merge main

Signed-off-by: Tim Ireland <tim.ireland@hscic.gov.uk>

Author: timireland

.eslintrc.json

@@ -67,7 +67,8 @@
         "devDependencies": [
           "jest.config.ts",
           "jest.setup.ts",
-          "**/__tests__/**"
+          "**/__tests__/**",
+          "**/*.dev.[jt]s?(x)"
         ]
       }
     ],

.github/CODEOWNERS

@@ -1,16 +1,15 @@
 # NHS Notify Code Owners
 
-*                         @NHSDigital/nhs-notify-web-template-management
+*                           @NHSDigital/nhs-notify-web-template-management
 
-/.github/                 @NHSDigital/nhs-notify-web-template-management-admins
-*.code-workspace          @NHSDigital/nhs-notify-web-template-management-admins
-/docs/                    @NHSDigital/nhs-notify-web-template-management
-/docs/testing/            @NHSDigital/nhs-notify-web-template-management-testers
-/tests/test-team/         @NHSDigital/nhs-notify-web-template-management-testers
+/.github/                   @NHSDigital/nhs-notify-web-template-management-admins
+*.code-workspace            @NHSDigital/nhs-notify-web-template-management-admins
+/docs/                      @NHSDigital/nhs-notify-web-template-management
+/infrastructure/terraform/  @NHSDigital/nhs-notify-platform
 
 # Codeowners must be final check
-/.github/CODEOWNERS       @NHSDigital/nhs-notify-code-owners
-/CODEOWNERS               @NHSDigital/nhs-notify-code-owners
+/.github/CODEOWNERS         @NHSDigital/nhs-notify-code-owners
+/CODEOWNERS                 @NHSDigital/nhs-notify-code-owners
 
 
 # Each NHS Notify repository should have clear code owners set.

.github/actions/tfsec/action.yaml .github/actions/trivy/action.yaml.github/actions/tfsec/action.yaml renamed to .github/actions/trivy/action.yaml

@@ -1,18 +1,17 @@
-name: "TFSec Scan"
-description: "Scan HCL using TFSec"
+name: "Trivy Scan"
 runs:
   using: "composite"
   steps:
-    - name: "TFSec Scan - Components"
+    - name: "Trivy Terraform IAC Scan"
       shell: bash
       run: |
         components_exit_code=0
         modules_exit_code=0
 
-        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/components || components_exit_code=$?
-        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
 
         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
-          echo "One or more TFSec scans failed."
+          echo "Trivy misconfigurations detected."
           exit 1
         fi

.github/workflows/stage-1-commit.yaml

@@ -135,8 +135,8 @@ jobs:
         uses: actions/checkout@v4
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
-  tfsec:
-    name: "TFSec Scan"
+  trivy:
+    name: "Trivy Scan"
     runs-on: ubuntu-latest
     timeout-minutes: 5
     needs: detect-terraform-changes
@@ -148,8 +148,8 @@ jobs:
         uses: asdf-vm/actions/setup@v3
       - name: "Perform Setup"
         uses: ./.github/actions/setup
-      - name: "TFSec Scan"
-        uses: ./.github/actions/tfsec
+      - name: "Trivy Scan"
+        uses: ./.github/actions/trivy
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.github/workflows/stage-4-acceptance.yaml

@@ -54,7 +54,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }}
-          role-session-name: deployInfra
+          role-session-name: templates-ci-sandbox-setup
           aws-region: ${{ env.AWS_REGION }}
       - name: "Get normalized branch name"
         id: normalize_branch_name
@@ -108,7 +108,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }}
-          role-session-name: deployInfra
+          role-session-name: templates-ci-accessibility-tests
           aws-region: eu-west-2
       - name: "Run accessibility test"
         run: make test-accessibility
@@ -143,7 +143,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }}
-          role-session-name: deployInfra
+          role-session-name: templates-ci-component-tests
           aws-region: eu-west-2
       - name: "Run ui component test"
         run: |
@@ -179,7 +179,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }}
-          role-session-name: deployInfra
+          role-session-name: templates-ci-api-tests
           aws-region: eu-west-2
       - name: "Run API test"
         run: |
@@ -190,7 +190,43 @@ jobs:
         with:
           name: API test report
           path: "tests/test-team/playwright-report"
-
+  test-e2e:
+    name: "E2E test"
+    runs-on: ubuntu-latest
+    needs: [sandbox-set-up]
+    environment: dev
+    timeout-minutes: 10
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: sandbox_tf_outputs.json
+          path: ./
+      - uses: actions/download-artifact@v4
+        with:
+          name: amplify_outputs.json
+          path: ./frontend
+      - name: "Repo setup"
+        run: |
+          npm ci
+      - name: Install Playwright Browsers
+        run: npx playwright install --with-deps
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }}
+          role-session-name: templates-ci-e2e-tests
+          aws-region: eu-west-2
+      - name: "Run E2E test"
+        run:
+          npm -w tests/test-team run test:e2e
+      - name: Archive e2e test results
+        if: success() || failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: e2e test report
+          path: "tests/test-team/playwright-report"
   sandbox-tear-down:
     name: "Sandbox tear down"
     if: success() || failure()
@@ -199,6 +235,7 @@ jobs:
       - test-accessibility
       - test-ui-component
       - test-api
+      - test-e2e
     environment: dev
     steps:
       - uses: hashicorp/setup-terraform@v3
@@ -209,7 +246,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }}
-          role-session-name: deployInfra
+          role-session-name: templates-ci-sandbox-teardown
           aws-region: eu-west-2
       - name: "Get normalized branch name"
         id: normalize_branch_name

.gitignore

@@ -35,6 +35,7 @@ node_modules
 
 # production
 /build
+dist
 
 # misc
 .DS_Store
@@ -63,6 +64,7 @@ reports
 tests/screenshots/*
 plugin-cache/
 
+# terraform
 *.terraform*
 terraform.tfstate
 terraform.tfstate.backup
@@ -86,3 +88,6 @@ tests/test-team/playwright-report/
 tests/test-team/blob-report/
 tests/test-team/playwright/.cache/
 lambdas/backend-api/src/email/email-template.json
+
+# vscode
+.vscode/settings.local.json

.gitleaksignore

@@ -1,7 +1,9 @@
-# SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
+# SEE: <https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore>
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
 87312c6a627a7b0420956d49187fd15b130df170:src/__tests__/components/molecules/LoginStatus.test.tsx:jwt:23
 37ca9f5670f4cd7d91869845ca27defbe6156bb9:src/__tests__/components/molecules/LoginStatus.test.tsx:jwt:23
 b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:15
 b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:25
+bc79df4f82052918ae6bf69d36279e5dd391d61e:tests/test-team/auth/user.json:jwt:15
+bc79df4f82052918ae6bf69d36279e5dd391d61e:tests/test-team/auth/user.json:jwt:25

.tool-versions

@@ -1,15 +1,14 @@
 act 0.2.64
 gitleaks 8.24.0
+jq 1.6
+nodejs 20.18.2
+make 4.4
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
+trivy 0.61.0
 vale 3.6.0
-tfsec 1.28.10
-nodejs 20.18.2
-jq 1.6
-python 3.9.18
-direnv 2.32.1
-make 4.4
+python 3.12.2
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

.vscode/settings.json

@@ -1,11 +1,13 @@
 {
   "markdownlint.config": {
     "MD013": false,
-    "MD024": { "siblings_only": true },
+    "MD024": {
+      "siblings_only": true
+    },
     "MD033": false
   },
   "editor.codeActionsOnSave": {
     "source.fixAll.eslint": "explicit"
   },
-  "eslint.codeActionsOnSave.mode": "problems"
+  "eslint.codeActionsOnSave.mode": "problems",
 }

frontend/jest.config.ts

@@ -22,6 +22,7 @@ const config: Config = {
   ...baseJestConfig,
 
   coveragePathIgnorePatterns: [
+    ...(baseJestConfig.coveragePathIgnorePatterns ?? []),
     '.types.ts',
     'layout.tsx',
     'container.tsx',