diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 4293eea6b..cc47bc8fd 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -66,7 +66,8 @@
 }
 }
 },
- "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/prescriptionsforpatients; make install; direnv allow ."
+ "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
+ "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/prescriptionsforpatients; make install; direnv allow .; docker build -f /workspaces/eps-workflow-quality-checks/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets ."
 // "features": {},
 // Use 'forwardPorts' to make a list of ports inside the container available locally.
 // "forwardPorts": [],
diff --git a/.gitallowed b/.gitallowed
new file mode 100644
index 000000000..49086f83e
--- /dev/null
+++ b/.gitallowed
@@ -0,0 +1,16 @@
+token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
+id-token: write
+--token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
+--token=\$GITHUB-TOKEN
+--token="\$GITHUB-TOKEN"
+"accountId": "123456789012"
+accountId: "123456789012"
+console\.log\(`access token : \${access_token}`\)
+.*CidrBlock.*
+.*Gemfile\.lock.*
+.*\.gitallowed.*
+.*nhsd-rules-deny.txt.*
+.*\.venv.*
+.*node_modules.*
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c92b892d9..44da1367b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ env:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.2
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
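Review bot: The `docker build` appended to `postCreateCommand` takes its Dockerfile from `/workspaces/eps-workflow-quality-checks`, a sibling checkout that nothing in this config creates or pins, so the scanner image is built from whatever revision happens to be there (or the step fails outright when the directory is absent), while the workflow files in this same commit pin that repository to v4.0.2. I would check the directory exists and pin the checkout to the same tag before building, or at least fail with a message naming the missing path instead of letting the pre-commit hook fail later with an image-not-found error. The build context is also `.`, the whole workspace, even though the Dockerfile lives elsewhere; if that Dockerfile does not COPY anything from the context, `docker build -t git-secrets - < /workspaces/eps-workflow-quality-checks/dockerfiles/nhsd-git-secrets.dockerfile` avoids shipping the entire repo to the daemon on every container create.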
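Review bot: The `.*CidrBlock.*`, `.*Gemfile\.lock.*`, `.*\.venv.*` and `.*node_modules.*` entries are unanchored, and as I read git-secrets' allowlist filtering they are matched against the whole `file:line:content` record, so any line that merely mentions one of those strings is exempted, including a line that also carries a real credential; `.*\.gitallowed.*` and `.*nhsd-rules-deny.txt.*` likewise exempt every line of every path containing those names. If the intent is to skip those files or directories, anchor the pattern to the path portion, e.g. `^[^:]*node_modules/` and `^[^:]*\.gitallowed:`, so content outside them is still scanned. The `secrets.GITHUB_TOKEN`, `steps.generate-token` and `"accountId": "123456789012"` entries are already narrow and read as intended placeholder allows; a one-line comment per group saying why each exists would help whoever next has to decide whether an entry can be removed.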
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index fb1e35970..426fa7c49 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -9,8 +9,8 @@ env:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
- secrets:
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.2
+ secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 pr_title_format_check:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 77788ba2b..83fa51858 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,7 +5,7 @@ on:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.2
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4f9faa97f..74da0190e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -137,5 +137,16 @@ repos:
 types_or: [sh, shell]
 pass_filenames: false
+ - repo: local
+ hooks:
+ - id: git-secrets
+ name: Git Secrets
+ description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+ entry: bash
+ args:
+ - -c
+ - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'
+ language: system
+ fail_fast: true
 default_stages: [commit]
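Review bot: In the `.pre-commit-config.yaml` hunk, `$LOCAL_WORKSPACE_FOLDER` is only set by the devcontainer's `remoteEnv` added in this commit, so when the hook runs from a plain checkout or in CI the mount degrades to `-v ":/src"` and docker rejects it with a volume-spec error that says nothing about what is actually missing. I would make the precondition explicit and remove the finished container: `- ': "${LOCAL_WORKSPACE_FOLDER:?must be set; run inside the devcontainer}" && docker run --rm -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'`. The `git-secrets` image is an unversioned local tag produced by the devcontainer's `postCreateCommand`, so the hook fails closed when the image is absent, which is acceptable, but a comment above the hook naming where the image comes from and which quality-checks tag it should match would save the next reader a search.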