NHSDigital · github-actions · Mar 10, 2025 · Mar 10, 2025
@@ -44,7 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v2
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

@@ -7,8 +7,6 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: hashicorp/setup-terraform@v3
-    - uses: asdf-vm/actions/setup@v3
     - name: "Check Terraform format"
       shell: bash
       run: |
@@ -18,5 +16,6 @@ runs:
       run: |
         stacks=${{ inputs.root-modules }}
         for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+          dir=$dir opts='-backend=false' make terraform-init
           dir=$dir make terraform-validate
         done
@@ -58,7 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v2
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

@@ -3,8 +3,6 @@ description: "Scan HCL using TFSec"
 runs:
   using: "composite"
   steps:
-    - uses: hashicorp/setup-terraform@v3
-    - uses: asdf-vm/actions/setup@v3
     - name: "TFSec Scan - Components"
       shell: bash
       run: |

@@ -27,7 +27,7 @@ jobs:
 
     - name: Run syncronisation script
       run: |
-        ./scripts/githooks/sync-template-repo.sh
+        ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh
         rm -Rf ./nhs-notify-repository-template
 
     - name: Create Pull Request

@@ -5,6 +5,7 @@
 *sbom*report*.json
 *vulnerabilities*report*.json
 *report*json.zip
+version.json
 .version
 
 *.code-workspace

@@ -3,3 +3,5 @@
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
 87312c6a627a7b0420956d49187fd15b130df170:src/__tests__/components/molecules/LoginStatus.test.tsx:jwt:23
 37ca9f5670f4cd7d91869845ca27defbe6156bb9:src/__tests__/components/molecules/LoginStatus.test.tsx:jwt:23
+b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:15
+b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:25
@@ -1,5 +1,5 @@
 act 0.2.64
-gitleaks 8.18.4
+gitleaks 8.24.0
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
@@ -13,7 +13,7 @@ nodejs 20.18.2
 # TODO: Move this section - consider using a different file for the repository template dependencies.
 # docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
 # docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
-# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
+# docker/ghcr.io/gitleaks/gitleaks v8.24.0@sha256:2bcceac45179b3a91bff11a824d0fb952585b429e54fc928728b1d4d5c3e5176 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image

@@ -8,7 +8,7 @@
 ##
 # Set Script Version
 ##
-readonly script_ver="1.8.0";
+readonly script_ver="1.8.1";
 
 ##
 # Standardised failure function
@@ -399,13 +399,16 @@ fi;
 pushd "${component_path}";
 readonly component_name=$(basename ${component_path});
 
-# Check for presence of tfenv (https://github.com/kamatama41/tfenv)
-# and a .terraform-version file. If both present, ensure required
-# version of terraform for this component is installed automagically.
-tfenv_bin="$(which tfenv 2>/dev/null)";
-if [[ -n "${tfenv_bin}" && -x "${tfenv_bin}" && -f .terraform-version ]]; then
-  ${tfenv_bin} install;
-fi;
+# install terraform
+# verify terraform version matches .tool-versions
+echo ${PWD}
+tool_version=$(grep "terraform " .tool-versions | cut -d ' ' -f 2)
+asdf plugin-add terraform && asdf install terraform "${tool_version}"
+current_version=$(terraform --version | head -n 1 | cut -d 'v' -f 2)
+
+if [ -z "${current_version}" ] || [ "${current_version}" != "${tool_version}" ]; then
+  error_and_die "Terraform version mismatch. Expected: ${tool_version}, Actual: ${current_version}"
+fi
 
 # Regardless of bootstrapping or not, we'll be using this string.
 # If bootstrapping, we will fill it with variables,
@@ -536,26 +539,24 @@ fi;
 [ -f "${dynamic_file_path}" ] && tf_var_file_paths+=("${dynamic_file_path}");
 
 # Warn on duplication
-if [ ${#tf_var_file_paths[@]} -gt 0 ]; then
-  duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
-  [ -n "${duplicate_variables}" ] \
-    && echo -e "
-  ###################################################################
-  # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
-  ###################################################################
-  The following input variables appear to be duplicated:
-
-  ${duplicate_variables}
-
-  This could lead to unexpected behaviour. Overriding of variables
-  has previously been unpredictable and is not currently supported,
-  but it may work.
-
-  Recent changes to terraform might give you useful overriding and
-  map-merging functionality, please use with caution and report back
-  on your successes & failures.
-  ###################################################################";
-fi
+duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
+[ -n "${duplicate_variables}" ] \
+  && echo -e "
+###################################################################
+# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
+###################################################################
+The following input variables appear to be duplicated:
+
+${duplicate_variables}
+
+This could lead to unexpected behaviour. Overriding of variables
+has previously been unpredictable and is not currently supported,
+but it may work.
+
+Recent changes to terraform might give you useful overriding and
+map-merging functionality, please use with caution and report back
+on your successes & failures.
+###################################################################";
 
 # Build up the tfvars arguments for terraform command line
 for file_path in "${tf_var_file_paths[@]}"; do

@@ -1,18 +1,24 @@
 # Files and folders to ignore when syncing nhs-notify-repository-template back in to this repository
-scripts/config/.repository-template-sync-ignore
 .github/workflows/
 nhs-notify-repository-template/
+.github/CODEOWNERS
 
 # Files and Folders in this repository to ignore
 .vscode/
 CHANGELOG.md
 project.code-workspace
 README.md
 VERSION
+.editorconfig
+.gitleaksignore
+scripts/tests/
+Makefile
+scripts/config/sonar-scanner.properties
 
 # Files and Folders in the template repository to disregard
 .devcontainer/
 .github/workflows/cicd-*.yaml
 */examples/
 docs/
 infrastructure/terraform/components/
+docker/examples/
@@ -0,0 +1,7 @@
+# Files and folders to merge when syncing nhs-notify-repository-template back in to this repository
+scripts/config/.repository-template-sync-ignore
+scripts/config/.repository-template-sync-merge
+.tool-versions
+.gitignore
+scripts/config/vale/styles/config/vocabularies/words/accept.txt
+scripts/config/vale/styles/config/vocabularies/words/reject.txt
@@ -16,4 +16,15 @@ regexes = [
 ]
 
 [allowlist]
-paths = ['''.terraform.lock.hcl''', '''poetry.lock''', '''yarn.lock''']
+paths = [
+  '''.terraform.lock.hcl''',
+  '''poetry.lock''',
+  '''yarn.lock''',
+  '''Gemfile.lock''',
+]
+
+# Exclude Chrome version in user agent
+regexTarget = "line"
+regexes = [
+  '''Chrome/[\d.]+'''
+]
@@ -1,43 +1,62 @@
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0 # Use the ref you want to point at
+    hooks:
+      - id: trailing-whitespace
+      - id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+      - id: check-added-large-files
+      - id: check-symlinks
+      - id: detect-private-key
+      - id: end-of-file-fixer
+        exclude: .+\.cs
+      - id: forbid-new-submodules
+      - id: mixed-line-ending
+      - id: pretty-format-json
+        args: ['--autofix']
+    # -   id: ...
   - repo: local
     hooks:
-    - id: scan-secrets
-      name: Scan secrets
-      entry: ./scripts/githooks/scan-secrets.sh
-      args: ["check=staged-changes"]
-      language: script
-      pass_filenames: false
+      - id: sort-dictionary
+        name: Sort dictionary
+        entry: ./scripts/githooks/sort-dictionary.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
-    - id: check-file-format
-      name: Check file format
-      entry: ./scripts/githooks/check-file-format.sh
-      args: ["check=staged-changes"]
-      language: script
-      pass_filenames: false
+      - id: scan-secrets
+        name: Scan secrets
+        entry: /usr/bin/env check=whole-history ./scripts/githooks/scan-secrets.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
-    - id: check-markdown-format
-      name: Check Markdown format
-      entry: ./scripts/githooks/check-markdown-format.sh
-      args: ["check=staged-changes"]
-      language: script
-      pass_filenames: false
+      - id: check-file-format
+        name: Check file format
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-file-format.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
-    - id: check-english-usage
-      name: Check English usage
-      entry: ./scripts/githooks/check-english-usage.sh
-      args: ["check=staged-changes"]
-      language: script
-      pass_filenames: false
+      - id: check-markdown-format
+        name: Check Markdown format
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-markdown-format.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
-    - id: lint-terraform
-      name: Lint Terraform
-      entry: ./scripts/githooks/check-terraform-format.sh
-      language: script
-      pass_filenames: false
+      - id: check-english-usage
+        name: Check English usage
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-english-usage.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: lint-terraform
+        name: Lint Terraform
+        entry: ./scripts/githooks/check-terraform-format.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
       - id: generate-terraform-docs

@@ -12,3 +12,4 @@ sonar.coverage.exclusions=tests/, frontend/src/__tests__, frontend/src/**/*.dev.
 
 #sonar.python.coverage.reportPaths=.coverage/coverage.xml
 sonar.javascript.lcov.reportPaths=lcov.info
+sonar.coverage.exclusions=scripts/**/*
@@ -0,0 +1,11 @@
+# GitHub
+
+## Auto link Protection Rules
+
+This will create the auto link to Jira.
+
+```sh
+./auto-link.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create an auto link](https://docs.github.com/en/rest/repos/autolinks?apiVersion=2022-11-28#create-an-autolink-for-a-repository)
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+curl -L \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer $2" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  https://api.github.com/repos/NHSDigital/$1/autolinks \
+  -d '{"key_prefix":"CCM-","url_template":" https://nhsd-jira.digital.nhs.uk/browse/CCM-<num>","is_alphanumeric":true}'
@@ -0,0 +1,11 @@
+# GitHub
+
+## Branch Protection Rules
+
+This will create the default branch protection rules using GitHub API.
+
+```sh
+./branch-protection.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create a repository rule set](https://docs.github.com/en/rest/repos/rules?apiVersion=2022-11-28#create-a-repository-ruleset)
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+curl --location "https://api.github.com/repos/NHSDigital/$1/rulesets" \
+--header 'X-GitHub-Api-Version: 2022-11-28' \
+--header 'Accept: application/vnd.github+json' \
+--header "Authorization: Bearer $2" \
+--header 'Content-Type: application/json' \
+--data '{
+    "name": "nhs-notify-default",
+    "target": "branch",
+    "enforcement": "active",
+    "conditions": {
+        "ref_name": {
+            "exclude": [],
+            "include": [
+                "~DEFAULT_BRANCH"
+            ]
+        }
+    },
+    "rules": [
+        {
+            "type": "deletion"
+        },
+        {
+            "type": "non_fast_forward"
+        },
+        {
+            "type": "pull_request",
+            "parameters": {
+                "required_approving_review_count": 1,
+                "dismiss_stale_reviews_on_push": true,
+                "require_code_owner_review": true,
+                "require_last_push_approval": true,
+                "required_review_thread_resolution": true
+            }
+        },
+        {
+            "type": "required_signatures"
+        },
+        {
+            "type": "required_status_checks",
+            "parameters": {
+                "strict_required_status_checks_policy": true,
+                "required_status_checks": []
+            }
+        }
+    ]
+}'
@@ -38,7 +38,7 @@ function main() {
   check=${check:-working-tree-changes}
   case $check in
     "all")
-      files="$(find ./ -type f -name "*.md")"
+      files="$(git ls-files "*.md")"
       ;;
     "staged-changes")
       files="$(git diff --diff-filter=ACMRT --name-only --cached "*.md")"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -12,3 +12,4 @@ sonar.coverage.exclusions=tests/, frontend/src/__tests__, frontend/src/*/.dev.

		#sonar.python.coverage.reportPaths=.coverage/coverage.xml
		sonar.javascript.lcov.reportPaths=lcov.info
		sonar.coverage.exclusions=scripts/*/