refactor: FTRS-313 Refactor GitHub workflows to enhance SonarQube security

Author: mmg-nhse

.github/actions/action-infrastructure-stack/action.yaml

@@ -44,12 +44,13 @@ runs:
     - name: "Action Infrastructure Stack"
       id: "action_stack"
       shell: bash
+      env:
+        MGMT_ACCOUNT_ID: ${{ inputs.mgmt_account_id }}
+        ACTION: ${{ inputs.action }}
+        STACK: ${{ inputs.stack }}
+        ENVIRONMENT: ${{ inputs.environment }}
+        WORKSPACE: ${{ inputs.workspace }}
+        PROJECT: ${{ inputs.project }}
+        RELEASE_TAG: ${{ inputs.release_tag }}
       run: |
-        export MGMT_ACCOUNT_ID=${{ inputs.mgmt_account_id }}
-        export ACTION=${{ inputs.action }}
-        export STACK=${{ inputs.stack }}
-        export ENVIRONMENT=${{ inputs.environment }}
-        export WORKSPACE=${{ inputs.workspace }}
-        export PROJECT=${{ inputs.project }}
-        export RELEASE_TAG=${{ inputs.release_tag }}
         /bin/bash ./scripts/workflow/action-infra-stack.sh

.github/actions/artefact-cleardown/action.yaml

@@ -14,7 +14,8 @@ runs:
     - name: Delete artefacts
       id: delete_artefacts
       shell: bash
+      env:
+        WORKSPACE: ${{ inputs.workspace }}
+        ARTEFACT_BUCKET_NAME: ${{ inputs.artefact_bucket_name }}
       run: |
-        export WORKSPACE=${{inputs.workspace}}
-        export ARTEFACT_BUCKET_NAME=${{inputs.artefact_bucket_name}}
         ./scripts/workflow/cleardown-artefacts.sh

.github/actions/build-service/action.yaml

@@ -15,7 +15,8 @@ runs:
   steps:
       - name: Build Service
         shell: bash
+        env:
+          SERVICE: ${{ inputs.service }}
+          DIRECTORY: ${{ inputs.directory }}
         run: |
-          export SERVICE=${{ inputs.service }}
-          export DIRECTORY=${{ inputs.directory }}
           /bin/bash ./uec-dos-management/scripts/workflow/build-service.sh

.github/actions/check-tf-state/action.yaml

@@ -14,7 +14,8 @@ runs:
     - name: Delete terraform state
       id: delete_tf_state
       shell: bash
+      env:
+        WORKSPACE: ${{ inputs.workspace }}
+        ENVIRONMENT: ${{ inputs.environment }}
       run: |
-        export WORKSPACE=${{inputs.workspace}}
-        export ENVIRONMENT=${{inputs.environment}}
         ./scripts/workflow/check-terraform-state.sh

.github/actions/cleardown-opensearch-network-policy/action.yaml

@@ -15,8 +15,8 @@ runs:
     - name: Delete OpenSearch Network Policy
       id: delete_os_policy
       shell: bash
+      env:
+        WORKSPACE: ${{ inputs.workspace }}
+        STACK: ${{ inputs.stack }}
       run: |
-        export WORKSPACE="${{ inputs.workspace }}"
-        export STACK="${{ inputs.stack }}"
-
         ./scripts/workflow/cleardown-opensearch-network-policy.sh

.github/actions/cleardown-tf-state/action.yaml

@@ -17,8 +17,9 @@ runs:
     - name: Delete terraform state
       id: delete_tf_state
       shell: bash
+      env:
+        WORKSPACE: ${{ inputs.workspace }}
+        ENVIRONMENT: ${{ inputs.environment }}
+        STACK: ${{ inputs.stack }}
       run: |
-        export WORKSPACE=${{inputs.workspace}}
-        export ENVIRONMENT=${{inputs.environment}}
-        export STACK=${{inputs.stack}}
         ./scripts/workflow/cleardown-terraform-state.sh

.github/actions/create-lines-of-code-report/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Create CLOC report"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-lines-of-code-report.sh
     - name: "Compress CLOC report"
       shell: bash
@@ -51,7 +52,10 @@ runs:
     - name: "Send the CLOC report to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
       run: |
         aws s3 cp \
-          ./lines-of-code-report-${{ inputs.build_timestamp }}.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip
+          ./lines-of-code-report-${BUILD_TIMESTAMP}.json.zip \
+          ${BUCKET_ENDPOINT}/${BUILD_TIMESTAMP}-lines-of-code-report.json.zip

.github/actions/deploy-service/action.yaml

@@ -30,12 +30,13 @@ runs:
   steps:
     - name: Deploy Service
       shell: bash
+      env:
+        SERVICE: ${{ inputs.service }}
+        APPLICATION_ROOT_DIR: ${{ inputs.directory }}
+        TAG: ${{ inputs.ref }}
+        WORKSPACE: ${{ inputs.workspace }}
+        ARTEFACT_SUB_DIR: ${{ inputs.artefact_sub_dir }}
+        ARTEFACT_BUCKET_NAME: ${{ inputs.artefact_bucket_name }}
+        ENVIRONMENT: ${{ inputs.environment }}
       run: |
-        export SERVICE=${{ inputs.service }}
-        export APPLICATION_ROOT_DIR=${{ inputs.directory }}
-        export TAG=${{ inputs.ref }}
-        export WORKSPACE=${{ inputs.workspace }}
-        export ARTEFACT_SUB_DIR=${{ inputs.artefact_sub_dir }}
-        export ARTEFACT_BUCKET_NAME=${{ inputs.artefact_bucket_name }}
-        export ENVIRONMENT=${{ inputs.environment }}
         /bin/bash ./uec-dos-management/scripts/workflow/deploy-service.sh

.github/actions/push-tag/action.yaml

@@ -14,7 +14,8 @@ runs:
   steps:
     - name: Push tag
       shell: bash
+      env:
+        TAG_TO_PUSH: ${{ inputs.tag_to_push }}
+        TAG_OVERWRITE: ${{ inputs.tag_overwrite }}
       run: |
-        export TAG_TO_PUSH=${{ inputs.tag_to_push }}
-        export TAG_OVERWRITE=${{ inputs.tag_overwrite }}
         . uec-dos-management/scripts/workflow/push-tag.sh

.github/actions/run-powerpipe-benchmarks/action.yaml

@@ -19,18 +19,23 @@ runs:
   steps:
     - name: Create reports directory
       shell: bash
+      env:
+        REPORTS_DIR: ${{ inputs.reports-dir }}
       run: |
-        mkdir -p "${{ inputs.reports-dir }}"
+        mkdir -p "${REPORTS_DIR}"
 
     - name: Run Powerpipe benchmarks
       shell: bash
+      env:
+        MODS_DIR: ${{ inputs.mods-dir }}
+        REPORTS_DIR: ${{ inputs.reports-dir }}
+        BENCHMARKS: ${{ inputs.benchmarks }}
       run: |
-        cd "${{ inputs.mods-dir }}"
+        cd "${MODS_DIR}"
         DATE=$(date +%Y-%m-%d)
         echo "Generating reports with date stamp: $DATE"
 
         # Parse the benchmarks JSON array
-        BENCHMARKS='${{ inputs.benchmarks }}'
         echo "Processing benchmarks: $BENCHMARKS"
 
         # Extract benchmark count
@@ -51,7 +56,7 @@ runs:
           set +e
           powerpipe benchmark run "$BENCHMARK" \
             --output html \
-            --export "../${{ inputs.reports-dir }}/aws_${NAME}_report_${DATE}.html"
+            --export "../${REPORTS_DIR}/aws_${NAME}_report_${DATE}.html"
           EXIT_CODE=$?
 
           if [ $EXIT_CODE -ne 0 ]; then