diff --git a/.gitattributes b/.gitattributes index 1f160080..c3f9b915 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,5 +1,4 @@ scripts/docker/** linguist-vendored -scripts/githooks/** linguist-vendored scripts/reports/** linguist-vendored scripts/terraform/** linguist-vendored scripts/tests/test.mk linguist-vendored diff --git a/.github/actions/check-english-usage/action.yaml b/.github/actions/check-english-usage/action.yaml deleted file mode 100644 index 9953bcc7..00000000 --- a/.github/actions/check-english-usage/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Check English usage" -description: "Check English usage" -runs: - using: "composite" - steps: - - name: "Check English usage" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-english-usage.sh diff --git a/.github/actions/check-file-format/action.yaml b/.github/actions/check-file-format/action.yaml deleted file mode 100644 index bd0929a8..00000000 --- a/.github/actions/check-file-format/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Check file format" -description: "Check file format" -runs: - using: "composite" - steps: - - name: "Check file format" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-file-format.sh diff --git a/.github/actions/check-markdown-format/action.yaml b/.github/actions/check-markdown-format/action.yaml deleted file mode 100644 index 53a715b4..00000000 --- a/.github/actions/check-markdown-format/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Check Markdown format" -description: "Check Markdown format" -runs: - using: "composite" - steps: - - name: "Check Markdown format" - shell: bash - run: | - export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} - check=branch ./scripts/githooks/check-markdown-format.sh 
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml deleted file mode 100644 index b21f0667..00000000 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -name: "Count lines of code" -description: "Count lines of code" -inputs: - build_datetime: - description: "Build datetime, set by the CI/CD pipeline workflow" - required: true - build_timestamp: - description: "Build timestamp, set by the CI/CD pipeline workflow" - required: true - idp_aws_report_upload_account_id: - description: "IDP AWS account ID" - required: true - idp_aws_report_upload_region: - description: "IDP AWS account region" - required: true - idp_aws_report_upload_role_name: - description: "Role to upload the report" - required: true - idp_aws_report_upload_bucket_endpoint: - description: "Bucket endpoint for the report" - required: true -runs: - using: "composite" - steps: - - name: "Create CLOC report" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/create-lines-of-code-report.sh - - name: "Compress CLOC report" - shell: bash - run: zip lines-of-code-report.json.zip lines-of-code-report.json - - name: "Upload CLOC report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: lines-of-code-report.json.zip - path: ./lines-of-code-report.json.zip - retention-days: 21 - - name: "Check prerequisites for sending the report" - shell: bash - id: check - run: | - echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - - name: "Authenticate to send the report" - if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} - aws-region: ${{ inputs.idp_aws_report_upload_region }} - - name: "Send the CLOC report to the central location" - shell: bash - if: steps.check.outputs.secrets_exist == 'true' - run: | - aws s3 cp \ - ./lines-of-code-report.json.zip \ - ${{ 
inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip diff --git a/.github/actions/lint-terraform/action.yaml b/.github/actions/lint-terraform/action.yaml deleted file mode 100644 index d5dfe35d..00000000 --- a/.github/actions/lint-terraform/action.yaml +++ /dev/null @@ -1,20 +0,0 @@ -name: "Lint Terraform" -description: "Lint Terraform" -inputs: - root-modules: - description: "Comma separated list of root module directories to validate, content of the 'infrastructure/environments' is checked by default" - required: false -runs: - using: "composite" - steps: - - name: "Check Terraform format" - shell: bash - run: | - check_only=true scripts/githooks/check-terraform-format.sh - - name: "Validate Terraform" - shell: bash - run: | - stacks=${{ inputs.root-modules }} - for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do - dir=$dir make terraform-validate - done diff --git a/.github/actions/perform-static-analysis/action.yaml b/.github/actions/perform-static-analysis/action.yaml deleted file mode 100644 index a619e9d2..00000000 --- a/.github/actions/perform-static-analysis/action.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: "Perform static analysis" -description: "Perform static analysis" -inputs: - sonar_organisation_key: - description: "Sonar organisation key, used to identify the project" - required: false - sonar_project_key: - description: "Sonar project key, used to identify the project" - required: false - sonar_token: - description: "Sonar token, the API key" - required: false -runs: - using: "composite" - steps: - - name: "Check prerequisites for performing static analysis" - shell: bash - id: check - run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT - - name: "Perform static analysis" - shell: bash - if: steps.check.outputs.secret_exist == 'true' - run: | - export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')} - export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }} - export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }} - export SONAR_TOKEN=${{ inputs.sonar_token }} - ./scripts/reports/perform-static-analysis.sh diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml deleted file mode 100644 index f8ed605d..00000000 --- a/.github/actions/scan-dependencies/action.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -name: "Scan dependencies" -description: "Scan dependencies" -inputs: - build_datetime: - description: "Build datetime, set by the CI/CD pipeline workflow" - required: true - build_timestamp: - description: "Build timestamp, set by the CI/CD pipeline workflow" - required: true - idp_aws_report_upload_account_id: - description: "IDP AWS report upload account ID to upload the report to" - required: false - idp_aws_report_upload_region: - description: "IDP AWS report upload account region to upload the report to" - required: false - idp_aws_report_upload_role_name: - description: "IDP AWS report upload role name for OIDC authentication" - required: false - idp_aws_report_upload_bucket_endpoint: - description: "IDP AWS report upload endpoint to upload the report to" - required: false -runs: - using: "composite" - steps: - - name: "Generate SBOM" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/create-sbom-report.sh - - name: "Compress SBOM report" - shell: bash - run: zip sbom-repository-report.json.zip sbom-repository-report.json - - name: "Upload SBOM report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: sbom-repository-report.json.zip - path: ./sbom-repository-report.json.zip - retention-days: 21 - - name: "Scan vulnerabilities" - shell: bash - run: | - export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/scan-vulnerabilities.sh - - name: "Compress vulnerabilities report" - shell: bash - run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - - name: "Upload vulnerabilities report as an artefact" - if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: - name: vulnerabilities-repository-report.json.zip - path: ./vulnerabilities-repository-report.json.zip - retention-days: 21 - - name: "Check prerequisites for sending the reports" - shell: bash - id: check - run: echo "secrets_exist=${{ 
inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - - name: "Authenticate to send the reports" - if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} - aws-region: ${{ inputs.idp_aws_report_upload_region }} - - name: "Send the SBOM and vulnerabilities reports to the central location" - shell: bash - if: steps.check.outputs.secrets_exist == 'true' - run: | - aws s3 cp \ - ./sbom-repository-report.json.zip \ - ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip - aws s3 cp \ - ./vulnerabilities-repository-report.json.zip \ - ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip diff --git a/.github/actions/scan-secrets/action.yaml b/.github/actions/scan-secrets/action.yaml deleted file mode 100644 index 1ed8bac2..00000000 --- a/.github/actions/scan-secrets/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Scan secrets" -description: "Scan secrets" -runs: - using: "composite" - steps: - - name: "Scan secrets" - shell: bash - run: | - # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten. - check=whole-history ./scripts/githooks/scan-secrets.sh diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 17ef311a..6d7cbd2a 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml 
@@ -6,23 +6,33 @@ updates: directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " - package-ecosystem: "github-actions" directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " - package-ecosystem: "npm" directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " - package-ecosystem: "pip" directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " - package-ecosystem: "terraform" directory: "/" schedule: interval: "daily" + commit-message: + prefix: "CCM-9336: " diff --git a/.github/workflows/cicd-4-pr-title-check.yaml b/.github/workflows/cicd-4-pr-title-check.yaml new file mode 100644 index 00000000..a3358cdc --- /dev/null +++ b/.github/workflows/cicd-4-pr-title-check.yaml @@ -0,0 +1,20 @@ +name: "4. PR Title Check" + +on: + pull_request: + types: [opened, reopened, synchronize, edited] + branches: + - main + +permissions: + contents: read + +jobs: + check-pr-title: + name: "Check PR title" + runs-on: ubuntu-latest + steps: + - name: "Check PR title format" + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-pr-title-format@3009a36549abae57bae8fe0119c2f3fed156a628 # 3.1.2 + with: + title: ${{ github.event.pull_request.title }} diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml new file mode 100644 index 00000000..8965f1d3 --- /dev/null +++ b/.github/workflows/manual-combine-dependabot-prs.yaml 
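Review bot: `title: ${{ github.event.pull_request.title }}` in the new `cicd-4-pr-title-check.yaml` hands the check action a value that any PR author controls; because the workflow runs on `pull_request` with `contents: read` and no secrets, the blast radius is small, but the pinned `check-pr-title-format` action should read `inputs.title` through an `env:` mapping rather than interpolating it into a `run:` script, and that is worth confirming in the shared module since this workflow cannot enforce it. The `branches: [main]` filter also means PRs raised against any other base branch are not title-checked; if release branches exist, list them there as well.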
@@ -0,0 +1,24 @@ +name: Combine Dependabot PRs + +on: + workflow_dispatch: + +permissions: + contents: write + pull-requests: write + checks: read + +jobs: + combine-prs: + runs-on: ubuntu-latest + + steps: + - name: combine-prs + id: combine-prs + uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0 + with: + ci_required: false + labels: dependencies + pr_title: "CCM-9336: Combined Dependabot PRs" + combine_branch_name: dependabotCombined + pr_body_header: "CCM-9336: Combined Dependabot PRs" diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml new file mode 100644 index 00000000..b2f47d75 --- /dev/null +++ b/.github/workflows/scheduled-repository-template-sync.yaml 
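Review bot: `ci_required: false` tells `github/combine-prs` to fold Dependabot PRs into `dependabotCombined` regardless of whether their own checks passed, so a bump whose pipeline failed is carried into the combined branch and only surfaces when the combined PR's checks run; unless the intent is to triage failures there, `ci_required: true` is the safer default. The workflow-level `contents: write` / `pull-requests: write` grant applies to every job in the file; with a single job that is harmless today, but declaring the block under `combine-prs:` keeps any future job at read-only by default.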
@@ -0,0 +1,54 @@ +name: Repository Template Sync + +on: + schedule: + - cron: '0 0 1 * *' + workflow_dispatch: + +permissions: + contents: write + pull-requests: write + checks: read + +jobs: + update-external-repo: + runs-on: ubuntu-latest + + steps: + - name: Check out the repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - name: Check out external repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + repository: NHSDigital/nhs-notify-repository-template + path: nhs-notify-repository-template + token: ${{ github.token }} + + - name: Run syncronisation script + run: | + ./nhs-notify-repository-template/scripts/maintenance/sync-template-repo.sh + rm -Rf ./nhs-notify-repository-template + + - name: Create Pull Request + if: ${{ !env.ACT }} + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: Drift from template + branch: scheduledTemplateRepositorySync + delete-branch: true + title: '[Template Sync] Drift from template-repository remediation' + body: | + # Resultant drift from repository template + + ## Who should respond to this PR? + The team which owns the responsibility for this component repository. You may want to consult other contributors. + + ## How to progress this PR + The repositories guardians should review the contents of the PR and decide how to proceed, you may wish to back-out certain changes or accept them from the upstream `nhsdigital/nhs-notify-repository-template` repository. + + If there are changes you do not wish to see again, it is recommended you add exclusions to `scripts/config/.repository-template-sync-ignore`. + labels: | + template + automation + draft: false diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index a516b786..f529e52a 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml 
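Review bot: The `Check out external repository` step clones `NHSDigital/nhs-notify-repository-template` without a `ref:`, and the next step executes `scripts/maintenance/sync-template-repo.sh` from that clone in a job holding `contents: write` and `pull-requests: write`, so whatever lands on the template's default branch runs here with write access on every monthly schedule. Pinning the checkout, e.g. `ref: "<template-release-tag-or-sha>"` under the same `with:` block, keeps the executed script under this repository's control and makes template bumps reviewable in the same way as the SHA-pinned actions elsewhere in this commit. The step name `Run syncronisation script` should read `Run synchronisation script`.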
@@ -19,10 +19,19 @@ on: description: "Node.js version, set by the CI/CD pipeline workflow" required: true type: string + pnpm_version: + description: "pnpm version, set by the CI/CD pipeline workflow" + required: true + type: string python_version: description: "Python version, set by the CI/CD pipeline workflow" required: true type: string + #TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 + # skip_trivy_package: + # description: "Skip Trivy package scan when true" + # type: boolean + # default: false terraform_version: description: "Terraform version, set by the CI/CD pipeline workflow" required: true 
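Review bot: The `#TODO - Re-visit Trivy usage` block leaves the `skip_trivy_package` input commented out, and the next hunk of this file (`@@ -36,68 +45,160 @@`) comments out the `trivy-iac` and `trivy-package` jobs the same way, so as far as this file shows the commit stage now runs no IaC or Trivy package vulnerability scan. If the scans are meant to be off only temporarily, the comment should say what has to be true for them to come back, e.g. `# Trivy jobs disabled pending CCM-15549; re-enable once the shared trivy-* actions are adopted.` rather than a bare TODO that the new `check-todos-ignore.conf` exempts for this file. As a style point, `#TODO` should be `# TODO` to match the other comments in the workflow.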
@@ -36,68 +45,160 @@ jobs: scan-secrets: name: "Scan secrets" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" - uses: ./.github/actions/scan-secrets + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@c49f0e52360edb291b09a39ae9c5ac1933716c6c # 3.0.0 check-file-format: name: "Check file format" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" - uses: ./.github/actions/check-file-format + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@c49f0e52360edb291b09a39ae9c5ac1933716c6c # 3.0.0 check-markdown-format: name: "Check Markdown format" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" - uses: ./.github/actions/check-markdown-format + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@c49f0e52360edb291b09a39ae9c5ac1933716c6c # 3.0.0 + terraform-docs: + name: "Run terraform-docs" + runs-on: ubuntu-latest + needs: detect-terraform-changes + if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' + permissions: + contents: write + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + fetch-depth: 0 # Full history is needed to compare branches + - name: "Check to see if Terraform Docs are up-to-date" + run: | + 
make terraform-docs + - name: "Stage changes" + run: | + git add infrastructure/terraform/**/*.md + - name: "Check for changes in Terraform Docs" + run: | + if git diff --cached --name-only | grep -qE '\.md$'; then + echo "Markdown files have changed. Please run 'make terraform-docs' and commit the changes." + exit 1 + fi check-english-usage: name: "Check English usage" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" - uses: ./.github/actions/check-english-usage + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@c49f0e52360edb291b09a39ae9c5ac1933716c6c # 3.0.0 + check-todo-usage: + name: "Check TODO usage" + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + fetch-depth: 0 # Full history is needed to compare branches + - name: "Check TODO usage" + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@c49f0e52360edb291b09a39ae9c5ac1933716c6c # 3.0.0 + detect-terraform-changes: + name: "Detect Terraform Changes" + runs-on: ubuntu-latest + outputs: + terraform_changed: ${{ steps.check.outputs.terraform_changed }} + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: "Check for Terraform changes" + id: check + run: | + git fetch origin main || true # Ensure you have the latest main branch + CHANGED_FILES=$(git diff --name-only HEAD origin/main) + echo "Changed files: $CHANGED_FILES" + + if echo "$CHANGED_FILES" | grep -qE '\.tf$'; then + echo "Terraform files have changed." + echo "terraform_changed=true" >> $GITHUB_OUTPUT + else + echo "No Terraform changes detected." 
+ echo "terraform_changed=false" >> $GITHUB_OUTPUT + fi lint-terraform: name: "Lint Terraform" runs-on: ubuntu-latest - timeout-minutes: 2 + timeout-minutes: 5 + needs: detect-terraform-changes + if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - name: "Setup ASDF" + uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 - name: "Lint Terraform" - uses: ./.github/actions/lint-terraform + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/lint-terraform@c49f0e52360edb291b09a39ae9c5ac1933716c6c # 3.0.0 + #TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 + # trivy-iac: + # name: "Trivy IaC Scan" + # permissions: + # contents: read + # runs-on: ubuntu-latest + # timeout-minutes: 10 + # needs: detect-terraform-changes + # if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' + # steps: + # - name: "Checkout code" + # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + # - name: "Setup ASDF" + # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 + # - name: "Trivy IaC Scan" + # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-iac@c0d351d206f638c18349021ad5b79ca65de2b56c # v2.0.32 + # trivy-package: + # if: ${{ !inputs.skip_trivy_package }} + # name: "Trivy Package Scan" + # permissions: + # contents: read + # runs-on: ubuntu-latest + # timeout-minutes: 10 + # steps: + # - name: "Checkout code" + # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + # - name: "Setup ASDF" + # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 + # - name: "Trivy Package Scan" + # uses: NHSDigital/nhs-notify-shared-modules/.github/actions/trivy-package@c0d351d206f638c18349021ad5b79ca65de2b56c # v2.0.32 count-lines-of-code: name: "Count lines of code" runs-on: ubuntu-latest 
permissions: id-token: write contents: read - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "Count lines of code" - uses: ./.github/actions/create-lines-of-code-report + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@c0d351d206f638c18349021ad5b79ca65de2b56c # v2.0.32 with: build_datetime: "${{ inputs.build_datetime }}" build_timestamp: "${{ inputs.build_timestamp }}" @@ -111,12 +212,12 @@ jobs: permissions: id-token: write contents: read - timeout-minutes: 2 + timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "Scan dependencies" - uses: ./.github/actions/scan-dependencies + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@c0d351d206f638c18349021ad5b79ca65de2b56c # v2.0.32 with: build_datetime: "${{ inputs.build_datetime }}" build_timestamp: "${{ inputs.build_timestamp }}" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index efcb2ac4..bd2c98bc 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -87,7 +87,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Perform static analysis" - uses: ./.github/actions/perform-static-analysis + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/perform-static-analysis@c0d351d206f638c18349021ad5b79ca65de2b56c # v2.0.32 with: sonar_organisation_key: "${{ vars.SONAR_ORGANISATION_KEY }}" sonar_project_key: "${{ vars.SONAR_PROJECT_KEY }}" diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index 2a53a07a..5eb7e9f6 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml 
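Review bot: The new `terraform-docs` job requests `permissions: contents: write`, but its steps only run `make terraform-docs`, `git add` and `git diff --cached` and never commit or push, so the write scope is unused; `contents: read` is sufficient and keeps the job at least privilege, matching the `count-lines-of-code` job below which declares `contents: read`. `terraform-docs` and `detect-terraform-changes` are also the only jobs in the hunk without `timeout-minutes:`, while every sibling was raised to 5. The shared-modules actions are pinned at two different releases within one workflow (`c49f0e52` / 3.0.0 for the check-* jobs, `c0d351d2` / v2.0.32 for `create-lines-of-code-report` and `scan-dependencies`), and the `asdf-vm/actions/setup` pin carries no version comment unlike every other pin. Separately, `detect-terraform-changes` diffs `HEAD` against `origin/main`, so on a run where `HEAD` is `main` itself it reports no changes and `lint-terraform` / `terraform-docs` are skipped; worth confirming that is intended for the calling pipeline.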
@@ -19,6 +19,10 @@ on: description: "Node.js version, set by the CI/CD pipeline workflow" required: true type: string + pnpm_version: + description: "pnpm version, set by the CI/CD pipeline workflow" + required: true + type: string python_version: description: "Python version, set by the CI/CD pipeline workflow" required: true @@ -33,13 +37,29 @@ on: type: string jobs: + artefact-jekyll-docs: + name: "Build Docs" + runs-on: ubuntu-latest + timeout-minutes: 3 + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - name: "Setup pnpm" + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 + with: + version: "${{ inputs.pnpm_version }}" + cache: true + - name: "Build docs" + uses: NHSDigital/nhs-notify-shared-modules/.github/actions/build-docs@c0d351d206f638c18349021ad5b79ca65de2b56c # v2.0.32 + with: + version: "${{ inputs.version }}" artefact-1: name: "Artefact 1" runs-on: ubuntu-latest timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "Build artefact 1" run: | echo "Building artefact 1 ..." 
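Review bot: In the new `artefact-jekyll-docs` job the `pnpm/action-setup` step passes `cache: true`, but unless v5.0.0 added it that action has no `cache` input (earlier releases accept `version`, `dest`, `run_install`, `package_json_file`, `standalone`), so the line would be ignored with an "Unexpected input" warning rather than enable caching; confirm against the pinned action.yaml, and if caching is wanted it normally comes from `actions/setup-node` with `cache: pnpm`. The `build-docs` action is also pinned at `c0d351d2` / v2.0.32 while `stage-1-commit.yaml` in this same commit moves the check-* actions to 3.0.0, so the two workflows now track different releases of the shared modules.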
@@ -49,21 +69,21 @@ jobs: - name: "Upload artefact 1" run: | echo "Uploading artefact 1 ..." - # TODO: Use either action/cache or action/upload-artifact - artefact-2: - name: "Artefact 2" + # Use either action/cache or action/upload-artifact + artefact-n: + name: "Artefact n" runs-on: ubuntu-latest timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Build artefact 2" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - name: "Build artefact n" run: | - echo "Building artefact 2 ..." - - name: "Check artefact 2" + echo "Building artefact n ..." + - name: "Check artefact n" run: | - echo "Checking artefact 2 ..." - - name: "Upload artefact 2" + echo "Checking artefact n ..." + - name: "Upload artefact n" run: | - echo "Uploading artefact 2 ..." - # TODO: Use either action/cache or action/upload-artifact + echo "Uploading artefact n ..." + # Use either action/cache or action/upload-artifact diff --git a/docs/developer-guides/Scripting_Terraform.md b/docs/developer-guides/Scripting_Terraform.md index 837288f6..1fcace12 100644 --- a/docs/developer-guides/Scripting_Terraform.md +++ b/docs/developer-guides/Scripting_Terraform.md 
@@ -52,8 +52,8 @@ Here are some key features built into this repository's Terraform module: - Configuration - [`.tool-versions`](../../.tool-versions): Stores Terraform version to be used - Code quality gates - - [`lint-terraform/action.yaml`](../../.github/actions/lint-terraform/action.yaml): GitHub action - - [`check-terraform-format.sh`](../../scripts/githooks/check-terraform-format.sh): Git hook + - [`lint-terraform/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/lint-terraform/action.yaml): Shared GitHub action + - [`pre-commit.yaml`](../../scripts/config/pre-commit.yaml): Uses shared hooks including Terraform lint and docs checks - Usage example - Declarative infrastructure definition example [`terraform-state-aws-s3`](../../scripts/terraform/examples/terraform-state-aws-s3) to store Terraform state - A set of [make targets](https://github.com/nhs-england-tools/repository-template/blob/main/scripts/terraform/terraform.mk#L44) to run the example diff --git a/docs/user-guides/Perform_static_analysis.md b/docs/user-guides/Perform_static_analysis.md index a1f70118..2642f862 100644 --- a/docs/user-guides/Perform_static_analysis.md +++ b/docs/user-guides/Perform_static_analysis.md 
@@ -17,7 +17,7 @@ Static code analysis is an essential part of modern software development. It pro - [perform-static-analysis.sh](../../scripts/reports/perform-static-analysis.sh): A shell script that performs analysis - [sonar-scanner.properties](../../scripts/config/sonar-scanner.properties): A configuration file that includes the project details -- [perform-static-analysis/action.yaml](../../.github/actions/perform-static-analysis/action.yaml): GitHub action to run the script as part of the CI/CD pipeline +- [perform-static-analysis/action.yaml](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/perform-static-analysis/action.yaml): Shared GitHub action used by the CI/CD pipeline - [.gitignore](../../.gitignore): Excludes the `.scannerwork` temporary directory created during the process ## Setup diff --git a/docs/user-guides/Run_Git_hooks_on_commit.md b/docs/user-guides/Run_Git_hooks_on_commit.md index 5dd191f5..dc1ca569 100644 --- a/docs/user-guides/Run_Git_hooks_on_commit.md +++ b/docs/user-guides/Run_Git_hooks_on_commit.md 
@@ -7,20 +7,17 @@ ## Overview -Git hooks are scripts that are located in the [`./scripts/githooks`](../../scripts/githooks) directory. They are executed automatically on each commit, provided that the `make config` command has been run locally to set up the project. These same scripts are also part of the CI/CD pipeline execution. This setup serves as a safety net and helps to ensure consistency. +Git hooks are managed by the [pre-commit](https://pre-commit.com/) framework and sourced from the shared repository [NHSDigital/nhs-notify-shared-modules](https://github.com/NHSDigital/nhs-notify-shared-modules). They are executed automatically on each commit, provided that the `make config` command has been run locally to set up the project. The same checks are also part of the CI/CD pipeline execution. This setup serves as a safety net and helps to ensure consistency. The [pre-commit](https://pre-commit.com/) framework is a powerful tool for managing Git hooks, providing automated hook installation and management capabilities. ## Key files -- Scripts - - [`check-file-format.sh`](../../scripts/githooks/check-file-format.sh) - - [`check-markdown-format.sh`](../../scripts/githooks/check-markdown-format.sh) - - [`check-terraform-format.sh`](../../scripts/githooks/check-terraform-format.sh) - - [`scan-secrets.sh`](../../scripts/githooks/scan-secrets.sh) - Configuration - [`pre-commit.yaml`](../../scripts/config/pre-commit.yaml) - [`init.mk`](../../scripts/init.mk): make targets +- Shared hooks source + - [`NHSDigital/nhs-notify-shared-modules`](https://github.com/NHSDigital/nhs-notify-shared-modules) ## Testing diff --git a/docs/user-guides/Scan_dependencies.md b/docs/user-guides/Scan_dependencies.md index 4145897e..44a79721 100644 --- a/docs/user-guides/Scan_dependencies.md +++ b/docs/user-guides/Scan_dependencies.md 
@@ -19,7 +19,7 @@ In modern software development, leveraging third-party dependencies is a common - [`syft.yaml`](../../scripts/config/syft.yaml): A configuration file for the SBOM generator - [`scan-vulnerabilities.sh`](../../scripts/reports/scan-vulnerabilities.sh): A shell script that performs CVE analysis - [`grype.yaml`](../../scripts/config/grype.yaml): A configuration file for the CVE scanner -- [`scan-dependencies/action.yaml`](../../.github/actions/scan-dependencies/action.yaml): GitHub action to run the scripts as part of the CI/CD pipeline +- [`scan-dependencies/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/scan-dependencies/action.yaml): Shared GitHub action used by the CI/CD pipeline - [`.gitignore`](../../.gitignore): Excludes the `*sbom*report.json` and `*vulnerabilities*report.json` report files created during the process ## Configuration checklist diff --git a/docs/user-guides/Scan_secrets.md b/docs/user-guides/Scan_secrets.md index 1e3e1e10..fbbe0a18 100644 --- a/docs/user-guides/Scan_secrets.md +++ b/docs/user-guides/Scan_secrets.md 
@@ -15,10 +15,9 @@ Scanning a repository for hard-coded secrets is a crucial security practice. "Ha ## Key files -- [`scan-secrets.sh`](../../scripts/githooks/scan-secrets.sh): A shell script that scans the codebase for hard-coded secrets - [`gitleaks.toml`](../../scripts/config/gitleaks.toml): A configuration file for the secret scanner - [`.gitleaksignore`](../../.gitleaksignore): A list of fingerprints to ignore by the secret scanner -- [`scan-secrets/action.yaml`](../../.github/actions/scan-secrets/action.yaml): GitHub action to run the scripts as part of the CI/CD pipeline +- [`scan-secrets/action.yaml`](https://github.com/NHSDigital/nhs-notify-shared-modules/blob/v2.0.32/.github/actions/scan-secrets/action.yaml): Shared GitHub action used by the CI/CD pipeline - [`pre-commit.yaml`](../../scripts/config/pre-commit.yaml): Run the secret scanner as a pre-commit git hook ## Configuration checklist @@ -33,7 +32,7 @@ Scanning a repository for hard-coded secrets is a crucial security practice. "Ha You can execute and test the secret scanning across all commits locally on a developer's workstation using the following command ```shell -ALL_FILES=true ./scripts/githooks/scan-secrets.sh +pre-commit run scan-secrets --all-files ``` ## Removing sensitive data diff --git a/scripts/config/check-todos-ignore.conf b/scripts/config/check-todos-ignore.conf new file mode 100644 index 00000000..27e84c50 --- /dev/null +++ b/scripts/config/check-todos-ignore.conf @@ -0,0 +1,20 @@ +# Configuration file for check-todos.sh + +[files] +.devcontainer/devcontainer.json +.github/workflows/stage-1-commit.yaml +.pre-commit-hooks.yaml +.tool-versions +.vscode/extensions.json +infrastructure/terraform/bin/terraform.sh +Makefile +project.code-workspace +scripts/config/check-todos-ignore.conf +scripts/config/pre-commit.yaml +src/jekyll-devcontainer/src/.devcontainer/devcontainer.json + +[directories] +.git/ +.venv/ +docs/ +node_modules/ 
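Review bot: The new `scripts/config/check-todos-ignore.conf` gives no reason for any of its entries, so the next maintainer cannot tell whether excluding whole directories such as `docs/` from the TODO check is deliberate or a convenience. A one-line comment per group would settle that, e.g. above `[files]`: `# files that legitimately contain the word "todo" (hook ids, tool configs)`, which appears to be why `.github/workflows/stage-1-commit.yaml` and `scripts/config/pre-commit.yaml` are listed. The header names `check-todos.sh` while the hook wired up in `scripts/config/pre-commit.yaml` in this commit is `check-todo-usage`; if the shared hook reads this file under a different name, a comment naming the consumer would avoid the mismatch looking like a stale reference.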
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
index 37ca6375..c5f2353c 100644
--- a/scripts/config/pre-commit.yaml
+++ b/scripts/config/pre-commit.yaml
@@ -1,40 +1,34 @@
 repos:
-- repo: local
- hooks:
- - id: scan-secrets
- name: Scan secrets
- entry: ./scripts/githooks/scan-secrets.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-file-format
- name: Check file format
- entry: ./scripts/githooks/check-file-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-markdown-format
- name: Check Markdown format
- entry: ./scripts/githooks/check-markdown-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-english-usage
- name: Check English usage
- entry: ./scripts/githooks/check-english-usage.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: lint-terraform
- name: Lint Terraform
- entry: ./scripts/githooks/check-terraform-format.sh
- language: script
- pass_filenames: false
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0 # Use the ref you want to point at
+ hooks:
+ - id: trailing-whitespace
+ - id: detect-aws-credentials
+ args: [--allow-missing-credentials]
+ - id: check-added-large-files
+ - id: check-symlinks
+ - id: detect-private-key
+ - id: end-of-file-fixer
+ - id: forbid-new-submodules
+ - id: mixed-line-ending
+ - id: pretty-format-json
+ args: ['--autofix']
+ exclude: '(^|/)package(-lock)?\.json$'
+ # - id: ...
+
+ - repo: https://github.com/NHSDigital/nhs-notify-shared-modules
+ rev: 3.1.2
+ hooks:
+ - id: sort-dictionary
+ - id: scan-secrets
+ args: [check=whole-history]
+ - id: check-file-format
+ args: [check=branch]
+ - id: check-markdown-format
+ args: [check=branch]
+ - id: check-english-usage
+ args: [check=branch]
+ - id: lint-terraform
+ - id: generate-terraform-docs
+ - id: check-todo-usage
+ args: [check=branch]
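Review bot: Both `rev` values in the new config (`v5.0.0` on pre-commit-hooks and `3.1.2` on nhs-notify-shared-modules) are tags, which can be moved or re-created upstream, so the hook code that executes on every developer commit and in CI is not pinned to immutable content. Pin each to the full commit SHA the tag currently resolves to and keep the tag as a comment, e.g. `rev: <full-commit-sha-of-3.1.2>  # 3.1.2`, so a moved tag cannot silently change what runs. The two sample-config leftovers, `# Use the ref you want to point at` and `# - id: ...`, should be dropped now that the hook list is curated. The docs changed in this same commit link the shared actions at `v2.0.32` while this file pins the hooks at `3.1.2`; if both are meant to track one release of the shared repository, the mismatch is worth confirming. `scan-secrets` now runs with `check=whole-history` where the removed local hook used `check=staged-changes`, so if the shared hook honours that argument on commit, local commits may become noticeably slower on repositories with a long history.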
diff --git a/scripts/githooks/check-english-usage.sh b/scripts/githooks/check-english-usage.sh
deleted file mode 100755
index b3942deb..00000000
--- a/scripts/githooks/check-english-usage.sh
+++ /dev/null
@@ -1,108 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Git hook to check prose style -# -# Usage: -# $ check={all,staged-changes,working-tree-changes,branch} ./check-english-usage.sh -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# The `check` parameter controls which files are checked, so you can -# limit the scope of the check according to what is appropriate at the -# point the check is being applied. -# -# check=all: check all files in the repository -# check=staged-changes: check only files staged for commit. -# check=working-tree-changes: check modified, unstaged files. This is the default. -# check=branch: check for all changes since branching from $BRANCH_NAME - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - check=${check:-working-tree-changes} - case $check in - "all") - filter="git ls-files" - ;; - "staged-changes") - filter="git diff --diff-filter=ACMRT --name-only --cached" - ;; - "working-tree-changes") - filter="git diff --diff-filter=ACMRT --name-only" - ;; - "branch") - filter="git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main}" - ;; - *) - echo "Unrecognised check mode: $check" >&2 && exit 1 - ;; - esac - - if command -v vale > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - filter="$filter" run-vale-natively - else - filter="$filter" run-vale-in-docker - fi -} - -# Run Vale natively. -# Arguments (provided as environment variables): -# filter=[git command to filter the files to check] -function run-vale-natively() { - - # shellcheck disable=SC2046 - vale \ - --config "$PWD/scripts/config/vale/vale.ini" \ - $($filter) -} - -# Run Vale in a Docker container. 
-# Arguments (provided as environment variables): -# filter=[git command to filter the files to check] -function run-vale-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=jdkato/vale docker-get-image-version-and-pull) - # We use /dev/null here to stop `vale` from complaining that it's - # not been called correctly if the $filter happens to return an - # empty list. As long as there's a filename, even if it's one that - # will be ignored, `vale` is happy. - # shellcheck disable=SC2046,SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD:/workdir" \ - --workdir /workdir \ - "$image" \ - --config /workdir/scripts/config/vale/vale.ini \ - $($filter) /dev/null -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/check-file-format.sh b/scripts/githooks/check-file-format.sh deleted file mode 100755 index d7c94747..00000000 --- a/scripts/githooks/check-file-format.sh +++ /dev/null 
@@ -1,124 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check the EditorConfig rules compliance over changed -# files. It ensures all non-binary files across the codebase are formatted -# according to the style defined in the `.editorconfig` file. This is a -# editorconfig command wrapper. It will run editorconfig natively if it is -# installed, otherwise it will run it in a Docker container. -# -# Usage: -# $ [options] ./check-file-format.sh -# -# Options: -# check={all,staged-changes,working-tree-changes,branch} # Check mode, default is 'working-tree-changes' -# dry_run=true # Do not check, run dry run only, default is 'false' -# BRANCH_NAME=other-branch-than-main # Branch to compare with, default is `origin/main` -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is `false` -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# The `check` parameter controls which files are checked, so you can -# limit the scope of the check according to what is appropriate at the -# point the check is being applied. -# -# check=all: check all files in the repository -# check=staged-changes: check only files staged for commit. -# check=working-tree-changes: check modified, unstaged files. This is the default. -# check=branch: check for all changes since branching from $BRANCH_NAME -# -# Notes: -# Please make sure to enable EditorConfig linting in your IDE. For the -# Visual Studio Code editor it is `editorconfig.editorconfig` that is already -# specified in the `./.vscode/extensions.json` file. 
- -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - # shellcheck disable=SC2154 - is-arg-true "${dry_run:-false}" && dry_run_opt="--dry-run" - - check=${check:-working-tree-changes} - case $check in - "all") - filter="git ls-files" - ;; - "staged-changes") - filter="git diff --diff-filter=ACMRT --name-only --cached" - ;; - "working-tree-changes") - filter="git diff --diff-filter=ACMRT --name-only" - ;; - "branch") - filter="git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main}" - ;; - *) - echo "Unrecognised check mode: $check" >&2 && exit 1 - ;; - esac - - if command -v editorconfig > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-natively - else - filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-in-docker - fi -} - -# Run editorconfig natively. -# Arguments (provided as environment variables): -# dry_run_opt=[dry run option] -# filter=[git command to filter the files to check] -function run-editorconfig-natively() { - - # shellcheck disable=SC2046,SC2086 - editorconfig \ - --exclude '.git/' $dry_run_opt $($filter) -} - -# Run editorconfig in a Docker container. -# Arguments (provided as environment variables): -# dry_run_opt=[dry run option] -# filter=[git command to filter the files to check] -function run-editorconfig-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=mstruebing/editorconfig-checker docker-get-image-version-and-pull) - # We use /dev/null here as a backstop in case there are no files in the state - # we choose. If the filter comes back empty, adding `/dev/null` onto it has - # the effect of preventing `ec` from treating "no files" as "all the files". 
- docker run --rm --platform linux/amd64 \ - --volume "$PWD":/check \ - "$image" \ - sh -c "ec --exclude '.git/' $dry_run_opt \$($filter) /dev/null" -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh deleted file mode 100755 index c39a080d..00000000 --- a/scripts/githooks/check-markdown-format.sh +++ /dev/null 
@@ -1,109 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check the Markdown file formatting rules compliance -# over changed files. This is a markdownlint command wrapper. It will run -# markdownlint natively if it is installed, otherwise it will run it in a Docker -# container. -# -# Usage: -# $ [options] ./check-markdown-format.sh -# -# Options: -# check={all,staged-changes,working-tree-changes,branch} # Check mode, default is 'working-tree-changes' -# BRANCH_NAME=other-branch-than-main # Branch to compare with, default is `origin/main` -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is `false` -# -# Exit codes: -# 0 - All files are formatted correctly -# 1 - Files are not formatted correctly -# -# Notes: -# 1) Please make sure to enable Markdown linting in your IDE. For the Visual -# Studio Code editor it is `davidanson.vscode-markdownlint` that is already -# specified in the `./.vscode/extensions.json` file. 
-# 2) To see the full list of the rules, please visit -# https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - check=${check:-working-tree-changes} - case $check in - "all") - files="$(git ls-files "*.md")" - ;; - "staged-changes") - files="$(git diff --diff-filter=ACMRT --name-only --cached "*.md")" - ;; - "working-tree-changes") - files="$(git diff --diff-filter=ACMRT --name-only "*.md")" - ;; - "branch") - files="$( (git diff --diff-filter=ACMRT --name-only "${BRANCH_NAME:-origin/main}" "*.md"; git diff --name-only "*.md") | sort | uniq )" - ;; - esac - - if [ -n "$files" ]; then - if command -v markdownlint > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - files="$files" run-markdownlint-natively - else - files="$files" run-markdownlint-in-docker - fi - fi -} - -# Run markdownlint natively. -# Arguments (provided as environment variables): -# files=[files to check] -function run-markdownlint-natively() { - - # shellcheck disable=SC2086 - markdownlint \ - $files \ - --config "$PWD/scripts/config/markdownlint.yaml" -} - -# Run markdownlint in a Docker container. 
-# Arguments (provided as environment variables): -# files=[files to check] -function run-markdownlint-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=ghcr.io/igorshubovych/markdownlint-cli docker-get-image-version-and-pull) - # shellcheck disable=SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD":/workdir \ - "$image" \ - $files \ - --config /workdir/scripts/config/markdownlint.yaml -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/check-terraform-format.sh b/scripts/githooks/check-terraform-format.sh deleted file mode 100755 index 7255e512..00000000 --- a/scripts/githooks/check-terraform-format.sh +++ /dev/null 
@@ -1,56 +0,0 @@ -#!/bin/bash - -# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to check format Terraform code. -# -# Usage: -# $ [options] ./check-terraform-format.sh -# -# Options: -# check_only=true # Do not format, run check only, default is 'false' -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is 'false' - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - local check_only=${check_only:-false} - check_only=$check_only terraform-fmt -} - -# Format Terraform files. -# Arguments (provided as environment variables): -# check_only=[do not format, run check only] -function terraform-fmt() { - - local opts= - if is-arg-true "$check_only"; then - opts="-check" - fi - opts=$opts make terraform-fmt -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/githooks/scan-secrets.sh b/scripts/githooks/scan-secrets.sh deleted file mode 100755 index 06155b8a..00000000 --- a/scripts/githooks/scan-secrets.sh +++ /dev/null 
@@ -1,111 +0,0 @@ -#!/bin/bash - -# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. - -set -euo pipefail - -# Pre-commit git hook to scan for secrets hard-coded in the codebase. This is a -# gitleaks command wrapper. It will run gitleaks natively if it is installed, -# otherwise it will run it in a Docker container. -# -# Usage: -# $ [options] ./scan-secrets.sh -# -# Options: -# check={whole-history,last-commit,staged-changes} # Type of the check to run, default is 'staged-changes' -# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false' -# VERBOSE=true # Show all the executed commands, default is 'false' -# -# Exit codes: -# 0 - No leaks present -# 1 - Leaks or error encountered -# 126 - Unknown flag - -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - if command -v gitleaks > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - dir="$PWD" - cmd="$(get-cmd-to-run)" run-gitleaks-natively - else - dir="/workdir" - cmd="$(get-cmd-to-run)" run-gitleaks-in-docker - fi -} - -# Get Gitleaks command to execute and configuration. 
-# Arguments (provided as environment variables): -# dir=[project's top-level directory] -function get-cmd-to-run() { - - check=${check:-staged-changes} - case $check in - "whole-history") - cmd="detect --source $dir --verbose --redact" - ;; - "last-commit") - cmd="detect --source $dir --verbose --redact --log-opts -1" - ;; - "staged-changes") - cmd="protect --source $dir --verbose --staged" - ;; - esac - # Include base line file if it exists - if [ -f "$dir/scripts/config/.gitleaks-baseline.json" ]; then - cmd="$cmd --baseline-path $dir/scripts/config/.gitleaks-baseline.json" - fi - # Include the config file - cmd="$cmd --config $dir/scripts/config/gitleaks.toml" - - echo "$cmd" -} - -# Run Gitleaks natively. -# Arguments (provided as environment variables): -# cmd=[command to run] -function run-gitleaks-natively() { - - # shellcheck disable=SC2086 - gitleaks $cmd -} - -# Run Gitleaks in a Docker container. -# Arguments (provided as environment variables): -# cmd=[command to run] -# dir=[directory to mount as a volume] -function run-gitleaks-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - - # shellcheck disable=SC2155 - local image=$(name=ghcr.io/gitleaks/gitleaks docker-get-image-version-and-pull) - # shellcheck disable=SC2086 - docker run --rm --platform linux/amd64 \ - --volume "$PWD:$dir" \ - --workdir $dir \ - "$image" \ - $cmd -} - -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 diff --git a/scripts/tests/style.sh b/scripts/tests/style.sh index da042fad..ee41445c 100755 --- a/scripts/tests/style.sh +++ b/scripts/tests/style.sh 
@@ -12,5 +12,4 @@ cd "$(git rev-parse --show-toplevel)"
 # is to give you fast feedback on the changes you've most recently
 # made.
 
-check=working-tree-changes ./scripts/githooks/check-english-usage.sh && \
- check=staged-changes ./scripts/githooks/check-english-usage.sh
+pre-commit run check-english-usage --all-files
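Review bot: The retained comment directly above the new line, `# is to give you fast feedback on the changes you've most recently made.`, now contradicts it, because `pre-commit run check-english-usage --all-files` runs over every tracked file rather than the recent changes the removed `working-tree-changes`/`staged-changes` invocations targeted. Either drop `--all-files` so pre-commit runs the hook against the staged set, or reword the comment to say the whole tree is checked and that this is slower. The same hook is configured with `args: [check=branch]` in `scripts/config/pre-commit.yaml` in this commit, so the file selection may be decided by that argument rather than by `--all-files`; worth confirming against the shared hook's implementation, which is not visible here. The start of the script lies outside the hunk.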