, set by the CI/CD pipeline workflow" required: true type: string - pnpm_version: - description: "pnpm version, set by the CI/CD pipeline workflow" - required: true - type: string python_version: description: "Python version, set by the CI/CD pipeline workflow" required: true 
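Review bot: Dropping `pnpm_version` from what appears to be this reusable workflow's `workflow_call` inputs will make any caller that still forwards `pnpm_version:` fail at workflow validation, and stage-3-build.yaml in this same series still declares and uses that input, which suggests the calling pipeline workflow (not in this patch) still passes it. If the caller is updated in a separate commit the removal should land together with it; otherwise keep the input declared as `pnpm_version:` / `  required: false` / `  type: string` until the pnpm steps are genuinely gone from the pipeline. The `on:` mapping this hunk edits starts outside the hunk.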
@@ -36,128 +32,33 @@ on: required: true type: string -env: - AWS_REGION: eu-west-2 - TERM: xterm-256color - -permissions: - contents: read # This is required for actions/checkout - jobs: - check-generated-dependencies: - name: "Check generated dependencies" - runs-on: ubuntu-latest - timeout-minutes: 5 - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - name: "Setup pnpm" - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 - with: - version: "${{ inputs.pnpm_version }}" - cache: true - - name: "Use Node.js" - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 - with: - node-version-file: '.tool-versions' - cache: 'pnpm' - - name: "Repo setup" - run: | - pnpm install --frozen-lockfile - - name: "Generate dependencies" - run: | - pnpm run generate-dependencies - git diff --exit-code test-unit: name: "Unit tests" runs-on: ubuntu-latest timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - name: "Setup pnpm" - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 - with: - version: "${{ inputs.pnpm_version }}" - cache: true - - name: "Use Node.js" - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 - with: - node-version-file: '.tool-versions' - cache: 'pnpm' - - name: "Repo setup" - run: | - pnpm install --frozen-lockfile - - name: "Generate dependencies" - run: | - pnpm run generate-dependencies + uses: actions/checkout@v4 - name: "Run unit test suite" run: | make test-unit - name: "Save the result of fast test suite" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 - with: - name: unit-tests - path: "**/.reports/unit" - include-hidden-files: true - if: always() - - name: "Save the result of code coverage" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 - with: - name: code-coverage-report - 
path: ".reports/lcov.info" + run: | + echo "Nothing to save" test-lint: name: "Linting" runs-on: ubuntu-latest timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - name: "Setup pnpm" - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 - with: - version: "${{ inputs.pnpm_version }}" - cache: true - - name: "Use Node.js" - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 - with: - node-version-file: '.tool-versions' - cache: 'pnpm' - - name: "Repo setup" - run: | - pnpm install --frozen-lockfile - - name: "Generate dependencies" - run: | - pnpm run generate-dependencies + uses: actions/checkout@v4 - name: "Run linting" run: | make test-lint - test-typecheck: - name: "Typecheck" - runs-on: ubuntu-latest - timeout-minutes: 5 - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - name: "Setup pnpm" - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 - with: - version: "${{ inputs.pnpm_version }}" - cache: true - - name: "Use Node.js" - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 - with: - node-version-file: '.tool-versions' - cache: 'pnpm' - - name: "Repo setup" + - name: "Save the linting result" run: | - pnpm install --frozen-lockfile - - name: "Generate dependencies" - run: | - pnpm run generate-dependencies - - name: "Run typecheck" - run: | - make test-typecheck + echo "Nothing to save" test-coverage: name: "Test coverage" needs: [test-unit] @@ -165,7 +66,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@v4 - name: "Run test coverage check" run: | make test-coverage 
@@ -182,15 +83,11 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@v4 with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - - name: "Download coverage report for SONAR" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 - with: - name: code-coverage-report - name: "Perform static analysis" - uses: ./.github/actions/perform-static-analysis + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/perform-static-analysis@3.0.0 with: sonar_organisation_key: "${{ vars.SONAR_ORGANISATION_KEY }}" sonar_project_key: "${{ vars.SONAR_PROJECT_KEY }}" diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index 3d80be32..3c5d5674 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -50,7 +50,7 @@ jobs: version: "${{ inputs.pnpm_version }}" cache: true - name: "Build docs" - uses: ./.github/actions/build-docs + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/build-docs@3.0.0 with: version: "${{ inputs.version }}" artefact-1: From 35aa2020c522d00f2a14ce591f4c51b93576e587 Mon Sep 17 00:00:00 2001 
From: damientobin1 Date: Wed, 6 May 2026 18:13:25 +0100 Subject: [PATCH 02/20] CCM-17346: Add Shared Modules --- .gitattributes | 1 - .../actions/check-english-usage/action.yaml | 10 -- .github/actions/check-file-format/action.yaml | 10 -- .../actions/check-markdown-format/action.yaml | 10 -- .../create-lines-of-code-report/action.yaml | 68 --------- .github/actions/lint-terraform/action.yaml | 22 --- .../perform-static-analysis/action.yaml | 36 ----- .github/actions/scan-dependencies/action.yaml | 87 ------------ .github/actions/scan-secrets/action.yaml | 10 -- .github/dependabot.yaml | 12 +- .../manual-combine-dependabot-prs.yaml | 4 +- .../scheduled-repository-template-sync.yaml | 2 +- docs/developer-guides/Scripting_Terraform.md | 40 ++---- docs/user-guides/Perform_static_analysis.md | 26 +--- docs/user-guides/Run_Git_hooks_on_commit.md | 29 +--- docs/user-guides/Scan_dependencies.md | 16 +-- docs/user-guides/Scan_secrets.md | 19 +-- scripts/config/check-todos-ignore.conf | 20 +++ scripts/config/pre-commit.yaml | 55 ++------ scripts/githooks/check-english-usage.sh | 115 --------------- scripts/githooks/check-file-format.sh | 131 ------------------ scripts/githooks/check-markdown-format.sh | 114 --------------- scripts/githooks/check-terraform-format.sh | 61 -------- scripts/githooks/scan-secrets.sh | 120 ---------------- scripts/tests/style.sh | 3 +- 25 files changed, 76 insertions(+), 945 deletions(-) delete mode 100644 .github/actions/check-english-usage/action.yaml delete mode 100644 .github/actions/check-file-format/action.yaml delete mode 100644 .github/actions/check-markdown-format/action.yaml delete mode 100644 .github/actions/create-lines-of-code-report/action.yaml delete mode 100644 .github/actions/lint-terraform/action.yaml delete mode 100644 .github/actions/perform-static-analysis/action.yaml delete mode 100644 .github/actions/scan-dependencies/action.yaml delete mode 100644 .github/actions/scan-secrets/action.yaml create mode 100644 
scripts/config/check-todos-ignore.conf delete mode 100755 scripts/githooks/check-english-usage.sh delete mode 100755 scripts/githooks/check-file-format.sh delete mode 100755 scripts/githooks/check-markdown-format.sh delete mode 100755 scripts/githooks/check-terraform-format.sh delete mode 100755 scripts/githooks/scan-secrets.sh diff --git a/.gitattributes b/.gitattributes index 1f160080..c3f9b915 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,5 +1,4 @@ scripts/docker/** linguist-vendored -scripts/githooks/** linguist-vendored scripts/reports/** linguist-vendored scripts/terraform/** linguist-vendored scripts/tests/test.mk linguist-vendored diff --git a/.github/actions/check-english-usage/action.yaml b/.github/actions/check-english-usage/action.yaml deleted file mode 100644 index 9953bcc7..00000000 --- a/.github/actions/check-english-usage/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Check English usage" -description: "Check English usage" -runs: - using: "composite" - steps: - - name: "Check English usage" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-english-usage.sh diff --git a/.github/actions/check-file-format/action.yaml b/.github/actions/check-file-format/action.yaml deleted file mode 100644 index bd0929a8..00000000 --- a/.github/actions/check-file-format/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Check file format" -description: "Check file format" -runs: - using: "composite" - steps: - - name: "Check file format" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-file-format.sh diff --git a/.github/actions/check-markdown-format/action.yaml b/.github/actions/check-markdown-format/action.yaml deleted file mode 100644 index 53a715b4..00000000 --- a/.github/actions/check-markdown-format/action.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -name: "Check Markdown format" -description: "Check Markdown format" -runs: - using: "composite" - steps: - - name: "Check Markdown format" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-markdown-format.sh diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml deleted file mode 100644 index 6e9eada5..00000000 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -name: "Count lines of code" -description: "Count lines of code" -inputs: - build_datetime: - description: "Build datetime, set by the CI/CD pipeline workflow" - required: true - build_timestamp: - description: "Build timestamp, set by the CI/CD pipeline workflow" - required: true - idp_aws_report_upload_account_id: - description: "IDP AWS account ID" - required: true - idp_aws_report_upload_region: - description: "IDP AWS account region" - required: true - idp_aws_report_upload_role_name: - description: "Role to upload the report" - required: true - idp_aws_report_upload_bucket_endpoint: - description: "Bucket endpoint for the report" - required: true -runs: - using: "composite" - steps: - - name: "Create CLOC report" - shell: bash - env: - BUILD_DATETIME: ${{ inputs.build_datetime }} - run: | - ./scripts/reports/create-lines-of-code-report.sh - - name: "Compress CLOC report" - shell: bash - run: zip lines-of-code-report.json.zip lines-of-code-report.json - - name: "Upload CLOC report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 - with: - name: lines-of-code-report.json.zip - path: ./lines-of-code-report.json.zip - retention-days: 21 - - name: "Check prerequisites for sending the report" - shell: bash - id: check - env: - ROLE_NAME: ${{ inputs.idp_aws_report_upload_role_name }} - BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }} - run: | - if [[ -n "$ROLE_NAME" && -n "$BUCKET_ENDPOINT" ]]; then - echo "secrets_exist=true" >> "$GITHUB_OUTPUT" - else - echo "secrets_exist=false" >> "$GITHUB_OUTPUT" - fi - - name: "Authenticate to send the report" - if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 - with: - role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} - aws-region: ${{ 
inputs.idp_aws_report_upload_region }} - - name: "Send the CLOC report to the central location" - shell: bash - if: steps.check.outputs.secrets_exist == 'true' - env: - BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }} - BUILD_TIMESTAMP: ${{ inputs.build_timestamp }} - run: | - aws s3 cp \ - ./lines-of-code-report.json.zip \ - "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-lines-of-code-report.json.zip" diff --git a/.github/actions/lint-terraform/action.yaml b/.github/actions/lint-terraform/action.yaml deleted file mode 100644 index 6957a037..00000000 --- a/.github/actions/lint-terraform/action.yaml +++ /dev/null @@ -1,22 +0,0 @@ -name: "Lint Terraform" -description: "Lint Terraform" -inputs: - root-modules: - description: "Comma separated list of root module directories to validate, content of the 'infrastructure/environments' is checked by default" - required: false -runs: - using: "composite" - steps: - - name: "Install Terraform binary" - shell: bash - run: | - asdf plugin add terraform || true - asdf install terraform || true - - name: "Check Terraform format" - shell: bash - run: | - check_only=true scripts/githooks/check-terraform-format.sh - - name: "Validate Terraform" - shell: bash - run: | - make terraform-validate-all diff --git a/.github/actions/perform-static-analysis/action.yaml b/.github/actions/perform-static-analysis/action.yaml deleted file mode 100644 index a5e6e2e5..00000000 --- a/.github/actions/perform-static-analysis/action.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -name: "Perform static analysis" -description: "Perform static analysis" -inputs: - sonar_organisation_key: - description: "Sonar organisation key, used to identify the project" - required: false - sonar_project_key: - description: "Sonar project key, used to identify the project" - required: false - sonar_token: - description: "Sonar token, the API key" - required: false -runs: - using: "composite" - steps: - - name: "Check prerequisites for performing static analysis" - shell: bash - id: check - env: - SONAR_TOKEN: ${{ inputs.sonar_token }} - run: | - if [[ -n "$SONAR_TOKEN" ]]; then - echo "secret_exist=true" >> "$GITHUB_OUTPUT" - else - echo "secret_exist=false" >> "$GITHUB_OUTPUT" - fi - - name: "Perform static analysis" - shell: bash - if: steps.check.outputs.secret_exist == 'true' - env: - SONAR_ORGANISATION_KEY: ${{ inputs.sonar_organisation_key }} - SONAR_PROJECT_KEY: ${{ inputs.sonar_project_key }} - SONAR_TOKEN: ${{ inputs.sonar_token }} - run: | - export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')} - ./scripts/reports/perform-static-analysis.sh diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml deleted file mode 100644 index 99ef0cb0..00000000 --- a/.github/actions/scan-dependencies/action.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -name: "Scan dependencies" -description: "Scan dependencies" -inputs: - build_datetime: - description: "Build datetime, set by the CI/CD pipeline workflow" - required: true - build_timestamp: - description: "Build timestamp, set by the CI/CD pipeline workflow" - required: true - idp_aws_report_upload_account_id: - description: "IDP AWS report upload account ID to upload the report to" - required: false - idp_aws_report_upload_region: - description: "IDP AWS report upload account region to upload the report to" - required: false - idp_aws_report_upload_role_name: - description: "IDP AWS report upload role name for OIDC authentication" - required: false - idp_aws_report_upload_bucket_endpoint: - description: "IDP AWS report upload endpoint to upload the report to" - required: false -runs: - using: "composite" - steps: - - name: "Generate SBOM" - shell: bash - env: - BUILD_DATETIME: ${{ inputs.build_datetime }} - run: | - ./scripts/reports/create-sbom-report.sh - - name: "Compress SBOM report" - shell: bash - run: zip sbom-repository-report.json.zip sbom-repository-report.json - - name: "Upload SBOM report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 - with: - name: sbom-repository-report.json.zip - path: ./sbom-repository-report.json.zip - retention-days: 21 - - name: "Scan vulnerabilities" - shell: bash - env: - BUILD_DATETIME: ${{ inputs.build_datetime }} - run: | - ./scripts/reports/scan-vulnerabilities.sh - - name: "Compress vulnerabilities report" - shell: bash - run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - - name: "Upload vulnerabilities report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 - with: - name: vulnerabilities-repository-report.json.zip - path: ./vulnerabilities-repository-report.json.zip - retention-days: 21 - - name: "Check prerequisites for 
sending the reports" - shell: bash - id: check - env: - ROLE_NAME: ${{ inputs.idp_aws_report_upload_role_name }} - BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }} - run: | - if [[ -n "$ROLE_NAME" && -n "$BUCKET_ENDPOINT" ]]; then - echo "secrets_exist=true" >> "$GITHUB_OUTPUT" - else - echo "secrets_exist=false" >> "$GITHUB_OUTPUT" - fi - - name: "Authenticate to send the reports" - if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 - with: - role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} - aws-region: ${{ inputs.idp_aws_report_upload_region }} - - name: "Send the SBOM and vulnerabilities reports to the central location" - shell: bash - if: steps.check.outputs.secrets_exist == 'true' - env: - BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }} - BUILD_TIMESTAMP: ${{ inputs.build_timestamp }} - run: | - aws s3 cp \ - ./sbom-repository-report.json.zip \ - "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-sbom-repository-report.json.zip" - aws s3 cp \ - ./vulnerabilities-repository-report.json.zip \ - "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-vulnerabilities-repository-report.json.zip" diff --git a/.github/actions/scan-secrets/action.yaml b/.github/actions/scan-secrets/action.yaml deleted file mode 100644 index 1ed8bac2..00000000 --- a/.github/actions/scan-secrets/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Scan secrets" -description: "Scan secrets" -runs: - using: "composite" - steps: - - name: "Scan secrets" - shell: bash - run: | - # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten. - check=whole-history ./scripts/githooks/scan-secrets.sh diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 315c5c39..6d7cbd2a 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml 
@@ -6,23 +6,33 @@ updates: directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " - package-ecosystem: "github-actions" directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " - - package-ecosystem: "pnpm" + - package-ecosystem: "npm" directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " - package-ecosystem: "pip" directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " - package-ecosystem: "terraform" directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index 3e311ac5..8965f1d3 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -19,6 +19,6 @@ jobs: with: ci_required: false labels: dependencies - pr_title: Combined Dependabot PRs + pr_title: "CCM-9336: Combined Dependabot PRs" combine_branch_name: dependabotCombined - pr_body_header: Combined Dependabot PRs + pr_body_header: "CCM-9336: Combined Dependabot PRs" diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index 3bef6518..b2f47d75 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -26,7 +26,7 @@ jobs: - name: Run syncronisation script run: | - ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh + ./nhs-notify-repository-template/scripts/maintenance/sync-template-repo.sh rm -Rf ./nhs-notify-repository-template - name: Create Pull Request diff --git a/docs/developer-guides/Scripting_Terraform.md b/docs/developer-guides/Scripting_Terraform.md index 9bf63263..1fcace12 100644 --- a/docs/developer-guides/Scripting_Terraform.md +++ b/docs/developer-guides/Scripting_Terraform.md 
@@ -1,29 +1,17 @@ ---- -layout: page -title: Scripting Terraform -parent: Developer Guides -description: Scripting Terraform -summary: Scripting Terraform -is_not_draft: false -last_modified_date: 2024-05-28 -owner: Ross Buggins -author: Ross Buggins ---- - -## Developer Guide: Scripting Terraform +# Developer Guide: Scripting Terraform - [Developer Guide: Scripting Terraform](#developer-guide-scripting-terraform) -- [Overview](#overview) -- [Features](#features) -- [Key files](#key-files) -- [Usage](#usage) - - [Quick start](#quick-start) - - [Your stack implementation](#your-stack-implementation) -- [Conventions](#conventions) - - [Secrets](#secrets) - - [Variables](#variables) - - [IaC directory](#iac-directory) -- [FAQ](#faq) + - [Overview](#overview) + - [Features](#features) + - [Key files](#key-files) + - [Usage](#usage) + - [Quick start](#quick-start) + - [Your stack implementation](#your-stack-implementation) + - [Conventions](#conventions) + - [Secrets](#secrets) + - [Variables](#variables) + - [IaC directory](#iac-directory) + - [FAQ](#faq) ## Overview 
@@ -64,8 +52,8 @@ Here are some key features built into this repository's Terraform module: - Configuration - [`.tool-versions`](../../.tool-versions): Stores Terraform version to be used - Code quality gates - - [`lint-terraform/action.yaml`](../../.github/actions/lint-terraform/action.yaml): GitHub action - - [`check-terraform-format.sh`](../../scripts/githooks/check-terraform-format.sh): Git hook + - [`lint-terraform/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/lint-terraform/action.yaml): Shared GitHub action + - [`pre-commit.yaml`](../../scripts/config/pre-commit.yaml): Uses shared hooks including Terraform lint and docs checks - Usage example - Declarative infrastructure definition example [`terraform-state-aws-s3`](../../scripts/terraform/examples/terraform-state-aws-s3) to store Terraform state - A set of [make targets](https://github.com/nhs-england-tools/repository-template/blob/main/scripts/terraform/terraform.mk#L44) to run the example diff --git a/docs/user-guides/Perform_static_analysis.md b/docs/user-guides/Perform_static_analysis.md index 286dd957..2642f862 100644 --- a/docs/user-guides/Perform_static_analysis.md +++ b/docs/user-guides/Perform_static_analysis.md @@ -1,23 +1,11 @@ ---- -layout: page -title: Perform static analysis -parent: User Guides -description: Perform static analysis -summary: Perform static analysis -is_not_draft: false -last_modified_date: 2024-05-28 -owner: Ross Buggins -author: Ross Buggins ---- - -## Guide: Perform static analysis +# Guide: Perform static analysis - [Guide: Perform static analysis](#guide-perform-static-analysis) -- [Overview](#overview) -- [Key files](#key-files) -- [Setup](#setup) -- [Testing](#testing) -- [Configuration checklist](#configuration-checklist) + - [Overview](#overview) + - [Key files](#key-files) + - [Setup](#setup) + - [Testing](#testing) + - [Configuration checklist](#configuration-checklist) ## Overview 
@@ -29,7 +17,7 @@ Static code analysis is an essential part of modern software development. It pro - [perform-static-analysis.sh](../../scripts/reports/perform-static-analysis.sh): A shell script that performs analysis - [sonar-scanner.properties](../../scripts/config/sonar-scanner.properties): A configuration file that includes the project details -- [perform-static-analysis/action.yaml](../../.github/actions/perform-static-analysis/action.yaml): GitHub action to run the script as part of the CI/CD pipeline +- [perform-static-analysis/action.yaml](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/perform-static-analysis/action.yaml): Shared GitHub action used by the CI/CD pipeline - [.gitignore](../../.gitignore): Excludes the `.scannerwork` temporary directory created during the process ## Setup diff --git a/docs/user-guides/Run_Git_hooks_on_commit.md b/docs/user-guides/Run_Git_hooks_on_commit.md index 3dbb07d0..dc1ca569 100644 --- a/docs/user-guides/Run_Git_hooks_on_commit.md +++ b/docs/user-guides/Run_Git_hooks_on_commit.md 
@@ -1,38 +1,23 @@ ---- -layout: page -title: Run Git hooks on commit -parent: User Guides -description: Run Git hooks on commit -summary: Run Git hooks on commit -is_not_draft: false -last_modified_date: 2024-05-28 -owner: Ross Buggins -author: Ross Buggins ---- - -## Guide: Run Git hooks on commit +# Guide: Run Git hooks on commit - [Guide: Run Git hooks on commit](#guide-run-git-hooks-on-commit) -- [Overview](#overview) -- [Key files](#key-files) -- [Testing](#testing) + - [Overview](#overview) + - [Key files](#key-files) + - [Testing](#testing) ## Overview -Git hooks are scripts that are located in the [`./scripts/githooks`](../../scripts/githooks) directory. They are executed automatically on each commit, provided that the `make config` command has been run locally to set up the project. These same scripts are also part of the CI/CD pipeline execution. This setup serves as a safety net and helps to ensure consistency. +Git hooks are managed by the [pre-commit](https://pre-commit.com/) framework and sourced from the shared repository [NHSDigital/nhs-notify-shared-modules](https://github.com/NHSDigital/nhs-notify-shared-modules). They are executed automatically on each commit, provided that the `make config` command has been run locally to set up the project. The same checks are also part of the CI/CD pipeline execution. This setup serves as a safety net and helps to ensure consistency. The [pre-commit](https://pre-commit.com/) framework is a powerful tool for managing Git hooks, providing automated hook installation and management capabilities. 
## Key files -- Scripts - - [`check-file-format.sh`](../../scripts/githooks/check-file-format.sh) - - [`check-markdown-format.sh`](../../scripts/githooks/check-markdown-format.sh) - - [`check-terraform-format.sh`](../../scripts/githooks/check-terraform-format.sh) - - [`scan-secrets.sh`](../../scripts/githooks/scan-secrets.sh) - Configuration - [`pre-commit.yaml`](../../scripts/config/pre-commit.yaml) - [`init.mk`](../../scripts/init.mk): make targets +- Shared hooks source + - [`NHSDigital/nhs-notify-shared-modules`](https://github.com/NHSDigital/nhs-notify-shared-modules) ## Testing diff --git a/docs/user-guides/Scan_dependencies.md b/docs/user-guides/Scan_dependencies.md index a835eb07..44a79721 100644 --- a/docs/user-guides/Scan_dependencies.md +++ b/docs/user-guides/Scan_dependencies.md @@ -1,16 +1,4 @@ ---- -layout: page -title: Scan dependencies -parent: User Guides -description: Scan dependencies -summary: Scan dependencies -is_not_draft: false -last_modified_date: 2024-05-28 -owner: Ross Buggins -author: Ross Buggins ---- - -## Guide: Scan dependencies +# Guide: Scan dependencies - [Guide: Scan dependencies](#guide-scan-dependencies) - [Overview](#overview) 
@@ -31,7 +19,7 @@ In modern software development, leveraging third-party dependencies is a common - [`syft.yaml`](../../scripts/config/syft.yaml): A configuration file for the SBOM generator - [`scan-vulnerabilities.sh`](../../scripts/reports/scan-vulnerabilities.sh): A shell script that performs CVE analysis - [`grype.yaml`](../../scripts/config/grype.yaml): A configuration file for the CVE scanner -- [`scan-dependencies/action.yaml`](../../.github/actions/scan-dependencies/action.yaml): GitHub action to run the scripts as part of the CI/CD pipeline +- [`scan-dependencies/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/scan-dependencies/action.yaml): Shared GitHub action used by the CI/CD pipeline - [`.gitignore`](../../.gitignore): Excludes the `*sbom*report.json` and `*vulnerabilities*report.json` report files created during the process ## Configuration checklist diff --git a/docs/user-guides/Scan_secrets.md b/docs/user-guides/Scan_secrets.md index abb0a1cd..fbbe0a18 100644 --- a/docs/user-guides/Scan_secrets.md +++ b/docs/user-guides/Scan_secrets.md @@ -1,16 +1,4 @@ ---- -layout: page -title: Scan secrets -parent: User Guides -description: Scan secrets -summary: Scan secrets -is_not_draft: false -last_modified_date: 2024-05-28 -owner: Ross Buggins -author: Ross Buggins ---- - -## Guide: Scan secrets +# Guide: Scan secrets - [Guide: Scan secrets](#guide-scan-secrets) - [Overview](#overview) 
@@ -27,10 +15,9 @@ Scanning a repository for hard-coded secrets is a crucial security practice. "Ha ## Key files -- [`scan-secrets.sh`](../../scripts/githooks/scan-secrets.sh): A shell script that scans the codebase for hard-coded secrets - [`gitleaks.toml`](../../scripts/config/gitleaks.toml): A configuration file for the secret scanner - [`.gitleaksignore`](../../.gitleaksignore): A list of fingerprints to ignore by the secret scanner -- [`scan-secrets/action.yaml`](../../.github/actions/scan-secrets/action.yaml): GitHub action to run the scripts as part of the CI/CD pipeline +- [`scan-secrets/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/scan-secrets/action.yaml): Shared GitHub action used by the CI/CD pipeline - [`pre-commit.yaml`](../../scripts/config/pre-commit.yaml): Run the secret scanner as a pre-commit git hook ## Configuration checklist @@ -45,7 +32,7 @@ Scanning a repository for hard-coded secrets is a crucial security practice. "Ha You can execute and test the secret scanning across all commits locally on a developer's workstation using the following command ```shell -ALL_FILES=true ./scripts/githooks/scan-secrets.sh +pre-commit run scan-secrets --all-files ``` ## Removing sensitive data diff --git a/scripts/config/check-todos-ignore.conf b/scripts/config/check-todos-ignore.conf new file mode 100644 index 00000000..27e84c50 --- /dev/null +++ b/scripts/config/check-todos-ignore.conf @@ -0,0 +1,20 @@ +# Configuration file for check-todos.sh + +[files] +.devcontainer/devcontainer.json +.github/workflows/stage-1-commit.yaml +.pre-commit-hooks.yaml +.tool-versions +.vscode/extensions.json +infrastructure/terraform/bin/terraform.sh +Makefile +project.code-workspace +scripts/config/check-todos-ignore.conf +scripts/config/pre-commit.yaml +src/jekyll-devcontainer/src/.devcontainer/devcontainer.json + +[directories] +.git/ +.venv/ +docs/ +node_modules/ 
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
index 9c5e690a..c5f2353c 100644
--- a/scripts/config/pre-commit.yaml
+++ b/scripts/config/pre-commit.yaml
@@ -15,59 +15,20 @@ repos:
         args: ['--autofix']
         exclude: '(^|/)package(-lock)?\.json$'
       # - id: ...
-  - repo: local
+
+  - repo: https://github.com/NHSDigital/nhs-notify-shared-modules
+    rev: 3.1.2
     hooks:
       - id: sort-dictionary
-        name: Sort dictionary
-        entry: ./scripts/githooks/sort-dictionary.sh
-        language: script
-        pass_filenames: false
-  - repo: local
-    hooks:
       - id: scan-secrets
-        name: Scan secrets
-        entry: /usr/bin/env check=whole-history ./scripts/githooks/scan-secrets.sh
-        language: script
-        pass_filenames: false
-  - repo: local
-    hooks:
+        args: [check=whole-history]
       - id: check-file-format
-        name: Check file format
-        entry: /usr/bin/env check=branch ./scripts/githooks/check-file-format.sh
-        language: script
-        pass_filenames: false
-  - repo: local
-    hooks:
+        args: [check=branch]
       - id: check-markdown-format
-        name: Check Markdown format
-        entry: /usr/bin/env check=branch ./scripts/githooks/check-markdown-format.sh
-        language: script
-        pass_filenames: false
-  - repo: local
-    hooks:
+        args: [check=branch]
       - id: check-english-usage
-        name: Check English usage
-        entry: /usr/bin/env check=branch ./scripts/githooks/check-english-usage.sh
-        language: script
-        pass_filenames: false
-  - repo: local
-    hooks:
+        args: [check=branch]
       - id: lint-terraform
-        name: Lint Terraform
-        entry: ./scripts/githooks/check-terraform-format.sh
-        language: script
-        pass_filenames: false
-  - repo: local
-    hooks:
       - id: generate-terraform-docs
-        name: Generate Terraform Docs
-        entry: ./scripts/githooks/check-terraform-docs.sh
-        language: script
-        pass_filenames: false
-  - repo: local
-    hooks:
       - id: check-todo-usage
-        name: Check TODO usage
-        entry: /usr/bin/env check=branch ./scripts/githooks/check-todos.sh
-        language: script
-        pass_filenames: false
+        args: [check=branch]
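Review bot: `rev: 3.1.2` pins the shared hook repository to a mutable tag, whereas the same repository's action is pinned to a commit SHA with the version kept in a trailing comment in cicd-4-pr-title-check.yaml, so a moved tag would change what runs on every developer's commit and in CI without any diff in this file. pre-commit accepts a full commit SHA here, e.g. `rev: 3009a36549abae57bae8fe0119c2f3fed156a628  # 3.1.2` if that is indeed the 3.1.2 commit as the comment in cicd-4-pr-title-check.yaml states, and `pre-commit autoupdate --freeze` keeps it in that form. Separately, the deleted wrapper scripts read `check` from the environment (the old entries set it via `/usr/bin/env`, and scan-secrets.sh defaulted to `staged-changes`), while the new config passes `check=whole-history` and `check=branch` as positional `args`; that only has the same effect if the shared hook's `entry` turns such arguments into environment assignments. If it does not, the secret scan silently falls back to the hook's default scope, so it is worth confirming with `pre-commit run scan-secrets --all-files --verbose` that whole-history mode is actually in effect.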
diff --git a/scripts/githooks/check-english-usage.sh b/scripts/githooks/check-english-usage.sh deleted file mode 100755 index 585fb0ec..00000000 --- a/scripts/githooks/check-english-usage.sh +++ /dev/null 
@@ -1,115 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Git hook to check prose style -# -# Usage: -# $ check={all,staged-changes,working-tree-changes,branch} ./check-english-usage.sh -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# The `check` parameter controls which files are checked, so you can -# limit the scope of the check according to what is appropriate at the -# point the check is being applied. -# -# check=all: check all files in the repository -# check=staged-changes: check only files staged for commit. -# check=working-tree-changes: check modified, unstaged files. This is the default. -# check=branch: check for all changes since branching from $BRANCH_NAME - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - check=${check:-working-tree-changes} - case $check in - "all") - filter="git ls-files" - ;; - "staged-changes") - filter="git diff --diff-filter=ACMRT --name-only --cached" - ;; - "working-tree-changes") - filter="git diff --diff-filter=ACMRT --name-only" - ;; - "branch") - filter="git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main}" - ;; - *) - echo "Unrecognised check mode: $check" >&2 && exit 1 - ;; - esac - - if command -v vale > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - filter="$filter" run-vale-natively - else - filter="$filter" run-vale-in-docker - fi - - return 0 -} - -# Run Vale natively. -# Arguments (provided as environment variables): -# filter=[git command to filter the files to check] -function run-vale-natively() { - - # shellcheck disable=SC2046 - vale \ - --config "$PWD/scripts/config/vale/vale.ini" \ - $($filter) - - return 0 -} - -# Run Vale in a Docker container. 
-# Arguments (provided as environment variables): -# filter=[git command to filter the files to check] -function run-vale-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=jdkato/vale docker-get-image-version-and-pull) - # We use /dev/null here to stop `vale` from complaining that it's - # not been called correctly if the $filter happens to return an - # empty list. As long as there's a filename, even if it's one that - # will be ignored, `vale` is happy. - # shellcheck disable=SC2046,SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD:/workdir" \ - --workdir /workdir \ - "$image" \ - --config /workdir/scripts/config/vale/vale.ini \ - $($filter) /dev/null - - return 0 -} - -# ============================================================================== - -function is-arg-true() { - local arg="$1" - - if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/check-file-format.sh b/scripts/githooks/check-file-format.sh deleted file mode 100755 index ad48093d..00000000 --- a/scripts/githooks/check-file-format.sh +++ /dev/null 
@@ -1,131 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check the EditorConfig rules compliance over changed -# files. It ensures all non-binary files across the codebase are formatted -# according to the style defined in the `.editorconfig` file. This is a -# editorconfig command wrapper. It will run editorconfig natively if it is -# installed, otherwise it will run it in a Docker container. -# -# Usage: -# $ [options] ./check-file-format.sh -# -# Options: -# check={all,staged-changes,working-tree-changes,branch} # Check mode, default is 'working-tree-changes' -# dry_run=true # Do not check, run dry run only, default is 'false' -# BRANCH_NAME=other-branch-than-main # Branch to compare with, default is `origin/main` -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is `false` -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# The `check` parameter controls which files are checked, so you can -# limit the scope of the check according to what is appropriate at the -# point the check is being applied. -# -# check=all: check all files in the repository -# check=staged-changes: check only files staged for commit. -# check=working-tree-changes: check modified, unstaged files. This is the default. -# check=branch: check for all changes since branching from $BRANCH_NAME -# -# Notes: -# Please make sure to enable EditorConfig linting in your IDE. For the -# Visual Studio Code editor it is `editorconfig.editorconfig` that is already -# specified in the `./.vscode/extensions.json` file. 
- -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - # shellcheck disable=SC2154 - is-arg-true "${dry_run:-false}" && dry_run_opt="--dry-run" - - check=${check:-working-tree-changes} - case $check in - "all") - filter="git ls-files" - ;; - "staged-changes") - filter="git diff --diff-filter=ACMRT --name-only --cached" - ;; - "working-tree-changes") - filter="git diff --diff-filter=ACMRT --name-only" - ;; - "branch") - filter="git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main}" - ;; - *) - echo "Unrecognised check mode: $check" >&2 && exit 1 - ;; - esac - - if command -v editorconfig-checker > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-natively - else - filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-in-docker - fi - - return 0 -} - -# Run editorconfig natively. -# Arguments (provided as environment variables): -# dry_run_opt=[dry run option] -# filter=[git command to filter the files to check] -function run-editorconfig-natively() { - - # shellcheck disable=SC2046,SC2086 - editorconfig-checker \ - --exclude '.git/' $dry_run_opt $($filter) - - return 0 -} - -# Run editorconfig in a Docker container. -# Arguments (provided as environment variables): -# dry_run_opt=[dry run option] -# filter=[git command to filter the files to check] -function run-editorconfig-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=mstruebing/editorconfig-checker docker-get-image-version-and-pull) - # We use /dev/null here as a backstop in case there are no files in the state - # we choose. If the filter comes back empty, adding `/dev/null` onto it has - # the effect of preventing `ec` from treating "no files" as "all the files". 
- docker run --rm --platform linux/amd64 \ - --volume "$PWD":/check \ - "$image" \ - sh -c "ec --exclude '.git/' $dry_run_opt \$($filter) /dev/null" - - return 0 -} - -# ============================================================================== - -function is-arg-true() { - local arg="$1" - - if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh deleted file mode 100755 index 05f4f691..00000000 --- a/scripts/githooks/check-markdown-format.sh +++ /dev/null 
@@ -1,114 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check the Markdown file formatting rules compliance -# over changed files. This is a markdownlint command wrapper. It will run -# markdownlint natively if it is installed, otherwise it will run it in a Docker -# container. -# -# Usage: -# $ [options] ./check-markdown-format.sh -# -# Options: -# check={all,staged-changes,working-tree-changes,branch} # Check mode, default is 'working-tree-changes' -# BRANCH_NAME=other-branch-than-main # Branch to compare with, default is `origin/main` -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is `false` -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# Notes: -# 1) Please make sure to enable Markdown linting in your IDE. For the Visual -# Studio Code editor it is `davidanson.vscode-markdownlint` that is already -# specified in the `./.vscode/extensions.json` file. 
-# 2) To see the full list of the rules, please visit -# https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - check=${check:-working-tree-changes} - case $check in - "all") - files="$(git ls-files "*.md")" - ;; - "staged-changes") - files="$(git diff --diff-filter=ACMRT --name-only --cached "*.md")" - ;; - "working-tree-changes") - files="$(git diff --diff-filter=ACMRT --name-only "*.md")" - ;; - "branch") - files="$( (git diff --diff-filter=ACMRT --name-only "${BRANCH_NAME:-origin/main}" "*.md"; git diff --name-only "*.md") | sort | uniq )" - ;; - esac - - if [[ -n "$files" ]] && command -v markdownlint > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - files="$files" run-markdownlint-natively - elif [[ -n "$files" ]]; then - files="$files" run-markdownlint-in-docker - fi - - return 0 -} - -# Run markdownlint natively. -# Arguments (provided as environment variables): -# files=[files to check] -function run-markdownlint-natively() { - - # shellcheck disable=SC2086 - markdownlint \ - $files \ - --config "$PWD/scripts/config/markdownlint.yaml" - - return 0 -} - -# Run markdownlint in a Docker container. 
-# Arguments (provided as environment variables): -# files=[files to check] -function run-markdownlint-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=ghcr.io/igorshubovych/markdownlint-cli docker-get-image-version-and-pull) - # shellcheck disable=SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD":/workdir \ - "$image" \ - $files \ - --config /workdir/scripts/config/markdownlint.yaml - - return 0 -} - -# ============================================================================== - -function is-arg-true() { - local arg="$1" - - if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/check-terraform-format.sh b/scripts/githooks/check-terraform-format.sh deleted file mode 100755 index a0422539..00000000 --- a/scripts/githooks/check-terraform-format.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash - -# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check format Terraform code. -# -# Usage: -# $ [options] ./check-terraform-format.sh -# -# Options: -# check_only=true # Do not format, run check only, default is 'false' -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is 'false' - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - local check_only=${check_only:-false} - check_only=$check_only terraform-fmt - - return 0 -} - -# Format Terraform files. -# Arguments (provided as environment variables): -# check_only=[do not format, run check only] -function terraform-fmt() { - - if is-arg-true "$check_only"; then - make terraform-fmt-check - else - make terraform-fmt - fi - - return 0 -} - -# ============================================================================== - -function is-arg-true() { - local arg="$1" - - if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/scan-secrets.sh b/scripts/githooks/scan-secrets.sh deleted file mode 100755 index a5045cea..00000000 --- a/scripts/githooks/scan-secrets.sh +++ /dev/null 
@@ -1,120 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to scan for secrets hard-coded in the codebase. This is a -# gitleaks command wrapper. It will run gitleaks natively if it is installed, -# otherwise it will run it in a Docker container. -# -# Usage: -# $ [options] ./scan-secrets.sh -# -# Options: -# check={whole-history,last-commit,staged-changes} # Type of the check to run, default is 'staged-changes' -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is 'false' -# -# Exit codes: -# 0 - No leaks present -# 1 - Leaks or error encountered -# 126 - Unknown flag - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - if command -v gitleaks > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - dir="$PWD" - cmd="$(get-cmd-to-run)" run-gitleaks-natively - else - dir="/workdir" - cmd="$(get-cmd-to-run)" run-gitleaks-in-docker - fi - - return 0 -} - -# Get Gitleaks command to execute and configuration. 
-# Arguments (provided as environment variables): -# dir=[project's top-level directory] -function get-cmd-to-run() { - - check=${check:-staged-changes} - case $check in - "whole-history") - cmd="detect --source $dir --verbose --redact" - ;; - "last-commit") - cmd="detect --source $dir --verbose --redact --log-opts -1" - ;; - "staged-changes") - cmd="protect --source $dir --verbose --staged" - ;; - esac - # Include base line file if it exists - if [[ -f "$dir/scripts/config/.gitleaks-baseline.json" ]]; then - cmd="$cmd --baseline-path $dir/scripts/config/.gitleaks-baseline.json" - fi - # Include the config file - cmd="$cmd --config $dir/scripts/config/gitleaks.toml" - - echo "$cmd" - - return 0 -} - -# Run Gitleaks natively. -# Arguments (provided as environment variables): -# cmd=[command to run] -function run-gitleaks-natively() { - - # shellcheck disable=SC2086 - gitleaks $cmd - - return 0 -} - -# Run Gitleaks in a Docker container. -# Arguments (provided as environment variables): -# cmd=[command to run] -# dir=[directory to mount as a volume] -function run-gitleaks-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=ghcr.io/gitleaks/gitleaks docker-get-image-version-and-pull) - # shellcheck disable=SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD:$dir" \ - --workdir $dir \ - "$image" \ - $cmd - - return 0 -} - -# ============================================================================== - -function is-arg-true() { - local arg="$1" - - if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/tests/style.sh b/scripts/tests/style.sh index da042fad..ee41445c 100755 --- a/scripts/tests/style.sh +++ b/scripts/tests/style.sh 
@@ -12,5 +12,4 @@ cd "$(git rev-parse --show-toplevel)"
 # is to give you fast feedback on the changes you've most recently
 # made.
 
-check=working-tree-changes ./scripts/githooks/check-english-usage.sh && \
-  check=staged-changes ./scripts/githooks/check-english-usage.sh
+pre-commit run check-english-usage --all-files

From 3c6fccf83c05f4ad6b7a764180dcda64bea9b5e6 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 6 May 2026 18:25:13 +0100
Subject: [PATCH 03/20] CCM-17346: Use local build-docs action in stage-3

---
 .github/workflows/stage-3-build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
index 3c5d5674..3d80be32 100644
--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -50,7 +50,7 @@ jobs:
           version: "${{ inputs.pnpm_version }}"
           cache: true
       - name: "Build docs"
-        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/build-docs@3.0.0
+        uses: ./.github/actions/build-docs
         with:
           version: "${{ inputs.version }}"
           artefact-1:

From e5e01045bd270a352986e1725e413956803b4f01 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 6 May 2026 18:28:39 +0100
Subject: [PATCH 04/20] Revert "CCM-17346: Use local build-docs action in stage-3"

This reverts commit 3c6fccf83c05f4ad6b7a764180dcda64bea9b5e6.
---
 .github/workflows/stage-3-build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
index 3d80be32..3c5d5674 100644
--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -50,7 +50,7 @@ jobs:
           version: "${{ inputs.pnpm_version }}"
           cache: true
       - name: "Build docs"
-        uses: ./.github/actions/build-docs
+        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/build-docs@3.0.0
         with:
           version: "${{ inputs.version }}"
           artefact-1:

From 14d70fae48a3e4d14c4632db0656a281028f3394 Mon Sep 17 00:00:00 2001
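Review bot: `pre-commit run check-english-usage --all-files` checks every tracked file, but the context comment directly above still describes the script as giving fast feedback on the changes you've most recently made, which is what the removed working-tree and staged invocations limited themselves to. Either drop `--all-files` so pre-commit runs the hook on staged files only (its default scope), or reword the comment to say the check now covers the whole repository; note that the old `check=working-tree-changes` pass also covered unstaged edits, which neither form reproduces exactly. The script's earlier lines are outside the hunk.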
From: damientobin1
Date: Wed, 6 May 2026 20:53:52 +0100
Subject: [PATCH 05/20] CCM-17346: Restore pnpm_version input for stage-2 workflow

---
 .github/workflows/stage-2-test.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index 734a5314..f8d7216e 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -19,6 +19,10 @@ on:
         description: "Node.js version, set by the CI/CD pipeline workflow"
         required: true
         type: string
+      pnpm_version:
+        description: "pnpm version, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
       python_version:
         description: "Python version, set by the CI/CD pipeline workflow"
         required: true

From be98efe948747737e08d36aa3939f2cd1bfd64e8 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 6 May 2026 21:01:35 +0100
Subject: [PATCH 06/20] CCM-17346: Remove remaining local composite actions

---
 .github/actions/build-docs/action.yml        | 44 --------------------
 .github/actions/check-todo-usage/action.yaml | 10 -----
 .github/actions/setup/action.yaml            | 10 -----
 .github/actions/trivy-iac/action.yaml        | 20 ---------
 .github/actions/trivy-package/action.yaml    | 18 --------
 5 files changed, 102 deletions(-)
 delete mode 100644 .github/actions/build-docs/action.yml
 delete mode 100644 .github/actions/check-todo-usage/action.yaml
 delete mode 100644 .github/actions/setup/action.yaml
 delete mode 100644 .github/actions/trivy-iac/action.yaml
 delete mode 100644 .github/actions/trivy-package/action.yaml

diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml
deleted file mode 100644
index 80acf484..00000000
--- a/.github/actions/build-docs/action.yml
+++ /dev/null
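Review bot: `pnpm_version` is added as `required: true` with no `default`, so every workflow that calls this one must now pass it or the run is rejected; the pipeline workflow that the description says sets it is not part of this patch, so that caller should be checked in the same change. If it cannot be updated together, `required: false` with a `default` would keep the interface backward compatible. The `on:` block continues outside the hunk.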
@@ -1,44 +0,0 @@ -name: "Build Docs" -description: "build jekyll docs" -inputs: - version: - description: "Version number" - required: true -runs: - using: "composite" - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 - with: - node-version: 18 - - name: Install docs node dependencies - working-directory: ./docs - run: pnpm --ignore-workspace install --frozen-lockfile - shell: bash - - name: Setup Ruby - uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 - with: - ruby-version: "3.2" # Not needed with a .ruby-version file - bundler-cache: true # runs 'bundle install' and caches installed gems automatically - cache-version: 0 # Increment this number if you need to re-download cached gems - working-directory: "./docs" - - name: Setup Pages - id: pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - - name: Build with Jekyll - working-directory: ./docs - # Outputs to the './_site' directory by default - shell: bash - run: make build BASE_URL="$BASE_URL" VERSION="$VERSION" - #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" - env: - JEKYLL_ENV: production - BASE_URL: ${{ steps.pages.outputs.base_path }} - VERSION: ${{ inputs.version }} - - name: Upload artifact - # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 - with: - path: "docs/_site/" - name: jekyll-docs-${{ inputs.version }} diff --git a/.github/actions/check-todo-usage/action.yaml b/.github/actions/check-todo-usage/action.yaml deleted file mode 100644 index a403d588..00000000 --- a/.github/actions/check-todo-usage/action.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -name: "Check Todo usage" -description: "Check Todo usage" -runs: - using: "composite" - steps: - - name: "Check Todo usage" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-todos.sh diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml deleted file mode 100644 index bd57a9af..00000000 --- a/.github/actions/setup/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: Make Config Action -description: Install dependencies and execute make config - -runs: - using: composite - steps: - - name: Install dependencies and execute make config - shell: bash - run: | - scripts/setup/setup.sh diff --git a/.github/actions/trivy-iac/action.yaml b/.github/actions/trivy-iac/action.yaml deleted file mode 100644 index 740d77ac..00000000 --- a/.github/actions/trivy-iac/action.yaml +++ /dev/null @@ -1,20 +0,0 @@ -#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 -# name: "Trivy IaC Scan" -# description: "Scan Terraform IaC using Trivy" -# runs: -# using: "composite" -# steps: -# - name: "Trivy Terraform IaC Scan" -# shell: bash -# run: | -# components_exit_code=0 -# modules_exit_code=0 -# asdf plugin add trivy || true -# asdf install trivy || true -# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$? -# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$? - -# if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then -# echo "Trivy misconfigurations detected." -# exit 1 -# fi diff --git a/.github/actions/trivy-package/action.yaml b/.github/actions/trivy-package/action.yaml deleted file mode 100644 index 94656569..00000000 --- a/.github/actions/trivy-package/action.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
-# name: "Trivy Package Scan"
-# description: "Scan project packages using Trivy"
-# runs:
-#   using: "composite"
-#   steps:
-#     - name: "Trivy Package Scan"
-#       shell: bash
-#       run: |
-#         exit_code=0
-#         asdf plugin add trivy || true
-#         asdf install trivy || true
-#         ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
-
-#         if [ $exit_code -ne 0 ]; then
-#           echo "Trivy has detected package vulnerabilities. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
-#           exit 1
-#         fi

From 8329b6241f2d785369c6fb5243914c84b0381d9d Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 6 May 2026 21:03:36 +0100
Subject: [PATCH 07/20] CCM-17346: Align dependabot checks with client-callbacks

---
 .github/dependabot.yaml                      | 10 ++++++++++
 .github/workflows/cicd-4-pr-title-check.yaml |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 6d7cbd2a..b7575409 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -8,6 +8,8 @@ updates:
       interval: "daily"
     commit-message:
       prefix: "CCM-9336: "
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -15,6 +17,8 @@ updates:
       interval: "daily"
     commit-message:
       prefix: "CCM-9336: "
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "npm"
     directory: "/"
@@ -22,6 +26,8 @@ updates:
       interval: "daily"
     commit-message:
       prefix: "CCM-9336: "
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -29,6 +35,8 @@ updates:
       interval: "daily"
     commit-message:
       prefix: "CCM-9336: "
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "terraform"
     directory: "/"
@@ -36,3 +44,5 @@ updates:
       interval: "daily"
     commit-message:
       prefix: "CCM-9336: "
+    cooldown:
+      default-days: 7
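Review bot: `cooldown: default-days: 7` is added without a comment saying why, and the same two lines are repeated in all five `updates` entries (the hunks at -8, -15, -22, -29 and -36), so the intent should be recorded once, e.g. `# Wait 7 days after a release before proposing it, to reduce exposure to yanked or compromised releases` above the first entry. The trade-off is that a fix for a published advisory may also wait a week unless Dependabot security updates bypass the cooldown, which I believe they do but which is worth confirming against the Dependabot documentation and noting in that comment.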
diff --git a/.github/workflows/cicd-4-pr-title-check.yaml b/.github/workflows/cicd-4-pr-title-check.yaml
index 5b42a8f1..a3358cdc 100644
--- a/.github/workflows/cicd-4-pr-title-check.yaml
+++ b/.github/workflows/cicd-4-pr-title-check.yaml
@@ -15,6 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Check PR title format"
-        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-pr-title-format@4e781d1d72739015821a380871aa5a66d070177c # 3.1.0
+        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-pr-title-format@3009a36549abae57bae8fe0119c2f3fed156a628 # 3.1.2
         with:
           title: ${{ github.event.pull_request.title }}

From 2c1711636e045776ad3b52ccc00feb54a5c8824c Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 6 May 2026 21:19:28 +0100
Subject: [PATCH 08/20] CCM-17346: Add pnpm setup to test-unit job

---
 .github/workflows/stage-2-test.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index f8d7216e..b7db00c3 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -44,6 +44,15 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
+      - name: "Setup pnpm"
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          version: ${{ inputs.pnpm_version }}
+      - name: "Use Node.js"
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version-file: '.tool-versions'
+          cache: 'pnpm'
       - name: "Run unit test suite"
         run: |
           make test-unit

From 969844c66614235079614540bdb711e24d85ca4e Mon Sep 17 00:00:00 2001
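Review bot: The two new steps are pinned to commit SHAs with the version in a trailing comment, but the `actions/checkout@v4` context line directly above them stays on a mutable tag, so the job now mixes two pinning policies within three lines; the build-docs action restored later in this series already carries a SHA-pinned checkout (`actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`) that could be applied here for consistency. `node-version-file: '.tool-versions'` makes that file the source of truth for Node while pnpm comes from `inputs.pnpm_version`; if `.tool-versions` also lists pnpm the two can drift, so a short comment on which is authoritative would help, e.g. `# Node version from .tool-versions; pnpm version is supplied by the caller`. The job's remaining steps continue outside the hunk.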
From: damientobin1 Date: Wed, 6 May 2026 21:26:23 +0100 Subject: [PATCH 09/20] CCM-17346: Restore local actions not in scope of this PR --- .github/actions/build-docs/action.yml | 44 ++++++++++++++++++++ .github/actions/check-todo-usage/action.yaml | 10 +++++ .github/actions/setup/action.yaml | 10 +++++ .github/actions/trivy-iac/action.yaml | 20 +++++++++ .github/actions/trivy-package/action.yaml | 18 ++++++++ 5 files changed, 102 insertions(+) create mode 100644 .github/actions/build-docs/action.yml create mode 100644 .github/actions/check-todo-usage/action.yaml create mode 100644 .github/actions/setup/action.yaml create mode 100644 .github/actions/trivy-iac/action.yaml create mode 100644 .github/actions/trivy-package/action.yaml diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml new file mode 100644 index 00000000..80acf484 --- /dev/null +++ b/.github/actions/build-docs/action.yml 
@@ -0,0 +1,44 @@
+name: "Build Docs"
+description: "build jekyll docs"
+inputs:
+ version:
+ description: "Version number"
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ with:
+ node-version: 18
+ - name: Install docs node dependencies
+ working-directory: ./docs
+ run: pnpm --ignore-workspace install --frozen-lockfile
+ shell: bash
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
+ with:
+ ruby-version: "3.2" # Not needed with a .ruby-version file
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ cache-version: 0 # Increment this number if you need to re-download cached gems
+ working-directory: "./docs"
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+ - name: Build with Jekyll
+ working-directory: ./docs
+ # Outputs to the './_site' directory by default
+ shell: bash
+ run: make build BASE_URL="$BASE_URL" VERSION="$VERSION"
+ #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
+ env:
+ JEKYLL_ENV: production
+ BASE_URL: ${{ steps.pages.outputs.base_path }}
+ VERSION: ${{ inputs.version }}
+ - name: Upload artifact
+ # Automatically uploads an artifact from the './_site' directory by default
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+ with:
+ path: "docs/_site/"
+ name: jekyll-docs-${{ inputs.version }}
diff --git a/.github/actions/check-todo-usage/action.yaml b/.github/actions/check-todo-usage/action.yaml
new file mode 100644
index 00000000..a403d588
--- /dev/null
+++ b/.github/actions/check-todo-usage/action.yaml
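Review bot: The restored build-docs action hard-codes `node-version: 18` on actions/setup-node, while the test-unit job added in patch 08 takes its Node version from `.tool-versions` via `node-version-file`; two sources of truth will drift, and Node 18 is past its upstream end-of-life. Suggest `node-version-file: .tool-versions` here so the docs build follows the repository's pinned toolchain, assuming `.tool-versions` declares nodejs (not visible in the diff). The next step runs `pnpm --ignore-workspace install --frozen-lockfile` but nothing in this action installs pnpm, so it relies on the calling job having done so; a comment above that step such as `# Requires pnpm to be set up by the calling workflow` would make the coupling explicit. The identical file is re-added in patch 12 (L50), where the same applies.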
@@ -0,0 +1,10 @@
+name: "Check Todo usage"
+description: "Check Todo usage"
+runs:
+ using: "composite"
+ steps:
+ - name: "Check Todo usage"
+ shell: bash
+ run: |
+ export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+ check=branch ./scripts/githooks/check-todos.sh
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
new file mode 100644
index 00000000..bd57a9af
--- /dev/null
+++ b/.github/actions/setup/action.yaml
@@ -0,0 +1,10 @@
+name: Make Config Action
+description: Install dependencies and execute make config
+
+runs:
+ using: composite
+ steps:
+ - name: Install dependencies and execute make config
+ shell: bash
+ run: |
+ scripts/setup/setup.sh
diff --git a/.github/actions/trivy-iac/action.yaml b/.github/actions/trivy-iac/action.yaml
new file mode 100644
index 00000000..740d77ac
--- /dev/null
+++ b/.github/actions/trivy-iac/action.yaml
@@ -0,0 +1,20 @@
+#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy IaC Scan"
+# description: "Scan Terraform IaC using Trivy"
+# runs:
+# using: "composite"
+# steps:
+# - name: "Trivy Terraform IaC Scan"
+# shell: bash
+# run: |
+# components_exit_code=0
+# modules_exit_code=0
+# asdf plugin add trivy || true
+# asdf install trivy || true
+# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+
+# if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+# echo "Trivy misconfigurations detected."
+# exit 1
+# fi
diff --git a/.github/actions/trivy-package/action.yaml b/.github/actions/trivy-package/action.yaml
new file mode 100644
index 00000000..94656569
--- /dev/null
+++ b/.github/actions/trivy-package/action.yaml
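Review bot: `export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}` splices a workflow expression straight into the `run:` script, whereas the build-docs action restored in the same patch passes expression values through `env:` and reads them as shell variables, so the shell never sees the raw expansion. The value comes from the repository's own settings, so exposure is low, but the env form is the consistent pattern: add `env:` with `DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}` to the step and write `export BRANCH_NAME="origin/${DEFAULT_BRANCH}"`. Patch 13 (L53) deletes this file again, so this only matters if the local action is kept.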
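Review bot: The restored trivy-iac/action.yaml is entirely commented out, so it is not a valid action metadata file (no `name:` or `runs:` key) and any `uses: ./.github/actions/trivy-iac` would fail at job start; trivy-package/action.yaml in this patch (L46) is in the same state. With both inert, no Terraform misconfiguration scan or package-vulnerability scan runs in the pipeline, and nothing in the diff shows an equivalent being taken from the shared modules. If the files are kept as placeholders, the leading `#TODO` line should state that scanning is currently disabled and what is expected to replace it, e.g. `#TODO CCM-15549: Trivy scanning is disabled in CI; re-enable via <shared-modules action or restored local action>`; patch 15 (L64) later deletes both files, which removes the invalid-metadata problem but not the missing scan.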
@@ -0,0 +1,18 @@
+#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy Package Scan"
+# description: "Scan project packages using Trivy"
+# runs:
+# using: "composite"
+# steps:
+# - name: "Trivy Package Scan"
+# shell: bash
+# run: |
+# exit_code=0
+# asdf plugin add trivy || true
+# asdf install trivy || true
+# ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+
+# if [ $exit_code -ne 0 ]; then
+# echo "Trivy has detected package vulnerabilities. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+# exit 1
+# fi
From 0b561b323d74d2862ce991a46be0cb700524a9a0 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 6 May 2026 21:43:06 +0100
Subject: [PATCH 10/20] CCM-17346: Remove unused local actions replaced by shared-modules
---
 .github/actions/build-docs/action.yml | 44 --------------------
 .github/actions/check-todo-usage/action.yaml | 10 -----
 .github/actions/setup/action.yaml | 10 -----
 .github/actions/trivy-iac/action.yaml | 20 ---------
 .github/actions/trivy-package/action.yaml | 18 --------
 5 files changed, 102 deletions(-)
 delete mode 100644 .github/actions/build-docs/action.yml
 delete mode 100644 .github/actions/check-todo-usage/action.yaml
 delete mode 100644 .github/actions/setup/action.yaml
 delete mode 100644 .github/actions/trivy-iac/action.yaml
 delete mode 100644 .github/actions/trivy-package/action.yaml
diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml
deleted file mode 100644
index 80acf484..00000000
--- a/.github/actions/build-docs/action.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-name: "Build Docs"
-description: "build jekyll docs"
-inputs:
- version:
- description: "Version number"
- required: true
-runs:
- using: "composite"
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
- with:
- node-version: 18
- - name: Install docs node dependencies
- working-directory: ./docs
- run: pnpm --ignore-workspace install --frozen-lockfile
- shell: bash
- - name: Setup Ruby
- uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
- with:
- ruby-version: "3.2" # Not needed with a .ruby-version file
- bundler-cache: true # runs 'bundle install' and caches installed gems automatically
- cache-version: 0 # Increment this number if you need to re-download cached gems
- working-directory: "./docs"
- - name: Setup Pages
- id: pages
- uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
- - name: Build with Jekyll
- working-directory: ./docs
- # Outputs to the './_site' directory by default
- shell: bash
- run: make build BASE_URL="$BASE_URL" VERSION="$VERSION"
- #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
- env:
- JEKYLL_ENV: production
- BASE_URL: ${{ steps.pages.outputs.base_path }}
- VERSION: ${{ inputs.version }}
- - name: Upload artifact
- # Automatically uploads an artifact from the './_site' directory by default
- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
- with:
- path: "docs/_site/"
- name: jekyll-docs-${{ inputs.version }}
diff --git a/.github/actions/check-todo-usage/action.yaml b/.github/actions/check-todo-usage/action.yaml
deleted file mode 100644
index a403d588..00000000
--- a/.github/actions/check-todo-usage/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Check Todo usage"
-description: "Check Todo usage"
-runs:
- using: "composite"
- steps:
- - name: "Check Todo usage"
- shell: bash
- run: |
- export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
- check=branch ./scripts/githooks/check-todos.sh
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
deleted file mode 100644
index bd57a9af..00000000
--- a/.github/actions/setup/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: Make Config Action
-description: Install dependencies and execute make config
-
-runs:
- using: composite
- steps:
- name: Install dependencies and execute make config
- shell: bash
- run: |
- scripts/setup/setup.sh
diff --git a/.github/actions/trivy-iac/action.yaml b/.github/actions/trivy-iac/action.yaml
deleted file mode 100644
index 740d77ac..00000000
--- a/.github/actions/trivy-iac/action.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
-# name: "Trivy IaC Scan"
-# description: "Scan Terraform IaC using Trivy"
-# runs:
-# using: "composite"
-# steps:
-# - name: "Trivy Terraform IaC Scan"
-# shell: bash
-# run: |
-# components_exit_code=0
-# modules_exit_code=0
-# asdf plugin add trivy || true
-# asdf install trivy || true
-# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
-# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
-
-# if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
-# echo "Trivy misconfigurations detected."
-# exit 1
-# fi
diff --git a/.github/actions/trivy-package/action.yaml b/.github/actions/trivy-package/action.yaml
deleted file mode 100644
index 94656569..00000000
--- a/.github/actions/trivy-package/action.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
-# name: "Trivy Package Scan"
-# description: "Scan project packages using Trivy"
-# runs:
-# using: "composite"
-# steps:
-# - name: "Trivy Package Scan"
-# shell: bash
-# run: |
-# exit_code=0
-# asdf plugin add trivy || true
-# asdf install trivy || true
-# ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
-
-# if [ $exit_code -ne 0 ]; then
-# echo "Trivy has detected package vulnerabilities. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
-# exit 1
-# fi
From 6bd03af45d1ceb0db9236ac8122f500c53ad79b8 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 6 May 2026 21:59:39 +0100
Subject: [PATCH 11/20] CCM-17346: Trigger CI after marking SonarCloud hotspots as safe
From 495c566468aacf04789af25724224294a28b02f0 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 6 May 2026 22:06:43 +0100
Subject: [PATCH 12/20] CCM-17346: Restore local actions; use local build-docs in stage-3
---
 .github/actions/build-docs/action.yml | 44 ++++++++++++++++++++
 .github/actions/check-todo-usage/action.yaml | 10 +++++
 .github/actions/setup/action.yaml | 10 +++++
 .github/actions/trivy-iac/action.yaml | 20 +++++++++
 .github/actions/trivy-package/action.yaml | 18 ++++++++
 .github/workflows/stage-3-build.yaml | 2 +-
 6 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 .github/actions/build-docs/action.yml
 create mode 100644 .github/actions/check-todo-usage/action.yaml
 create mode 100644 .github/actions/setup/action.yaml
 create mode 100644 .github/actions/trivy-iac/action.yaml
 create mode 100644 .github/actions/trivy-package/action.yaml
diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml
new file mode 100644
index 00000000..80acf484
--- /dev/null
+++ b/.github/actions/build-docs/action.yml
@@ -0,0 +1,44 @@
+name: "Build Docs"
+description: "build jekyll docs"
+inputs:
+ version:
+ description: "Version number"
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ with:
+ node-version: 18
+ - name: Install docs node dependencies
+ working-directory: ./docs
+ run: pnpm --ignore-workspace install --frozen-lockfile
+ shell: bash
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
+ with:
+ ruby-version: "3.2" # Not needed with a .ruby-version file
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ cache-version: 0 # Increment this number if you need to re-download cached gems
+ working-directory: "./docs"
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+ - name: Build with Jekyll
+ working-directory: ./docs
+ # Outputs to the './_site' directory by default
+ shell: bash
+ run: make build BASE_URL="$BASE_URL" VERSION="$VERSION"
+ #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
+ env:
+ JEKYLL_ENV: production
+ BASE_URL: ${{ steps.pages.outputs.base_path }}
+ VERSION: ${{ inputs.version }}
+ - name: Upload artifact
+ # Automatically uploads an artifact from the './_site' directory by default
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+ with:
+ path: "docs/_site/"
+ name: jekyll-docs-${{ inputs.version }}
diff --git a/.github/actions/check-todo-usage/action.yaml b/.github/actions/check-todo-usage/action.yaml
new file mode 100644
index 00000000..a403d588
--- /dev/null
+++ b/.github/actions/check-todo-usage/action.yaml
@@ -0,0 +1,10 @@
+name: "Check Todo usage"
+description: "Check Todo usage"
+runs:
+ using: "composite"
+ steps:
+ - name: "Check Todo usage"
+ shell: bash
+ run: |
+ export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+ check=branch ./scripts/githooks/check-todos.sh
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
new file mode 100644
index 00000000..bd57a9af
--- /dev/null
+++ b/.github/actions/setup/action.yaml
@@ -0,0 +1,10 @@
+name: Make Config Action
+description: Install dependencies and execute make config
+
+runs:
+ using: composite
+ steps:
+ - name: Install dependencies and execute make config
+ shell: bash
+ run: |
+ scripts/setup/setup.sh
diff --git a/.github/actions/trivy-iac/action.yaml b/.github/actions/trivy-iac/action.yaml
new file mode 100644
index 00000000..740d77ac
--- /dev/null
+++ b/.github/actions/trivy-iac/action.yaml
@@ -0,0 +1,20 @@
+#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy IaC Scan"
+# description: "Scan Terraform IaC using Trivy"
+# runs:
+# using: "composite"
+# steps:
+# - name: "Trivy Terraform IaC Scan"
+# shell: bash
+# run: |
+# components_exit_code=0
+# modules_exit_code=0
+# asdf plugin add trivy || true
+# asdf install trivy || true
+# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+
+# if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+# echo "Trivy misconfigurations detected."
+# exit 1
+# fi
diff --git a/.github/actions/trivy-package/action.yaml b/.github/actions/trivy-package/action.yaml
new file mode 100644
index 00000000..94656569
--- /dev/null
+++ b/.github/actions/trivy-package/action.yaml
@@ -0,0 +1,18 @@
+#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy Package Scan"
+# description: "Scan project packages using Trivy"
+# runs:
+# using: "composite"
+# steps:
+# - name: "Trivy Package Scan"
+# shell: bash
+# run: |
+# exit_code=0
+# asdf plugin add trivy || true
+# asdf install trivy || true
+# ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+
+# if [ $exit_code -ne 0 ]; then
+# echo "Trivy has detected package vulnerabilities. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+# exit 1
+# fi
diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
index 3c5d5674..3d80be32 100644
--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -50,7 +50,7 @@ jobs:
 version: "${{ inputs.pnpm_version }}"
 cache: true
 - name: "Build docs"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/build-docs@3.0.0
+ uses: ./.github/actions/build-docs
 with:
 version: "${{ inputs.version }}"
 artefact-1:
From d68ff926756219960bab282afd31b2004252488e Mon Sep 17 00:00:00 2001
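Review bot: `uses: ./.github/actions/build-docs` points this one step back at a local action while the rest of the series moves steps onto pinned shared-modules actions, and neither the workflow nor the commit message records why. A one-line comment above the step, e.g. `# Local action kept for the docs build: <reason the shared-modules build-docs is not used>`, would stop the next maintainer from "fixing" it back to the shared module. The local action (restored in this patch, L50) runs its own `actions/checkout` and `actions/setup-node` after the calling job has already set up pnpm in the context lines above, so that ordering assumption is worth stating in the same comment. The build-docs job header is outside the hunk.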
From: damientobin1
Date: Wed, 6 May 2026 22:36:35 +0100
Subject: [PATCH 13/20] CCM-17346: Remove obsolete scripts/githooks and local TODO check wiring
---
 .github/actions/check-todo-usage/action.yaml | 10 -
 scripts/config/check-todos-ignore.conf | 20 --
 scripts/githooks/check-terraform-docs.sh | 55 ----
 scripts/githooks/check-todos.sh | 258 ------------------
 scripts/githooks/sort-dictionary.sh | 52 ----
 scripts/githooks/sync-template-repo.sh | 142 ----------
 6 files changed, 537 deletions(-)
 delete mode 100644 .github/actions/check-todo-usage/action.yaml
 delete mode 100644 scripts/config/check-todos-ignore.conf
 delete mode 100755 scripts/githooks/check-terraform-docs.sh
 delete mode 100755 scripts/githooks/check-todos.sh
 delete mode 100755 scripts/githooks/sort-dictionary.sh
 delete mode 100755 scripts/githooks/sync-template-repo.sh
diff --git a/.github/actions/check-todo-usage/action.yaml b/.github/actions/check-todo-usage/action.yaml
deleted file mode 100644
index a403d588..00000000
--- a/.github/actions/check-todo-usage/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Check Todo usage"
-description: "Check Todo usage"
-runs:
- using: "composite"
- steps:
- - name: "Check Todo usage"
- shell: bash
- run: |
- export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
- check=branch ./scripts/githooks/check-todos.sh
diff --git a/scripts/config/check-todos-ignore.conf b/scripts/config/check-todos-ignore.conf
deleted file mode 100644
index 27e84c50..00000000
--- a/scripts/config/check-todos-ignore.conf
+++ /dev/null
@@ -1,20 +0,0 @@ -# Configuration file for check-todos.sh - -[files] -.devcontainer/devcontainer.json -.github/workflows/stage-1-commit.yaml -.pre-commit-hooks.yaml -.tool-versions -.vscode/extensions.json -infrastructure/terraform/bin/terraform.sh -Makefile -project.code-workspace -scripts/config/check-todos-ignore.conf -scripts/config/pre-commit.yaml -src/jekyll-devcontainer/src/.devcontainer/devcontainer.json - -[directories] -.git/ -.venv/ -docs/ -node_modules/ diff --git a/scripts/githooks/check-terraform-docs.sh b/scripts/githooks/check-terraform-docs.sh deleted file mode 100755 index 787f2d0e..00000000 --- a/scripts/githooks/check-terraform-docs.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check Terraform documentation. -# -# Usage: -# $ [options] ./check-terraform-documentation.sh -# -# Options: -# VERBOSE=true # Show all the executed commands, default is 'false' - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - terraform-docs - - return 0 -} - -# Generate Terraform documentation. -# Arguments (provided as environment variables): -# check_only=[do not format, run check only] -function terraform-docs() { - - make terraform-docs - git add infrastructure/terraform/**/*.md - - return 0 -} - -# ============================================================================== - -function is-arg-true() { - local arg="$1" - - if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 
diff --git a/scripts/githooks/check-todos.sh b/scripts/githooks/check-todos.sh
deleted file mode 100755
index dba47f79..00000000
--- a/scripts/githooks/check-todos.sh
+++ /dev/null
@@ -1,258 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to scan for TODO markers in the codebase. -# It checks repository files for TODO entries and fails when a TODO does not -# include a Jira ticket reference. -# -# Usage: -# $ [options] ./check-todos.sh -# -# Options: -# check=all # check all files in the repository -# check=staged-changes # check only files staged for commit. -# check=working-tree-changes # check modified, unstaged files. This is the default. -# check=branch # check for all changes since branching from $BRANCH_NAME -# VERBOSE=true # Show all the executed commands, default is 'false' -# -# Exit codes: -# 0 - No TODOs without a Jira ticket reference -# 1 - TODOs without a Jira ticket reference found, or error encountered -# 126 - Unknown flag - -# ============================================================================== - -EXCLUDED_FILES=( - ".devcontainer/devcontainer.json" - ".tool-versions" - ".vscode/extensions.json" - "infrastructure/terraform/bin/terraform.sh" - "Makefile" - "project.code-workspace" - "src/jekyll-devcontainer/src/.devcontainer/devcontainer.json" -) - -EXCLUDED_DIRS=( - ".git/" - ".venv/" - "docs/" - "node_modules/" -) - - -# Get files to check based on mode -function get_files_to_check() { - local mode="$1" - case "$mode" in - staged-changes) - git diff --diff-filter=ACMRT --name-only --cached # ACMRT only show files added, copied, modified, renamed or that had their type changed (eg. file → symlink) in this commit. This leaves out deleted files. 
- ;; - working-tree-changes) - git ls-files --others --exclude-standard && git diff --diff-filter=ACMRT --name-only - ;; - branch) - git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main} - ;; - all) - git ls-files && git ls-files --others --exclude-standard - ;; - *) - echo "Unknown check mode: $mode" >&2 - exit 126 - ;; - esac - - return 0 -} - - -function build_exclude_args() { - local args=( - --exclude=".github/actions/check-todo-usage/action.yaml" - --exclude=".github/workflows/stage-1-commit.yaml" - --exclude="scripts/config/pre-commit.yaml" - --exclude="scripts/githooks/check-todos.sh" - ) # Exclude this script and its references by default, as it naturally contains TODOs. Todo todo todo <- see? - - if [[ ${#EXCLUDED_DIRS[@]} -gt 0 ]]; then - for dir in "${EXCLUDED_DIRS[@]}"; do - args+=(--exclude-dir="$dir") - done - fi - - if [[ ${#EXCLUDED_FILES[@]} -gt 0 ]]; then - for file in "${EXCLUDED_FILES[@]}"; do - args+=(--exclude="$file") - done - fi - echo "${args[@]}" - - return 0 -} - - -function search_todos() { - local mode="$1" - shift # Shift positional parameters so $@ contains only exclude_args - local -a exclude_args=("$@") - local todos="" - - local files - files=$(get_files_to_check "$mode") - # flatten files to unique list - files=$(echo "$files" | tr ' ' '\n' | sort -u) - - for file in $files; do - skip=false - - # Check if the file matches any exclude patterns - # Exclude files based on provided arguments and predefined directories - for ex in "${exclude_args[@]}"; do - if [[ "$ex" == --exclude* ]]; then - pattern=${ex#--exclude=} - [[ "$file" == "$pattern" ]] && skip=true && break - fi - done - - # Check if the file is in any of the excluded directories - for exdir in "${EXCLUDED_DIRS[@]}"; do - [[ "$file" == $exdir* ]] && skip=true && break - done - - # If the file is excluded, skip it - if [[ "$skip" = false && -f "$file" ]]; then - file_todos=$(grep -nHiE '\bTODO\b' "$file" || true) - [[ -n "$file_todos" ]] && 
todos+="$file_todos\n" - fi - done - - echo -e "$todos" - - return 0 -} - - -function filter_todos_with_valid_jira_ticket() { - local todos="$1" - local jira_regex="[A-Z][A-Z0-9]+-[0-9]+" - local todos_without_ticket="" - - while IFS= read -r line; do - # Only lines with TODO but without a valid JIRA ticket - if grep -qnHiE '\bTODO\b' <<< "$line" && ! [[ "$line" =~ $jira_regex ]]; then - todos_without_ticket+="$line\n" - fi - done <<< "$(echo -e "$todos")" - - # Output only TODOs without a valid JIRA ticket - echo -e "$todos_without_ticket" - - return 0 -} - - -function print_output() { - local todos="$1" - shift - local -a exclude_args=("$@") - local todo_count - todo_count=$(line_count "$todos") - - echo "TODO Check Configuration:" - echo "=========================================" - echo " Check Mode: ${check:-working-tree-changes}" - echo " Total TODOs found: $todo_count" - - if [[ ${#EXCLUDED_DIRS[@]} -gt 0 ]]; then - echo " Excluded Directories: ${EXCLUDED_DIRS[*]}" - else - echo " Excluded Directories: (none)" - fi - - if [[ ${#EXCLUDED_FILES[@]} -gt 0 ]]; then - echo " Excluded Files: ${EXCLUDED_FILES[*]}" - else - echo " Excluded Files: (none)" - fi - - if is-arg-true "${VERBOSE:-false}"; then - echo "Grep Exclude Args: ${exclude_args[*]}" - fi - - echo -e "\n=========================================" - echo "All TODOs found: $todo_count" - echo "=========================================" - - if [[ "$todo_count" -gt 0 ]]; then - echo "$todos" - else - echo "No TODOs found." - fi - - local results - results=$(filter_todos_with_valid_jira_ticket "$todos") - local results_count - results_count=$(line_count "$results") - - echo -e "\n=========================================" - echo "TODOs without a Jira ticket: $results_count" - echo "=========================================" - - if [[ "$results_count" -gt 0 ]]; then - echo "$results" - exit 1 - else - echo "No TODOs found without a Jira reference." 
- fi - - return 0 -} - - -function main() { - cd "$(git rev-parse --show-toplevel)" - - local check_mode="${check:-working-tree-changes}" - local -a exclude_args - read -r -a exclude_args <<< "$(build_exclude_args)" - local todos - todos=$(search_todos "$check_mode" "${exclude_args[@]}") - print_output "$todos" "${exclude_args[@]}" - - return 0 -} - -# ============================================================================== - -# Count non-empty lines in a string -function line_count() { - local input="$1" - if [[ -n "$input" ]]; then - echo -e "$input" | wc -l - else - echo 0 - fi - - return 0 -} - -function is-arg-true() { - local arg="$1" - - if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/sort-dictionary.sh b/scripts/githooks/sort-dictionary.sh deleted file mode 100755 index 1d3f25db..00000000 --- a/scripts/githooks/sort-dictionary.sh +++ /dev/null 
@@ -1,52 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# Pre-commit git hook to sort the Vale dictionary in a consistent manner to avoid future merge conflicts and aid insertion of new terms -# -# Usage: -# $ [options] ./sort-dictionary.sh -# -# Options: -# -# -# Exit codes: -# 0 - Successfully sorted the dictionary -# non-zero - failed to sort dictionary - -# ============================================================================== - -function main() { - root=scripts/config/vale/styles/config/vocabularies/words - opts="--dictionary-order --ignore-case -s" - sort $opts $root/accept.txt > $root/accept.sorted.txt - sort $opts $root/reject.txt > $root/reject.sorted.txt - - mv $root/accept.sorted.txt $root/accept.txt - mv $root/reject.sorted.txt $root/reject.txt - - # Update the sorted files in the staged git index - git add --update --verbose $root/* - - return 0 -} - -# ============================================================================== - -function is-arg-true() { - local arg="$1" - - if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/sync-template-repo.sh b/scripts/githooks/sync-template-repo.sh deleted file mode 100755 index 6ddbb1a2..00000000 --- a/scripts/githooks/sync-template-repo.sh +++ /dev/null 
@@ -1,142 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# Script to synchronise the nhs-notify-template-repository with this repository -# -# Usage: -# $ [options] ./sync-template-repo.sh -# -# Options: -# new_only=true # Only identify new files from the template-repository -# changes_only=true # Only identify files which have drifted from the template-repository - -# ============================================================================== - -scriptdir=$(realpath "$(dirname "$0")") - -# Command line parameters -new_only=${new_only:-false} -changes_only=${changes_only:-false} - -# Set variables -TEMPLATE_REPO_DIR="nhs-notify-repository-template" -IGNORE_FILE="scripts/config/.repository-template-sync-ignore" -MERGE_FILE="scripts/config/.repository-template-sync-merge" - -# Check if the template directory exists -if [[ ! -d "${TEMPLATE_REPO_DIR}" ]]; then - echo "Template directory ${TEMPLATE_REPO_DIR} not found!" - exit 1 -fi - -# Check if the .template-ignore file exists, create an empty one if not -if [[ ! -f "${IGNORE_FILE}" ]]; then - echo "# Files and folders to ignore when syncing ${TEMPLATE_REPO_DIR} back in to this repository" > ${IGNORE_FILE} - echo "# Files and Folders in this repository to ignore" >> ${IGNORE_FILE} - echo "# Files and Folders in the template repository to disregard" >> ${IGNORE_FILE} -fi - -# Check if the .template-merge file exists, create an empty one if not -if [[ ! -f "${MERGE_FILE}" ]]; then - echo "# Files and folders to merge when syncing ${TEMPLATE_REPO_DIR} back in to this repository" > ${MERGE_FILE} -fi - -TMP_SYNC_IGNORE=${PWD}/tmp-sync-ignore -mkdir -p "${TMP_SYNC_IGNORE}" -cp "${IGNORE_FILE}" "${TMP_SYNC_IGNORE}/.gitignore" - -TMP_SYNC_MERGE=${PWD}/tmp-sync-merge -mkdir -p "${TMP_SYNC_MERGE}" -cp "${MERGE_FILE}" "${TMP_SYNC_MERGE}/.gitignore" - -# Check if a file is ignored. 
-is_ignored() { - local file="$1" - - # Ignore .git directories and files - if [[ "$file" == *.git/* ]]; then - return 0 - fi - - pushd "${TMP_SYNC_IGNORE}" > /dev/null - git check-ignore -q "${file}" - R=$? - popd > /dev/null - return $R -} - -is_merge() { - local file="$1" - - pushd "${TMP_SYNC_MERGE}" > /dev/null - git check-ignore -q "${file}" - R=$? - popd > /dev/null - return $R -} - -# Navigate to the template directory -pushd "${TEMPLATE_REPO_DIR}" || exit -FILES_ADDED=() -FILES_WITH_CHANGES=() - -# Loop through all files in the template directory -while IFS= read -r -d '' file || [[ -n $file ]]; do - relative_path="${file#./}" # Remove leading './' - - # Check if the file is ignored - if is_ignored "$relative_path"; then - echo "Ignoring $relative_path" - continue - fi - - target_path="../$relative_path" - mkdir -p "$(dirname "$target_path")" - - # Copy the file to the root directory if it doesn't exist or is different - if [[ ! -f "$target_path" && "$changes_only" == false ]]; then - echo "Copying $relative_path to the repository" - FILES_ADDED+=("${relative_path}") - cp "$file" "$target_path" - - else - # If the file exists, check if it's different - if [[ "$new_only" == false ]] && ! diff -q "$file" "$target_path" > /dev/null 2>&1; then - if is_merge "$relative_path"; then - echo "Merging changes from $relative_path" - cp "$target_path" "${target_path}.bak" - node "${scriptdir}/../maintenance/merge.js" "$target_path" "$file" > "${target_path}.merged" - if ! cmp -s "${target_path}.merged" "${target_path}.bak"; then - FILES_WITH_CHANGES+=("${relative_path}") - mv "${target_path}.merged" "$target_path" - fi - rm -f "${target_path}.merged" "${target_path}.bak" - else - echo "Copying changes from $relative_path" - cp "$file" "$target_path" - FILES_WITH_CHANGES+=("${relative_path}") - fi - fi - fi -done < <(find . 
-type f -print0) - -popd -rm -rf "${TMP_SYNC_IGNORE}" "${TMP_SYNC_MERGE}" - -echo ------------------------------------------ -echo "${#FILES_ADDED[@]} files added, ${#FILES_WITH_CHANGES[@]} files with changes detected." - -if [[ "$changes_only" == false && ${#FILES_ADDED[@]} -gt 0 ]]; then - echo ------------------------------------------ - echo "New files added:" - printf ' - %s\n' "${FILES_ADDED[@]}" -fi - -if [[ "$new_only" == false && ${#FILES_WITH_CHANGES[@]} -gt 0 ]]; then - echo ------------------------------------------ - echo "Changed files:" - printf ' - %s\n' "${FILES_WITH_CHANGES[@]}" -fi - -echo ------------------------------------------ From 5672a2451880e8b82c9eb0954da06407d3de18b8 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Wed, 6 May 2026 22:42:56 +0100 Subject: [PATCH 14/20] CCM-17346: Restore check-todos ignore config for shared TODO hook --- scripts/config/check-todos-ignore.conf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 scripts/config/check-todos-ignore.conf diff --git a/scripts/config/check-todos-ignore.conf b/scripts/config/check-todos-ignore.conf new file mode 100644 index 00000000..27e84c50 --- /dev/null +++ b/scripts/config/check-todos-ignore.conf @@ -0,0 +1,20 @@ +# Configuration file for check-todos.sh + +[files] +.devcontainer/devcontainer.json +.github/workflows/stage-1-commit.yaml +.pre-commit-hooks.yaml +.tool-versions +.vscode/extensions.json +infrastructure/terraform/bin/terraform.sh +Makefile +project.code-workspace +scripts/config/check-todos-ignore.conf +scripts/config/pre-commit.yaml +src/jekyll-devcontainer/src/.devcontainer/devcontainer.json + +[directories] +.git/ +.venv/ +docs/ +node_modules/ From eec33e515ebf5d9323ba62c2703b4f25b462bc0e Mon Sep 17 00:00:00 2001 
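Review bot: The restored file's header `# Configuration file for check-todos.sh` names `scripts/githooks/check-todos.sh`, which patch 13 (L53) deletes from this repository, while the commit message says the file now serves the shared TODO hook. The comment should name the actual consumer, e.g. `# Exclusions read by the shared-modules check-todo-usage hook (see CCM-17346)`, adjusted to the real action name. The `[files]` section still lists `scripts/config/pre-commit.yaml` and `.github/workflows/stage-1-commit.yaml`, entries the deleted local script excluded by default because they referenced it; whether the shared hook still needs them could not be confirmed from the diff.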
From: damientobin1
Date: Wed, 6 May 2026 22:45:39 +0100
Subject: [PATCH 15/20] CCM-17346: Remove unused local setup and trivy actions
---
 .github/actions/setup/action.yaml | 10 ----------
 .github/actions/trivy-iac/action.yaml | 20 --------------------
 .github/actions/trivy-package/action.yaml | 18 ------------------
 3 files changed, 48 deletions(-)
 delete mode 100644 .github/actions/setup/action.yaml
 delete mode 100644 .github/actions/trivy-iac/action.yaml
 delete mode 100644 .github/actions/trivy-package/action.yaml
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
deleted file mode 100644
index bd57a9af..00000000
--- a/.github/actions/setup/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: Make Config Action
-description: Install dependencies and execute make config
-
-runs:
- using: composite
- steps:
- - name: Install dependencies and execute make config
- shell: bash
- run: |
- scripts/setup/setup.sh
diff --git a/.github/actions/trivy-iac/action.yaml b/.github/actions/trivy-iac/action.yaml
deleted file mode 100644
index 740d77ac..00000000
--- a/.github/actions/trivy-iac/action.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
-# name: "Trivy IaC Scan"
-# description: "Scan Terraform IaC using Trivy"
-# runs:
-# using: "composite"
-# steps:
-# - name: "Trivy Terraform IaC Scan"
-# shell: bash
-# run: |
-# components_exit_code=0
-# modules_exit_code=0
-# asdf plugin add trivy || true
-# asdf install trivy || true
-# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
-# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
-
-# if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
-# echo "Trivy misconfigurations detected."
-# exit 1
-# fi
diff --git a/.github/actions/trivy-package/action.yaml b/.github/actions/trivy-package/action.yaml
deleted file mode 100644
index 94656569..00000000
--- a/.github/actions/trivy-package/action.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
-# name: "Trivy Package Scan"
-# description: "Scan project packages using Trivy"
-# runs:
-# using: "composite"
-# steps:
-# - name: "Trivy Package Scan"
-# shell: bash
-# run: |
-# exit_code=0
-# asdf plugin add trivy || true
-# asdf install trivy || true
-# ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
-
-# if [ $exit_code -ne 0 ]; then
-# echo "Trivy has detected package vulnerabilities. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
-# exit 1
-# fi
From c6c5cf9b3ecab284f339b08bdcc2c20189bdae80 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Tue, 12 May 2026 11:52:53 +0100
Subject: [PATCH 16/20] CCM-17346: Move To Shared Modules Model
---
 .github/workflows/cicd-4-pr-title-check.yaml | 2 +-
 .github/workflows/stage-1-commit.yaml | 20 +++++------
 .github/workflows/stage-2-test.yaml | 36 ++++++++------------
 docs/developer-guides/Scripting_Terraform.md | 8 ++++-
 docs/user-guides/Perform_static_analysis.md | 8 ++++-
 docs/user-guides/Run_Git_hooks_on_commit.md | 6 ++++
 docs/user-guides/Scan_dependencies.md | 8 ++++-
 docs/user-guides/Scan_secrets.md | 8 ++++-
 scripts/tests/style.sh | 8 ++---
 9 files changed, 63 insertions(+), 41 deletions(-)
diff --git a/.github/workflows/cicd-4-pr-title-check.yaml b/.github/workflows/cicd-4-pr-title-check.yaml
index a3358cdc..401e5b7d 100644
--- a/.github/workflows/cicd-4-pr-title-check.yaml
+++ b/.github/workflows/cicd-4-pr-title-check.yaml
@@ -15,6 +15,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: "Check PR title format"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-pr-title-format@3009a36549abae57bae8fe0119c2f3fed156a628 # 3.1.2
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-pr-title-format@3.1.2
 with:
 title: ${{ github.event.pull_request.title }}
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index 08197561..d70bc900 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -52,7 +52,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to scan all commits
 - name: "Scan secrets"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.1.2
 check-file-format:
 name: "Check file format"
 runs-on: ubuntu-latest
@@ -63,7 +63,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check file format"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.1.2
 check-markdown-format:
 name: "Check Markdown format"
 runs-on: ubuntu-latest
@@ -74,7 +74,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check Markdown format"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.1.2
 terraform-docs:
 name: "Run terraform-docs"
 runs-on: ubuntu-latest
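Review bot: The new `uses:` line in the cicd-4-pr-title-check hunk replaces the commit-SHA pin `@3009a36549abae57bae8fe0119c2f3fed156a628 # 3.1.2` with the mutable tag `@3.1.2`, so the action resolved at run time is whatever that tag points to rather than the reviewed commit, while the `actions/checkout` and `asdf-vm/actions/setup` steps elsewhere in this series stay SHA-pinned. The stage-1-commit hunks here and on the following two lines, and the stage-2-test perform-static-analysis hunk, reference the shared-modules actions by tag as well, so the same applies to them. Keep the full SHA and carry the version in the trailing comment: `uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-pr-title-format@3009a36549abae57bae8fe0119c2f3fed156a628 # 3.1.2`.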
@@ -109,7 +109,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check English usage"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.1.2
 check-todo-usage:
 name: "Check TODO usage"
 runs-on: ubuntu-latest
@@ -120,7 +120,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check TODO usage"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@3.1.2
 detect-terraform-changes:
 name: "Detect Terraform Changes"
 runs-on: ubuntu-latest
@@ -156,7 +156,7 @@ jobs:
 - name: "Setup ASDF"
 uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
 - name: "Lint Terraform"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/lint-terraform@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/lint-terraform@3.1.2
 #TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
 # trivy-iac:
 # name: "Trivy IaC Scan"
@@ -172,7 +172,7 @@ jobs:
 # - name: "Setup ASDF"
 # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
 # - name: "Trivy IaC Scan"
- # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-iac@3.0.0
+ # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-iac@3.1.2
 # trivy-package:
 # if: ${{ !inputs.skip_trivy_package }}
 # name: "Trivy Package Scan"
@@ -186,7 +186,7 @@ jobs:
 # - name: "Setup ASDF"
 # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
 # - name: "Trivy Package Scan"
- # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-package@3.0.0
+ # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-package@3.1.2
 count-lines-of-code:
 name: "Count lines of code"
 runs-on: ubuntu-latest
@@ -198,7 +198,7 @@ jobs:
 - name: "Checkout code"
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Count lines of code"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.1.2
 with:
 build_datetime: "${{ inputs.build_datetime }}"
 build_timestamp: "${{ inputs.build_timestamp }}"
@@ -217,7 +217,7 @@ jobs:
 - name: "Checkout code"
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Scan dependencies"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.1.2
 with:
 build_datetime: "${{ inputs.build_datetime }}"
 build_timestamp: "${{ inputs.build_timestamp }}"
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index b7db00c3..0a30568a 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -19,10 +19,6 @@ on:
 description: "Node.js version, set by the CI/CD pipeline workflow"
 required: true
 type: string
- pnpm_version:
- description: "pnpm version, set by the CI/CD pipeline workflow"
- required: true
- type: string
 python_version:
 description: "Python version, set by the CI/CD pipeline workflow"
 required: true
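Review bot: Dropping `pnpm_version` from the `workflow_call` inputs in the stage-2-test hunk is a breaking change for whichever pipeline workflow still passes that input (the caller is not visible here; a call that supplies an input the reusable workflow does not declare is rejected), and PATCH 17/20 later in this series adds the identical four lines back. Squashing the removal with its re-addition, or dropping both, keeps each commit in the series runnable on its own. The `on:` block continues outside the hunk.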
@@ -43,29 +39,23 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
- - name: "Setup pnpm"
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
- with:
- version: ${{ inputs.pnpm_version }}
- - name: "Use Node.js"
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
- with:
- node-version-file: '.tool-versions'
- cache: 'pnpm'
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run unit test suite"
 run: |
 make test-unit
- - name: "Save the result of fast test suite"
- run: |
- echo "Nothing to save"
+ - name: "Save the result of code coverage"
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: code-coverage-report
+ path: ".reports/lcov.info"
+ if: always()
 test-lint:
 name: "Linting"
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run linting"
 run: |
 make test-lint
@@ -79,7 +69,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: "Run test coverage check"
 run: |
 make test-coverage
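Review bot: The added `Save the result of code coverage` step uploads `.reports/lcov.info` under `if: always()`, but when `make test-unit` stops before the report is written, upload-artifact's default `if-no-files-found: warn` only logs a warning and publishes no `code-coverage-report` artifact, so the static-analysis job's later download fails on a missing artifact instead of pointing at the test failure that caused it. Adding `if-no-files-found: error` to the step's `with:` block surfaces the cause in this job. As a matter of style, the `if:` key reads more naturally next to `name:` than after the `with:` block. The test-unit job header is outside the hunk.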
@@ -96,11 +86,15 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0 # Full history is needed to improving relevancy of reporting
+ - name: "Download coverage report for SONAR"
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ with:
+ name: code-coverage-report
 - name: "Perform static analysis"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/perform-static-analysis@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/perform-static-analysis@3.1.2
 with:
 sonar_organisation_key: "${{ vars.SONAR_ORGANISATION_KEY }}"
 sonar_project_key: "${{ vars.SONAR_PROJECT_KEY }}"
diff --git a/docs/developer-guides/Scripting_Terraform.md b/docs/developer-guides/Scripting_Terraform.md
index 1fcace12..0fe2758c 100644
--- a/docs/developer-guides/Scripting_Terraform.md
+++ b/docs/developer-guides/Scripting_Terraform.md
@@ -1,3 +1,9 @@
+---
+layout: page
+title: Scripting Terraform
+parent: Developer Guides
+---
+
 # Developer Guide: Scripting Terraform
 - [Developer Guide: Scripting Terraform](#developer-guide-scripting-terraform)
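Review bot: The new `Download coverage report for SONAR` step has no `path:`, so the artifact is unpacked into the workspace root, and because the upload on the test-unit side named the single file `.reports/lcov.info`, current upload-artifact versions root the artifact at that file's directory and the report arrives as `./lcov.info` rather than `.reports/lcov.info`; a sonar-scanner.properties entry written for the original location would then find nothing (the properties file is not visible here, so confirm). Adding `path: .reports` under the download step's `with:` restores the expected location. This step also relies on the static-analysis job declaring `needs:` on the test-unit job; that key is outside the hunk, and without it the download can run before the artifact exists.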
@@ -52,7 +58,7 @@ Here are some key features built into this repository's Terraform module:
 - Configuration
 - [`.tool-versions`](../../.tool-versions): Stores Terraform version to be used
 - Code quality gates
- - [`lint-terraform/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/lint-terraform/action.yaml): Shared GitHub action
+ - [`lint-terraform/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/3.1.2/.github/actions/lint-terraform/action.yaml): Shared GitHub action
 - [`pre-commit.yaml`](../../scripts/config/pre-commit.yaml): Uses shared hooks including Terraform lint and docs checks
 - Usage example
 - Declarative infrastructure definition example [`terraform-state-aws-s3`](../../scripts/terraform/examples/terraform-state-aws-s3) to store Terraform state
diff --git a/docs/user-guides/Perform_static_analysis.md b/docs/user-guides/Perform_static_analysis.md
index 2642f862..5e1a7951 100644
--- a/docs/user-guides/Perform_static_analysis.md
+++ b/docs/user-guides/Perform_static_analysis.md
@@ -1,3 +1,9 @@
+---
+layout: page
+title: Perform static analysis
+parent: User Guides
+---
+
 # Guide: Perform static analysis
 - [Guide: Perform static analysis](#guide-perform-static-analysis)
@@ -17,7 +23,7 @@ Static code analysis is an essential part of modern software development. It pro
 - [perform-static-analysis.sh](../../scripts/reports/perform-static-analysis.sh): A shell script that performs analysis
 - [sonar-scanner.properties](../../scripts/config/sonar-scanner.properties): A configuration file that includes the project details
-- [perform-static-analysis/action.yaml](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/perform-static-analysis/action.yaml): Shared GitHub action used by the CI/CD pipeline
+- [perform-static-analysis/action.yaml](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/3.1.2/.github/actions/perform-static-analysis/action.yaml): Shared GitHub action used by the CI/CD pipeline
 - [.gitignore](../../.gitignore): Excludes the `.scannerwork` temporary directory created during the process
 ## Setup
diff --git a/docs/user-guides/Run_Git_hooks_on_commit.md b/docs/user-guides/Run_Git_hooks_on_commit.md
index dc1ca569..039f0cbb 100644
--- a/docs/user-guides/Run_Git_hooks_on_commit.md
+++ b/docs/user-guides/Run_Git_hooks_on_commit.md
@@ -1,3 +1,9 @@
+---
+layout: page
+title: Run Git hooks on commit
+parent: User Guides
+---
+
 # Guide: Run Git hooks on commit
 - [Guide: Run Git hooks on commit](#guide-run-git-hooks-on-commit)
diff --git a/docs/user-guides/Scan_dependencies.md b/docs/user-guides/Scan_dependencies.md
index 44a79721..a94441b2 100644
--- a/docs/user-guides/Scan_dependencies.md
+++ b/docs/user-guides/Scan_dependencies.md
@@ -1,3 +1,9 @@
+---
+layout: page
+title: Scan dependencies
+parent: User Guides
+---
+
 # Guide: Scan dependencies
 - [Guide: Scan dependencies](#guide-scan-dependencies)
@@ -19,7 +25,7 @@ In modern software development, leveraging third-party dependencies is a common
 - [`syft.yaml`](../../scripts/config/syft.yaml): A configuration file for the SBOM generator
 - [`scan-vulnerabilities.sh`](../../scripts/reports/scan-vulnerabilities.sh): A shell script that performs CVE analysis
 - [`grype.yaml`](../../scripts/config/grype.yaml): A configuration file for the CVE scanner
-- [`scan-dependencies/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/scan-dependencies/action.yaml): Shared GitHub action used by the CI/CD pipeline
+- [`scan-dependencies/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/3.1.2/.github/actions/scan-dependencies/action.yaml): Shared GitHub action used by the CI/CD pipeline
 - [`.gitignore`](../../.gitignore): Excludes the `*sbom*report.json` and `*vulnerabilities*report.json` report files created during the process
 ## Configuration checklist
diff --git a/docs/user-guides/Scan_secrets.md b/docs/user-guides/Scan_secrets.md
index fbbe0a18..93eb0a22 100644
--- a/docs/user-guides/Scan_secrets.md
+++ b/docs/user-guides/Scan_secrets.md
@@ -1,3 +1,9 @@
+---
+layout: page
+title: Scan secrets
+parent: User Guides
+---
+
 # Guide: Scan secrets
 - [Guide: Scan secrets](#guide-scan-secrets)
@@ -17,7 +23,7 @@ Scanning a repository for hard-coded secrets is a crucial security practice. "Ha
 - [`gitleaks.toml`](../../scripts/config/gitleaks.toml): A configuration file for the secret scanner
 - [`.gitleaksignore`](../../.gitleaksignore): A list of fingerprints to ignore by the secret scanner
-- [`scan-secrets/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/scan-secrets/action.yaml): Shared GitHub action used by the CI/CD pipeline
+- [`scan-secrets/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/3.1.2/.github/actions/scan-secrets/action.yaml): Shared GitHub action used by the CI/CD pipeline
 - [`pre-commit.yaml`](../../scripts/config/pre-commit.yaml): Run the secret scanner as a pre-commit git hook
 ## Configuration checklist
diff --git a/scripts/tests/style.sh b/scripts/tests/style.sh
index ee41445c..a8f0605d 100755
--- a/scripts/tests/style.sh
+++ b/scripts/tests/style.sh
@@ -6,10 +6,8 @@ cd "$(git rev-parse --show-toplevel)"
 # This file is for you! Edit it to call your prose style checker.
-# It's preconfigured to use `vale`, the same as the github action,
-# except that here it only checks unstaged files first, and only if
-# those files are OK does it then go on to check staged files. This
-# is to give you fast feedback on the changes you've most recently
-# made.
+# It's preconfigured to use `vale`, the same as the GitHub action,
+# and currently runs via pre-commit against all files for consistency
+# with CI checks.
 pre-commit run check-english-usage --all-files
From 84c09231cfa842ab5510c39b3f789b4b2ce5c988 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Tue, 12 May 2026 12:01:25 +0100
Subject: [PATCH 17/20] CCM-17346: Move To Shared Modules Model
---
 .github/workflows/stage-2-test.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index 0a30568a..17aff8be 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -19,6 +19,10 @@ on:
 description: "Node.js version, set by the CI/CD pipeline workflow"
 required: true
 type: string
+ pnpm_version:
+ description: "pnpm version, set by the CI/CD pipeline workflow"
+ required: true
+ type: string
 python_version:
 description: "Python version, set by the CI/CD pipeline workflow"
 required: true
From 357d1f8d0c01fd0b634e523d8e327c695fa8ef0d Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Tue, 12 May 2026 12:03:45 +0100
Subject: [PATCH 18/20] CCM-17346: Move To Shared Modules Model
---
 docs/developer-guides/Scripting_Terraform.md | 2 +-
 docs/user-guides/Perform_static_analysis.md | 2 +-
 docs/user-guides/Run_Git_hooks_on_commit.md | 2 +-
 docs/user-guides/Scan_dependencies.md | 2 +-
 docs/user-guides/Scan_secrets.md | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/developer-guides/Scripting_Terraform.md b/docs/developer-guides/Scripting_Terraform.md
index 0fe2758c..8292c5a5 100644
--- a/docs/developer-guides/Scripting_Terraform.md
+++ b/docs/developer-guides/Scripting_Terraform.md
@@ -4,7 +4,7 @@ title: Scripting Terraform
 parent: Developer Guides
 ---
-# Developer Guide: Scripting Terraform
+## Developer Guide: Scripting Terraform
 - [Developer Guide: Scripting Terraform](#developer-guide-scripting-terraform)
 - [Overview](#overview)
diff --git a/docs/user-guides/Perform_static_analysis.md b/docs/user-guides/Perform_static_analysis.md
index 5e1a7951..dad16c82 100644
--- a/docs/user-guides/Perform_static_analysis.md
+++ b/docs/user-guides/Perform_static_analysis.md
@@ -4,7 +4,7 @@ title: Perform static analysis
 parent: User Guides
 ---
-# Guide: Perform static analysis
+## Guide: Perform static analysis
 - [Guide: Perform static analysis](#guide-perform-static-analysis)
 - [Overview](#overview)
diff --git a/docs/user-guides/Run_Git_hooks_on_commit.md b/docs/user-guides/Run_Git_hooks_on_commit.md
index 039f0cbb..d192b323 100644
--- a/docs/user-guides/Run_Git_hooks_on_commit.md
+++ b/docs/user-guides/Run_Git_hooks_on_commit.md
@@ -4,7 +4,7 @@ title: Run Git hooks on commit
 parent: User Guides
 ---
-# Guide: Run Git hooks on commit
+## Guide: Run Git hooks on commit
 - [Guide: Run Git hooks on commit](#guide-run-git-hooks-on-commit)
 - [Overview](#overview)
diff --git a/docs/user-guides/Scan_dependencies.md b/docs/user-guides/Scan_dependencies.md
index a94441b2..234ddc35 100644
--- a/docs/user-guides/Scan_dependencies.md
+++ b/docs/user-guides/Scan_dependencies.md
@@ -4,7 +4,7 @@ title: Scan dependencies
 parent: User Guides
 ---
-# Guide: Scan dependencies
+## Guide: Scan dependencies
 - [Guide: Scan dependencies](#guide-scan-dependencies)
 - [Overview](#overview)
diff --git a/docs/user-guides/Scan_secrets.md b/docs/user-guides/Scan_secrets.md
index 93eb0a22..b5237475 100644
--- a/docs/user-guides/Scan_secrets.md
+++ b/docs/user-guides/Scan_secrets.md
@@ -4,7 +4,7 @@ title: Scan secrets
 parent: User Guides
 ---
-# Guide: Scan secrets
+## Guide: Scan secrets
 - [Guide: Scan secrets](#guide-scan-secrets)
 - [Overview](#overview)
From 035d277f72706ecf708dbe60461be5d48e566951 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Tue, 12 May 2026 12:06:54 +0100
Subject: [PATCH 19/20] CCM-17346: Move To Shared Modules Model
---
 .github/workflows/stage-2-test.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index 17aff8be..8a82260b 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -44,6 +44,11 @@ jobs:
 steps:
 - name: "Checkout code"
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - name: "Setup pnpm"
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+ with:
+ version: "${{ inputs.pnpm_version }}"
+ cache: true
 - name: "Run unit test suite"
 run: |
 make test-unit
From 829dd76c70bb1e25540b819d30ca5c1dd5c04928 Mon Sep 17 00:00:00 2001
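Review bot: `cache: true` on the new `Setup pnpm` step in the PATCH 19/20 hunk does not match any input I can place on pnpm/action-setup (pnpm store caching is normally configured through setup-node's `cache: 'pnpm'`), and an unrecognised input only produces a runner warning, so it is easy to miss that nothing is being cached; check the pinned action's `action.yml` and drop the key if it is not declared. Separately, if `package.json` declares a `packageManager` field, pnpm/action-setup refuses a `version` input that disagrees with it, so the pipeline-supplied `inputs.pnpm_version` has to stay in sync with that field or be omitted. The test-unit job header is outside the hunk.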
From: damientobin1
Date: Tue, 12 May 2026 12:10:32 +0100
Subject: [PATCH 20/20] CCM-17346: Move To Shared Modules Model
---
 .github/workflows/stage-2-test.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index 8a82260b..236d56ef 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -49,6 +49,11 @@ jobs:
 with:
 version: "${{ inputs.pnpm_version }}"
 cache: true
+ - name: "Use Node.js"
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+ with:
+ node-version-file: '.tool-versions'
+ cache: 'pnpm'
 - name: "Run unit test suite"
 run: |
 make test-unit
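Review bot: `cache: 'pnpm'` on the new `Use Node.js` step makes setup-node look for a `pnpm-lock.yaml` to key the cache and fails the step when none is found at the repository root; if the lockfile lives in a sub-directory, add `cache-dependency-path` pointing to it. The step order is otherwise right, since setup-node's pnpm cache needs pnpm installed by the preceding `Setup pnpm` step, which this hunk shows as context. The test-unit job header is outside the hunk.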