From 75a0ded014cc7c9e300bb8b9f7157b95a46391b5 Mon Sep 17 00:00:00 2001 From: aidenvaines-bjss Date: Wed, 23 Jul 2025 16:00:46 +0100 Subject: [PATCH 1/4] CCM-11345 Manual Repo Sync --- .github/actions/check-todo-usage/action.yaml | 10 + .../scheduled-repository-template-sync.yaml | 2 +- .github/workflows/scorecard.yml | 73 ++++++ .github/workflows/stage-1-commit.yaml | 25 +- .tool-versions | 1 + infrastructure/terraform/bin/terraform.sh | 4 +- .../config/.repository-template-sync-ignore | 27 +- .../config/.repository-template-sync-merge | 2 + scripts/config/pre-commit.yaml | 11 +- .../config/vocabularies/words/accept.txt | 1 + scripts/devcontainer/postcreatecommand.sh | 17 ++ scripts/devcontainer/poststartcommand.sh | 3 + scripts/githooks/check-todos.sh | 238 ++++++++++++++++++ scripts/githooks/sort-dictionary.sh | 3 +- scripts/githooks/sync-template-repo.sh | 41 ++- 15 files changed, 413 insertions(+), 45 deletions(-) create mode 100644 .github/actions/check-todo-usage/action.yaml create mode 100644 .github/workflows/scorecard.yml create mode 100755 scripts/devcontainer/postcreatecommand.sh create mode 100755 scripts/devcontainer/poststartcommand.sh create mode 100755 scripts/githooks/check-todos.sh diff --git a/.github/actions/check-todo-usage/action.yaml b/.github/actions/check-todo-usage/action.yaml new file mode 100644 index 000000000..a403d5888 --- /dev/null +++ b/.github/actions/check-todo-usage/action.yaml @@ -0,0 +1,10 @@ +name: "Check Todo usage" +description: "Check Todo usage" +runs: + using: "composite" + steps: + - name: "Check Todo usage" + shell: bash + run: | + export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} + check=branch ./scripts/githooks/check-todos.sh diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index a8284425a..e91148656 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml 
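Review bot: The `run:` script in the new composite action interpolates `${{ github.event.repository.default_branch }}` straight into shell text, which is the pattern GitHub's script-injection guidance advises against; the value is controlled by the repository owner here, so the exposure is low, but routing it through `env:` costs nothing and keeps the step consistent with that guidance. The step would become `env:` / `BRANCH_NAME: origin/${{ github.event.repository.default_branch }}` with `run: check=branch ./scripts/githooks/check-todos.sh`. Note also that `check=branch` can only diff against that ref if the checkout fetched it; the action sets no `fetch-depth` itself, so it relies on the calling job doing so (as the `check-todo-usage` job in stage-1-commit.yaml does with `fetch-depth: 0`), and a one-line comment saying so would help the next user of this action.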
+++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -32,7 +32,7 @@ jobs: - name: Create Pull Request if: ${{ !env.ACT }} - uses: peter-evans/create-pull-request@v7.0.7 + uses: peter-evans/create-pull-request@v7.0.8 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: Drift from template diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 000000000..03bf1714d --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,73 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '15 22 * * 5' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + contents: read + actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. + repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. 
+ # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: false + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@v4 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 + with: + sarif_file: results.sarif diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index e168ba960..e56f2f3e8 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -36,7 +36,7 @@ jobs: scan-secrets: name: "Scan secrets" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" uses: actions/checkout@v4 @@ -47,7 +47,7 @@ jobs: check-file-format: name: "Check file format" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" uses: actions/checkout@v4 @@ -58,7 +58,7 @@ jobs: check-markdown-format: name: "Check Markdown format" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" uses: actions/checkout@v4 @@ -93,7 +93,7 @@ jobs: check-english-usage: name: "Check English usage" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" uses: actions/checkout@v4 
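Review bot: `actions/upload-artifact@v4` is the only step in the new workflow pinned to a tag rather than a commit SHA, which Scorecard's own Pinned-Dependencies check will report against this repository; pin it like the neighbouring steps, `uses: actions/upload-artifact@<commit-sha-for-v4> # v4.x` with the real SHA filled in. The comments above `repo_token` and the job `permissions` still read "Uncomment … if …" although both lines are already active, so they now describe a state the file is not in; either drop those sentences or replace them with a note that a `SCORECARD_TOKEN` secret is expected to exist. `id-token: write` is documented in the hunk itself as needed only to publish results, yet `publish_results: false` is set, so that grant can be removed unless publishing is switched on.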
@@ -101,6 +101,17 @@ jobs: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" uses: ./.github/actions/check-english-usage + check-todo-usage: + name: "Check TODO usage" + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + - name: "Checkout code" + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Full history is needed to compare branches + - name: "Check TODO usage" + uses: ./.github/actions/check-todo-usage detect-terraform-changes: name: "Detect Terraform Changes" runs-on: ubuntu-latest @@ -127,7 +138,7 @@ jobs: lint-terraform: name: "Lint Terraform" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 needs: detect-terraform-changes if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: @@ -156,7 +167,7 @@ jobs: permissions: id-token: write contents: read - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" uses: actions/checkout@v4 @@ -175,7 +186,7 @@ jobs: permissions: id-token: write contents: read - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" uses: actions/checkout@v4 diff --git a/.tool-versions b/.tool-versions index 2024d0ca6..55c4b9f4c 100644 --- a/.tool-versions +++ b/.tool-versions @@ -7,6 +7,7 @@ terraform 1.9.2 terraform-docs 0.19.0 trivy 0.61.0 vale 3.6.0 +# python 3.13.2 # ============================================================================== # The section below is reserved for Docker image versions. diff --git a/infrastructure/terraform/bin/terraform.sh b/infrastructure/terraform/bin/terraform.sh index a829d1836..72e6c5718 100755 --- a/infrastructure/terraform/bin/terraform.sh +++ b/infrastructure/terraform/bin/terraform.sh 
@@ -793,8 +793,8 @@ case "${action}" in ;; *) echo -e "Generic action case invoked. Only the additional arguments will be passed to terraform, you break it you fix it:"; - echo -e "\tterraform ${action} ${extra_args}"; - terraform "${action}" ${extra_args} \ + echo -e "\tterraform ${action} ${extra_args} | tee terraform_output"; + terraform "${action}" ${extra_args} | tee terraform_output \ || error_and_die "Terraform ${action} failed."; ;; esac; diff --git a/scripts/config/.repository-template-sync-ignore b/scripts/config/.repository-template-sync-ignore index 2c23df7ab..7b6cbfc12 100644 --- a/scripts/config/.repository-template-sync-ignore +++ b/scripts/config/.repository-template-sync-ignore @@ -1,24 +1,33 @@ # Files and folders to ignore when syncing nhs-notify-repository-template back in to this repository -.github/workflows/ nhs-notify-repository-template/ -.github/CODEOWNERS # Files and Folders in this repository to ignore +.editorconfig +.github/CODEOWNERS +.github/ISSUE_TEMPLATE +.github/workflows/cicd-*.yaml +.github/workflows/stage-*.yaml +.gitleaksignore .vscode/ +Makefile CHANGELOG.md project.code-workspace README.md -VERSION -.editorconfig -.gitleaksignore -scripts/tests/ -Makefile scripts/config/sonar-scanner.properties +scripts/tests/ +VERSION # Files and Folders in the template repository to disregard .devcontainer/ -.github/workflows/cicd-*.yaml +.github/actions/build-docs +.github/workflows/*.disabled */examples/ docs/ +eslint.config.mjs infrastructure/terraform/components/ -docker/examples/ +lambdas/example-lambda/ +package-lock.json +package.json +scripts/**/examples/ +scripts/terraform/terraform.mk +src/.vscode/ diff --git a/scripts/config/.repository-template-sync-merge b/scripts/config/.repository-template-sync-merge index 549e19157..8b5774fdf 100644 --- a/scripts/config/.repository-template-sync-merge +++ b/scripts/config/.repository-template-sync-merge 
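Review bot: The rewritten generic action now tests tee's exit status rather than terraform's: in `terraform "${action}" ${extra_args} | tee terraform_output || error_and_die …` the `||` sees the status of the last command in the pipeline, so a failed terraform run whose output tee wrote successfully continues as a success. Unless `set -o pipefail` is in effect earlier in the file (outside this hunk), check the first pipeline element explicitly, e.g. `terraform "${action}" ${extra_args} | tee terraform_output;` followed by `[ "${PIPESTATUS[0]}" -eq 0 ] || error_and_die "Terraform ${action} failed.";`. `terraform_output` is written into the current directory and is not removed by this script; if it is consumed by a later step, a comment saying who reads it would help, and if it is not, it should be ignored or cleaned up so plan output is not committed by accident.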
@@ -1,6 +1,8 @@ # Files and folders to merge when syncing nhs-notify-repository-template back in to this repository +.github/workflows/cicd-*.yaml scripts/config/.repository-template-sync-ignore scripts/config/.repository-template-sync-merge +scripts/config/vale/vale.ini .tool-versions .gitignore scripts/config/vale/styles/config/vocabularies/words/accept.txt diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml index b216db0a5..8843370f7 100644 --- a/scripts/config/pre-commit.yaml +++ b/scripts/config/pre-commit.yaml @@ -3,20 +3,16 @@ repos: rev: v4.6.0 # Use the ref you want to point at hooks: - id: trailing-whitespace - exclude: .+\.snap - id: detect-aws-credentials args: [--allow-missing-credentials] - id: check-added-large-files - id: check-symlinks - id: detect-private-key - id: end-of-file-fixer - exclude: .+\.cs - id: forbid-new-submodules - id: mixed-line-ending - id: pretty-format-json args: ['--autofix'] - exclude: package-lock.json - # - id: ... - repo: local hooks: @@ -67,3 +63,10 @@ repos: entry: ./scripts/githooks/check-terraform-docs.sh language: script pass_filenames: false + - repo: local + hooks: + - id: check-todo-usage + name: Check TODO usage + entry: /usr/bin/env check=branch ./scripts/githooks/check-todos.sh + language: script + pass_filenames: false diff --git a/scripts/config/vale/styles/config/vocabularies/words/accept.txt b/scripts/config/vale/styles/config/vocabularies/words/accept.txt index 96f75515c..ad7a1af5a 100644 --- a/scripts/config/vale/styles/config/vocabularies/words/accept.txt +++ b/scripts/config/vale/styles/config/vocabularies/words/accept.txt @@ -9,6 +9,7 @@ drawio endcapture endfor endraw +Git[Hh]ub GitHub Gitleaks Grype diff --git a/scripts/devcontainer/postcreatecommand.sh b/scripts/devcontainer/postcreatecommand.sh new file mode 100755 index 000000000..aefabaf3c --- /dev/null +++ b/scripts/devcontainer/postcreatecommand.sh 
@@ -0,0 +1,17 @@ +#!/bin/bash + +rm -Rf ~/.asdf +git clone https://github.com/asdf-vm/asdf.git ~/.asdf; +chmod +x ~/.asdf/asdf.sh; +echo '. $HOME/.asdf/asdf.sh' >> ~/.zshrc +echo '. $HOME/.asdf/completions/asdf.bash' >> ~/.zshrc + +source ~/.zshrc + +echo 'asdf setup complete' + +make config + +jekyll --version && cd docs && bundle install + +echo 'jekyll setup complete' diff --git a/scripts/devcontainer/poststartcommand.sh b/scripts/devcontainer/poststartcommand.sh new file mode 100755 index 000000000..31a110d18 --- /dev/null +++ b/scripts/devcontainer/poststartcommand.sh @@ -0,0 +1,3 @@ +#!/bin/bash +source ~/.zshrc +make config diff --git a/scripts/githooks/check-todos.sh b/scripts/githooks/check-todos.sh new file mode 100755 index 000000000..83b7a80e8 --- /dev/null +++ b/scripts/githooks/check-todos.sh 
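Review bot: `git clone https://github.com/asdf-vm/asdf.git ~/.asdf` takes whatever the asdf default branch holds at container-creation time, so every new devcontainer bootstraps its toolchain from an unpinned, unreviewed revision; pin it to a release, `git clone --branch <asdf-release-tag> --depth 1 https://github.com/asdf-vm/asdf.git ~/.asdf`, and treat the tag like the versions in `.tool-versions`. The script has no `set -e`, so a failed clone still falls through to `make config` and the jekyll steps with a missing asdf. The two `echo … >> ~/.zshrc` lines append duplicates on every run, and `source ~/.zshrc` evaluates a zsh rc file under bash, which breaks as soon as that file gains zsh-only syntax; sourcing `~/.asdf/asdf.sh` directly is enough for this script's own needs.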
@@ -0,0 +1,238 @@ +#!/bin/bash + +# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. + +set -euo pipefail + +# Pre-commit git hook to scan for secrets hard-coded in the codebase. This is a +# gitleaks command wrapper. It will run gitleaks natively if it is installed, +# otherwise it will run it in a Docker container. +# +# Usage: +# $ [options] ./scan-secrets.sh +# +# Options: +# check=all # check all files in the repository +# check=staged-changes # check only files staged for commit. +# check=working-tree-changes # check modified, unstaged files. This is the default. +# check=branch # check for all changes since branching from $BRANCH_NAME +# VERBOSE=true # Show all the executed commands, default is 'false' +# +# Exit codes: +# 0 - No Todos +# 1 - Todos found or error encountered +# 126 - Unknown flag + +# ============================================================================== + +EXCLUDED_FILES=( + ".devcontainer/devcontainer.json" + ".tool-versions" + ".vscode/extensions.json" + "infrastructure/terraform/bin/terraform.sh" + "Makefile" + "project.code-workspace" + "src/jekyll-devcontainer/src/.devcontainer/devcontainer.json" +) + +EXCLUDED_DIRS=( + ".git/" + ".venv/" + "docs/" + "node_modules/" +) + + +# Get files to check based on mode +function get_files_to_check() { + local mode="$1" + case "$mode" in + staged-changes) + git diff --diff-filter=ACMRT --name-only --cached # ACMRT only show files added, copied, modified, renamed or that had their type changed (eg. file → symlink) in this commit. This leaves out deleted files. 
+ ;; + working-tree-changes) + git ls-files --others --exclude-standard && git diff --diff-filter=ACMRT --name-only + ;; + branch) + git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main} + ;; + all) + git ls-files && git ls-files --others --exclude-standard + ;; + *) + echo "Unknown check mode: $mode" >&2 + exit 126 + ;; + esac +} + + +function build_exclude_args() { + local args=( + --exclude=".github/actions/check-todo-usage/action.yaml" + --exclude=".github/workflows/stage-1-commit.yaml" + --exclude="scripts/config/pre-commit.yaml" + --exclude="scripts/githooks/check-todos.sh" + ) # Exclude this script and its references by default, as it naturally contains TODOs. Todo todo todo <- see? + + if [ ${#EXCLUDED_DIRS[@]} -gt 0 ]; then + for dir in "${EXCLUDED_DIRS[@]}"; do + args+=(--exclude-dir="$dir") + done + fi + + if [ ${#EXCLUDED_FILES[@]} -gt 0 ]; then + for file in "${EXCLUDED_FILES[@]}"; do + args+=(--exclude="$file") + done + fi + echo "${args[@]}" +} + + +function search_todos() { + local mode="$1" + shift # Shift positional parameters so $@ contains only exclude_args + local exclude_args=("$@") + local todos="" + + local files + files=$(get_files_to_check "$mode") + # flatten files to unique list + files=$(echo "$files" | tr ' ' '\n' | sort -u) + + for file in $files; do + skip=false + + # Check if the file matches any exclude patterns + # Exclude files based on provided arguments and predefined directories + for ex in "${exclude_args[@]}"; do + if [[ "$ex" == --exclude* ]]; then + pattern=${ex#--exclude=} + [[ "$file" == $pattern ]] && skip=true && break + fi + done + + # Check if the file is in any of the excluded directories + for exdir in "${EXCLUDED_DIRS[@]}"; do + [[ "$file" == $exdir* ]] && skip=true && break + done + + # If the file is excluded, skip it + if [ "$skip" = false ] && [ -f "$file" ]; then + file_todos=$(grep -nHiE '\bTODO\b' "$file" || true) + [ -n "$file_todos" ] && todos+="$file_todos\n" + fi + done + + echo -e 
"$todos" +} + + +function filter_todos_with_valid_jira_ticket() { + local todos="$1" + local jira_regex="[A-Z][A-Z0-9]+-[0-9]+" + local todos_without_ticket="" + + while IFS= read -r line; do + # Only lines with TODO but without a valid JIRA ticket + if grep -qnHiE '\bTODO\b' <<< "$line"; then + if ! [[ "$line" =~ $jira_regex ]]; then + todos_without_ticket+="$line\n" + fi + fi + done <<< "$(echo -e "$todos")" + + # Output only TODOs without a valid JIRA ticket + echo -e "$todos_without_ticket" +} + + +function print_output() { + local todos="$1" + local exclude_args="$2" + local todo_count=$(line_count "$todos") + + echo "TODO Check Configuration:" + echo "=========================================" + echo " Check Mode: ${check:-working-tree-changes}" + echo " Total TODOs found: $todo_count" + + if [ ${#EXCLUDED_DIRS[@]} -gt 0 ]; then + echo " Excluded Directories: ${EXCLUDED_DIRS[*]}" + else + echo " Excluded Directories: (none)" + fi + + if [ ${#EXCLUDED_FILES[@]} -gt 0 ]; then + echo " Excluded Files: ${EXCLUDED_FILES[*]}" + else + echo " Excluded Files: (none)" + fi + + if is-arg-true "${VERBOSE:-false}"; then + echo "Grep Exclude Args: $exclude_args" + fi + + echo -e "\n=========================================" + echo "All TODOs found: $todo_count" + echo "=========================================" + + if [ "$todo_count" -gt 0 ]; then + echo "$todos" + else + echo "No TODOs found." + fi + + local results=$(filter_todos_with_valid_jira_ticket "$todos") + local results_count=$(line_count "$results") + + echo -e "\n=========================================" + echo "TODOs without a Jira ticket: $results_count" + echo "=========================================" + + if [ "$results_count" -gt 0 ]; then + echo "$results" + exit 1 + else + echo "No TODOs found without a Jira reference." 
+ fi +} + + +function main() { + cd "$(git rev-parse --show-toplevel)" + + local check_mode="${check:-working-tree-changes}" + local exclude_args=$(build_exclude_args) + local todos=$(search_todos "$check_mode" $exclude_args) + print_output "$todos" "$exclude_args" +} + +# ============================================================================== + +# Count non-empty lines in a string +function line_count() { + local input="$1" + if [ -n "$input" ]; then + echo -e "$input" | wc -l + else + echo 0 + fi +} + +function is-arg-true() { + if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then + return 0 + else + return 1 + fi +} + +# ============================================================================== + +is-arg-true "${VERBOSE:-false}" && set -x + +main "$@" + +exit 0 diff --git a/scripts/githooks/sort-dictionary.sh b/scripts/githooks/sort-dictionary.sh index 45a395292..2fea13998 100755 --- a/scripts/githooks/sort-dictionary.sh +++ b/scripts/githooks/sort-dictionary.sh @@ -25,7 +25,8 @@ function main() { mv $root/accept.sorted.txt $root/accept.txt mv $root/reject.sorted.txt $root/reject.txt - git add -uv $root/* + # Update the sorted files in the staged git index + git add --update --verbose $root/* } # ============================================================================== diff --git a/scripts/githooks/sync-template-repo.sh b/scripts/githooks/sync-template-repo.sh index 0d23e52f3..6e731db7b 100755 --- a/scripts/githooks/sync-template-repo.sh +++ b/scripts/githooks/sync-template-repo.sh 
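Review bot: The header comment of the new `check-todos.sh` is copied from the secrets scanner: it says the script wraps gitleaks to scan for secrets and gives `./scan-secrets.sh` as the usage, none of which matches the code below, which greps the selected files for `\bTODO\b` and reports the matches lacking a Jira-style reference. Replace the first paragraph with something like `# Pre-commit git hook that searches the selected files for TODO markers and fails when any TODO lacks a Jira ticket reference (e.g. ABC-123).` and the usage line with `# $ [options] ./check-todos.sh`. The documented exit code 126 for an unknown mode is unlikely to surface: `exit 126` runs inside the `$(get_files_to_check "$mode")` substitution in `search_todos`, and `local todos=$(search_todos …)` in `main` discards that status, so the script appears to continue with an empty list and exit 0 — worth confirming with `check=bogus`. `files=$(echo "$files" | tr ' ' '\n' | sort -u)` together with the unquoted `for file in $files` also splits any path containing a space into fragments that the `-f` test then silently skips, so such files are never checked.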
@@ -42,15 +42,13 @@ if [ ! -f "${MERGE_FILE}" ]; then echo "# Files and folders to merge when syncing ${TEMPLATE_REPO_DIR} back in to this repository" > ${MERGE_FILE} fi -# Read the .template-ignore file into an array -while IFS= read -r line || [ -n "$line" ]; do - IGNORED_PATHS+=("$line") -done < "$IGNORE_FILE" +TMP_SYNC_IGNORE=${PWD}/tmp-sync-ignore +mkdir -p "${TMP_SYNC_IGNORE}" +cp "${IGNORE_FILE}" "${TMP_SYNC_IGNORE}/.gitignore" -# Read the .template-merge file into an array -while IFS= read -r line || [ -n "$line" ]; do - MERGED_PATHS+=("$line") -done < "$MERGE_FILE" +TMP_SYNC_MERGE=${PWD}/tmp-sync-merge +mkdir -p "${TMP_SYNC_MERGE}" +cp "${MERGE_FILE}" "${TMP_SYNC_MERGE}/.gitignore" # Check if a file is ignored. is_ignored() { @@ -61,27 +59,25 @@ is_ignored() { return 0 fi - for ignored in "${IGNORED_PATHS[@]}"; do - if [[ -n "$ignored" && "$file" =~ $ignored ]]; then - return 0 - fi - done - return 1 + pushd "${TMP_SYNC_IGNORE}" > /dev/null + git check-ignore -q "${file}" + R=$? + popd > /dev/null + return $R } is_merge() { local file=${1} - for merged in "${MERGED_PATHS[@]}"; do - if [[ -n "$merged" && "$file" =~ $merged ]]; then - return 0 - fi - done - return 1 + pushd "${TMP_SYNC_MERGE}" > /dev/null + git check-ignore -q "${file}" + R=$? + popd > /dev/null + return $R } # Navigate to the template directory -cd "${TEMPLATE_REPO_DIR}" || exit +pushd "${TEMPLATE_REPO_DIR}" || exit FILES_ADDED=() FILES_WITH_CHANGES=() @@ -127,6 +123,9 @@ while IFS= read -r -d '' file || [[ -n $file ]]; do fi done < <(find . -type f -print0) +popd +rm -rf "${TMP_SYNC_IGNORE}" "${TMP_SYNC_MERGE}" + echo ------------------------------------------ echo "${#FILES_ADDED[@]} files added, ${#FILES_WITH_CHANGES[@]} files with changes detected." From 9c2393816e4acfb1d1b84242aee348c5b642a210 Mon Sep 17 00:00:00 2001 
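Review bot: The temporary `tmp-sync-ignore` and `tmp-sync-merge` directories are only removed on the success path; `pushd "${TEMPLATE_REPO_DIR}" || exit` and any other early exit leave them behind inside `${PWD}`, where they can be committed or walked by a later sync. Add `trap 'rm -rf "${TMP_SYNC_IGNORE}" "${TMP_SYNC_MERGE}"' EXIT` right after they are created and drop the explicit `rm -rf` at the end. Running `git check-ignore` from a subdirectory of this repository also consults the repository's own `.gitignore` and `.git/info/exclude`, so a template file that this repository happens to ignore would be classified as ignored (or merged) too — presumably acceptable, but worth a comment on `is_ignored` and `is_merge`. Whether `set -e` is active is outside the hunk; if it is, the non-zero status of `git check-ignore -q` for a non-ignored file would abort the script before `R=$?` runs, and `R=$?` is a global that would be clearer as `local R`.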
From: aidenvaines-bjss Date: Wed, 23 Jul 2025 16:40:22 +0100 Subject: [PATCH 2/4] CCM-11345 Manual Repo Sync --- .github/SECURITY.md | 4 ++-- .github/workflows/stage-1-commit.yaml | 2 +- LICENCE.md | 2 +- scripts/config/pre-commit.yaml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 241f1e337..0382fd5df 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -21,8 +21,8 @@ If you wish to notify us of a vulnerability via email, please include detailed i You can reach us at: -- _[ A product team email address ]_ -- [cybersecurity@nhs.net](cybersecurity@nhs.net) +- [england.nhsnotify@nhs.net](mailto:england.nhsnotify@nhs.net) +- [cybersecurity@nhs.net](mailto:cybersecurity@nhs.net) ### NCSC diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index e56f2f3e8..ececcb365 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -156,7 +156,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@v4 - name: "Setup ASDF" - uses: asdf-vm/actions/setup@v3 + uses: asdf-vm/actions/setup@v4 - name: "Perform Setup" uses: ./.github/actions/setup - name: "Trivy Scan" diff --git a/LICENCE.md b/LICENCE.md index ed56eb210..02174c4c8 100644 --- a/LICENCE.md +++ b/LICENCE.md @@ -1,6 +1,6 @@ # MIT Licence -Copyright (c) 2024 Crown Copyright NHS England. +Copyright (c) 2025 Crown Copyright NHS England. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml index 8843370f7..29397e233 100644 --- a/scripts/config/pre-commit.yaml +++ b/scripts/config/pre-commit.yaml 
@@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 # Use the ref you want to point at + rev: v5.0.0 # Use the ref you want to point at hooks: - id: trailing-whitespace - id: detect-aws-credentials From 22944034ccfc3da2dbd2a5e30267f3398e236ff6 Mon Sep 17 00:00:00 2001 From: aidenvaines-bjss Date: Thu, 24 Jul 2025 16:45:56 +0100 Subject: [PATCH 3/4] CCM-11345 Manual Repo Sync --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 03bf1714d..091fd4734 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 + uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 with: sarif_file: results.sarif From 08729f8a0001f814af5eb7476f50a9dc68720d43 Mon Sep 17 00:00:00 2001 From: aidenvaines-bjss Date: Fri, 25 Jul 2025 09:29:35 +0100 Subject: [PATCH 4/4] CCM-11345 Manual Repo Sync --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 091fd4734..5552785d3 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif