NHSDigital · aidenvaines-cgi · Jul 28, 2025 · Jul 23, 2025 · Jul 23, 2025 · Jul 24, 2025
@@ -21,8 +21,8 @@ If you wish to notify us of a vulnerability via email, please include detailed i
 
 You can reach us at:
 
-- _[ A product team email address ]_
-- [cybersecurity@nhs.net](cybersecurity@nhs.net)
+- [england.nhsnotify@nhs.net](mailto:england.nhsnotify@nhs.net)
+- [cybersecurity@nhs.net](mailto:cybersecurity@nhs.net)
 
 ### NCSC
 

@@ -0,0 +1,10 @@
+name: "Check Todo usage"
+description: "Check Todo usage"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Todo usage"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        check=branch ./scripts/githooks/check-todos.sh
@@ -32,7 +32,7 @@ jobs:
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}
-      uses: peter-evans/create-pull-request@v7.0.7
+      uses: peter-evans/create-pull-request@v7.0.8
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: Drift from template

@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '15 22 * * 5'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: false
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        with:
+          sarif_file: results.sarif
@@ -36,7 +36,7 @@
   scan-secrets:
     name: "Scan secrets"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -47,7 +47,7 @@
   check-file-format:
     name: "Check file format"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -58,7 +58,7 @@
   check-markdown-format:
     name: "Check Markdown format"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -93,15 +93,26 @@
   check-english-usage:
     name: "Check English usage"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check English usage"
         uses: ./.github/actions/check-english-usage
+  check-todo-usage:
+    name: "Check TODO usage"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check TODO usage"
+        uses: ./.github/actions/check-todo-usage
   detect-terraform-changes:
     name: "Detect Terraform Changes"
     runs-on: ubuntu-latest
    outputs:
@@ -127,7 +138,7 @@
   lint-terraform:
     name: "Lint Terraform"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
@@ -145,7 +156,7 @@
       - name: "Checkout code"
         uses: actions/checkout@v4
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v3
+        uses: asdf-vm/actions/setup@v4
       - name: "Perform Setup"
         uses: ./.github/actions/setup
       - name: "Trivy Scan"
@@ -156,7 +167,7 @@
     permissions:
       id-token: write
       contents: read
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -175,7 +186,7 @@
     permissions:
       id-token: write
       contents: read
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4

@@ -7,6 +7,7 @@ terraform 1.9.2
 terraform-docs 0.19.0
 trivy 0.61.0
 vale 3.6.0
+# python 3.13.2
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

@@ -1,6 +1,6 @@
 # MIT Licence
 
-Copyright (c) 2024 Crown Copyright NHS England.
+Copyright (c) 2025 Crown Copyright NHS England.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

@@ -793,8 +793,8 @@ case "${action}" in
     ;;
   *)
     echo -e "Generic action case invoked. Only the additional arguments will be passed to terraform, you break it you fix it:";
-    echo -e "\tterraform ${action} ${extra_args}";
-    terraform "${action}" ${extra_args} \
+    echo -e "\tterraform ${action} ${extra_args} | tee terraform_output";
+    terraform "${action}" ${extra_args} | tee terraform_output \
       || error_and_die "Terraform ${action} failed.";
     ;;
 esac;

@@ -1,24 +1,33 @@
 # Files and folders to ignore when syncing nhs-notify-repository-template back in to this repository
-.github/workflows/
 nhs-notify-repository-template/
-.github/CODEOWNERS
 
 # Files and Folders in this repository to ignore
+.editorconfig
+.github/CODEOWNERS
+.github/ISSUE_TEMPLATE
+.github/workflows/cicd-*.yaml
+.github/workflows/stage-*.yaml
+.gitleaksignore
 .vscode/
+Makefile
 CHANGELOG.md
 project.code-workspace
 README.md
-VERSION
-.editorconfig
-.gitleaksignore
-scripts/tests/
-Makefile
 scripts/config/sonar-scanner.properties
+scripts/tests/
+VERSION
 
 # Files and Folders in the template repository to disregard
 .devcontainer/
-.github/workflows/cicd-*.yaml
+.github/actions/build-docs
+.github/workflows/*.disabled
 */examples/
 docs/
+eslint.config.mjs
 infrastructure/terraform/components/
-docker/examples/
+lambdas/example-lambda/
+package-lock.json
+package.json
+scripts/**/examples/
+scripts/terraform/terraform.mk
+src/.vscode/
@@ -1,6 +1,8 @@
 # Files and folders to merge when syncing nhs-notify-repository-template back in to this repository
+.github/workflows/cicd-*.yaml
 scripts/config/.repository-template-sync-ignore
 scripts/config/.repository-template-sync-merge
+scripts/config/vale/vale.ini
 .tool-versions
 .gitignore
 scripts/config/vale/styles/config/vocabularies/words/accept.txt

@@ -1,22 +1,18 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0 # Use the ref you want to point at
+    rev: v5.0.0 # Use the ref you want to point at
     hooks:
       - id: trailing-whitespace
-        exclude: .+\.snap
       - id: detect-aws-credentials
         args: [--allow-missing-credentials]
       - id: check-added-large-files
       - id: check-symlinks
       - id: detect-private-key
       - id: end-of-file-fixer
-        exclude: .+\.cs
       - id: forbid-new-submodules
       - id: mixed-line-ending
       - id: pretty-format-json
         args: ['--autofix']
-        exclude: package-lock.json
-
     # -   id: ...
   - repo: local
     hooks:
@@ -67,3 +63,10 @@ repos:
         entry: ./scripts/githooks/check-terraform-docs.sh
         language: script
         pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-todo-usage
+        name: Check TODO usage
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-todos.sh
+        language: script
+        pass_filenames: false
@@ -9,6 +9,7 @@ drawio
 endcapture
 endfor
 endraw
+Git[Hh]ub
 GitHub
 Gitleaks
 Grype

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+rm -Rf ~/.asdf
+git clone https://github.com/asdf-vm/asdf.git ~/.asdf;
+chmod +x ~/.asdf/asdf.sh;
+echo '. $HOME/.asdf/asdf.sh' >> ~/.zshrc
+echo '. $HOME/.asdf/completions/asdf.bash' >> ~/.zshrc
+
+source ~/.zshrc
+
+echo 'asdf setup complete'
+
+make config
+
+jekyll --version && cd docs && bundle install
+
+echo 'jekyll setup complete'
@@ -0,0 +1,3 @@
+#!/bin/bash
+source ~/.zshrc
+make config
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,7 @@ drawio @@
     endcapture
     endfor
     endraw
+    Git[Hh]ub
     GitHub
     Gitleaks
     Grype
@@ Expand Down @@