From f7b71f2087d70e7014e255e9c9550adbf3bd212b Mon Sep 17 00:00:00 2001 
From: aidenvaines-cgi Date: Tue, 31 Mar 2026 15:12:02 +0100 Subject: [PATCH 1/4] CCM-15867 Consolidating shared scripts --- .../actions/check-english-usage/action.yaml | 10 --- .github/actions/check-file-format/action.yaml | 10 --- .../actions/check-markdown-format/action.yaml | 10 --- .github/actions/check-todo-usage/action.yaml | 10 --- .../create-lines-of-code-report/action.yaml | 57 -------------- .github/actions/lint-terraform/action.yaml | 22 ------ .../actions/normalize-branch-name/action.yaml | 41 ---------- .../perform-static-analysis/action.yaml | 28 ------- .github/actions/scan-dependencies/action.yaml | 74 ------------------- .github/actions/scan-secrets/action.yaml | 10 --- .github/actions/setup/action.yaml | 10 --- .github/actions/terraform_testing/action.yml | 61 --------------- .github/actions/trivy-iac/action.yaml | 20 ----- .github/actions/trivy-package/action.yaml | 18 ----- .github/workflows/stage-1-commit.yaml | 18 ++--- .github/workflows/stage-2-test.yaml | 2 +- .tool-versions | 35 ++++----- scripts/config/check-todos-ignore.conf | 20 +++++ scripts/config/pre-commit.yaml | 56 ++------------ 19 files changed, 56 insertions(+), 456 deletions(-) delete mode 100644 .github/actions/check-english-usage/action.yaml delete mode 100644 .github/actions/check-file-format/action.yaml delete mode 100644 .github/actions/check-markdown-format/action.yaml delete mode 100644 .github/actions/check-todo-usage/action.yaml delete mode 100644 .github/actions/create-lines-of-code-report/action.yaml delete mode 100644 .github/actions/lint-terraform/action.yaml delete mode 100644 .github/actions/normalize-branch-name/action.yaml delete mode 100644 .github/actions/perform-static-analysis/action.yaml delete mode 100644 .github/actions/scan-dependencies/action.yaml delete mode 100644 .github/actions/scan-secrets/action.yaml delete mode 100644 .github/actions/setup/action.yaml delete mode 100644 .github/actions/terraform_testing/action.yml delete mode 100644 
.github/actions/trivy-iac/action.yaml delete mode 100644 .github/actions/trivy-package/action.yaml create mode 100644 scripts/config/check-todos-ignore.conf diff --git a/.github/actions/check-english-usage/action.yaml b/.github/actions/check-english-usage/action.yaml deleted file mode 100644 index 9953bcc709..0000000000 --- a/.github/actions/check-english-usage/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Check English usage" -description: "Check English usage" -runs: - using: "composite" - steps: - - name: "Check English usage" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-english-usage.sh diff --git a/.github/actions/check-file-format/action.yaml b/.github/actions/check-file-format/action.yaml deleted file mode 100644 index bd0929a820..0000000000 --- a/.github/actions/check-file-format/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Check file format" -description: "Check file format" -runs: - using: "composite" - steps: - - name: "Check file format" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-file-format.sh diff --git a/.github/actions/check-markdown-format/action.yaml b/.github/actions/check-markdown-format/action.yaml deleted file mode 100644 index 53a715b48e..0000000000 --- a/.github/actions/check-markdown-format/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Check Markdown format" -description: "Check Markdown format" -runs: - using: "composite" - steps: - - name: "Check Markdown format" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-markdown-format.sh diff --git a/.github/actions/check-todo-usage/action.yaml b/.github/actions/check-todo-usage/action.yaml deleted file mode 100644 index a403d5888d..0000000000 --- a/.github/actions/check-todo-usage/action.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -name: "Check Todo usage" -description: "Check Todo usage" -runs: - using: "composite" - steps: - - name: "Check Todo usage" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-todos.sh diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml deleted file mode 100644 index 86396f7ae6..0000000000 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -name: "Count lines of code" -description: "Count lines of code" -inputs: - build_datetime: - description: "Build datetime, set by the CI/CD pipeline workflow" - required: true - build_timestamp: - description: "Build timestamp, set by the CI/CD pipeline workflow" - required: true - idp_aws_report_upload_account_id: - description: "IDP AWS account ID" - required: true - idp_aws_report_upload_region: - description: "IDP AWS account region" - required: true - idp_aws_report_upload_role_name: - description: "Role to upload the report" - required: true - idp_aws_report_upload_bucket_endpoint: - description: "Bucket endpoint for the report" - required: true -runs: - using: "composite" - steps: - - name: "Create CLOC report" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/create-lines-of-code-report.sh - - name: "Compress CLOC report" - shell: bash - run: zip lines-of-code-report.json.zip lines-of-code-report.json - - name: "Upload CLOC report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: lines-of-code-report.json.zip - path: ./lines-of-code-report.json.zip - retention-days: 21 - - name: "Check prerequisites for sending the report" - shell: bash - id: check - run: | - echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - - name: "Authenticate to send the report" - if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} - aws-region: ${{ inputs.idp_aws_report_upload_region }} - - name: "Send the CLOC report to the central location" - shell: bash - if: steps.check.outputs.secrets_exist == 'true' - run: | - aws s3 cp \ - ./lines-of-code-report.json.zip \ - ${{ 
inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip diff --git a/.github/actions/lint-terraform/action.yaml b/.github/actions/lint-terraform/action.yaml deleted file mode 100644 index 6957a03701..0000000000 --- a/.github/actions/lint-terraform/action.yaml +++ /dev/null @@ -1,22 +0,0 @@ -name: "Lint Terraform" -description: "Lint Terraform" -inputs: - root-modules: - description: "Comma separated list of root module directories to validate, content of the 'infrastructure/environments' is checked by default" - required: false -runs: - using: "composite" - steps: - - name: "Install Terraform binary" - shell: bash - run: | - asdf plugin add terraform || true - asdf install terraform || true - - name: "Check Terraform format" - shell: bash - run: | - check_only=true scripts/githooks/check-terraform-format.sh - - name: "Validate Terraform" - shell: bash - run: | - make terraform-validate-all diff --git a/.github/actions/normalize-branch-name/action.yaml b/.github/actions/normalize-branch-name/action.yaml deleted file mode 100644 index 8a4432a27f..0000000000 --- a/.github/actions/normalize-branch-name/action.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -name: "Normalize branch name" -description: "Normalize branch name" -outputs: - normalized_branch_name: - description: generare a short branch identifier that can be used for an environment name - value: ${{ steps.normalize_branch_name.outputs.normalized_branch_name }} -runs: - using: "composite" - steps: - - id: normalize_branch_name - env: - BRANCH: ${{ github.head_ref || github.ref_name }} - shell: bash - run: | - # Example: feature/CCM-00000_branch-description - echo "BRANCH: $BRANCH" - - # Example: feature/ccm-00000_branch-description - LOWER_CASE_BRANCH=$(echo $BRANCH | tr '[:upper:]' '[:lower:]') - - # Example: 00000_branch-description - LEADING_STRIPPED=(${LOWER_CASE_BRANCH##*ccm-}) - - if [[ $LOWER_CASE_BRANCH == $LEADING_STRIPPED ]]; then - # No CCM ref detected - TICKET_NUMBER="" - else - # Example: 00000 - TICKET_NUMBER=${LEADING_STRIPPED%%[_-]*} - fi - - # Example: 04f106adc56fc0460853351c314b670d - - HASH=$(md5sum <<<"$BRANCH") - - # Example: 0000004f106adc56fc0460853351c314b670d - - LONG_SANDBOX_NAME="$TICKET_NUMBER""$HASH" - - # Example: 0000004f - SANDBOX_NAME=${LONG_SANDBOX_NAME:0:8} - echo "$SANDBOX_NAME" - echo "normalized_branch_name=$SANDBOX_NAME" >> $GITHUB_OUTPUT diff --git a/.github/actions/perform-static-analysis/action.yaml b/.github/actions/perform-static-analysis/action.yaml deleted file mode 100644 index a619e9d291..0000000000 --- a/.github/actions/perform-static-analysis/action.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: "Perform static analysis" -description: "Perform static analysis" -inputs: - sonar_organisation_key: - description: "Sonar organisation key, used to identify the project" - required: false - sonar_project_key: - description: "Sonar project key, used to identify the project" - required: false - sonar_token: - description: "Sonar token, the API key" - required: false -runs: - using: "composite" - steps: - - name: "Check prerequisites for performing static analysis" - shell: bash - id: check - run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT - - name: "Perform static analysis" - shell: bash - if: steps.check.outputs.secret_exist == 'true' - run: | - export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')} - export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }} - export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }} - export SONAR_TOKEN=${{ inputs.sonar_token }} - ./scripts/reports/perform-static-analysis.sh diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml deleted file mode 100644 index 1000df1473..0000000000 --- a/.github/actions/scan-dependencies/action.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -name: "Scan dependencies" -description: "Scan dependencies" -inputs: - build_datetime: - description: "Build datetime, set by the CI/CD pipeline workflow" - required: true - build_timestamp: - description: "Build timestamp, set by the CI/CD pipeline workflow" - required: true - idp_aws_report_upload_account_id: - description: "IDP AWS report upload account ID to upload the report to" - required: false - idp_aws_report_upload_region: - description: "IDP AWS report upload account region to upload the report to" - required: false - idp_aws_report_upload_role_name: - description: "IDP AWS report upload role name for OIDC authentication" - required: false - idp_aws_report_upload_bucket_endpoint: - description: "IDP AWS report upload endpoint to upload the report to" - required: false -runs: - using: "composite" - steps: - - name: "Generate SBOM" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/create-sbom-report.sh - - name: "Compress SBOM report" - shell: bash - run: zip sbom-repository-report.json.zip sbom-repository-report.json - - name: "Upload SBOM report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: sbom-repository-report.json.zip - path: ./sbom-repository-report.json.zip - retention-days: 21 - - name: "Scan vulnerabilities" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/scan-vulnerabilities.sh - - name: "Compress vulnerabilities report" - shell: bash - run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - - name: "Upload vulnerabilities report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: vulnerabilities-repository-report.json.zip - path: ./vulnerabilities-repository-report.json.zip - retention-days: 21 - - name: "Check prerequisites for sending the reports" - shell: bash - id: check - run: echo "secrets_exist=${{ 
inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - - name: "Authenticate to send the reports" - if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} - aws-region: ${{ inputs.idp_aws_report_upload_region }} - - name: "Send the SBOM and vulnerabilities reports to the central location" - shell: bash - if: steps.check.outputs.secrets_exist == 'true' - run: | - aws s3 cp \ - ./sbom-repository-report.json.zip \ - ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip - aws s3 cp \ - ./vulnerabilities-repository-report.json.zip \ - ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip diff --git a/.github/actions/scan-secrets/action.yaml b/.github/actions/scan-secrets/action.yaml deleted file mode 100644 index 1ed8bac27f..0000000000 --- a/.github/actions/scan-secrets/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Scan secrets" -description: "Scan secrets" -runs: - using: "composite" - steps: - - name: "Scan secrets" - shell: bash - run: | - # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten. - check=whole-history ./scripts/githooks/scan-secrets.sh diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml deleted file mode 100644 index bd57a9af09..0000000000 --- a/.github/actions/setup/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: Make Config Action -description: Install dependencies and execute make config - -runs: - using: composite - steps: - - name: Install dependencies and execute make config - shell: bash - run: | - scripts/setup/setup.sh 
diff --git a/.github/actions/terraform_testing/action.yml b/.github/actions/terraform_testing/action.yml deleted file mode 100644 index 06602281c4..0000000000 --- a/.github/actions/terraform_testing/action.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -name: Terraform Testing -description: | - Executes a series of code quality, consistency and security tests against the - Terraform codebase in the repo - -inputs: - folder: - description: The project folder name - required: true - terraform_project: - description: The terraform project name to use for terraform planning - required: true - component: - description: The terraform component name to use for terraform planning - required: true - environment: - description: The terraform environment name to use for terraform planning - default: dev - required: true - group: - description: The terraform group name to use for terraform planning - default: target-env - required: true - region: - description: The terraform region code to use for terraform planning - default: eu-west-2 - required: true - -runs: - using: composite - steps: - - name: Dynamically generate a corresponding tfvars file - shell: bash - run: |- - cd ./${{ inputs.folder }}/terraform && ./bin/generate_target_env_tfvars.sh "${{ inputs.folder }}" "${{ inputs.environment }}" - - name: Ensure all Terraform files are named appropriately - shell: bash - run: |- - cd ./${{ inputs.folder }}/terraform && \ - ./bin/test_filenames.sh - - name: Ensure all mandatory fields are present in the TFVARS file - shell: bash - run: |- - cd ./${{ inputs.folder }}/terraform && \ - ./bin/test_mandatory_tfvars.sh "${{ inputs.component }}" - - name: Wait for the environment to be available - shell: bash - run: |- - cd ./${{ inputs.folder }}/terraform && \ - ./bin/wait_for_lock.sh ${{ inputs.terraform_project }} ${{ inputs.component }} ${{ inputs.environment }} - - name: Run Terraform Compliance against the plan file - shell: bash - run: |- - cd ./${{ inputs.folder }}/terraform && \ - ./bin/terratest.sh \ - --region "${{ inputs.region }}" \ - --project "${{ inputs.terraform_project }}" \ - --component "${{ inputs.component }}" \ - --environment "${{ inputs.environment }}" \ - --group "${{ inputs.group }}" \ - 
--action "plan" diff --git a/.github/actions/trivy-iac/action.yaml b/.github/actions/trivy-iac/action.yaml deleted file mode 100644 index 27075aca12..0000000000 --- a/.github/actions/trivy-iac/action.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 -# name: "Trivy IaC Scan" -# description: "Scan Terraform IaC using Trivy" -# runs: -# using: "composite" -# steps: -# - name: "Trivy Terraform IaC Scan" -# shell: bash -# run: | -# components_exit_code=0 -# modules_exit_code=0 -# asdf plugin add trivy || true -# asdf install trivy || true -# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$? -# ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$? - -# if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then -# echo "Trivy misconfigurations detected." -# exit 1 -# fi diff --git a/.github/actions/trivy-package/action.yaml b/.github/actions/trivy-package/action.yaml deleted file mode 100644 index 7cad282fd5..0000000000 --- a/.github/actions/trivy-package/action.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 -# name: "Trivy Package Scan" -# description: "Scan project packages using Trivy" -# runs: -# using: "composite" -# steps: -# - name: "Trivy Package Scan" -# shell: bash -# run: | -# exit_code=0 -# asdf plugin add trivy || true -# asdf install trivy || true -# ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$? - -# if [ $exit_code -ne 0 ]; then -# echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption" -# exit 1 -# fi diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index f68ace4323..bd9547ae6a 100644 
--- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -48,7 +48,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" - uses: ./.github/actions/scan-secrets + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.0 check-file-format: name: "Check file format" runs-on: ubuntu-latest @@ -59,7 +59,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" - uses: ./.github/actions/check-file-format + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.0.0 check-markdown-format: name: "Check Markdown format" runs-on: ubuntu-latest @@ -70,7 +70,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" - uses: ./.github/actions/check-markdown-format + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.0.0 terraform-docs: name: "Run terraform-docs" runs-on: ubuntu-latest @@ -105,7 +105,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" - uses: ./.github/actions/check-english-usage + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.0.0 check-todo-usage: name: "Check TODO usage" runs-on: ubuntu-latest @@ -116,7 +116,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check TODO usage" - uses: ./.github/actions/check-todo-usage + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@3.0.0 detect-terraform-changes: name: "Detect Terraform Changes" runs-on: ubuntu-latest 
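Review bot: The replacement `uses:` reference for scan-secrets pins a cross-repository action by the mutable tag `@3.0.0` (moved to `@3.0.8` in patch 2/4), so the code this workflow executes can change without any diff in this repository; the check-file-format, check-markdown-format, check-english-usage, check-todo-usage, create-lines-of-code-report and scan-dependencies hunks in this file, the commented perform-static-analysis line in stage-2-test.yaml, and the same lines in patch 2/4 share the point. The workflow already pins `asdf-vm/actions/setup` by full commit SHA, so the consistent form would be `uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@<full-commit-sha> # 3.0.8`. This matters most for scan-secrets, because the `check=whole-history` setting that the deleted local action warned not to change now lives in the shared repository rather than under this repository's review. If the tag is kept deliberately, a one-line comment above the step recording that decision would help the next reviewer.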
@@ -168,7 +168,7 @@ jobs: # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # - name: "Trivy IaC Scan" - # uses: ./.github/actions/trivy-iac + # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-iac@3.0.8 # trivy-package: # if: ${{ !inputs.skip_trivy_package }} # name: "Trivy Package Scan" @@ -182,7 +182,7 @@ jobs: # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # - name: "Trivy Package Scan" - # uses: ./.github/actions/trivy-package + # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-package@3.0.8 count-lines-of-code: name: "Count lines of code" runs-on: ubuntu-latest @@ -194,7 +194,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@v5.0.0 - name: "Count lines of code" - uses: ./.github/actions/create-lines-of-code-report + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.0 with: build_datetime: "${{ inputs.build_datetime }}" build_timestamp: "${{ inputs.build_timestamp }}" @@ -213,7 +213,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@v5.0.0 - name: "Scan dependencies" - uses: ./.github/actions/scan-dependencies + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.0 with: build_datetime: "${{ inputs.build_datetime }}" build_timestamp: "${{ inputs.build_timestamp }}" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index 9c50c9d95b..f35594ecd8 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -218,7 +218,7 @@ jobs: # with: # name: code-coverage-report # - name: "Perform static analysis" - # uses: ./.github/actions/perform-static-analysis + # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/perform-static-analysis@3.0.0 # with: # sonar_organisation_key: "${{ vars.SONAR_ORGANISATION_KEY }}" # sonar_project_key: "${{ vars.SONAR_PROJECT_KEY }}" 
diff --git a/.tool-versions b/.tool-versions index 2faef318eb..193c2e8f78 100644 --- a/.tool-versions +++ b/.tool-versions 
@@ -1,29 +1,30 @@ -act 0.2.64 +act 0.2.86 direnv 2.32.1 -gitleaks 8.24.0 -jq 1.6 +gitleaks 8.30.1 +jq 1.8.1 nodejs 22.22.0 -pre-commit 3.6.0 -terraform 1.10.1 -terraform-docs 0.19.0 +pre-commit 4.5.1 +terraform 1.14.8 +terraform-docs 0.21.0 # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 # trivy 0.69.3 -vale 3.6.0 +vale 3.14.1 python 3.13.2 # ============================================================================== # The section below is reserved for Docker image versions. # TODO: Move this section - consider using a different file for the repository template dependencies. -# docker/ghcr.io/anchore/grype v0.104.3@sha256:d340f4f8b3b7e6e72a6c9c0152f25402ed8a2d7375dba1dfce4e53115242feb6 # SEE: https://github.com/anchore/grype/pkgs/container/grype -# docker/ghcr.io/anchore/syft v1.39.0@sha256:6f13bb010923c33fb197047c8f88888e77071bd32596b3f605d62a133e493ce4 # SEE: https://github.com/anchore/syft/pkgs/container/syft -# docker/ghcr.io/gitleaks/gitleaks v8.24.0@sha256:2bcceac45179b3a91bff11a824d0fb952585b429e54fc928728b1d4d5c3e5176 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks -# docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli +# docker/ghcr.io/anchore/grype v0.110.0@sha256:af65fbc0c664691067788fe95ff88760b435543e45595eb2ca6f102fc476fbe1 # SEE: https://github.com/anchore/grype/pkgs/container/grype +# docker/ghcr.io/anchore/syft v1.42.3@sha256:5999d209a342e55e9edf70bf8930fb5b86d8f2a783fa401178372c50e21b1d36 # SEE: https://github.com/anchore/syft/pkgs/container/syft +# docker/ghcr.io/gitleaks/gitleaks v8.30.0@sha256:691af3c7c5a48b16f187ce3446d5f194838f91238f27270ed36eef6359a574d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks +# docker/ghcr.io/igorshubovych/markdownlint-cli 
v0.48.0@sha256:691af3c7c5a48b16f187ce3446d5f194838f91238f27270ed36eef6359a574d9 # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image -# docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags -# docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags -# docker/jdkato/vale v3.6.0@sha256:0ef22c8d537f079633cfff69fc46f69a2196072f69cab1ab232e8a79a388e425 # SEE: https://hub.docker.com/r/jdkato/vale/tags -# docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags -# docker/mstruebing/editorconfig-checker 2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24 # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags -# docker/sonarsource/sonar-scanner-cli 11.3@sha256:7462f132388135e32b948f8f18ff0db9ae28a87c6777f1df5b2207e04a6d7c5c # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags +# docker/hadolint/hadolint 2.14.0-alpine@sha256:7aba693c1442eb31c0b015c129697cb3b6cb7da589d85c7562f9deb435a6657c # SEE: https://hub.docker.com/r/hadolint/hadolint/tags +# docker/hashicorp/terraform 1.14.8@sha256:42ecfb253183ec823646dd7859c5652039669409b44daa72abf57112e622849a # SEE: https://hub.docker.com/r/hashicorp/terraform/tags +# docker/jdkato/vale 
v3.14.1@sha256:e10e0fd59ac94fcb1ebaea37cafd4e7d5c737cd0bc170a84386dbd21c1144a34 # SEE: https://hub.docker.com/r/jdkato/vale/tags +# docker/koalaman/shellcheck latest@sha256:3ec6239ae73eaf9c5a4c5d1c050d99d8c9bd98b43e49c997ac05a209daaaedf0 # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags +# docker/mstruebing/editorconfig-checker 3.6.1@sha256:af556694c3eb0a16b598efbe84c1171d40dfb779fdac6f01b89baedde065556f # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags + +# docker/sonarsource/sonar-scanner-cli 12.1@sha256:a429d20d22c8d97b9a10ea5585f1c56d2a54796f0ae3da06c7a1a49eec78e6c2 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags diff --git a/scripts/config/check-todos-ignore.conf b/scripts/config/check-todos-ignore.conf new file mode 100644 index 0000000000..651de92c85 --- /dev/null +++ b/scripts/config/check-todos-ignore.conf @@ -0,0 +1,20 @@ +# Configuration file for check-todos.sh + +[files] +.devcontainer/devcontainer.json +.github/workflows/stage-1-commit.yaml +.pre-commit-hooks.yaml +.tool-versions +.vscode/extensions.json +infrastructure/terraform/bin/terraform.sh +Makefile +project.code-workspace +scripts/config/check-todos-ignore.conf +scripts/config/pre-commit.yaml +scripts/githooks/check-todos.sh + +[directories] +.git/ +.venv/ +docs/ +node_modules/ diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml index 6b5f90d737..4e757008d7 100644 --- a/scripts/config/pre-commit.yaml +++ b/scripts/config/pre-commit.yaml 
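Review bot: The new markdownlint-cli line carries exactly the same digest as the gitleaks line above it, `sha256:691af3c7c5a48b16f187ce3446d5f194838f91238f27270ed36eef6359a574d9`, which cannot be correct for two different images and looks like a copy-paste slip while bumping to v0.48.0. Both lines are commented out today, but anyone re-enabling that pin would either fail to resolve the image or pin content that is not markdownlint-cli, and a digest that does not belong to its tag defeats the purpose of pinning; it should become `# docker/ghcr.io/igorshubovych/markdownlint-cli v0.48.0@sha256:<digest of markdownlint-cli v0.48.0> # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli`. Separately, the gitleaks binary is bumped to 8.30.1 while the gitleaks image line says v8.30.0; if the mismatch is intentional it deserves an inline note, otherwise the two should agree.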
@@ -23,60 +23,20 @@ repos: packages/event-schemas/schemas/[^/]+/[^/]+\.json )$ args: ['--autofix'] - # - id: ... - - repo: local + + - repo: https://github.com/NHSDigital/nhs-notify-shared-modules + rev: 3.0.8 hooks: - id: sort-dictionary - name: Sort dictionary - entry: ./scripts/githooks/sort-dictionary.sh - language: script - pass_filenames: false - - repo: local - hooks: - id: scan-secrets - name: Scan secrets - entry: /usr/bin/env check=whole-history ./scripts/githooks/scan-secrets.sh - language: script - pass_filenames: false - - repo: local - hooks: + args: [check=whole-history] - id: check-file-format - name: Check file format - entry: /usr/bin/env check=branch exclude=frontend/src/__tests__/utils/markdownit/fixtures/index.ts ./scripts/githooks/check-file-format.sh - language: script - pass_filenames: false - - repo: local - hooks: + args: [check=branch, exclude=frontend/src/__tests__/utils/markdownit/fixtures/index.ts] - id: check-markdown-format - name: Check Markdown format - entry: /usr/bin/env check=branch ./scripts/githooks/check-markdown-format.sh - language: script - pass_filenames: false - - repo: local - hooks: + args: [check=branch] - id: check-english-usage - name: Check English usage - entry: /usr/bin/env check=branch ./scripts/githooks/check-english-usage.sh - language: script - pass_filenames: false - - repo: local - hooks: + args: [check=branch] - id: lint-terraform - name: Lint Terraform - entry: ./scripts/githooks/check-terraform-format.sh - language: script - pass_filenames: false - - repo: local - hooks: - id: generate-terraform-docs - name: Generate Terraform Docs - entry: ./scripts/githooks/check-terraform-docs.sh - language: script - pass_filenames: false - - repo: local - hooks: - id: check-todo-usage - name: Check TODO usage - entry: /usr/bin/env check=branch ./scripts/githooks/check-todos.sh - language: script - pass_filenames: false + args: [check=branch] From edd7b894ef93a6a2cc407cb7a1d6015a0cc79e03 Mon Sep 17 00:00:00 2001 
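Review bot: The `check=...` settings that the deleted local hooks exported through `/usr/bin/env` are now passed as `args:` under `rev: 3.0.8`, and whether the shared hooks' `entry` turns `check=whole-history` back into an environment variable is not visible from this hunk; that should be confirmed against nhs-notify-shared-modules before merging, since a silent fallthrough would leave scan-secrets running with whatever default the shared script applies instead of the full-history scan. `rev:` also accepts a full commit SHA, which would make the hook set immutable in the same way as a SHA-pinned action; if the tag is preferred, the rationale from the deleted scan-secrets action is still worth recording here as `# Keep check=whole-history: detection patterns change and history may be rewritten` above that hook. The enclosing `repos:` list and the first hook in it start outside the hunk.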
From: aidenvaines-cgi Date: Wed, 1 Apr 2026 15:58:24 +0100 Subject: [PATCH 2/4] CCM-15867 Consolidating shared scripts --- .github/workflows/stage-1-commit.yaml | 14 +++++++------- .github/workflows/stage-2-test.yaml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index bd9547ae6a..ecbf2ecff4 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -48,7 +48,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" - uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.0 + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.8 check-file-format: name: "Check file format" runs-on: ubuntu-latest @@ -59,7 +59,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" - uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.0.0 + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.0.8 check-markdown-format: name: "Check Markdown format" runs-on: ubuntu-latest @@ -70,7 +70,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" - uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.0.0 + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.0.8 terraform-docs: name: "Run terraform-docs" runs-on: ubuntu-latest @@ -105,7 +105,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" - uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.0.0 + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.0.8 check-todo-usage: name: "Check TODO usage" runs-on: ubuntu-latest 
@@ -116,7 +116,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check TODO usage"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@3.0.8
 detect-terraform-changes:
 name: "Detect Terraform Changes"
 runs-on: ubuntu-latest
@@ -194,7 +194,7 @@ jobs:
 - name: "Checkout code"
 uses: actions/checkout@v5.0.0
 - name: "Count lines of code"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.8
 with:
 build_datetime: "${{ inputs.build_datetime }}"
 build_timestamp: "${{ inputs.build_timestamp }}"
@@ -213,7 +213,7 @@ jobs:
 - name: "Checkout code"
 uses: actions/checkout@v5.0.0
 - name: "Scan dependencies"
- uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.0
+ uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.8
 with:
 build_datetime: "${{ inputs.build_datetime }}"
 build_timestamp: "${{ inputs.build_timestamp }}"
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index f35594ecd8..2d764a8c33 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -218,7 +218,7 @@ jobs:
 # with:
 # name: code-coverage-report
 # - name: "Perform static analysis"
- # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/perform-static-analysis@3.0.0
+ # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/perform-static-analysis@3.0.8
 # with:
 # sonar_organisation_key: "${{ vars.SONAR_ORGANISATION_KEY }}"
 # sonar_project_key: "${{ vars.SONAR_PROJECT_KEY }}"
From 3fd0683c2cecea57f77ac2901d9266037f790219 Mon Sep 17 00:00:00 2001
From: aidenvaines-cgi
Date: Wed, 1 Apr 2026 17:06:20 +0100
Subject: [PATCH 3/4] CCM-15867 Consolidating shared scripts
---
 .tool-versions | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.tool-versions b/.tool-versions
index 193c2e8f78..0d813b1c13 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -18,13 +18,12 @@ python 3.13.2
 # docker/ghcr.io/anchore/grype v0.110.0@sha256:af65fbc0c664691067788fe95ff88760b435543e45595eb2ca6f102fc476fbe1 # SEE: https://github.com/anchore/grype/pkgs/container/grype
 # docker/ghcr.io/anchore/syft v1.42.3@sha256:5999d209a342e55e9edf70bf8930fb5b86d8f2a783fa401178372c50e21b1d36 # SEE: https://github.com/anchore/syft/pkgs/container/syft
 # docker/ghcr.io/gitleaks/gitleaks v8.30.0@sha256:691af3c7c5a48b16f187ce3446d5f194838f91238f27270ed36eef6359a574d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
-# docker/ghcr.io/igorshubovych/markdownlint-cli v0.48.0@sha256:691af3c7c5a48b16f187ce3446d5f194838f91238f27270ed36eef6359a574d9 # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
+# docker/ghcr.io/igorshubovych/markdownlint-cli v0.48.0@sha256:c97f19b52cf7371ff767c080e3e15c15f1cbd3336fc41aeca7a93bb2cdb9843c # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
 # docker/hadolint/hadolint 2.14.0-alpine@sha256:7aba693c1442eb31c0b015c129697cb3b6cb7da589d85c7562f9deb435a6657c # SEE: https://hub.docker.com/r/hadolint/hadolint/tags
 # docker/hashicorp/terraform 1.14.8@sha256:42ecfb253183ec823646dd7859c5652039669409b44daa72abf57112e622849a # SEE: https://hub.docker.com/r/hashicorp/terraform/tags
 # docker/jdkato/vale v3.14.1@sha256:e10e0fd59ac94fcb1ebaea37cafd4e7d5c737cd0bc170a84386dbd21c1144a34 # SEE: https://hub.docker.com/r/jdkato/vale/tags
 # docker/koalaman/shellcheck latest@sha256:3ec6239ae73eaf9c5a4c5d1c050d99d8c9bd98b43e49c997ac05a209daaaedf0 # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
-# docker/mstruebing/editorconfig-checker 3.6.1@sha256:af556694c3eb0a16b598efbe84c1171d40dfb779fdac6f01b89baedde065556f # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags
-
+# docker/mstruebing/editorconfig-checker v3.6.1@sha256:af556694c3eb0a16b598efbe84c1171d40dfb779fdac6f01b89baedde065556f # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags
 # docker/sonarsource/sonar-scanner-cli 12.1@sha256:a429d20d22c8d97b9a10ea5585f1c56d2a54796f0ae3da06c7a1a49eec78e6c2 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags
From 9c2ca7960776c93e767d5b71d416bdebb3fe2716 Mon Sep 17 00:00:00 2001
From: aidenvaines-cgi
Date: Tue, 7 Apr 2026 09:00:24 +0100
Subject: [PATCH 4/4] Excluding an email test file
---
 scripts/config/gitleaks.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
index 7b8360ae8a..bd9b47dfa7 100644
--- a/scripts/config/gitleaks.toml
+++ b/scripts/config/gitleaks.toml
@@ -24,8 +24,9 @@ paths = [
 '''Gemfile.lock''',
 ]
-# Exclude Chrome version in user agent
+# Exclude Chrome version in user agent and email addresses with IP domains in test files
 regexTarget = "line"
 regexes = [
- '''Chrome/[\d.]+'''
+ '''Chrome/[\d.]+''',
+ '''email@\[?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]?''',
 ]
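Review bot: The markdownlint-cli digest being replaced (`691af3c7…a574d9`) is byte-for-byte the gitleaks digest two lines above it, so the old pin was a copy-paste error: a pull of `ghcr.io/igorshubovych/markdownlint-cli@sha256:691af3c7…` would fail with an unknown manifest, or, if the consuming script falls back to the bare tag, silently lose the pin. The new digest `c97f19b5…9843c` cannot be verified from the diff; record how it was obtained (for example `docker buildx imagetools inspect ghcr.io/igorshubovych/markdownlint-cli:v0.48.0`) and confirm it is the manifest-list digest rather than a single-platform one, since these lines appear to be parsed by shared tooling rather than by asdf itself — the presumed consumer is the shared-modules scripts, which I cannot see here. A cheap guard against a repeat would be a check that every `docker/` digest in this file is unique and resolves to its stated tag. The `3.6.1` → `v3.6.1` change for editorconfig-checker keeps the same digest; if the consumer pulls by digest the tag is only a label, but if it pulls by tag, confirm that `v3.6.1` is a published tag before merging.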
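Review bot: The new `'''email@\[?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]?'''` entry goes into the global `regexes` allowlist with `regexTarget = "line"`, so it suppresses findings on any line in any file that contains such an address, not only in the test file the commit title names, and a real credential sharing a line with `email@10.0.0.1` would be silently ignored. Scope the exemption to the file instead: add the test file's path to the `paths = [ … ]` allowlist (which starts outside this hunk), or, if the gitleaks version pinned in `.tool-versions` (v8.30.0) supports `[[allowlists]]` with `condition = "AND"`, combine the regex with that path so both must match before a finding is dropped. The updated comment says "email addresses with IP domains" but the regex only matches the literal local part `email`; either widen the pattern or make the comment say `# Exclude the literal test address email@<ipv4> used in test fixtures`.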