[PRM-537] Introduce markdown validation check on PRs (#910)

Author: chrisbloe

.github/workflows/automated-pr-validator.yml

@@ -6,13 +6,12 @@ on:
       - main
     types: [opened, edited, synchronize]
 
-permissions:
-  contents: read
-  pull-requests: read
-
 jobs:
   checklist_validator:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -27,3 +26,118 @@ jobs:
           python3 scripts/github/checklist_validator/main.py
         env:
           PR_BODY: ${{ github.event.pull_request.body }}
+
+  sbom_scan:
+    name: SBOM Repo Scan
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # Required for anchore/sbom-action
+      contents: write # Required for anchore/sbom-action
+      id-token: write # Required for requesting the JWT
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+
+      - uses: anchore/sbom-action@v0
+        with:
+          path: "."
+          format: cyclonedx-json
+          output-file: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json
+
+      - uses: anchore/scan-action@v7
+        id: sbom-scan
+        with:
+          sbom: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json
+          fail-build: true
+          severity-cutoff: low
+          only-fixed: true
+          output-format: sarif
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.sbom-scan.outputs.sarif }}
+
+      - name: Add/Update SBOM failure comment
+        uses: actions/github-script@v8
+        if: always() && failure()
+        with:
+          script: |
+            // 1. Retrieve existing bot comments for the PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            })
+
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
+            })
+
+            // 2. Prepare format of the comment
+            const output = `### Code security issues found
+
+            View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
+
+            // 3. If we have a comment, update it, otherwise create a new one
+            if (botComment) {
+              github.rest.issues.deleteComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: output
+              })
+            }
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Delete SBOM failure comment
+        uses: actions/github-script@v8
+        if: always() && success()
+        with:
+          script: |
+            // 1. Retrieve existing bot comments for the PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            })
+
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
+            })
+
+            // 2. If we have a comment, update it, otherwise create a new one
+            if (botComment) {
+              github.rest.issues.deleteComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id
+              })
+            }
+
+  markdown-validation:
+    name: Markdown Validation
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Run Markdown Validation Script
+        id: validate
+        run: |
+          BRANCH_NAME=${{ github.event.repository.default_branch }}
+          chmod +x scripts/markdown-validator.sh
+          scripts/markdown-validator.sh

.github/workflows/automated-sbom-repo-scan.yml

@@ -0,0 +1,4 @@
+{
+    "MD013": false,
+    "MD033": false
+}

.markdownlint.jsonc

@@ -1,16 +1,10 @@
 # national-document-repository
 
-## Lamda Function Intro
+## Links
 
-Our Lambda function readme can be found [here](lambdas/README.md)
-
-## React User Interface Intro
-
-Our React User Interface readme can be found [here](app/README.md)
-
-## End-to-End Tests Intro
-
-Our E2E test readme can be found [here](lambdas/tests/e2e/README.md). We have E2E tests for our FHIR endpoints and APIM setup.
+- [Lambda function README.md](lambdas/README.md).
+- [React User Interface README.md](app/README.md).
+- [E2E test README.md](lambdas/tests/e2e/README.md) (we have E2E tests for our FHIR endpoints and APIM setup).
 
 ## Installation
 

README.md

@@ -1,22 +1,14 @@
-## National Document Repository User Interface
+# National Document Repository User Interface
 
-### Intro
+## Intro
 
 The National Document Repository user interface (UI) has been developed with React. This is a developer's guide to run the UI and tools locally.
 
-## Table Of Contents
+## Requirements
 
-1. [Setup](#setup)
-2. [Running Locally](#running-locally)
-3. [Testing](#testing)
-4. [Accessibility](#accessibility)
-5. [Design](#design)
-
-### Requirements
-
--   Node: Version 24.x
--   NPM: this should come installed with Node but if not version 11.4.1 or greater is recommended.
--   Browser: Of your choice, although Chrome has better development tools.
+- Node: Version 24.x
+- NPM: this should come installed with Node but if not version 11.4.1 or greater is recommended.
+- Browser: Of your choice, although Chrome has better development tools.
 
 ## Setup
 
@@ -46,7 +38,7 @@ Once the packages have been installed, you can then run the app through the foll
 make start
 ```
 
-Once everything is up and running you should see a prompt in the CLI that the app is running on http://localhost:xxxx, where xxxx is the value of PORT specified in `.env` file. You should now be able to visit the site in a browser of your choice.
+Once everything is up and running you should see a prompt in the CLI that the app is running on <http://localhost:xxxx>, where xxxx is the value of PORT specified in `.env` file. You should now be able to visit the site in a browser of your choice.
 
 ## Testing
 
@@ -82,10 +74,10 @@ This will open a new Chromium window with the options to either run the E2E test
 
 ## Accessibility
 
--   [WAVE Chrome extension](https://chrome.google.com/webstore/detail/wave-evaluation-tool/jbbplnpkjmmeebjpijfedlgcdilocofh)
--   Use a screen reader
--   Use keyboard navigation
--   Use NHS components rather than custom styling
+- [WAVE Chrome extension](https://chrome.google.com/webstore/detail/wave-evaluation-tool/jbbplnpkjmmeebjpijfedlgcdilocofh)
+- Use a screen reader
+- Use keyboard navigation
+- Use NHS components rather than custom styling
 
 ## Design