CCM-11345 Manual Repo Sync (#85)

aidenvaines-cgi · web-flow · commit f443107e664a · 2025-07-30T14:22:49.000+01:00
* CCM-11345 Manual Repo Sync * CCM-11345 Manual Repo Sync * CCM-11345 Manual Repo Sync * CCM-11345 Manual Repo Sync
diff --git a/.github/actions/check-todo-usage/action.yaml b/.github/actions/check-todo-usage/action.yaml
@@ -0,0 +1,10 @@
+name: "Check Todo usage"
+description: "Check Todo usage"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Todo usage"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        check=branch ./scripts/githooks/check-todos.sh
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
@@ -48,7 +48,6 @@ jobs:
           echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
           # echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
       - name: "List variables"
diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml
@@ -27,7 +27,7 @@ jobs:
 
     - name: Run syncronisation script
       run: |
-        ./scripts/githooks/sync-template-repo.sh
+        ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh
         rm -Rf ./nhs-notify-repository-template
 
     - name: Create Pull Request
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -27,25 +27,25 @@ jobs:
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
       # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
+      contents: read
+      actions: read
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
@@ -36,7 +36,7 @@ jobs:
   scan-secrets:
     name: "Scan secrets"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -47,7 +47,7 @@ jobs:
   check-file-format:
     name: "Check file format"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -58,7 +58,7 @@ jobs:
   check-markdown-format:
     name: "Check Markdown format"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -93,14 +93,25 @@ jobs:
   check-english-usage:
     name: "Check English usage"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check English usage"
         uses: ./.github/actions/check-english-usage
+  check-todo-usage:
+    name: "Check TODO usage"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check TODO usage"
+        uses: ./.github/actions/check-todo-usage
   detect-terraform-changes:
     name: "Detect Terraform Changes"
     runs-on: ubuntu-latest
@@ -127,7 +138,7 @@ jobs:
   lint-terraform:
     name: "Lint Terraform"
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
@@ -145,7 +156,7 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v4
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v3
+        uses: asdf-vm/actions/setup@v4
       - name: "Perform Setup"
         uses: ./.github/actions/setup
       - name: "Trivy Scan"
@@ -156,7 +167,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
@@ -175,7 +186,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    timeout-minutes: 2
+    timeout-minutes: 5
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
@@ -97,7 +97,7 @@ jobs:
   #     - name: "Upload artefact 1"
   #       run: |
   #         echo "Uploading artefact 1 ..."
-  #         # TODO: Use either action/cache or action/upload-artifact
+  #         # Use either action/cache or action/upload-artifact
   # artefact-n:
   #   name: "Artefact n"
   #   runs-on: ubuntu-latest
@@ -114,4 +114,4 @@ jobs:
   #     - name: "Upload artefact n"
   #       run: |
   #         echo "Uploading artefact n ..."
-  #         # TODO: Use either action/cache or action/upload-artifact
+  #         # Use either action/cache or action/upload-artifact
diff --git a/scripts/config/.repository-template-sync-ignore b/scripts/config/.repository-template-sync-ignore
@@ -4,19 +4,30 @@ nhs-notify-repository-template/
 # Files and Folders in this repository to ignore
 .editorconfig
 .github/CODEOWNERS
+.github/ISSUE_TEMPLATE
+.github/workflows/cicd-*.yaml
+.github/workflows/stage-*.yaml
 .gitleaksignore
 .vscode/
-/Makefile
+Makefile
 CHANGELOG.md
-README.md
-VERSION
 project.code-workspace
+README.md
 scripts/config/sonar-scanner.properties
 scripts/tests/
+VERSION
 
 # Files and Folders in the template repository to disregard
 .devcontainer/
-.github/workflows/cicd-*.yaml
+.github/actions/build-docs
+.github/workflows/*.disabled
+*/examples/
 docs/
+eslint.config.mjs
 infrastructure/terraform/components/
+lambdas/example-lambda/
+package-lock.json
+package.json
 scripts/**/examples/
+scripts/terraform/terraform.mk
+src/.vscode/
diff --git a/scripts/config/.repository-template-sync-merge b/scripts/config/.repository-template-sync-merge
@@ -1,6 +1,9 @@
 # Files and folders to merge when syncing nhs-notify-repository-template back in to this repository
+.github/workflows/cicd-*.yaml
+.github/workflows/stage-*.yaml
 scripts/config/.repository-template-sync-ignore
 scripts/config/.repository-template-sync-merge
+scripts/config/pre-commit.yaml
 .tool-versions
 .gitignore
 scripts/config/vale/vale.ini
diff --git a/scripts/config/markdownlint.yaml b/scripts/config/markdownlint.yaml
@@ -1,4 +1,11 @@
+# SEE: https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md013.md
 MD013: false
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md024.md
 MD024:
   siblings_only: true
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md033.md
 MD033: false
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
@@ -70,3 +70,10 @@ repos:
         entry: ./scripts/githooks/check-terraform-docs.sh
         language: script
         pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-todo-usage
+        name: Check TODO usage
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-todos.sh
+        language: script
+        pass_filenames: false
diff --git a/scripts/githooks/check-english-usage.sh b/scripts/githooks/check-english-usage.sh
@@ -25,6 +25,7 @@ set -euo pipefail
 # ==============================================================================
 
 function main() {
+
   cd "$(git rev-parse --show-toplevel)"
 
   check=${check:-working-tree-changes}
@@ -57,6 +58,7 @@ function main() {
 # Arguments (provided as environment variables):
 #   filter=[git command to filter the files to check]
 function run-vale-natively() {
+
   # shellcheck disable=SC2046
   vale \
     --config "$PWD/scripts/config/vale/vale.ini" \
@@ -67,29 +69,23 @@ function run-vale-natively() {
 # Arguments (provided as environment variables):
 #   filter=[git command to filter the files to check]
 function run-vale-in-docker() {
+
   # shellcheck disable=SC1091
   source ./scripts/docker/docker.lib.sh
 
   # shellcheck disable=SC2155
   local image=$(name=jdkato/vale docker-get-image-version-and-pull)
-
-  echo "Image is: $image"
-  echo "Filter is: $filter"
   # We use /dev/null here to stop `vale` from complaining that it's
   # not been called correctly if the $filter happens to return an
   # empty list. As long as there's a filename, even if it's one that
   # will be ignored, `vale` is happy.
   # shellcheck disable=SC2046,SC2086
-
-  set -x
   docker run --rm --platform linux/amd64 \
     --volume "$PWD:/workdir" \
     --workdir /workdir \
     "$image" \
       --config /workdir/scripts/config/vale/vale.ini \
       $($filter) /dev/null
-
-  set +x
 }
 
 # ==============================================================================
diff --git a/scripts/githooks/check-file-format.sh b/scripts/githooks/check-file-format.sh
@@ -89,6 +89,7 @@ function run-editorconfig-natively() {
 #   dry_run_opt=[dry run option]
 #   filter=[git command to filter the files to check]
 function run-editorconfig-in-docker() {
+
   # shellcheck disable=SC1091
   source ./scripts/docker/docker.lib.sh
 
@@ -97,12 +98,10 @@ function run-editorconfig-in-docker() {
   # We use /dev/null here as a backstop in case there are no files in the state
   # we choose. If the filter comes back empty, adding `/dev/null` onto it has
   # the effect of preventing `ec` from treating "no files" as "all the files".
-  set -x
   docker run --rm --platform linux/amd64 \
     --volume "$PWD":/check \
     "$image" \
-      sh -c "ec --exclude '.git/' --config .editorconfig-checker.json $dry_run_opt \$($filter) /dev/null"
-  set +x
+      sh -c "ec --exclude '.git/' $dry_run_opt \$($filter) /dev/null"
 }
 
 # ==============================================================================
diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh
@@ -32,7 +32,7 @@ set -euo pipefail
 # ==============================================================================
 
 function main() {
-  echo "CHECKING MARKDOWN!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+
   cd "$(git rev-parse --show-toplevel)"
 
   check=${check:-working-tree-changes}
@@ -64,7 +64,7 @@ function main() {
 # Arguments (provided as environment variables):
 #   files=[files to check]
 function run-markdownlint-natively() {
-  echo "RUNNING MARKDOWN LINT NATIVELY"
+
   # shellcheck disable=SC2086
   markdownlint \
     $files \
@@ -75,25 +75,18 @@ function run-markdownlint-natively() {
 # Arguments (provided as environment variables):
 #   files=[files to check]
 function run-markdownlint-in-docker() {
-  echo "RUNNING MARKDOWN LINT IN DOCKER"
+
   # shellcheck disable=SC1091
   source ./scripts/docker/docker.lib.sh
 
   # shellcheck disable=SC2155
   local image=$(name=ghcr.io/igorshubovych/markdownlint-cli docker-get-image-version-and-pull)
   # shellcheck disable=SC2086
-
-  echo "Config:"
-  cat scripts/config/markdownlint.yaml
-
-  set -x
   docker run --rm --platform linux/amd64 \
     --volume "$PWD":/workdir \
     "$image" \
       $files \
       --config /workdir/scripts/config/markdownlint.yaml
-
-  set +x
 }
 
 # ==============================================================================
diff --git a/scripts/githooks/check-todos.sh b/scripts/githooks/check-todos.sh
