Merge remote-tracking branch 'origin/main' into dev_container_build

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -62,9 +62,7 @@ RUN ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf)
     tar -xvzf /tmp/asdf.tar.gz && \
     mv asdf /usr/bin
 
-USER vscode
-
-ENV PATH="$PATH:/home/vscode/.asdf/shims/:/workspaces/eps-prescription-tracker-ui/node_modules/.bin:/workspaces/eps-workflow-quality-checks/.venv/bin"
+ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-prescription-tracker-ui/node_modules/.bin:/workspaces/eps-common-workflows/.venv/bin"
 
 # Install ASDF plugins#
 RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git && \
@@ -73,9 +71,9 @@ RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git && \
     asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git && \
     asdf plugin add python
 
-WORKDIR /workspaces/eps-workflow-quality-checks
+WORKDIR /workspaces/eps-common-workflows
 
-ADD .tool-versions /workspaces/eps-workflow-quality-checks/.tool-versions
+ADD .tool-versions /workspaces/eps-common-workflows/.tool-versions
 ADD .tool-versions /home/vscode/.tool-versions
 
 RUN asdf install python && \

.devcontainer/devcontainer.json

@@ -18,7 +18,7 @@
     ],
     "containerUser": "vscode",
     "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
-    "postAttachCommand": "docker build -f /workspaces/eps-workflow-quality-checks/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && pre-commit install --install-hooks -f",
+    "postAttachCommand": "docker build -f /workspaces/eps-common-workflows/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && pre-commit install --install-hooks -f",
     "features": {
       "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
         "version": "latest",

.github/dependabot.yaml

@@ -12,3 +12,31 @@ updates:
     open-pull-requests-limit: 20
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+
+  ###################################
+  # NPM workspace  ##################
+  ###################################
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "friday"
+      time: "18:00" # UTC
+    open-pull-requests-limit: 20
+    versioning-strategy: increase
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "
+
+  ###################################
+  # Poetry  #########################
+  ###################################
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "friday"
+      time: "18:00" # UTC
+    open-pull-requests-limit: 20
+    versioning-strategy: increase
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "

.github/workflows/combine-dependabot-prs.yml

@@ -0,0 +1,67 @@
+name: "Combine PRs"
+
+on:
+    workflow_call:
+        inputs:
+            branchPrefix:
+                description: "Branch prefix to find combinable PRs based on"
+                default: "dependabot"
+                type: string
+            mustBeGreen:
+                description: "Only combine PRs that are green (status is success)"
+                default: true
+                type: boolean
+            combineBranchName:
+                description: "Name of the branch to combine PRs into"
+                default: "combine-dependabot-PRs"
+                type: string
+            ignoreLabel:
+                description: "Exclude PRs with this label"
+                default: "nocombine"
+                type: string
+
+    # Allow manual triggering of the workflow for this repo
+    workflow_dispatch:
+        inputs:
+            branchPrefix:
+                description: "Branch prefix to find combinable PRs based on"
+                default: "dependabot"
+                type: string
+            mustBeGreen:
+                description: "Only combine PRs that are green (status is success)"
+                default: true
+                type: boolean
+            combineBranchName:
+                description: "Name of the branch to combine PRs into"
+                default: "combine-dependabot-PRs"
+                type: string
+            ignoreLabel:
+                description: "Exclude PRs with this label"
+                default: "nocombine"
+                type: string
+
+jobs:
+    combine-prs:
+        runs-on: ubuntu-22.04
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+              with:
+                  repository: NHSDigital/eps-common-workflows
+                  sparse-checkout-cone-mode: false
+                  sparse-checkout: |
+                      combine-prs.js
+
+            - name: Create Combined PR
+              uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+              id: create-combined-pr
+              env:
+                  branchPrefix: ${{ inputs.branchPrefix }}
+                  mustBeGreen: ${{ inputs.mustBeGreen }}
+                  combineBranchName: ${{ inputs.combineBranchName }}
+                  ignoreLabel: ${{ inputs.ignoreLabel }}
+              with:
+                  github-token: ${{secrets.GITHUB_TOKEN}}
+                  script: |
+                      const combinePRs = require('./combine-prs.js');
+                      await combinePRs({ github, context, core });

.github/workflows/dependabot-auto-approve-and-merge.yml

@@ -0,0 +1,61 @@
+name: Dependabot auto-approve
+
+on:
+    workflow_call:
+        secrets:
+            AUTOMERGE_APP_ID:
+                required: true
+            AUTOMERGE_PEM:
+                required: true
+
+permissions:
+    pull-requests: write
+    contents: write
+
+jobs:
+    dependabot:
+        runs-on: ubuntu-22.04
+        if: ${{ github.actor == 'dependabot[bot]' }}
+        steps:
+            - name: Get token from Github App
+              id: get_app_token
+              uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42
+              with:
+                  app-id: ${{ secrets.AUTOMERGE_APP_ID }}
+                  private-key: ${{ secrets.AUTOMERGE_PEM }}
+
+            - name: Dependabot metadata
+              id: dependabot-metadata
+              uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b
+              with:
+                  github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+            - name: Approve patch and minor updates
+              if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'}}
+              run: gh pr review "$PR_URL" --approve -b "I'm **approving** this pull request because **it includes a patch or minor update**"
+              env:
+                  PR_URL: ${{github.event.pull_request.html_url}}
+                  GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
+
+            - name: Approve major updates of development dependencies
+              if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:development'}}
+              run: gh pr review "$PR_URL" --approve -b "I'm **approving** this pull request because **it includes a major update of a dependency used only in development**"
+              env:
+                  PR_URL: ${{github.event.pull_request.html_url}}
+                  GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
+
+            - name: Comment on major updates of non-development dependencies
+              if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production'}}
+              run: |
+                  gh pr comment "$PR_URL" --body "I'm **not approving** this PR because **it includes a major update of a dependency used in production**"
+                  gh pr edit "$PR_URL" --add-label "requires-manual-qa"
+              env:
+                  PR_URL: ${{github.event.pull_request.html_url}}
+                  GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
+
+            # enable auto merge on all dependabot prs
+            - name: Enable auto-merge for Dependabot PRs
+              run: gh pr merge --auto --squash "$PR_URL"
+              env:
+                  PR_URL: ${{github.event.pull_request.html_url}}
+                  GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}

.github/workflows/pr_title_check.yml

@@ -0,0 +1,88 @@
+name: PR Title Check
+
+on:
+    workflow_call:
+
+jobs:
+    pr_title_format_check:
+        runs-on: ubuntu-22.04
+        permissions:
+            pull-requests: write
+        steps:
+            - name: Check PR Title is Prefixed with Change Type
+              id: check_prefix
+              continue-on-error: true
+              env:
+                  PR_TITLE: ${{ github.event.pull_request.title }}
+              run: |
+                  if [[ "$PR_TITLE" =~ ^(Fix|Update|New|Breaking|Docs|Build|Upgrade|Chore):.*$ ]]; then
+                    echo "PR title is prefixed with change type."
+                  else
+                    echo "PR title is not prefixed with change type."
+                    exit 1
+                  fi
+
+            - name: Check PR Title contains Ticket/Dependabot Reference
+              id: check_ticket_reference
+              continue-on-error: true
+              env:
+                  PR_TITLE: ${{ github.event.pull_request.title }}
+              run: |
+                  if [[ "$PR_TITLE" =~ ^.*:.*\[([A-Z]+-[0-9]+|dependabot)\].*-.*$ ]]; then
+                    echo "PR title contains ticket or dependabot reference."
+                  else
+                    echo "PR title does not contain ticket or dependabot reference."
+                    exit 1
+                  fi
+
+            - name: Extract Ticket Reference
+              id: extract_ticket_reference
+              if: steps.check_ticket_reference.outcome == 'success'
+              env:
+                  PR_TITLE: ${{ github.event.pull_request.title }}
+              run: |
+                  if [[ "$PR_TITLE" =~ ^.*:.*\[([A-Z]+-[0-9]+|dependabot)\].*-.*$ ]]; then
+                    TICKET_REF="${BASH_REMATCH[1]}"
+                    echo "Extracted ticket reference: $TICKET_REF"
+                    echo "TICKET_REF=$TICKET_REF" > "$GITHUB_OUTPUT"
+                  else
+                    echo "No ticket reference found."
+                    exit 1
+                  fi
+
+            - name: Comment on PR with Jira Link
+              if: steps.extract_ticket_reference.outcome == 'success' && steps.extract_ticket_reference.outputs.TICKET_REF != 'dependabot'
+              uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  TICKET_REF: ${{ steps.extract_ticket_reference.outputs.TICKET_REF }}
+              with:
+                  message: |
+                      This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket:
+                      # [${{ env.TICKET_REF }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_REF }})
+                  comment-tag: pr-link
+
+            - name: Comment on PR for dependabot
+              if: steps.extract_ticket_reference.outcome == 'success' && steps.extract_ticket_reference.outputs.TICKET_REF == 'dependabot'
+              uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              with:
+                  message: |
+                      This PR is raised by Dependabot to update a dependency.
+                  comment-tag: pr-link
+
+            - name: Comment on PR for bad format
+              if: steps.check_prefix.outcome != 'success' || steps.check_ticket_reference.outcome != 'success'
+              uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              with:
+                  message: |
+                      The PR title does not conform to the required format.
+                      Please ensure your PR title is prefixed with a change type (Fix, Update, New, Breaking, Docs, Build, Upgrade, Chore)
+                      and contains a ticket reference (eg. 'Fix: [AEA-####] - ...', or 'Chore: [dependabot] - ...'),
+                      then push an empty commit or recreate your PR.
+                      See the contributing guide for more details:
+                      https://github.com/NHSDigital/eps-common-workflows/blob/main/CONTRIBUTING.md
+                  comment-tag: pr-link

.github/workflows/pull_request.yml

@@ -49,12 +49,12 @@ jobs:
           echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
   dependabot-auto-approve-and-merge:
     needs: quality_checks
-    uses: NHSDigital/eps-workflow-dependabot/.github/workflows/dependabot-auto-approve-and-merge.yml@4b56ed8edd7c5357fd0123a2bd84b3429d3a6b20
+    uses: ./.github/workflows/dependabot-auto-approve-and-merge.yml
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
   pr_title_format_check:
-    uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/pr_title_check.yml@f3d071da30cd01dc0e4472ac0e2d7452db78d1c7
+    uses: ./.github/workflows/pr_title_check.yml
   get_asdf_version:
     runs-on: ubuntu-22.04
     outputs:
@@ -94,7 +94,7 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_asdf_version]
-    uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/tag-release.yml@f3d071da30cd01dc0e4472ac0e2d7452db78d1c7
+    uses: ./.github/workflows/tag-release.yml
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/quality-checks.yml

@@ -361,7 +361,7 @@ jobs:
           path: cfn_guard_output
 
       - name: Generate and check SBOMs
-        uses: NHSDigital/eps-action-sbom@ae6916d542c092ec1636f9a0ba14464ba25a97d1
+        uses: NHSDigital/eps-action-sbom@7684ce6314e515df7b7929fac08b4464f8a03d06
 
       - name: "check is SONAR_TOKEN exists"
         env:

.github/workflows/release.yml

@@ -63,7 +63,7 @@ jobs:
       PUSH_IMAGE_ROLE: ${{ secrets.DEV_CONTAINER_PUSH_IMAGE_ROLE }}
   tag_release:
     needs: [quality_checks, get_asdf_version]
-    uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/tag-release.yml@f3d071da30cd01dc0e4472ac0e2d7452db78d1c7
+    uses: ./.github/workflows/tag-release.yml
     with:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}