Merge remote-tracking branch 'origin/main' into dev_container_build

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -9,7 +9,7 @@ RUN apt-get update \
     jq apt-transport-https ca-certificates gnupg-agent \
     software-properties-common bash-completion python3-pip make libbz2-dev \
     libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
-    xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev pre-commit
+    xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev
 
 USER vscode
 
@@ -18,15 +18,20 @@ RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.11.3; \
     echo '. $HOME/.asdf/asdf.sh' >> ~/.bashrc; \
     echo '. $HOME/.asdf/completions/asdf.bash' >> ~/.bashrc;
 
-ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-prescription-tracker-ui/node_modules/.bin"
+ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-prescription-tracker-ui/node_modules/.bin:/workspaces/eps-workflow-quality-checks/.venv/bin"
 
 # Install ASDF plugins#
-RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
+RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git; \
+    asdf plugin add actionlint; \
+    asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git; \
+    asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git; \
+    asdf plugin add python
 
 WORKDIR /workspaces/eps-workflow-quality-checks
 
 ADD .tool-versions /workspaces/eps-workflow-quality-checks/.tool-versions
 ADD .tool-versions /home/vscode/.tool-versions
 
-RUN asdf install; \
+RUN asdf install python; \
+    asdf install; \
     asdf reshim nodejs;

.gitallowed

@@ -0,0 +1,2 @@
+token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+.*\.gitallowed.*

.github/config/settings.yml

@@ -0,0 +1 @@
+TAG_FORMAT: "v${version}"

.github/scripts/ignore.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+# dummy file for shellcheck to work

.github/workflows/pull_request.yml

@@ -0,0 +1,46 @@
+name: pr
+
+on:
+  pull_request:
+    branches: [main]
+
+env:
+  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+
+jobs:
+  pr_title_format_check:
+    uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/pr_title_check.yml@f80157cecce288dd175e61b477a1d2dbe9c88b99
+  get_asdf_version:
+    runs-on: ubuntu-22.04
+    outputs:
+      asdf_version: ${{ steps.asdf-version.outputs.version }}
+      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Get asdf version
+        id: asdf-version
+        run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+      - name: Load config value
+        id: load-config
+        run: |
+          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+  quality_checks:
+    uses: ./.github/workflows/quality-checks.yml
+    needs: [get_asdf_version]
+    with:
+      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  tag_release:
+    needs: [quality_checks, get_asdf_version]
+    uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/tag-release.yml@f80157cecce288dd175e61b477a1d2dbe9c88b99
+    with:
+      dry_run: true
+      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      branch_name: ${{ github.event.pull_request.head.ref }}
+      publish_package: false
+      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+    secrets: inherit

.github/workflows/quality-checks.yml

@@ -16,6 +16,9 @@ on:
         description: Toggle to run sonar code analyis on this repository.
         default: true
         required: false
+      asdfVersion:
+        type: string
+        required: true
       reinstall_poetry:
         type: boolean
         description: Toggle to reinstall poetry on top of python version installed by asdf.
@@ -31,8 +34,8 @@ jobs:
       - uses: actions/setup-java@v5
         if: ${{ inputs.install_java }}
         with:
-          java-version: '21'
-          distribution: 'corretto'
+          java-version: "21"
+          distribution: "corretto"
 
       - name: Checkout code
         uses: actions/checkout@v5
@@ -99,7 +102,7 @@ jobs:
         run: |
           poetry_tool_version=$(cat .tool-versions | grep poetry)
           poetry_version=${poetry_tool_version//"poetry "}
-          asdf uninstall poetry $poetry_version
+          asdf uninstall poetry "$poetry_version"
           asdf install poetry
 
       - name: Setting up .npmrc
@@ -116,16 +119,16 @@ jobs:
       - name: Check if project uses Poetry
         id: check_poetry
         run: |
-          if [ -f pyproject.toml ] && grep -q '\[tool.poetry\]' pyproject.toml; then
+          if [ -f "pyproject.toml" ] && grep -q '\[tool.poetry\]' "pyproject.toml"; then
             echo "****************"
             echo "Project uses poetry"
             echo "****************"
-            echo "uses_poetry=true" >> $GITHUB_OUTPUT
+            echo "uses_poetry=true" >> "$GITHUB_OUTPUT"
           else
             echo "****************"
             echo "Project does not use poetry"
             echo "****************"
-            echo "uses_poetry=false" >> $GITHUB_OUTPUT
+            echo "uses_poetry=false" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Check if project uses Java
@@ -135,27 +138,27 @@ jobs:
             echo "****************"
             echo "Detected a Java project"
             echo "****************"
-            echo "uses_java=true" >> $GITHUB_OUTPUT
+            echo "uses_java=true" >> "$GITHUB_OUTPUT"
           else
             echo "****************"
             echo "Project does not use Java"
             echo "****************"
-            echo "uses_java=false" >> $GITHUB_OUTPUT
+            echo "uses_java=false" >> "$GITHUB_OUTPUT"
           fi
-    
+
       - name: Check for SAM templates
         id: check_sam_templates
         run: |
           if [ -d "SAMtemplates" ]; then
             echo "****************"
             echo "Project has SAM templates"
             echo "****************"
-            echo "sam_exists=true" >> $GITHUB_OUTPUT
+            echo "sam_exists=true" >> "$GITHUB_OUTPUT"
           else
             echo "****************"
             echo "Project does not have SAM templates"
             echo "****************"
-            echo "sam_exists=false" >> $GITHUB_OUTPUT
+            echo "sam_exists=false" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Check for cloudformation templates
@@ -165,27 +168,27 @@ jobs:
             echo "****************"
             echo "Project has cloudformation templates"
             echo "****************"
-            echo "cf_exists=true" >> $GITHUB_OUTPUT
+            echo "cf_exists=true" >> "$GITHUB_OUTPUT"
           else
             echo "****************"
             echo "Project does not have cloudformation templates"
             echo "****************"
-            echo "cf_exists=false" >> $GITHUB_OUTPUT
+            echo "cf_exists=false" >> "$GITHUB_OUTPUT"
           fi
-  
+
       - name: Check for cdk
         id: check_cdk
         run: |
           if [ -d "packages/cdk" ]; then
             echo "****************"
             echo "Project has cdk"
             echo "****************"
-            echo "cdk_exists=true" >> $GITHUB_OUTPUT
+            echo "cdk_exists=true" >> "$GITHUB_OUTPUT"
           else
             echo "****************"
             echo "Project does not have cdk"
             echo "****************"
-            echo "cdk_exists=false" >> $GITHUB_OUTPUT
+            echo "cdk_exists=false" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Check licenses (Makefile)
@@ -206,7 +209,7 @@ jobs:
 
           # known packages with dual licensing
           IGNORE_PACKAGES="PyGithub chardet text-unidecode"
-          LICENSES=$(poetry run pip-licenses  --ignore-packages ${IGNORE_PACKAGES})
+          LICENSES=$(poetry run pip-licenses  --ignore-packages "${IGNORE_PACKAGES}")
           INCOMPATIBLE_LIBS=$(echo "$LICENSES" | grep 'GPL' || true)
 
           if [[ -z $INCOMPATIBLE_LIBS ]]; then
@@ -217,7 +220,7 @@ jobs:
               echo "$INCOMPATIBLE_LIBS"
               exit 1
           fi
-  
+
       - name: Run code lint
         run: make lint
 
@@ -242,12 +245,12 @@ jobs:
 
       - name: Run unit tests
         run: make test
-  
+
       - name: Run cdk-synth
         if: steps.check_cdk.outputs.cdk_exists == 'true'
         run: |
           make cdk-synth
-  
+
       - name: Install AWS SAM CLI
         if: steps.check_sam_templates.outputs.sam_exists == 'true'
         run: |
@@ -342,8 +345,8 @@ jobs:
         uses: NHSDigital/eps-action-sbom@main
 
       - name: "check is SONAR_TOKEN exists"
-        env: 
-            super_secret: ${{ secrets.SONAR_TOKEN }}
+        env:
+          super_secret: ${{ secrets.SONAR_TOKEN }}
         if: ${{ env.super_secret != '' && inputs.run_sonar == true }}
         run: echo "SONAR_TOKEN_EXISTS=true" >> "$GITHUB_ENV"
 

.github/workflows/release.yml

@@ -8,83 +8,37 @@ env:
   BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
 
 jobs:
-  tag_release:
-    runs-on: ubuntu-latest
+  get_asdf_version:
+    runs-on: ubuntu-22.04
     outputs:
-      version_tag: ${{ steps.output_version_tag.outputs.VERSION_TAG }}
+      asdf_version: ${{ steps.asdf-version.outputs.version }}
+      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
-        with:
-          ref: ${{ env.BRANCH_NAME }}
-          fetch-depth: 0
-
-      # using git commit sha for version of action to ensure we have stable version
-      - name: Install asdf
-        uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6
-        with:
-          asdf_branch: v0.14.1
-  
-      - name: Cache asdf
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
-          restore-keys: |
-            ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
-
-      - name: Install asdf dependencies in .tool-versions
-        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6
-        with:
-          asdf_branch: v0.14.1
-
-      - name: Install dependencies
-        run: |
-          make install
-  
-      - name: Set VERSION_TAG to be next tag varsion
-        id: output_version_tag
-        run: |
-          NEXT_VERSION=$(npx semantic-release --dry-run | grep -i 'The next release version is' | sed -E 's/.* ([[:digit:].]+)$/\1/')
-          tagFormat=$(node -e "const config=require('./release.config.js'); console.log(config.tagFormat)")
-          if [ "${tagFormat}" = "null" ]
-          then
-            tagFormat="v\${version}"
-          fi
-          # disabling shellcheck as replace does not work
-          # shellcheck disable=SC2001
-          VERSION_TAG=$(echo "$tagFormat" | sed "s/\${version}/$NEXT_VERSION/")
-          echo "## VERSION TAG : ${VERSION_TAG}" >> "$GITHUB_STEP_SUMMARY"
-          echo "VERSION_TAG=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
-          echo "VERSION_TAG=${VERSION_TAG}" >> "$GITHUB_ENV"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
 
-      - name: tag release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Get asdf version
+        id: asdf-version
+        run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+      - name: Load config value
+        id: load-config
         run: |
-          npx semantic-release
-
-      - name: Get release for editing
-        id: get_release
-        # version 1.2.4
-        uses: cardinalby/git-get-release-action@5172c3a026600b1d459b117738c605fabc9e4e44
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        with:
-          tag: ${{ env.VERSION_TAG }}
-
-      - name: Edit Release
-        # version 1.2.0
-        uses: irongut/EditRelease@ccf529ad26dddf9996e7dd0f24ca5da4ea507cc2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          id: ${{ steps.get_release.outputs.id }}
-          body: |
-            ## Info
-            [See code diff](${{ github.event.compare }})
-            [Release workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
-
-            It was initialized by [${{ github.event.sender.login }}](${{ github.event.sender.html_url }})
+          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+  quality_checks:
+    needs: [get_asdf_version]
+    uses: ./.github/workflows/quality-checks.yml
+    with:
+      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  tag_release:
+    needs: [quality_checks, get_asdf_version]
+    uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/tag-release.yml@f80157cecce288dd175e61b477a1d2dbe9c88b99
+    with:
+      dry_run: false
+      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      branch_name: main
+      publish_package: false
+      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+    secrets: inherit