eligibility-signposting-api/.github/workflows/stage-1-commit.yaml at 9bb0c64a88b67dd8d2355a2284da825f3ab5da14 · NHSDigital/eligibility-signposting-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: "Commit stage"

on:
  workflow_call:
    inputs:
      build_datetime:
        description: "Build datetime, set by the CI/CD pipeline workflow"
        required: true
        type: string
      build_timestamp:
        description: "Build timestamp, set by the CI/CD pipeline workflow"
        required: true
        type: string
      build_epoch:
        description: "Build epoch, set by the CI/CD pipeline workflow"
        required: true
        type: string
      nodejs_version:
        description: "Node.js version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      python_version:
        description: "Python version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      terraform_version:
        description: "Terraform version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      version:
        description: "Version of the software, set by the CI/CD pipeline workflow"
        required: true
        type: string

jobs:
  scan-secrets:
    name: "Scan secrets"
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Full history is needed to scan all commits
      - name: "Scan secrets"
        uses: ./.github/actions/scan-secrets
  check-file-format:
    name: "Check file format"
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Full history is needed to compare branches
      - name: "Check file format"
        uses: ./.github/actions/check-file-format
  check-markdown-format:
    name: "Check Markdown format"
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Full history is needed to compare branches
      - name: "Check Markdown format"
        uses: ./.github/actions/check-markdown-format
  check-english-usage:
    name: "Check English usage"
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Full history is needed to compare branches
      - name: "Check English usage"
        uses: ./.github/actions/check-english-usage
  lint-terraform:
    name: "Lint Terraform"
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
      - name: "Lint Terraform"
        uses: ./.github/actions/lint-terraform
  checkov-terraform:
    name: "Checkov Terraform"
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    timeout-minutes: 3
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
      - name: "Run Checkov"
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: infrastructure/
          soft_fail: false
          output_format: sarif
          output_file_path: checkov-report.sarif
      - name: "Upload Checkov results to GitHub Security tab"
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: checkov-report.sarif
  count-lines-of-code:
    name: "Count lines of code"
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    timeout-minutes: 2
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
      - name: "Count lines of code"
        uses: ./.github/actions/create-lines-of-code-report
        with:
          build_datetime: "${{ inputs.build_datetime }}"
          build_timestamp: "${{ inputs.build_timestamp }}"
          idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
          idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
          idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
          idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"
  scan-dependencies:
    name: "Scan dependencies"
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    timeout-minutes: 2
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
      - name: "Scan dependencies"
        uses: ./.github/actions/scan-dependencies
        with:
          build_datetime: "${{ inputs.build_datetime }}"
          build_timestamp: "${{ inputs.build_timestamp }}"
          idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
          idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
          idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
          idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"
  owasp-dependency-scan:
    name: "OWASP Dependency Scan"
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
      - name: "Run OWASP Dependency Scan"
        uses: ./.github/actions/owasp-dependency-scan