Moving docs and schemas to separate workflow.

Author: RossBugginsNHS

.github/workflows/docs-cicd-1-docs.yaml

@@ -0,0 +1,164 @@
+name: "Docs 1. CI/CD"
+
+# The total recommended execution time for the "CI/CD Pull Request" workflow is around 20 minutes.
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "**"
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches:
+      - main
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  changes:
+    name: "Only run on docs change"
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            docs:`
+              - 'docs/**'
+            src:`
+              - 'src/**'
+    outputs:
+      docs: ${{ steps.changes.outputs.docs }}
+      src: ${{ steps.changes.outputs.src }}
+
+  metadata:
+    name: "Set CI/CD metadata"
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    needs: changes
+    if: ${{ needs.changes.outputs.docs == 'true' || needs.changes.outputs.src == 'true' }}
+
+    outputs:
+      build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }}
+      build_datetime: ${{ steps.variables.outputs.build_datetime }}
+      build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
+      build_epoch: ${{ steps.variables.outputs.build_epoch }}
+      nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
+      python_version: ${{ steps.variables.outputs.python_version }}
+      terraform_version: ${{ steps.variables.outputs.terraform_version }}
+      version: ${{ steps.variables.outputs.version }}
+      is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
+      does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
+      pr_number: ${{ steps.pr_exists.outputs.pr_number }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Set CI/CD variables"
+        id: variables
+        run: |
+          datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
+          BUILD_DATETIME=$datetime make version-create-effective-file dir=.
+          version=$(head -n 1 .version 2> /dev/null || echo unknown)
+          echo "build_datetime_london=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
+          echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
+          echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
+          echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "version=$(echo $version)" >> $GITHUB_OUTPUT
+          echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT
+
+      - name: "Check if pull request exists for this branch"
+        id: pr_exists
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+          echo "Current branch is '$branch_name'"
+
+          pr_json=$(gh pr list --head "$branch_name" --state open --json number --limit 1)
+          pr_number=$(echo "$pr_json" | jq -r '.[0].number // empty')
+
+          if [[ -n "$pr_number" ]]; then
+            echo "Pull request exists: #$pr_number"
+            echo "does_pull_request_exist=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+          else
+            echo "Pull request doesn't exist"
+            echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
+            echo "pr_number=" >> $GITHUB_OUTPUT
+          fi
+
+      - name: "List variables"
+        run: |
+          export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
+          export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}"
+          export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}"
+          export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}"
+          export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
+          export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
+          export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
+          export VERSION="${{ steps.variables.outputs.version }}"
+          export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
+          export IS_VERSION_PRERELEASE="${{ steps.variables.outputs.is_version_prerelease }}"
+          make list-variables
+  commit-stage: # Recommended maximum execution time is 2 minutes
+    name: "Commit stage"
+    needs: [metadata]
+    uses: ./.github/workflows/docs-stage-1-commit.yaml
+    with:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+  #    secrets: inherit
+  test-stage: # Recommended maximum execution time is 5 minutes
+    name: "Test stage"
+    needs: [metadata, commit-stage]
+    uses: ./.github/workflows/docs-stage-2-test.yaml
+    with:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+    secrets: #inherit
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  build-stage: # Recommended maximum execution time is 3 minutes
+    name: "Build stage"
+    needs: [metadata, test-stage]
+    uses: ./.github/workflows/docs-stage-3-build.yaml
+    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened')) || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+    with:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+  #    secrets: inherit
+  publish-stage: # Recommended maximum execution time is 10 minutes
+    name: "Publish stage"
+    needs: [metadata, build-stage]
+    uses: ./.github/workflows/docs-stage-5-publish.yaml
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/main')
+    with:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+      is_version_prerelease: "${{ needs.metadata.outputs.is_version_prerelease }}"
+#    secrets: inherit

.github/workflows/docs-stage-1-commit.yaml

@@ -0,0 +1,201 @@
+name: "Commit stage"
+
+on:
+  workflow_call:
+    inputs:
+      build_datetime:
+        description: "Build datetime, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+      build_timestamp:
+        description: "Build timestamp, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+      build_epoch:
+        description: "Build epoch, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+      nodejs_version:
+        description: "Node.js version, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+      python_version:
+        description: "Python version, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+      terraform_version:
+        description: "Terraform version, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+      version:
+        description: "Version of the software, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+
+jobs:
+  scan-secrets:
+    name: "Scan secrets"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Full history is needed to scan all commits
+      - name: "Scan secrets"
+        uses: ./.github/actions/scan-secrets
+  check-file-format:
+    name: "Check file format"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check file format"
+        uses: ./.github/actions/check-file-format
+  check-markdown-format:
+    name: "Check Markdown format"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check Markdown format"
+        uses: ./.github/actions/check-markdown-format
+  terraform-docs:
+    name: "Run terraform-docs"
+    runs-on: ubuntu-latest
+    needs: detect-terraform-changes
+    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+    permissions:
+        contents: write
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check to see if Terraform Docs are up-to-date"
+        run: |
+          make terraform-docs
+      - name: "Stage changes"
+        run: |
+          git add infrastructure/terraform/**/*.md
+      - name: "Check for changes in Terraform Docs"
+        run: |
+          if git diff --cached --name-only | grep -qE '\.md$'; then
+            echo "Markdown files have changed. Please run 'make terraform-docs' and commit the changes."
+            exit 1
+          fi
+  check-english-usage:
+    name: "Check English usage"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check English usage"
+        uses: ./.github/actions/check-english-usage
+  check-todo-usage:
+    name: "Check TODO usage"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check TODO usage"
+        uses: ./.github/actions/check-todo-usage
+  detect-terraform-changes:
+    name: "Detect Terraform Changes"
+    runs-on: ubuntu-latest
+    outputs:
+      terraform_changed: ${{ steps.check.outputs.terraform_changed }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+
+      - name: "Check for Terraform changes"
+        id: check
+        run: |
+          git fetch origin main || true  # Ensure you have the latest main branch
+          CHANGED_FILES=$(git diff --name-only HEAD origin/main)
+          echo "Changed files: $CHANGED_FILES"
+
+          if echo "$CHANGED_FILES" | grep -qE '\.tf$'; then
+            echo "Terraform files have changed."
+            echo "terraform_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "No Terraform changes detected."
+            echo "terraform_changed=false" >> $GITHUB_OUTPUT
+          fi
+  lint-terraform:
+    name: "Lint Terraform"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    needs: detect-terraform-changes
+    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Lint Terraform"
+        uses: ./.github/actions/lint-terraform
+  trivy:
+    name: "Trivy Scan"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    needs: detect-terraform-changes
+    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Setup ASDF"
+        uses: asdf-vm/actions/setup@v4
+      - name: "Perform Setup"
+        uses: ./.github/actions/setup
+      - name: "Trivy Scan"
+        uses: ./.github/actions/trivy
+  count-lines-of-code:
+    name: "Count lines of code"
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Count lines of code"
+        uses: ./.github/actions/create-lines-of-code-report
+        with:
+          build_datetime: "${{ inputs.build_datetime }}"
+          build_timestamp: "${{ inputs.build_timestamp }}"
+          idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
+          idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
+          idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
+          idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"
+  scan-dependencies:
+    name: "Scan dependencies"
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Scan dependencies"
+        uses: ./.github/actions/scan-dependencies
+        with:
+          build_datetime: "${{ inputs.build_datetime }}"
+          build_timestamp: "${{ inputs.build_timestamp }}"
+          idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
+          idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
+          idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
+          idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"