Merge branch 'main' into feature/CCM-13343_Trivy_Package_and_Library_Scans

Author: jamesthompson26-nhs

.devcontainer/devcontainer.json

@@ -2,9 +2,9 @@
   "containerEnv": {
     "GITHUBMONITOR": "false",
     "MAKECONFIG": "true",
-    "SHOWWELCOME": "true",
+    "SHOWWELCOME": "false",
     "UPDATEFROMTEMPLATE": "false"
   },
-  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded-codespaces:main",
-  "name": "Codespaces Online Development"
+  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded-codespaces:1.0.19",
+  "name": "Codespaces"
 }

…fy-devcontainer-loaded/devcontainer.json .devcontainer/local-dev/devcontainer.json.devcontainer/nhs-notify-devcontainer-loaded/devcontainer.json renamed to .devcontainer/local-dev/devcontainer.json .devcontainer/nhs-notify-devcontainer-loaded/devcontainer.json renamed to .devcontainer/local-dev/devcontainer.json

@@ -2,10 +2,10 @@
   "containerEnv": {
     "GITHUBMONITOR": "false",
     "MAKECONFIG": "true",
-    "SHOWWELCOME": "true",
+    "SHOWWELCOME": "false",
     "UPDATEFROMTEMPLATE": "false"
   },
-  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded:1.0.17",
-  "name": "Notify Loaded 1.0.17",
+  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded:1.0.19",
+  "name": "Local Development",
   "postStartCommand": "mkdir -p ~/.gnupg && echo '## 1-day timeout' > ~/.gnupg/gpg-agent.conf && echo 'default-cache-ttl 86400' >> ~/.gnupg/gpg-agent.conf && echo 'max-cache-ttl 86400' >> ~/.gnupg/gpg-agent.conf && gpg-connect-agent reloadagent /bye 2>/dev/null || true"
 }

.devcontainer/ubuntu/devcontainer.json

@@ -0,0 +1,4 @@
+{
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
+  "name": "Ubuntu 24"
+}

.github/actions/build-docs/action.yml

@@ -30,10 +30,12 @@ runs:
       working-directory: ./docs
       # Outputs to the './_site' directory by default
       shell: bash
-      run: make build-ci BASE_URL=${{ steps.pages.outputs.base_path }} VERSION=${{ inputs.version }}
+      run: make build-ci BASE_URL="${BASE_URL}" VERSION="${VERSION}"
       #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
       env:
         JEKYLL_ENV: production
+        BASE_URL: ${{ steps.pages.outputs.base_path }}
+        VERSION: ${{ inputs.version }}
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
       uses: actions/upload-pages-artifact@v3

.github/actions/create-lines-of-code-report/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Create CLOC report"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-lines-of-code-report.sh
     - name: "Compress CLOC report"
       shell: bash
@@ -51,7 +52,10 @@ runs:
     - name: "Send the CLOC report to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./lines-of-code-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-lines-of-code-report.json.zip"

.github/actions/scan-dependencies/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Generate SBOM"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-sbom-report.sh
     - name: "Compress SBOM report"
       shell: bash
@@ -39,8 +40,9 @@ runs:
         retention-days: 21
     - name: "Scan vulnerabilities"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/scan-vulnerabilities.sh
     - name: "Compress vulnerabilities report"
       shell: bash
@@ -65,10 +67,13 @@ runs:
     - name: "Send the SBOM and vulnerabilities reports to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./sbom-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-sbom-repository-report.json.zip"
         aws s3 cp \
           ./vulnerabilities-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-vulnerabilities-repository-report.json.zip"

.github/workflows/scheduled-repository-template-sync.yaml

@@ -32,7 +32,7 @@ jobs:
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}
-      uses: peter-evans/[email protected]
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: Drift from template

.github/workflows/stage-2-test.yaml

@@ -52,6 +52,9 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24.10.0
       - name: "Repo setup"
         run: |
           npm ci
@@ -66,12 +69,12 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
-      - name: "Repo setup"
-        run: |
-          npm ci
-      - name: "Generate dependencies"
-        run: |
-          npm run generate-dependencies
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24.10.0
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.14'
       - name: "Run unit test suite"
         run: |
           make test-unit
@@ -99,12 +102,9 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
-      - name: "Repo setup"
-        run: |
-          npm ci
-      - name: "Generate dependencies"
-        run: |
-          npm run generate-dependencies
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24.10.0
       - name: "Run linting"
         run: |
           make test-lint
@@ -115,12 +115,9 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
-      - name: "Repo setup"
-        run: |
-          npm ci
-      - name: "Generate dependencies"
-        run: |
-          npm run generate-dependencies
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24.10.0
       - name: "Run typecheck"
         run: |
           make test-typecheck

.tool-versions

@@ -3,7 +3,7 @@ gitleaks 8.24.0
 jq 1.6
 nodejs 24.10.0
 pre-commit 3.6.0
-python 3.13.2
+python 3.14.0
 terraform 1.10.1
 terraform-docs 0.19.0
 trivy 0.61.0

Makefile

@@ -28,11 +28,11 @@ deploy: # Deploy the project artefact to the target environment @Pipeline
 	# TODO: Implement the artefact deployment step
 
 clean:: # Clean-up project resources (main) @Operations
-	$(MAKE) -C docs clean
-	$(MAKE) -C src/cloudevents clean
-	$(MAKE) -C src/eventcatalogasyncapiimporter clean
-	$(MAKE) -C src/eventcatalogasyncapiimporter clean-output
-	$(MAKE) -C src/python-schema-generator clean
+	$(MAKE) -C docs clean && \
+	$(MAKE) -C src/cloudevents clean && \
+	$(MAKE) -C src/eventcatalogasyncapiimporter clean && \
+	$(MAKE) -C src/eventcatalogasyncapiimporter clean-output && \
+	$(MAKE) -C src/python-schema-generator clean && \
 	rm -f .version
 	npm run clean