Merge pull request #59 from NHSDigital/feature/CCM-8881-backport-version-bumps

m-houston · web-flow · commit 5be9883bd167 · 2025-03-27T14:33:21.000Z
CCM-8881: Backport version bumps
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml
@@ -44,7 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
@@ -58,7 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: combine-prs
         id: combine-prs
-        uses: github/combine-prs@v5.1.0
+        uses: github/combine-prs@v5.2.0
         with:
           ci_required: false
           labels: dependencies
diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml
@@ -27,12 +27,12 @@ jobs:
 
     - name: Run syncronisation script
       run: |
-        ./scripts/githooks/sync-template-repo.sh
+        ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh
         rm -Rf ./nhs-notify-repository-template
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}
-      uses: peter-evans/create-pull-request@v7.0.1
+      uses: peter-evans/create-pull-request@v7.0.6
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: Drift from template
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
@@ -36,7 +36,7 @@ jobs:
   scan-secrets:
     name: "Scan secrets"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -47,7 +47,7 @@ jobs:
   check-file-format:
     name: "Check file format"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -58,7 +58,7 @@ jobs:
   check-markdown-format:
     name: "Check Markdown format"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -93,7 +93,7 @@ jobs:
   check-english-usage:
     name: "Check English usage"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -127,7 +127,7 @@ jobs:
   lint-terraform:
     name: "Lint Terraform"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
@@ -156,7 +156,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -175,7 +175,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
diff --git a/.github/workflows/stage-5-publish.yaml b/.github/workflows/stage-5-publish.yaml
@@ -104,7 +104,7 @@ jobs:
         run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT
       - name: "Notify on publishing packages"
         if: steps.check.outputs.secret_exist == 'true'
-        uses: nhs-england-tools/notify-msteams-action@v0.0.4
+        uses: nhs-england-tools/notify-msteams-action@v1.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }}
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -1,5 +1,6 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
+cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:sonar-api-token:37
 96096685ab3d6876671e2bc9a6ff4d48fc56e521:src/helloworld/helloworld.sln:ipv4:4
 4f4e8c15629b2cb09356a7fed4d72953590227ce:docs/Gemfile.lock:ipv4:4
diff --git a/.tool-versions b/.tool-versions
@@ -1,18 +1,19 @@
 act 0.2.64
-gitleaks 8.18.4
+gitleaks 8.24.0
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
 tfsec 1.28.10
 vale 3.6.0
+python 3.13.2
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
 # docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
 # docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
-# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
+# docker/ghcr.io/gitleaks/gitleaks:v8.24.0@sha256:b8e9bf46893c2f20e10bfb4b2e783adaef519dea981b01ca6221ac325e836040 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
diff --git a/infrastructure/terraform/bin/terraform.sh b/infrastructure/terraform/bin/terraform.sh
@@ -793,8 +793,8 @@ case "${action}" in
     ;;
   *)
     echo -e "Generic action case invoked. Only the additional arguments will be passed to terraform, you break it you fix it:";
-    echo -e "\tterraform ${action} ${extra_args}";
-    terraform "${action}" ${extra_args} \
+    echo -e "\tterraform ${action} ${extra_args} | tee terraform_output";
+    terraform "${action}" ${extra_args} | tee terraform_output \
       || error_and_die "Terraform ${action} failed.";
     ;;
 esac;
diff --git a/scripts/config/.repository-template-sync-ignore b/scripts/config/.repository-template-sync-ignore
@@ -1,17 +1,22 @@
 # Files and folders to ignore when syncing nhs-notify-repository-template back in to this repository
-.github/workflows/
 nhs-notify-repository-template/
 
 # Files and Folders in this repository to ignore
+.editorconfig
+.github/CODEOWNERS
+.gitleaksignore
 .vscode/
+/Makefile
 CHANGELOG.md
-project.code-workspace
 README.md
 VERSION
+project.code-workspace
+scripts/config/sonar-scanner.properties
+scripts/tests/
 
 # Files and Folders in the template repository to disregard
 .devcontainer/
 .github/workflows/cicd-*.yaml
-*/examples/
 docs/
 infrastructure/terraform/components/
+scripts/**/examples/
diff --git a/scripts/config/.repository-template-sync-merge b/scripts/config/.repository-template-sync-merge
@@ -3,5 +3,6 @@ scripts/config/.repository-template-sync-ignore
 scripts/config/.repository-template-sync-merge
 .tool-versions
 .gitignore
+scripts/config/vale/vale.ini
 scripts/config/vale/styles/config/vocabularies/words/accept.txt
 scripts/config/vale/styles/config/vocabularies/words/reject.txt
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
@@ -1,4 +1,5 @@
 # SEE: https://github.com/gitleaks/gitleaks/#configuration
+# Do not edit this file directly as it will be overwritten by changes from the nhs-notify-repository-template on next sync
 
 [extend]
 useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
@@ -9,7 +9,6 @@ repos:
       - id: check-symlinks
       - id: detect-private-key
       - id: end-of-file-fixer
-        exclude: .+\.cs
       - id: forbid-new-submodules
       - id: mixed-line-ending
       - id: pretty-format-json
diff --git a/scripts/config/vale/styles/config/vocabularies/words/accept.txt b/scripts/config/vale/styles/config/vocabularies/words/accept.txt
@@ -9,7 +9,7 @@ drawio
 endcapture
 endfor
 endraw
-GitHub
+Git[Hh]ub
 Gitleaks
 Grype
 idempotence
diff --git a/scripts/githooks/sort-dictionary.sh b/scripts/githooks/sort-dictionary.sh
@@ -25,7 +25,8 @@ function main() {
   mv $root/accept.sorted.txt $root/accept.txt
   mv $root/reject.sorted.txt $root/reject.txt
 
-  git add -uv $root/*
+  # Update the sorted files in the staged git index
+  git add --update --verbose $root/*
 }
 
 # ==============================================================================
diff --git a/scripts/githooks/sync-template-repo.sh b/scripts/githooks/sync-template-repo.sh
@@ -42,15 +42,13 @@ if [ ! -f "${MERGE_FILE}" ]; then
   echo "# Files and folders to merge when syncing ${TEMPLATE_REPO_DIR} back in to this repository" > ${MERGE_FILE}
 fi
 
-# Read the .template-ignore file into an array
-while IFS= read -r line || [ -n "$line" ]; do
-  IGNORED_PATHS+=("$line")
-done < "$IGNORE_FILE"
+TMP_SYNC_IGNORE=${PWD}/tmp-sync-ignore
+mkdir -p "${TMP_SYNC_IGNORE}"
+cp "${IGNORE_FILE}" "${TMP_SYNC_IGNORE}/.gitignore"
 
-# Read the .template-merge file into an array
-while IFS= read -r line || [ -n "$line" ]; do
-  MERGED_PATHS+=("$line")
-done < "$MERGE_FILE"
+TMP_SYNC_MERGE=${PWD}/tmp-sync-merge
+mkdir -p "${TMP_SYNC_MERGE}"
+cp "${MERGE_FILE}" "${TMP_SYNC_MERGE}/.gitignore"
 
 # Check if a file is ignored.
 is_ignored() {
@@ -61,27 +59,25 @@ is_ignored() {
     return 0
   fi
 
-  for ignored in "${IGNORED_PATHS[@]}"; do
-    if [[ -n "$ignored" && "$file" =~ $ignored ]]; then
-      return 0
-    fi
-  done
-  return 1
+  pushd "${TMP_SYNC_IGNORE}" > /dev/null
+  git check-ignore -q "${file}"
+  R=$?
+  popd > /dev/null
+  return $R
 }
 
 is_merge() {
   local file=${1}
 
-  for merged in "${MERGED_PATHS[@]}"; do
-    if [[ -n "$merged" && "$file" =~ $merged ]]; then
-      return 0
-    fi
-  done
-  return 1
+  pushd "${TMP_SYNC_MERGE}" > /dev/null
+  git check-ignore -q "${file}"
+  R=$?
+  popd > /dev/null
+  return $R
 }
 
 # Navigate to the template directory
-cd "${TEMPLATE_REPO_DIR}" || exit
+pushd "${TEMPLATE_REPO_DIR}" || exit
 FILES_ADDED=()
 FILES_WITH_CHANGES=()
 
@@ -127,6 +123,9 @@ while IFS= read -r -d '' file || [[ -n $file ]]; do
   fi
 done < <(find . -type f -print0)
 
+popd
+rm -rf "${TMP_SYNC_IGNORE}" "${TMP_SYNC_MERGE}"
+
 echo ------------------------------------------
 echo "${#FILES_ADDED[@]} files added, ${#FILES_WITH_CHANGES[@]} files with changes detected."
 
diff --git a/scripts/init.mk b/scripts/init.mk
@@ -7,7 +7,7 @@ include scripts/tests/test.mk
 # ==============================================================================
 
 runner-act: # Run GitHub Actions locally - mandatory: workflow=[workflow file name], job=[job name] @Development
-	source ./scripts/docker/docker.lib.sh
+	. ./scripts/docker/docker.lib.sh
 	act $(shell [[ "${VERBOSE}" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$$ ]] && echo --verbose) \
 		--container-architecture linux/amd64 \
 		--platform ubuntu-latest=$$(name="ghcr.io/nhs-england-tools/github-runner-image" docker-get-image-version-and-pull) \
@@ -21,7 +21,7 @@ runner-act: # Run GitHub Actions locally - mandatory: workflow=[workflow file na
 		--job ${job}
 
 version-create-effective-file: # Create effective version file - optional: dir=[path to the VERSION file to use, default is '.'], BUILD_DATETIME=[build date and time in the '%Y-%m-%dT%H:%M:%S%z' format generated by the CI/CD pipeline, default is current date and time] @Development
-	source scripts/docker/docker.lib.sh
+	. ./scripts/docker/docker.lib.sh
 	version-create-effective-file
 
 shellscript-lint-all: # Lint all shell scripts in this project, do not fail on error, just print the error messages @Quality
diff --git a/scripts/maintenance/merge.js b/scripts/maintenance/merge.js
@@ -25,7 +25,7 @@ const tokenize = line => {
   if (line === '') {
     return [];
   }
-  return line.split(/\s+/).filter(x => x !== '#').slice(0, 1);
+  return line.split(/\s+|[:=]/).filter(x => x !== '#' && x !== '').slice(0, 1);
 };
 const lines1Tokens = lines1.flatMap(tokenize);
 
