diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 7b81420a..e7f47952 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -59,7 +59,8 @@ } } }, - "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/electronic-prescription-service-api-regression-tests; make install" + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/electronic-prescription-service-api-regression-tests; make install; docker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/main/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets ." // "features": {}, // Use 'forwardPorts' to make a list of ports inside the container available locally. // "forwardPorts": [], diff --git a/.gitallowed b/.gitallowed new file mode 100644 index 00000000..c0e1b1f5 --- /dev/null +++ b/.gitallowed @@ -0,0 +1,15 @@ +char\[\] password = System\.getenv\("MVNW_PASSWORD"\)\.toCharArray\(\); +wget --http-user=\$MVNW_USERNAME --http-.* +1\.8\.0\.1<\/version> +github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"? +"code": "1\.2\.840\.10065\.1\.12\.1\.1" +java corretto-21\.0\.2\.14\.1 +CidrIp: "0\.0\.0\.0\/0" +CidrBlock:\s?"?10\.0\.\d+\.\d+\/\d+" +.*cloudfront\/IOPSValidation\.yaml.* +.*tcp:\/\/0\.0\.0\.0:8888.* +.*\.gitallowed.* +.*steps\.generate-token\.outputs\.token.* +.*token_response\[\"access_token\"\].* +.*password=None.* +.*secrets.REGRESSION_TESTS_PAT.* diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index adc9f501..9983efb2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
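Review bot: The new `postCreateCommand` builds the `git-secrets` image from `refs/heads/main` of eps-workflow-quality-checks, so the scanner that every pre-commit run mounts the workspace into is whatever that branch happens to contain at container-create time, unlike the workflows in the same change, which pin the reusable workflow to `v4.0.2`. Pin the Dockerfile to the same immutable ref, e.g. `-f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v4.0.2/dockerfiles/nhsd-git-secrets.dockerfile` if that tag ships the file, otherwise a full commit SHA in place of `main`. Separately, the build context is `.`, which sends the whole checked-out workspace to the Docker daemon on every rebuild; if the Dockerfile does not COPY anything from the context (I cannot see it here), an empty directory as the context would be cheaper and leaks less. The `;`-chaining also means a failed `docker build` is not reported by anything other than the devcontainer log, so a short comment in the file saying the image must exist for the pre-commit hook would help anyone debugging a missing `git-secrets` image.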
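Review bot: Several of the new allow patterns are wrapped in `.*…​.*`, and git-secrets skips a line entirely when it matches any allowed pattern, so `.*password=None.*`, `.*token_response\[\"access_token\"\].*`, `.*steps\.generate-token\.outputs\.token.*` and `.*secrets.REGRESSION_TESTS_PAT.*` will also hide a real credential that happens to sit on the same line as that text. Anchor them to the exact shape they are meant to excuse (e.g. `^\s*password=None\s*$` or `secrets\.REGRESSION_TESTS_PAT\s*\}\}`) and escape the dot in `secrets.REGRESSION_TESTS_PAT`, which currently matches any character. Entries such as the `MVNW_PASSWORD` Java snippet, `wget --http-user=…`, `1\.8\.0\.1<\/version>` and `java corretto-21\.0\.2\.14\.1` look copied from another project's allowlist; if nothing in this regression-tests repository matches them they only widen the exemptions and should be dropped. A one-line comment above each remaining pattern naming the file it excuses would make the next review of this list far quicker.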
@@ -9,7 +9,7 @@ env: jobs: quality_checks: - uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0 + uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.2 secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/pr-link.yml b/.github/workflows/pr-link.yml index 228f684c..ef9072d0 100644 --- a/.github/workflows/pr-link.yml +++ b/.github/workflows/pr-link.yml @@ -42,5 +42,5 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: msg: | - This branch is work on a ticket in an NHS England JIRA Project. Here's a handy link to the ticket: + This branch is work on a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME }}) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 01460728..4cc2ed37 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -9,7 +9,7 @@ env: jobs: quality_checks: - uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0 + uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.2 secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8d738d63..915d0bc3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ env: jobs: quality_checks: - uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0 + uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.2 secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 68a85b5f..603bdf8f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -47,7 +47,17 @@ repos: entry: flake8 language: system types: [python] - + + - repo: local + hooks: + - id: git-secrets + name: Git Secrets + description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. + entry: bash + args: + - -c + - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook' + language: system fail_fast: false default_stages: [pre-commit, commit]
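Review bot: The hook's `docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" …` only works where `LOCAL_WORKSPACE_FOLDER` is set, which in this change is the devcontainer's `remoteEnv`; a developer running pre-commit outside the devcontainer gets `-v ":/src"`, which docker rejects, so the scan fails rather than runs. Give the variable a local fallback, `- 'docker run -v "${LOCAL_WORKSPACE_FOLDER:-$PWD}:/src" git-secrets --pre_commit_hook'`, and add `pass_filenames: false` under `language: system`, since pre-commit otherwise appends the staged filenames to `bash -c` (ignored as `$0…$n`) and may invoke the container once per filename batch on large commits. The scan also needs the `git-secrets` image to exist, which this file does not state; a `description` line noting that it is built by the devcontainer `postCreateCommand` would explain the otherwise opaque "image not found" failure. The `repos:` list this hook is appended to starts outside the hunk.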