CCM-11345 backported ASDF and scorecard versioning (#73)

aidenvaines-cgi · web-flow · commit 0e7f5c505ad4 · 2025-07-28T15:43:17.000+01:00
* CCM-11345 backported ASDF and scorecard versioning * CCM-11345 updating central ignore list * CCM-11345 updating central ignore list * CCM-11345 backported todo excludes * CCM-11345 fix todo detection for camelcase * CCM-11345 fix asdf version * CCM-11345 fix license security and precommit rev * CCM-11345 fix license security and precommit rev * CCM-11345 fix license security and precommit rev
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -21,8 +21,8 @@ If you wish to notify us of a vulnerability via email, please include detailed i
 
 You can reach us at:
 
-- _[ A product team email address ]_
-- [cybersecurity@nhs.net](cybersecurity@nhs.net)
+- [england.nhsnotify@nhs.net](mailto:england.nhsnotify@nhs.net)
+- [cybersecurity@nhs.net](mailto:cybersecurity@nhs.net)
 
 ### NCSC
 
diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml
@@ -32,7 +32,7 @@ jobs:
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}
-      uses: peter-evans/create-pull-request@v7.0.6
+      uses: peter-evans/create-pull-request@v7.0.8
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: Drift from template
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -27,25 +27,25 @@ jobs:
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
       # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
+      contents: read
+      actions: read
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
@@ -156,7 +156,7 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v4
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v3
+        uses: asdf-vm/actions/setup@v4
       - name: "Perform Setup"
         uses: ./.github/actions/setup
       - name: "Trivy Scan"
diff --git a/LICENCE.md b/LICENCE.md
@@ -1,6 +1,6 @@
 # MIT Licence
 
-Copyright (c) 2024 Crown Copyright NHS England.
+Copyright (c) 2025 Crown Copyright NHS England.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/infrastructure/terraform/bin/terraform.sh b/infrastructure/terraform/bin/terraform.sh
@@ -403,7 +403,7 @@ readonly component_name=$(basename ${component_path});
 # verify terraform version matches .tool-versions
 echo ${PWD}
 tool_version=$(grep "terraform " .tool-versions | cut -d ' ' -f 2)
-asdf plugin-add terraform && asdf install terraform "${tool_version}"
+asdf plugin add terraform && asdf install terraform "${tool_version}"
 current_version=$(terraform --version | head -n 1 | cut -d 'v' -f 2)
 
 if [ -z "${current_version}" ] || [ "${current_version}" != "${tool_version}" ]; then
diff --git a/scripts/config/.repository-template-sync-ignore b/scripts/config/.repository-template-sync-ignore
@@ -4,19 +4,28 @@ nhs-notify-repository-template/
 # Files and Folders in this repository to ignore
 .editorconfig
 .github/CODEOWNERS
+.github/ISSUE_TEMPLATE
 .gitleaksignore
 .vscode/
-/Makefile
+Makefile
 CHANGELOG.md
-README.md
-VERSION
 project.code-workspace
+README.md
 scripts/config/sonar-scanner.properties
 scripts/tests/
+VERSION
 
 # Files and Folders in the template repository to disregard
 .devcontainer/
-.github/workflows/cicd-*.yaml
+.github/actions/build-docs
+.github/workflows/*.disabled
+*/examples/
 docs/
+eslint.config.mjs
 infrastructure/terraform/components/
+lambdas/example-lambda/
+package-lock.json
+package.json
 scripts/**/examples/
+scripts/terraform/terraform.mk
+src/.vscode/
diff --git a/scripts/config/.repository-template-sync-merge b/scripts/config/.repository-template-sync-merge
@@ -1,8 +1,9 @@
 # Files and folders to merge when syncing nhs-notify-repository-template back in to this repository
+.github/workflows/cicd-*.yaml
+.gitignore
+.tool-versions
 scripts/config/.repository-template-sync-ignore
 scripts/config/.repository-template-sync-merge
-.tool-versions
-.gitignore
-scripts/config/vale/vale.ini
 scripts/config/vale/styles/config/vocabularies/words/accept.txt
 scripts/config/vale/styles/config/vocabularies/words/reject.txt
+scripts/config/vale/vale.ini
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0 # Use the ref you want to point at
+    rev: v5.0.0 # Use the ref you want to point at
     hooks:
       - id: trailing-whitespace
       - id: detect-aws-credentials
diff --git a/scripts/githooks/check-todos.sh b/scripts/githooks/check-todos.sh
@@ -28,6 +28,7 @@ set -euo pipefail
 EXCLUDED_FILES=(
   ".devcontainer/devcontainer.json"
   ".tool-versions"
+  ".vscode/extensions.json"
   "infrastructure/terraform/bin/terraform.sh"
   "Makefile"
   "project.code-workspace"
@@ -119,7 +120,7 @@ function search_todos() {
 
     # If the file is excluded, skip it
     if [ "$skip" = false ] && [ -f "$file" ]; then
-      file_todos=$(grep -nHi TODO "$file" || true)
+      file_todos=$(grep -nHiE '\bTODO\b' "$file" || true)
       [ -n "$file_todos" ] && todos+="$file_todos\n"
     fi
   done
@@ -135,7 +136,7 @@ function filter_todos_with_valid_jira_ticket() {
 
   while IFS= read -r line; do
     # Only lines with TODO but without a valid JIRA ticket
-    if grep -qi 'TODO' <<< "$line"; then
+    if grep -qnHiE '\bTODO\b' <<< "$line"; then
       if ! [[ "$line" =~ $jira_regex ]]; then
         todos_without_ticket+="$line\n"
       fi

-Original file line number
+Diff line change
 You can reach us at:
 -- _[ A product team email address ]_
 -- [[email protected]]([email protected])
 +- [[email protected]](mailto:[email protected])
 +- [[email protected]](mailto:[email protected])
 ### NCSC