Merge pull request #99 from NHSDigital/CCM-11345-Manual-Repo-Sync

CCM-11345 manual repo sync

Author: aidenvaines-cgi

.github/SECURITY.md

@@ -21,8 +21,8 @@ If you wish to notify us of a vulnerability via email, please include detailed i
 
 You can reach us at:
 
-- _[ A product team email address ]_
-- [cybersecurity@nhs.net](cybersecurity@nhs.net)
+- [england.nhsnotify@nhs.net](mailto:england.nhsnotify@nhs.net)
+- [cybersecurity@nhs.net](mailto:cybersecurity@nhs.net)
 
 ### NCSC
 

.github/actions/check-todo-usage/action.yaml

@@ -0,0 +1,10 @@
+name: "Check Todo usage"
+description: "Check Todo usage"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Todo usage"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        check=branch ./scripts/githooks/check-todos.sh

.github/actions/create-lines-of-code-report/action.yaml

@@ -44,7 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/scan-dependencies/action.yaml

@@ -58,7 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/trivy/action.yaml

@@ -5,9 +5,11 @@ runs:
     - name: "Trivy Terraform IAC Scan"
       shell: bash
       run: |
+        components_exit_code=0
         modules_exit_code=0
 
-        ./scripts/terraform/trivy.sh ./infrastructure/modules || modules_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
 
         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
           echo "Trivy misconfigurations detected."

.github/workflows/cicd-3-deploy.yaml

@@ -48,7 +48,6 @@ jobs:
           echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
           # echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
       - name: "List variables"

.github/workflows/scheduled-repository-template-sync.yaml

@@ -0,0 +1,55 @@
+name: Repository Template Sync
+
+on:
+  schedule:
+    - cron: '0 0 1 * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  checks: read
+
+jobs:
+  update-external-repo:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repository
+      uses: actions/checkout@v4
+
+    - name: Check out external repository
+      uses: actions/checkout@v4
+      with:
+        repository: NHSDigital/nhs-notify-repository-template
+        path: nhs-notify-repository-template
+        token: ${{ github.token }}
+
+    - name: Run syncronisation script
+      run: |
+        ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh
+        rm -Rf ./nhs-notify-repository-template
+
+    - name: Create Pull Request
+      if: ${{ !env.ACT }}
+      uses: peter-evans/create-pull-request@v7.0.8
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        commit-message: Drift from template
+        branch: scheduledTemplateRepositorySync
+        delete-branch: true
+        title: '[Template Sync] Drift from template-repository remediation'
+        body: |
+          # Resultant drift from repository template
+
+          ## Who should respond to this PR?
+          The team which owns the responsibility for this component repository. You may want to consult other contributors.
+
+          ## How to progress this PR
+          The repositories guardians should review the contents of the PR and decide how to proceed, you may wish to back-out certain changes or accept them from the upstream `nhsdigital/nhs-notify-repository-template` repository.
+
+          If there are changes you do not wish to see again, it is recommended you add exclusions to `scripts/config/.repository-template-sync-ignore`.
+        labels: |
+          template
+          automation
+        draft: false

.github/workflows/scorecard.yml

@@ -27,25 +27,25 @@ jobs:
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
       # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
+      contents: read
+      actions: read
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@v4
         with:
           name: SARIF file
           path: results.sarif
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif

.github/workflows/stage-1-commit.yaml

@@ -101,6 +101,17 @@ jobs:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check English usage"
         uses: ./.github/actions/check-english-usage
+  check-todo-usage:
+    name: "Check TODO usage"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check TODO usage"
+        uses: ./.github/actions/check-todo-usage
   detect-terraform-changes:
     name: "Detect Terraform Changes"
     runs-on: ubuntu-latest
@@ -145,7 +156,7 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v4
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v3
+        uses: asdf-vm/actions/setup@v4
       - name: "Perform Setup"
         uses: ./.github/actions/setup
       - name: "Trivy Scan"

.github/workflows/stage-3-build.yaml

@@ -60,7 +60,7 @@ jobs:
       - name: "Upload artefact 1"
         run: |
           echo "Uploading artefact 1 ..."
-          # TODO: Use either action/cache or action/upload-artifact
+          # Use either action/cache or action/upload-artifact
   artefact-n:
     name: "Artefact n"
     runs-on: ubuntu-latest
@@ -77,4 +77,4 @@ jobs:
       - name: "Upload artefact n"
         run: |
           echo "Uploading artefact n ..."
-          # TODO: Use either action/cache or action/upload-artifact
+          # Use either action/cache or action/upload-artifact