Update from template 2023-08-11T14:47:15+0100

nhs-england-tools · Aug 11, 2023 · 53a1fee · 53a1fee
1 parent bf28346
commit 53a1fee
Show file tree

Hide file tree

Showing 22 changed files with 830 additions and 124 deletions.
diff --git a/.github/actions/check-file-format/action.yaml b/.github/actions/check-file-format/action.yaml
@@ -0,0 +1,10 @@
+name: "Check file format"
+description: "Check file format"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check file format"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        ./scripts/githooks/check-file-format.sh
diff --git a/.github/actions/check-markdown-format/action.yaml b/.github/actions/check-markdown-format/action.yaml
@@ -0,0 +1,10 @@
+name: "Check Markdown format"
+description: "Check Markdown format"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Markdown format"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        ./scripts/githooks/check-markdown-format.sh
diff --git a/.github/actions/check-terraform-format/action.yaml b/.github/actions/check-terraform-format/action.yaml
@@ -0,0 +1,10 @@
+name: "Check Terraform format"
+description: "Check Terraform format"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Terraform format"
+      shell: bash
+      run: |
+        export CHECK_ONLY=true
+        ./scripts/githooks/check-terraform-format.sh
diff --git a/.github/actions/cloc-repository/action.yaml b/.github/actions/cloc-repository/action.yaml
@@ -0,0 +1,55 @@
+name: "Count lines of code"
+description: "Count lines of code"
+inputs:
+  build_datetime:
+    description: "Build datetime, set by the CI/CD pipeline workflow"
+    required: true
+  build_timestamp:
+    description: "Build timestamp, set by the CI/CD pipeline workflow"
+    required: true
+  idp_aws_report_upload_account_id:
+    description: "IDP AWS account ID"
+    required: true
+  idp_aws_report_upload_region:
+    description: "IDP AWS account region"
+    required: true
+  idp_aws_report_upload_role_name:
+    description: "Role to upload the report"
+    required: true
+  idp_aws_report_upload_bucket_endpoint:
+    description: "Bucket endpoint for the report"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: "Create CLOC report"
+      shell: bash
+      run: |
+        export BUILD_DATETIME=${{ inputs.build_datetime }}
+        ./scripts/reports/cloc-repository.sh
+    - name: "Compress CLOC report"
+      shell: bash
+      run: zip cloc-report.json.zip cloc-report.json
+    - name: "Upload CLOC report as an artefact"
+      uses: actions/upload-artifact@v3
+      with:
+        name: cloc-report.json.zip
+        path: ./cloc-report.json.zip
+    - name: "Check prerequisites for sending the report"
+      shell: bash
+      id: check
+      run: |
+        echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+    - name: "Authenticate to send the report"
+      if: steps.check.outputs.secrets_exist == 'true'
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
+        aws-region: ${{ inputs.idp_aws_report_upload_region }}
+    - name: "Send the CLOC report to the central location"
+      shell: bash
+      if: steps.check.outputs.secrets_exist == 'true'
+      run: |
+        aws s3 cp \
+          ./cloc-report.json.zip \
+          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-cloc-report.json.zip
diff --git a/.github/actions/perform-static-analysis/action.yaml b/.github/actions/perform-static-analysis/action.yaml
@@ -0,0 +1,20 @@
+name: "Perform static analysis"
+description: "Perform static analysis"
+inputs:
+  sonar_token:
+    description: "Sonar token API key"
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: "Check prerequisites for performing static analysis"
+      shell: bash
+      id: check
+      run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT
+    - name: "Perform static analysis"
+      shell: bash
+      if: steps.check.outputs.secret_exist == 'true'
+      run: |
+        export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+        export SONAR_TOKEN=${{ inputs.sonar_token }}
+        ./scripts/reports/perform-static-analysis.sh
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
@@ -0,0 +1,70 @@
+name: "Scan dependencies"
+description: "Scan dependencies"
+inputs:
+  build_datetime:
+    description: "Build datetime, set by the CI/CD pipeline workflow"
+    required: true
+  build_timestamp:
+    description: "Build timestamp, set by the CI/CD pipeline workflow"
+    required: true
+  idp_aws_report_upload_account_id:
+    description: "IDP AWS report upload account ID to upload the report to"
+    required: false
+  idp_aws_report_upload_region:
+    description: "IDP AWS report upload account region to upload the report to"
+    required: false
+  idp_aws_report_upload_role_name:
+    description: "IDP AWS report upload role name for OIDC authentication"
+    required: false
+  idp_aws_report_upload_bucket_endpoint:
+    description: "IDP AWS report upload endpoint to upload the report to"
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: "Generate SBOM"
+      shell: bash
+      run: |
+        export BUILD_DATETIME=${{ inputs.build_datetime }}
+        ./scripts/reports/generate-sbom.sh
+    - name: "Compress SBOM report"
+      shell: bash
+      run: zip sbom-report.json.zip sbom-report.json
+    - name: "Upload SBOM report as an artefact"
+      uses: actions/upload-artifact@v3
+      with:
+        name: sbom-report.json.zip
+        path: ./sbom-report.json.zip
+    - name: "Scan vulnerabilities"
+      shell: bash
+      run: |
+        export BUILD_DATETIME=${{ inputs.build_datetime }}
+        ./scripts/reports/scan-vulnerabilities.sh
+    - name: "Compress vulnerabilities report"
+      shell: bash
+      run: zip vulnerabilities-report.json.zip vulnerabilities-report.json
+    - name: "Upload vulnerabilities report as an artefact"
+      uses: actions/upload-artifact@v3
+      with:
+        name: vulnerabilities-report.json.zip
+        path: ./vulnerabilities-report.json.zip
+    - name: "Check prerequisites for sending the reports"
+      shell: bash
+      id: check
+      run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+    - name: "Authenticate to send the reports"
+      if: steps.check.outputs.secrets_exist == 'true'
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
+        aws-region: ${{ inputs.idp_aws_report_upload_region }}
+    - name: "Send the SBOM and vulnerabilities reports to the central location"
+      shell: bash
+      if: steps.check.outputs.secrets_exist == 'true'
+      run: |
+        aws s3 cp \
+          ./sbom-report.json.zip \
+          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-report.json.zip
+        aws s3 cp \
+          ./vulnerabilities-report.json.zip \
+          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-report.json.zip
diff --git a/.github/actions/scan-secrets/action.yaml b/.github/actions/scan-secrets/action.yaml
@@ -0,0 +1,10 @@
+name: "Scan secrets"
+description: "Scan secrets"
+runs:
+  using: "composite"
+  steps:
+    - name: "Scan secrets"
+      shell: bash
+      run: |
+        export ALL_FILES=true
+        ./scripts/githooks/scan-secrets.sh
diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml
@@ -1,45 +1,49 @@
-name: CI/CD Pull Request
+name: "CI/CD Pull Request"
 
 # The total recommended execution time for the "CI/CD Pull Request" workflow is around 20 minutes.
 
 on:
   push:
     branches:
-      - "main"
-  # pull_request:
-  #   types: [opened, reopened]
+      - "**"
+  pull_request:
+    types: [opened, reopened]
 
 jobs:
   metadata:
     runs-on: ubuntu-latest
     timeout-minutes: 1
     outputs:
-      build_datetime_local: ${{ steps.variables.outputs.build_datetime_local }}
+      build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }}
       build_datetime: ${{ steps.variables.outputs.build_datetime }}
       build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
       build_epoch: ${{ steps.variables.outputs.build_epoch }}
-      golang_version: ${{ steps.variables.outputs.golang_version }}
+      nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
+      python_version: ${{ steps.variables.outputs.python_version }}
+      terraform_version: ${{ steps.variables.outputs.terraform_version }}
       version: ${{ steps.variables.outputs.version }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
     steps:
-      - name: Check out the repository
+      - name: "Checkout code"
         uses: actions/checkout@v3
-      - name: Set CI/CD variables
+      - name: "Set CI/CD variables"
         id: variables
         run: |
           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
-          echo "build_datetime_local=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
+          echo "build_datetime_london=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
-          echo "golang_version=$(grep golang .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep nodejs .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep python .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep terraform .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT
-      - name: Check if pull request exists for this branch
+      - name: "Check if pull request exists for this branch"
         id: pr_exists
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          branch_name=${GITHUB_REF#refs/heads/}
+          branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
           echo "Current branch is '$branch_name'"
           if gh pr list --head $branch_name | grep -q .; then
             echo "Pull request exists"
@@ -48,22 +52,65 @@ jobs:
             echo "Pull request doesn't exist"
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
           fi
-      - name: List variables
+      - name: "List variables"
         run: |
-          export BUILD_DATETIME_LOCAL="${{ steps.variables.outputs.build_datetime_local }}"
+          export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
           export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}"
           export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}"
           export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}"
+          export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
+          export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
+          export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
           export VERSION="${{ steps.variables.outputs.version }}"
-          export GOLANG_VERSION="${{ steps.variables.outputs.golang_version }}"
           export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
           make list-variables
+  commit-stage: # Recommended maximum execution time is 2 minutes
+    needs: [metadata]
+    uses: ./.github/workflows/stage-1-commit.yaml
+    with:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+    secrets: inherit
   test-stage: # Recommended maximum execution time is 5 minutes
-    needs: [metadata] # ,commit-stage]
+    needs: [metadata, commit-stage]
     uses: ./.github/workflows/stage-2-test.yaml
     with:
       build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      golang_version: "${{ needs.metadata.outputs.golang_version }}"
-    secrets:
-      UPDATE_FROM_TEMPLATE_GH_APP_ID: "${{ secrets.UPDATE_FROM_TEMPLATE_GH_APP_ID }}"
-      UPDATE_FROM_TEMPLATE_GH_APP_PK: "${{ secrets.UPDATE_FROM_TEMPLATE_GH_APP_PK }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+    secrets: inherit
+  build-stage: # Recommended maximum execution time is 3 minutes
+    needs: [metadata, test-stage]
+    uses: ./.github/workflows/stage-3-build.yaml
+    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
+    with:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+    secrets: inherit
+  acceptance-stage: # Recommended maximum execution time is 10 minutes
+    needs: [metadata, build-stage]
+    uses: ./.github/workflows/stage-4-acceptance.yaml
+    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
+    with:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+    secrets: inherit