Initial commit

Author: jrdh

.commitlintrc.yml

@@ -0,0 +1,14 @@
+extends:
+  - '@commitlint/config-conventional'
+rules:
+  type-enum: [2, 'always', [
+    'build',
+    'docs',
+    'feat',
+    'fix',
+    'perf',
+    'refactor',
+    'revert',
+    'test'
+  ]]
+  scope-empty: [0, 'never']

.editorconfig

@@ -0,0 +1,19 @@
+# EditorConfig is awesome: https://editorconfig.org
+
+# top-most EditorConfig file
+root = true
+
+[{*,*.{js, json, md, mjs, yaml, yml}}]
+indent_style = space
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+indent_size = 2
+
+[docs/**/*.md]
+# turn off max line length on docs markdown files because line breaks have meaning in the docs when rendered by 11ty
+max_line_length = off
+
+[*.js]
+max_line_length = 88

.github/dependabot.yml

@@ -0,0 +1,20 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "build"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "build"

.github/workflows/codeql.yml

@@ -0,0 +1,101 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "main", "sandbox" ]
+  pull_request:
+    branches: [ "main", "sandbox" ]
+  schedule:
+    - cron: '41 9 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v5
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/fast-forward-pr-merge-init.md

@@ -0,0 +1,76 @@
+# GitHub Actions Workflow: `fast-forward-pr-merge-init.yml`
+
+This document explains the purpose, logic, and security rationale behind the [`.github/workflows/fast-forward-pr-merge-init.yml`][1] workflow in this repository.
+
+## Overview
+
+This workflow is the **first phase** of a two-phase secure PR merge process designed to control and secure the merging of pull requests (PRs) via the addition of a special `fast-forward` label to a pull request. It ensures that only users with sufficient repository permissions (`write` or `admin`) can trigger a merge, and provides clear feedback to users who lack the required permissions.
+
+If the user passes these checks, a second workflow, [`fast-forward-pr-merge-privileged.yml`][2], is triggered to perform the actual fast-forward merge and post the final result.
+
+It is especially important when accepting contributions from external users via a forked repository, which is how most open source contributions are made.
+
+## When Does This Workflow Run?
+
+The workflow is triggered when a pull request receives the `fast-forward` label (`pull_request` event, type `labeled`).
+
+## What Does the Workflow Do?
+
+### 1. Checks User Permissions
+
+- The workflow determines the GitHub username of the user who added the label.
+- It uses the GitHub CLI (`gh api`) to fetch the user's permission level on the repository (e.g., `read`, `triage`, `write`, `maintain`, `admin`).
+- The permission is stored for use in later steps.
+
+### 2. Handles Insufficient Permissions
+
+- If the user **DOES NOT** have `write` or `admin` permissions:
+  - The workflow fails with a clear error message, preventing any further merge automation.
+  - The privileged workflow (second phase) will post a comment on the PR stating that the user does not have permission to merge the PR and should contact a member of the [API Standards Team][3] for assistance.
+
+### 3. Event Payload Publishing
+
+- If the user **DOES** have `write` or `admin` permissions:
+  - The workflow saves the full event payload (the GitHub event data) as an artifact for use with the second phase of the workflow, but it's also useful for auditing or debugging purposes.
+
+## Why Is This Workflow Needed?
+
+- **True Fast-Forward Merges:** GitHub's "Rebase and merge" option is not a true fast-forward merge. Instead, it rewrites commit SHAs and the process strips any commit signatures, which can break commit verification and audit trails. This workflow enables a genuine fast-forward merge, preserving original commit SHAs and signatures (at least until GitHub support a true fast-forward merge).
+  - See: [GitHub Docs – About merge methods on GitHub][4]
+  - See: [GitHub Community - Feature Request: Only allow for --ff merges for PRs][5]
+  - See: [GitHub Community – GPG signature lost when merging a PR][6]
+
+- **Preserves Conventional Commit History:** True fast-forward merges retain the original commits and their message structure intact, which is especially valuable for our adoption of [Conventional Commits][7]. Unlike GitHub's `squash-merges` which combine all changes into a single commit with limited control over the structure of the final commit message (making it difficult to ensure it adheres to the conventional commit standard). This enables automated changelog generation, better traceability of features and fixes, and more meaningful project history.
+
+## Why is the Workflow Split into Two Phases?
+
+Splitting the merge process into two distinct workflows is a best practice for securing GitHub Actions, especially when privileged operations (like merging to a protected branch) are involved. This approach is recommended by GitHub Security Lab and is designed to mitigate several classes of vulnerabilities:
+
+### Security Boundaries
+
+By separating the unprivileged (label-triggered) phase from the privileged (merge-executing) phase, you create a strong security boundary. The first workflow runs with minimal permissions and only performs checks and artifact publishing. The second, privileged workflow (triggered by `workflow_run`) runs with elevated permissions and only after all checks have passed.
+
+### Prevents Privilege Escalation
+
+If a single workflow both checked permissions and performed the merge, an attacker could potentially exploit timing or event confusion such as **Time Of Check to Time Of Use** ([TOCTOU][8]) attacks to escalate privileges or inject malicious code between steps. By splitting the workflows, the privileged phase only runs after the unprivileged phase has completed and its outputs (artifacts) are validated.
+
+### Mitigates Artifact Poisoning
+
+Artifacts passed from the unprivileged to the privileged workflow are treated as untrusted. This separation allows you to validate and sanitise any data before it is used in a privileged context, reducing the risk of artifact poisoning attacks.
+
+### Reduces Risk from Untrusted Triggers
+
+Triggers like `issue_comment` or `pull_request_target` can be abused by attackers to execute workflows with elevated permissions. By using a label gate and a two-phase approach, you ensure that only trusted actors (with `write` or `admin` permissions) can initiate the privileged merge, and that the code being merged is exactly what was reviewed and approved.
+
+### Aligns with GitHub Security Guidance
+
+GitHub’s own security research recommends splitting workflows into unprivileged and privileged components, using `workflow_run` as a secure handoff point. This pattern is now widely adopted in the open source community to prevent supply chain attacks and workflow abuse.
+
+[1]: ./.github/workflows/fast-forward-pr-merge-init.yml
+[2]: ./fast-forward-pr-merge-privileged.md
+[3]: https://github.com/orgs/ukhsa-collaboration/teams/api-standards-team
+[4]: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github#rebasing-and-merging-your-commits
+[5]: https://github.com/orgs/community/discussions/4618
+[6]: https://github.com/orgs/community/discussions/10410
+[7]: https://www.conventionalcommits.org/
+[8]: https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use

.github/workflows/fast-forward-pr-merge-init.yml

@@ -0,0 +1,52 @@
+name: Fast Forward PR Merge Initialise
+
+on:
+  pull_request:
+    types: [labeled]
+
+    branches:
+      - main
+
+jobs:
+  initialise-workflow:
+    if: |
+      github.event.label.name == 'fast-forward' &&
+      !github.event.pull_request.closed_at &&
+      github.event.pull_request.state == 'open'
+
+    name: Initialise Workflow
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+
+    env:
+      USERNAME: ${{ github.actor }}
+
+    steps:
+
+      - name: Get permissions
+        id: permission
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_API_VERSION: '2022-11-28'
+        run: |
+          echo "Fetching permissions for user: $USERNAME"
+          RESPONSE=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: $GH_API_VERSION" \
+            repos/$GITHUB_REPOSITORY/collaborators/$USERNAME/permission | jq -r .permission)
+          echo "Permission: $RESPONSE"
+          echo "permission=$RESPONSE" >> $GITHUB_OUTPUT
+
+      - name: Set failure message
+        uses: actions/github-script@v8
+        if: ${{ steps.permission.outputs.permission != 'write' && steps.permission.outputs.permission != 'admin' }}
+        with:
+          script: core.setFailed("You do not have permission to merge this PR. Please contact a member of ${{ github.server_url }}/orgs/${{ github.repository_owner }}/teams/api-standards-team for assistance.");
+
+      - name: Upload Event Artifact
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: event-artifact
+          path: ${{ github.event_path }}

.github/workflows/fast-forward-pr-merge-privileged.md

@@ -0,0 +1,60 @@
+# GitHub Actions Workflow: `fast-forward-pr-merge-privileged.yml`
+
+This document explains the purpose, logic, and security rationale behind the [`.github/workflows/fast-forward-pr-merge-privileged.yml`][1] workflow in this repository.
+
+## Purpose and Overview
+
+This workflow is the **second phase** of a two-phase pull request (PR) merge process. It works in tandem with the [`fast-forward-pr-merge-init.yml`][2] workflow to allow privileged users to trigger a fast-forward merge of a PR by adding the `fast-forward` label to an open pull request.
+
+The workflow ensures that only users with `write` or `admin` permissions can perform this action, and that the PR is in a clean, mergeable state. It provides clear feedback to users and maintains a full audit trail of the event and actions taken.
+
+## How Does It Work?
+
+### 1. Triggering
+
+- The workflow is triggered by a `workflow_run` event, specifically when the `Fast Forward PR Merge Initialise` workflow completes.
+- It only proceeds if the initial workflow succeeded and the event was an `pull_request` being labelled with `fast-forward` and is still open.
+
+### 2. Importing and Validating Event Data
+
+- Downloads the event artifact created by the initial workflow, which contains the full GitHub event payload (including the PR and label details).
+
+### 3. On Failure
+
+- If the initial workflow failed, this job posts a failure comment to the PR, sets a failure status, and removes the `fast-forward` label.
+
+### 4. On Success and Permission Check
+
+- If the initial workflow succeeded and the PR is still open and labelled correctly:
+  - Checks the permissions of the user who triggered the label.
+  - If the user does **not** have `write` or `admin` permissions at the time of merge, posts a failure comment and removes the label.
+
+### 5. Fast-Forward Merging
+
+- If all checks pass and the PR is in a `clean` (mergeable) state:
+  - Checks out the incoming PR branch and the base branch.
+  - Rebases the base branch onto the PR branch (fast-forward merge).
+  - Pushes the updated base branch to GitHub.
+- If the PR is not mergeable (e.g., conflicts), it does not attempt the merge and posts a failure comment.
+- After any attempt, the `fast-forward` label is removed from the PR.
+
+### 6. Feedback and Audit Trail
+
+- Posts a comment on the PR indicating success or failure, with a link to the workflow run for details.
+- Maintains a full audit trail by saving event data and merge results.
+
+## Why Is This Workflow Needed?
+
+- **True Fast-Forward Merges:** GitHub's "Rebase and merge" option is not a true fast-forward merge. Instead, it rewrites commit SHAs and the process strips any commit signatures, which can break commit verification and audit trails. This workflow enables a genuine fast-forward merge, preserving original commit SHAs and signatures (at least until GitHub supports a true fast-forward merge).
+  - See: [GitHub Docs – About merge methods on GitHub][3]
+  - See: [GitHub Community - Feature Request: Only allow for --ff merges for PRs][4]
+  - See: [GitHub Community – GPG signature lost when merging a PR][5]
+
+- **Preserves Conventional Commit History:** True fast-forward merges retain the original commits and their message structure intact, which is especially valuable for our adoption of [Conventional Commits][6]. Unlike GitHub's `squash-merges` which combine all changes into a single commit with limited control over the structure of the final commit message (making it difficult to ensure it adheres to the conventional commit standard). This enables automated changelog generation, better traceability of features and fixes, and more meaningful project history.
+
+[1]: ./fast-forward-pr-merge-privileged.yml
+[2]: ./fast-forward-pr-merge-init.md
+[3]: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github#rebasing-and-merging-your-commits
+[4]: https://github.com/orgs/community/discussions/4618
+[5]: https://github.com/orgs/community/discussions/10410
+[6]: https://www.conventionalcommits.org/