Merge branch 'main' into CCM-9061_replaceTfsecTrivy

aidenvaines-cgi · web-flow · commit b0d290ed6efe · 2025-04-09T15:36:57.000+01:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,11 +1,15 @@
 # NHS Notify Code Owners
 
 # Notify default owners
-* @rossbugginsnhs @m-houston @aidenvaines-bjss @timireland
+*                           @NHSDigital/nhs-notify-repository-template
+
+/.github/                   @NHSDigital/nhs-notify-repository-template-admins
+*.code-workspace            @NHSDigital/nhs-notify-repository-template-admins
+/infrastructure/terraform/  @NHSDigital/nhs-notify-platform
 
 # Codeowners must be final check
-/.github/CODEOWNERS @NHSDigital/nhs-notify-code-owners
-/CODEOWNERS @NHSDigital/nhs-notify-code-owners
+/.github/CODEOWNERS         @NHSDigital/nhs-notify-code-owners
+/CODEOWNERS                 @NHSDigital/nhs-notify-code-owners
 
 
 # Each NHS Notify repository should have clear code owners set.
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml
@@ -44,7 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
@@ -58,7 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: combine-prs
         id: combine-prs
-        uses: github/combine-prs@v5.1.0
+        uses: github/combine-prs@v5.2.0
         with:
           ci_required: false
           labels: dependencies
diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml
@@ -27,12 +27,12 @@ jobs:
 
     - name: Run syncronisation script
       run: |
-        ./scripts/githooks/sync-template-repo.sh
+        ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh
         rm -Rf ./nhs-notify-repository-template
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}
-      uses: peter-evans/create-pull-request@v7.0.1
+      uses: peter-evans/create-pull-request@v7.0.6
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: Drift from template
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
@@ -36,7 +36,7 @@ jobs:
   scan-secrets:
     name: "Scan secrets"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -47,7 +47,7 @@ jobs:
   check-file-format:
     name: "Check file format"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -58,7 +58,7 @@ jobs:
   check-markdown-format:
     name: "Check Markdown format"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -93,7 +93,7 @@ jobs:
   check-english-usage:
     name: "Check English usage"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -127,7 +127,7 @@ jobs:
   lint-terraform:
     name: "Lint Terraform"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
@@ -156,7 +156,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -175,7 +175,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
diff --git a/.github/workflows/stage-5-publish.yaml b/.github/workflows/stage-5-publish.yaml
@@ -104,7 +104,7 @@ jobs:
         run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT
       - name: "Notify on publishing packages"
         if: steps.check.outputs.secret_exist == 'true'
-        uses: nhs-england-tools/notify-msteams-action@v0.0.4
+        uses: nhs-england-tools/notify-msteams-action@v1.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }}
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -1,5 +1,6 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
+cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:sonar-api-token:37
 96096685ab3d6876671e2bc9a6ff4d48fc56e521:src/helloworld/helloworld.sln:ipv4:4
 4f4e8c15629b2cb09356a7fed4d72953590227ce:docs/Gemfile.lock:ipv4:4
diff --git a/.tool-versions b/.tool-versions
@@ -1,18 +1,19 @@
 act 0.2.64
-gitleaks 8.18.4
+gitleaks 8.24.0
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
 trivy 0.61.0
 vale 3.6.0
+python 3.13.2
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
 # docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
 # docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
-# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
+# docker/ghcr.io/gitleaks/gitleaks:v8.24.0@sha256:b8e9bf46893c2f20e10bfb4b2e783adaef519dea981b01ca6221ac325e836040 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock
@@ -15,7 +15,7 @@ GEM
       public_suffix (>= 2.0.2, < 6.0)
     base64 (0.2.0)
     bigdecimal (3.1.8)
-    cgi (0.4.1)
+    cgi (0.4.2)
     colorator (1.1.0)
     concurrent-ruby (1.2.3)
     connection_pool (2.4.1)
@@ -92,29 +92,27 @@ GEM
       jekyll-seo-tag (~> 2.1)
     minitest (5.24.1)
     mutex_m (0.2.0)
-    nokogiri (1.16.5-x86_64-linux)
+    nokogiri (1.18.3-x86_64-linux-gnu)
       racc (~> 1.4)
     pathutil (0.16.2)
       forwardable-extended (~> 2.6)
     public_suffix (5.0.5)
-    racc (1.8.0)
+    racc (1.8.1)
     rake (13.2.1)
     rb-fsevent (0.11.2)
     rb-inotify (0.11.1)
       ffi (~> 1.0)
-    rexml (3.3.6)
-      strscan
+    rexml (3.3.9)
     rouge (4.2.1)
     safe_yaml (1.0.5)
     sass-embedded (1.83.0-x86_64-linux-gnu)
       google-protobuf (~> 4.28)
-    strscan (3.1.0)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
-    webrick (1.8.1)
+    webrick (1.8.2)
 
 PLATFORMS
   x86_64-linux
diff --git a/docs/adr/assets/ADR-003/examples/golang/go.mod b/docs/adr/assets/ADR-003/examples/golang/go.mod
@@ -1,10 +1,11 @@
 module github-app-get-tokent
 
 go 1.21.0
+toolchain go1.23.7
 
 require (
 	github.com/go-resty/resty/v2 v2.7.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 )
 
-require golang.org/x/net v0.33.0 // indirect
+require golang.org/x/net v0.36.0 // indirect
diff --git a/docs/adr/assets/ADR-003/examples/golang/go.sum b/docs/adr/assets/ADR-003/examples/golang/go.sum
@@ -3,8 +3,8 @@ github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSM
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
+golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
diff --git a/infrastructure/terraform/bin/terraform.sh b/infrastructure/terraform/bin/terraform.sh
@@ -539,24 +539,26 @@ fi;
 [ -f "${dynamic_file_path}" ] && tf_var_file_paths+=("${dynamic_file_path}");
 
 # Warn on duplication
-duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
-[ -n "${duplicate_variables}" ] \
-  && echo -e "
-###################################################################
-# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
-###################################################################
-The following input variables appear to be duplicated:
-
-${duplicate_variables}
-
-This could lead to unexpected behaviour. Overriding of variables
-has previously been unpredictable and is not currently supported,
-but it may work.
-
-Recent changes to terraform might give you useful overriding and
-map-merging functionality, please use with caution and report back
-on your successes & failures.
-###################################################################";
+if [ ${#tf_var_file_paths[@]} -gt 0 ]; then
+  duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
+  [ -n "${duplicate_variables}" ] \
+    && echo -e "
+  ###################################################################
+  # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
+  ###################################################################
+  The following input variables appear to be duplicated:
+
+  ${duplicate_variables}
+
+  This could lead to unexpected behaviour. Overriding of variables
+  has previously been unpredictable and is not currently supported,
+  but it may work.
+
+  Recent changes to terraform might give you useful overriding and
+  map-merging functionality, please use with caution and report back
+  on your successes & failures.
+  ###################################################################";
+fi
 
 # Build up the tfvars arguments for terraform command line
 for file_path in "${tf_var_file_paths[@]}"; do
@@ -791,8 +793,8 @@ case "${action}" in
     ;;
   *)
     echo -e "Generic action case invoked. Only the additional arguments will be passed to terraform, you break it you fix it:";
-    echo -e "\tterraform ${action} ${extra_args}";
-    terraform "${action}" ${extra_args} \
+    echo -e "\tterraform ${action} ${extra_args} | tee terraform_output";
+    terraform "${action}" ${extra_args} | tee terraform_output \
       || error_and_die "Terraform ${action} failed.";
     ;;
 esac;
diff --git a/scripts/config/.repository-template-sync-ignore b/scripts/config/.repository-template-sync-ignore
@@ -1,17 +1,22 @@
 # Files and folders to ignore when syncing nhs-notify-repository-template back in to this repository
-.github/workflows/
 nhs-notify-repository-template/
 
 # Files and Folders in this repository to ignore
+.editorconfig
+.github/CODEOWNERS
+.gitleaksignore
 .vscode/
+/Makefile
 CHANGELOG.md
-project.code-workspace
 README.md
 VERSION
+project.code-workspace
+scripts/config/sonar-scanner.properties
+scripts/tests/
 
 # Files and Folders in the template repository to disregard
 .devcontainer/
 .github/workflows/cicd-*.yaml
-*/examples/
 docs/
 infrastructure/terraform/components/
+scripts/**/examples/
diff --git a/scripts/config/.repository-template-sync-merge b/scripts/config/.repository-template-sync-merge
@@ -3,5 +3,6 @@ scripts/config/.repository-template-sync-ignore
 scripts/config/.repository-template-sync-merge
 .tool-versions
 .gitignore
+scripts/config/vale/vale.ini
 scripts/config/vale/styles/config/vocabularies/words/accept.txt
 scripts/config/vale/styles/config/vocabularies/words/reject.txt
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
@@ -1,4 +1,5 @@
 # SEE: https://github.com/gitleaks/gitleaks/#configuration
+# Do not edit this file directly as it will be overwritten by changes from the nhs-notify-repository-template on next sync
 
 [extend]
 useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
@@ -9,7 +9,6 @@ repos:
       - id: check-symlinks
       - id: detect-private-key
       - id: end-of-file-fixer
-        exclude: .+\.cs
       - id: forbid-new-submodules
       - id: mixed-line-ending
       - id: pretty-format-json
diff --git a/scripts/config/vale/styles/config/vocabularies/words/accept.txt b/scripts/config/vale/styles/config/vocabularies/words/accept.txt
@@ -9,7 +9,7 @@ drawio
 endcapture
 endfor
 endraw
-GitHub
+Git[Hh]ub
 Gitleaks
 Grype
 idempotence
diff --git a/scripts/docker/examples/python/assets/hello_world/requirements.txt b/scripts/docker/examples/python/assets/hello_world/requirements.txt
@@ -6,7 +6,7 @@ itsdangerous==2.1.2
 Jinja2==3.1.5
 MarkupSafe==2.1.3
 pip==23.3
-setuptools==70.0.0
+setuptools==78.1.0
 Werkzeug==3.0.6
 wheel==0.41.1
 WTForms==3.0.1
diff --git a/scripts/githooks/sort-dictionary.sh b/scripts/githooks/sort-dictionary.sh
@@ -25,7 +25,8 @@ function main() {
   mv $root/accept.sorted.txt $root/accept.txt
   mv $root/reject.sorted.txt $root/reject.txt
 
-  git add -uv $root/*
+  # Update the sorted files in the staged git index
+  git add --update --verbose $root/*
 }
 
 # ==============================================================================
diff --git a/scripts/githooks/sync-template-repo.sh b/scripts/githooks/sync-template-repo.sh
diff --git a/scripts/init.mk b/scripts/init.mk
diff --git a/scripts/maintenance/merge.js b/scripts/maintenance/merge.js
