CCM-11327: Update client config schema for MVP

.github/actions/build-docs/action.yml

@@ -9,12 +9,17 @@ runs:
   steps:
     - name: Checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+    - name: Setup pnpm
+      uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      with:
+        version: 10.33.0
+        cache: true
     - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: 18
-    - name: Npm cli install
-      working-directory: ./docs
-      run: npm ci
+        cache: pnpm
+    - name: Install node dependencies
+      run: pnpm install --frozen-lockfile
       shell: bash
     - name: Setup Ruby
       uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1

.github/actions/create-lines-of-code-report/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Create CLOC report"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-lines-of-code-report.sh
     - name: "Compress CLOC report"
       shell: bash
@@ -40,8 +41,15 @@ runs:
     - name: "Check prerequisites for sending the report"
       shell: bash
       id: check
+      env:
+        ROLE_NAME: ${{ inputs.idp_aws_report_upload_role_name }}
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
       run: |
-        echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+        if [[ -n "$ROLE_NAME" && -n "$BUCKET_ENDPOINT" ]]; then
+          echo "secrets_exist=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "secrets_exist=false" >> "$GITHUB_OUTPUT"
+        fi
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
       uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
@@ -51,7 +59,10 @@ runs:
     - name: "Send the CLOC report to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./lines-of-code-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-lines-of-code-report.json.zip"

.github/actions/perform-static-analysis/action.yaml

@@ -16,13 +16,21 @@ runs:
     - name: "Check prerequisites for performing static analysis"
       shell: bash
       id: check
-      run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT
+      env:
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
+      run: |
+        if [[ -n "$SONAR_TOKEN" ]]; then
+          echo "secret_exist=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "secret_exist=false" >> "$GITHUB_OUTPUT"
+        fi
     - name: "Perform static analysis"
       shell: bash
       if: steps.check.outputs.secret_exist == 'true'
+      env:
+        SONAR_ORGANISATION_KEY: ${{ inputs.sonar_organisation_key }}
+        SONAR_PROJECT_KEY: ${{ inputs.sonar_project_key }}
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
       run: |
         export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
-        export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }}
-        export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }}
-        export SONAR_TOKEN=${{ inputs.sonar_token }}
         ./scripts/reports/perform-static-analysis.sh

.github/actions/scan-dependencies/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Generate SBOM"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-sbom-report.sh
     - name: "Compress SBOM report"
       shell: bash
@@ -39,8 +40,9 @@ runs:
         retention-days: 21
     - name: "Scan vulnerabilities"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/scan-vulnerabilities.sh
     - name: "Compress vulnerabilities report"
       shell: bash
@@ -55,7 +57,15 @@ runs:
     - name: "Check prerequisites for sending the reports"
       shell: bash
       id: check
-      run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+      env:
+        ROLE_NAME: ${{ inputs.idp_aws_report_upload_role_name }}
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+      run: |
+        if [[ -n "$ROLE_NAME" && -n "$BUCKET_ENDPOINT" ]]; then
+          echo "secrets_exist=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "secrets_exist=false" >> "$GITHUB_OUTPUT"
+        fi
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
       uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
@@ -65,10 +75,13 @@ runs:
     - name: "Send the SBOM and vulnerabilities reports to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./sbom-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-sbom-repository-report.json.zip"
         aws s3 cp \
           ./vulnerabilities-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-vulnerabilities-repository-report.json.zip"

.github/scripts/dispatch_internal_repo_workflow.sh

@@ -50,6 +50,7 @@ Usage:
     [--overrideProjectName <name>] \
     [--overrideRoleName <name>]
 EOF
+  return 0
 }
 
 require_arg() {
@@ -61,6 +62,8 @@ require_arg() {
     usage
     exit 1
   fi
+
+  return 0
 }
 
 while [[ $# -gt 0 ]]; do
@@ -110,7 +113,7 @@ while [[ $# -gt 0 ]]; do
       shift 2
       ;;
     *)
-    echo "[ERROR] Unknown argument: $1"
+    echo "[ERROR] Unknown argument: $1" >&2
       exit 1
       ;;
   esac
@@ -124,20 +127,23 @@ require_arg "--targetComponent" "${targetComponent:-}"
 require_arg "--targetAccountGroup" "${targetAccountGroup:-}"
 
 if [[ -z "$APP_PEM_FILE" ]]; then
-  echo "[ERROR] PEM_FILE environment variable is not set or is empty."
+  echo "[ERROR] PEM_FILE environment variable is not set or is empty." >&2
   exit 1
 fi
 
 if [[ -z "$APP_CLIENT_ID" ]]; then
-  echo "[ERROR] CLIENT_ID environment variable is not set or is empty."
+  echo "[ERROR] CLIENT_ID environment variable is not set or is empty." >&2
   exit 1
 fi
 
 now=$(date +%s)
 iat=$((${now} - 60)) # Issues 60 seconds in the past
 exp=$((${now} + 600)) # Expires 10 minutes in the future
 
-b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+b64enc() {
+  openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'
+  return 0
+}
 
 header_json='{
     "typ":"JWT",
@@ -178,7 +184,7 @@ PR_TRIGGER_PAT=$(curl --request POST \
 
 # Set default values if not provided
 if [[ -z "$PR_TRIGGER_PAT" ]]; then
-  echo "[ERROR] PR_TRIGGER_PAT environment variable is not set or is empty."
+  echo "[ERROR] PR_TRIGGER_PAT environment variable is not set or is empty." >&2
   exit 1
 fi
 
@@ -244,7 +250,7 @@ trigger_response=$(curl -s -L \
   -d "$DISPATCH_EVENT" 2>&1)
 
 if [[ $? -ne 0 ]]; then
-  echo "[ERROR] Failed to trigger workflow. Response: $trigger_response"
+  echo "[ERROR] Failed to trigger workflow. Response: $trigger_response" >&2
   exit 1
 fi
 
@@ -264,8 +270,8 @@ for _ in {1..18}; do
     "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs?event=workflow_dispatch")
 
   if ! echo "$response" | jq empty 2>/dev/null; then
-    echo "[ERROR] Invalid JSON response from GitHub API during workflow polling:"
-    echo "$response"
+    echo "[ERROR] Invalid JSON response from GitHub API during workflow polling:" >&2
+    echo "$response" >&2
     exit 1
   fi
 
@@ -303,7 +309,7 @@ for _ in {1..18}; do
 done
 
 if [[ -z "$workflow_run_url" || "$workflow_run_url" == null ]]; then
-  echo "[ERROR] Failed to get the workflow run url. Exiting."
+  echo "[ERROR] Failed to get the workflow run url. Exiting." >&2
   exit 1
 fi
 
@@ -318,21 +324,21 @@ while true; do
   status=$(echo "$response" | jq -r '.status')
   echo "[$(date '+%Y-%m-%d %H:%M:%S')] Workflow status: $status"
 
-  if [ "$status" == "completed" ]; then
+  if [[ "$status" == "completed"  ]]; then
     conclusion=$(echo "$response" | jq -r '.conclusion')
     echo "[$(date '+%Y-%m-%d %H:%M:%S')] Workflow conclusion: $conclusion"
 
-    if [ -z "$conclusion" ] || [ "$conclusion" == "null" ]; then
+    if [[ -z "$conclusion" || "$conclusion" == "null" ]]; then
       echo "[WARN] Workflow marked completed but conclusion not yet available, retrying..."
       sleep 5
       continue
     fi
 
-    if [ "$conclusion" == "success" ]; then
+    if [[ "$conclusion" == "success"  ]]; then
       echo "[SUCCESS] Workflow completed successfully!"
       exit 0
     else
-      echo "[FAIL] Workflow failed with conclusion: $conclusion"
+      echo "[FAIL] Workflow failed with conclusion: $conclusion" >&2
       exit 1
     fi
   fi

.github/workflows/cicd-1-pull-request.yaml

@@ -26,6 +26,7 @@ jobs:
       build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
       build_epoch: ${{ steps.variables.outputs.build_epoch }}
       nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
+      pnpm_version: ${{ steps.variables.outputs.pnpm_version }}
       python_version: ${{ steps.variables.outputs.python_version }}
       terraform_version: ${{ steps.variables.outputs.terraform_version }}
       version: ${{ steps.variables.outputs.version }}
@@ -46,6 +47,7 @@ jobs:
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
           echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "pnpm_version=$(grep "^pnpm\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "version=$(echo $version)" >> $GITHUB_OUTPUT
@@ -59,7 +61,12 @@ jobs:
           branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
           echo "Current branch is '$branch_name'"
 
-          pr_json=$(gh pr list --head "$branch_name" --state open --json number --limit 1)
+          pr_json=$(gh pr list \
+            --repo "$GITHUB_REPOSITORY" \
+            --head "$branch_name" \
+            --state open \
+            --json number \
+            --limit 1)
           pr_number=$(echo "$pr_json" | jq -r '.[0].number // empty')
 
           if [[ -n "$pr_number" ]]; then
@@ -79,6 +86,7 @@ jobs:
           export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}"
           export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
           export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
+          export PNPM_VERSION="${{ steps.variables.outputs.pnpm_version }}"
           export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
           export VERSION="${{ steps.variables.outputs.version }}"
           export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
@@ -88,12 +96,20 @@ jobs:
     name: "Commit stage"
     needs: [metadata]
     uses: ./.github/workflows/stage-1-commit.yaml
+    permissions:
+      id-token: write
+      contents: write
+      issues: read
+      packages: read
+      pull-requests: read
     with:
       build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
       build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      pnpm_version: "${{ needs.metadata.outputs.pnpm_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
+      pr_number: "${{ needs.metadata.outputs.pr_number }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
@@ -106,6 +122,7 @@ jobs:
       build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      pnpm_version: "${{ needs.metadata.outputs.pnpm_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
@@ -120,6 +137,7 @@ jobs:
       build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      pnpm_version: "${{ needs.metadata.outputs.pnpm_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
@@ -134,8 +152,8 @@ jobs:
       build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      pnpm_version: "${{ needs.metadata.outputs.pnpm_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
-      pr_number: ${{ needs.metadata.outputs.pr_number }}
     secrets: inherit