stage-1-commit.yaml
# Reusable "commit stage" workflow. It is invoked by the CI/CD pipeline workflow
# through `workflow_call`; every input declared below is supplied by that caller.
name: "Commit stage"

# `on` looks like a YAML 1.1 boolean; GitHub's loader treats it as the trigger key,
# but generic parsers may read it as `true` (suppress yamllint `truthy` for it).
on:
  workflow_call:
    # All inputs are required strings. Only build_datetime and build_timestamp are
    # referenced by the jobs in this file; the remaining inputs form part of the
    # caller-facing interface and are kept for callers that pass them.
    inputs:
      build_datetime:
        description: "Build datetime, set by the CI/CD pipeline workflow"
        required: true
        type: string
      build_timestamp:
        description: "Build timestamp, set by the CI/CD pipeline workflow"
        required: true
        type: string
      build_epoch:
        description: "Build epoch, set by the CI/CD pipeline workflow"
        required: true
        type: string
      nodejs_version:
        description: "Node.js version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      python_version:
        description: "Python version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      terraform_version:
        description: "Terraform version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      version:
        description: "Version of the software, set by the CI/CD pipeline workflow"
        required: true
        type: string
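jobs:
  scan-secrets:
    name: 'Scan secrets'
    runs-on: ubuntu-latest
    # Least privilege: nothing in this job writes back to GitHub, so only the read
    # access actions/checkout needs is granted (same scope as scan-dependencies).
    # A job without a permissions block inherits whatever token scope the calling
    # workflow holds. Extend this block if the composite action is later found to
    # need more than the checkout.
    permissions:
      contents: read
    timeout-minutes: 2
    steps:
      - name: 'Checkout code'
        # Pinned to a full commit SHA (tag recorded in the trailing comment) so a
        # moved or re-pointed tag cannot change what runs here.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # By default, the checkout action just checks out the latest commit, creating a "shallow" clone.
          # If we only scanned the latest commit, we might miss leaks that are not in the latest commit
          # but are still present in previous commits on the branch.
          #
          # We don't want to checkout (and scan) the entire repository though, because that would mean
          # 'bad' commits (including false-positives) block the CI for unrelated PRs, even if they're not
          # on main, or part of the new branch.
          #
          # To keep PRs independent of each other, we can fetch with an "infinite" depth, rather than
          # the special 0 value of actions/checkout, which means "fetch all history for all tags and branches"
          #
          # YAML reads the hex literal below as the integer 2147483647; the action
          # receives it as that decimal string.
          fetch-depth: 0x7fffffff # INFINITE_DEPTH
      - name: 'Scan secrets'
        uses: ./.github/actions/scan-secrets

  scan-dependencies:
    name: 'Scan dependencies'
    runs-on: ubuntu-latest
    # id-token: write lets this job request an OIDC token; presumably the composite
    # action uses it to assume the AWS role named by idp_aws_report_upload_role_name
    # when uploading the report — confirm against the action.
    permissions:
      id-token: write
      contents: read
    timeout-minutes: 2
    steps:
      - name: 'Checkout code'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: 'Scan dependencies'
        uses: ./.github/actions/scan-dependencies
        # The `secrets.*` values below are only populated when the calling workflow
        # passes them (`secrets: inherit` or explicitly). This workflow declares no
        # `secrets:` under `workflow_call`, so a missing secret expands to an empty
        # string rather than failing validation; declaring them as required secrets
        # would surface that earlier — verify callers before tightening.
        with:
          build_datetime: '${{ inputs.build_datetime }}'
          build_timestamp: '${{ inputs.build_timestamp }}'
          idp_aws_report_upload_account_id: '${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}'
          idp_aws_report_upload_region: '${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}'
          idp_aws_report_upload_role_name: '${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}'
          idp_aws_report_upload_bucket_endpoint: '${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}'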