updates.

Author: RossBugginsNHS

.coverage

@@ -2,9 +2,9 @@
   "containerEnv": {
     "GITHUBMONITOR": "false",
     "MAKECONFIG": "true",
-    "SHOWWELCOME": "true",
+    "SHOWWELCOME": "false",
     "UPDATEFROMTEMPLATE": "false"
   },
-  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded-codespaces:main",
-  "name": "Codespaces Online Development"
+  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded-codespaces:1.0.19",
+  "name": "Codespaces"
 }

.devcontainer/devcontainer.json

@@ -2,10 +2,10 @@
   "containerEnv": {
     "GITHUBMONITOR": "false",
     "MAKECONFIG": "true",
-    "SHOWWELCOME": "true",
+    "SHOWWELCOME": "false",
     "UPDATEFROMTEMPLATE": "false"
   },
-  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded:1.0.17",
-  "name": "Notify Loaded 1.0.17",
+  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded:1.0.19",
+  "name": "Local Development",
   "postStartCommand": "mkdir -p ~/.gnupg && echo '## 1-day timeout' > ~/.gnupg/gpg-agent.conf && echo 'default-cache-ttl 86400' >> ~/.gnupg/gpg-agent.conf && echo 'max-cache-ttl 86400' >> ~/.gnupg/gpg-agent.conf && gpg-connect-agent reloadagent /bye 2>/dev/null || true"
 }

…fy-devcontainer-loaded/devcontainer.json .devcontainer/local-dev/devcontainer.json.devcontainer/nhs-notify-devcontainer-loaded/devcontainer.json renamed to .devcontainer/local-dev/devcontainer.json .devcontainer/nhs-notify-devcontainer-loaded/devcontainer.json renamed to .devcontainer/local-dev/devcontainer.json

@@ -0,0 +1,4 @@
+{
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
+  "name": "Ubuntu 24"
+}

.devcontainer/ubuntu/devcontainer.json

@@ -9,31 +9,39 @@ runs:
   steps:
     - name: Checkout
       uses: actions/checkout@v5
-    - uses: actions/setup-node@v6
-      with:
-        node-version: 24
-    - name: Npm cli install
-      working-directory: ./docs
-      run: npm ci
-      shell: bash
-    - name: Setup Ruby
-      uses: ruby/[email protected]
-      with:
-        ruby-version: "3.4.7" # Not needed with a .ruby-version file
-        bundler-cache: false # runs 'bundle install' and caches installed gems automatically
-        #cache-version: 0 # Increment this number if you need to re-download cached gems
-        working-directory: "./docs"
+
+    - name: "Setup dependencies and asdf with cache"
+      uses: ./.github/actions/setup-dependencies-asdf-with-cache
+
+    # - uses: actions/setup-node@v6
+    #   with:
+    #     node-version: 24
+    # - name: Npm cli install
+    #   working-directory: ./docs
+    #   run: npm ci
+    #   shell: bash
+    # - name: Setup Ruby
+    #   uses: ruby/[email protected]
+    #   with:
+    #     ruby-version: "3.4.7" # Not needed with a .ruby-version file
+    #     bundler-cache: false # runs 'bundle install' and caches installed gems automatically
+    #     #cache-version: 0 # Increment this number if you need to re-download cached gems
+    #     working-directory: "./docs"
+
     - name: Setup Pages
       id: pages
       uses: actions/configure-pages@v5
     - name: Build with Jekyll
       working-directory: ./docs
       # Outputs to the './_site' directory by default
       shell: bash
-      run: make build-ci BASE_URL=${{ steps.pages.outputs.base_path }} VERSION=${{ inputs.version }}
+      #run: make build-ci BASE_URL=${{ steps.pages.outputs.base_path }} VERSION=${{ inputs.version }}
+      run: make build BASE_URL="${BASE_URL}" VERSION="${VERSION}"
       #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
       env:
         JEKYLL_ENV: production
+        BASE_URL: ${{ steps.pages.outputs.base_path }}
+        VERSION: ${{ inputs.version }}
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
       uses: actions/upload-pages-artifact@v3

.github/actions/build-docs/action.yml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Create CLOC report"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-lines-of-code-report.sh
     - name: "Compress CLOC report"
       shell: bash
@@ -51,7 +52,10 @@ runs:
     - name: "Send the CLOC report to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./lines-of-code-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-lines-of-code-report.json.zip"

.github/actions/build-schemas/action.yml

@@ -10,19 +10,55 @@ inputs:
   sonar_token:
     description: "Sonar token, the API key"
     required: false
+  # Note, conmpsite actions only support string inputs
+  ignore_sonar_failure:
+    description: "Whether to fail the build if the quality gate fails"
+    default: 'false'
+
+outputs:
+  sonar_report_url:
+    description: "URL to the SonarCloud report for this branch"
+    value: ${{ steps.report.outputs.url }}
+
 runs:
   using: "composite"
   steps:
+    - name: "Warn that ignore failure is enabled"
+      if: ${{ fromJSON(inputs.ignore_sonar_failure) }}
+      shell: bash
+      run: |
+        echo "WARNING: SonarQube failures will be ignored as per configuration."
+        echo "::warning title=Ignore Sonar failures is enabled:: SonarQube failures will be ignored as per configuration."
     - name: "Check prerequisites for performing static analysis"
       shell: bash
       id: check
       run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT
     - name: "Perform static analysis"
       shell: bash
+      id: sonar
       if: steps.check.outputs.secret_exist == 'true'
+      continue-on-error: ${{ fromJSON(inputs.ignore_sonar_failure) }}
+      env:
+        SONAR_ORGANISATION_KEY: ${{ inputs.sonar_organisation_key }}
+        SONAR_PROJECT_KEY: ${{ inputs.sonar_project_key }}
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
       run: |
         export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
-        export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }}
-        export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }}
-        export SONAR_TOKEN=${{ inputs.sonar_token }}
         ./scripts/reports/perform-static-analysis.sh
+    - name: "Add SonarCloud report link to step summary"
+      shell: bash
+      id: report
+      if: steps.sonar.outcome == 'success' || (steps.sonar.outcome == 'failure' && fromJSON(inputs.ignore_sonar_failure))
+      env:
+        SONAR_ORGANISATION_KEY: ${{ inputs.sonar_organisation_key }}
+        SONAR_PROJECT_KEY: ${{ inputs.sonar_project_key }}
+      run: |
+        export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+        ENCODED_BRANCH=$(echo "$BRANCH_NAME" | sed 's/\//%2F/g')
+        SONAR_URL="https://sonarcloud.io/summary/overall?id=${SONAR_PROJECT_KEY}&branch=${ENCODED_BRANCH}"
+        echo "url=${SONAR_URL}" >> $GITHUB_OUTPUT
+        echo "### :bar_chart: SonarCloud Analysis Report" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Branch:** \`${BRANCH_NAME}\`" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "[View detailed SonarCloud report →]($SONAR_URL)" >> $GITHUB_STEP_SUMMARY

.github/actions/create-lines-of-code-report/action.yaml

@@ -0,0 +1,82 @@
+name: "Build Docs"
+description: "build jekyll docs"
+inputs:
+      version:
+        description: "Version of the software, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+      is_version_prerelease:
+        description: "Is this a semantically versioned pre release, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Checkout code"
+      uses: actions/checkout@v5
+
+    - name: "Get artifacts: jekyll docs"
+      uses: actions/download-artifact@v5
+      with:
+        path: ./artifacts/jekyll-docs-${{ inputs.version }}
+        name: jekyll-docs-${{ inputs.version }}
+
+    - name: "Get artifacts: schema"
+      uses: actions/download-artifact@v5
+      with:
+        path: ./artifacts/schemas-${{ inputs.version }}
+        name: schemas-${{ inputs.version }}
+
+    - name: Draft Release
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+        GH_REPO: ${{ github.repository }}
+        VERSION: ${{ inputs.version }}
+        IS_PRERELEASE: ${{ inputs.is_version_prerelease }}
+      run: |
+        PRERELEASE_FLAG=""
+        if [ "$IS_PRERELEASE" = "true" ]; then
+          PRERELEASE_FLAG="--prerelease"
+        fi
+        gh release create \
+        "$VERSION" \
+        --draft \
+        --latest \
+        --title "$VERSION" \
+        --notes "Release of $VERSION" \
+        $PRERELEASE_FLAG
+
+    - name: "Upload jeykll docs release asset"
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+        GH_REPO: ${{ github.repository }}
+        VERSION: ${{ inputs.version }}
+      run: |
+        cp "./artifacts/jekyll-docs-$VERSION/artifact.tar" "$RUNNER_TEMP/jekyll-docs-$VERSION.tar"
+        gh release upload \
+        "$VERSION" \
+        "$RUNNER_TEMP/jekyll-docs-$VERSION.tar#jekyll-docs-$VERSION"
+
+    - name: "Upload schema release asset"
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+        GH_REPO: ${{ github.repository }}
+        VERSION: ${{ inputs.version }}
+      run: |
+        cp "./artifacts/schemas-$VERSION/artifact.tar" "$RUNNER_TEMP/schemas-$VERSION.tar"
+        gh release upload \
+        "$VERSION" \
+        "$RUNNER_TEMP/schemas-$VERSION.tar#schemas-$VERSION"
+
+
+    - name: Publish Release
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+        GH_REPO: ${{ github.repository }}
+        VERSION: ${{ inputs.version }}
+      run: gh release edit "$VERSION" --draft=false

.github/actions/perform-static-analysis/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Generate SBOM"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-sbom-report.sh
     - name: "Compress SBOM report"
       shell: bash
@@ -39,8 +40,9 @@ runs:
         retention-days: 21
     - name: "Scan vulnerabilities"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/scan-vulnerabilities.sh
     - name: "Compress vulnerabilities report"
       shell: bash
@@ -65,10 +67,13 @@ runs:
     - name: "Send the SBOM and vulnerabilities reports to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./sbom-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-sbom-repository-report.json.zip"
         aws s3 cp \
           ./vulnerabilities-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-vulnerabilities-repository-report.json.zip"