CCM-13342: Build changes

Author: nhsd-angel-pastor

.devcontainer/devcontainer.json

@@ -2,9 +2,9 @@
   "containerEnv": {
     "GITHUBMONITOR": "false",
     "MAKECONFIG": "true",
-    "SHOWWELCOME": "true",
+    "SHOWWELCOME": "false",
     "UPDATEFROMTEMPLATE": "false"
   },
-  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded-codespaces:main",
-  "name": "Codespaces Online Development"
+  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded-codespaces:1.0.19",
+  "name": "Codespaces"
 }

.devcontainer/local-dev/devcontainer.json

@@ -0,0 +1,11 @@
+{
+  "containerEnv": {
+    "GITHUBMONITOR": "false",
+    "MAKECONFIG": "true",
+    "SHOWWELCOME": "false",
+    "UPDATEFROMTEMPLATE": "false"
+  },
+  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded:1.0.19",
+  "name": "Local Development",
+  "postStartCommand": "mkdir -p ~/.gnupg && echo '## 1-day timeout' > ~/.gnupg/gpg-agent.conf && echo 'default-cache-ttl 86400' >> ~/.gnupg/gpg-agent.conf && echo 'max-cache-ttl 86400' >> ~/.gnupg/gpg-agent.conf && gpg-connect-agent reloadagent /bye 2>/dev/null || true"
+}

.devcontainer/ubuntu/devcontainer.json

@@ -0,0 +1,4 @@
+{
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
+  "name": "Ubuntu 24"
+}

.github/actions/build-docs/action.yml

@@ -9,31 +9,21 @@ runs:
   steps:
     - name: Checkout
       uses: actions/checkout@v5
-    - uses: actions/setup-node@v6
-      with:
-        node-version: 24
-    - name: Npm cli install
-      working-directory: ./docs
-      run: npm ci
-      shell: bash
-    - name: Setup Ruby
-      uses: ruby/setup-ruby@v1.267.0
-      with:
-        ruby-version: "3.4.7" # Not needed with a .ruby-version file
-        bundler-cache: false # runs 'bundle install' and caches installed gems automatically
-        #cache-version: 0 # Increment this number if you need to re-download cached gems
-        working-directory: "./docs"
+
+    - name: "Setup dependencies and asdf with cache"
+      uses: ./.github/actions/setup-dependencies-asdf-with-cache
     - name: Setup Pages
       id: pages
       uses: actions/configure-pages@v5
     - name: Build with Jekyll
       working-directory: ./docs
       # Outputs to the './_site' directory by default
       shell: bash
-      run: make build-ci BASE_URL=${{ steps.pages.outputs.base_path }} VERSION=${{ inputs.version }}
-      #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
+      run: make build BASE_URL="${BASE_URL}" VERSION="${VERSION}"
       env:
         JEKYLL_ENV: production
+        BASE_URL: ${{ steps.pages.outputs.base_path }}
+        VERSION: ${{ inputs.version }}
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
       uses: actions/upload-pages-artifact@v3

.github/actions/create-lines-of-code-report/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Create CLOC report"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-lines-of-code-report.sh
     - name: "Compress CLOC report"
       shell: bash
@@ -51,7 +52,10 @@ runs:
     - name: "Send the CLOC report to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./lines-of-code-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-lines-of-code-report.json.zip"

.github/actions/scan-dependencies/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Generate SBOM"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-sbom-report.sh
     - name: "Compress SBOM report"
       shell: bash
@@ -39,8 +40,9 @@ runs:
         retention-days: 21
     - name: "Scan vulnerabilities"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/scan-vulnerabilities.sh
     - name: "Compress vulnerabilities report"
       shell: bash
@@ -65,10 +67,13 @@ runs:
     - name: "Send the SBOM and vulnerabilities reports to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./sbom-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-sbom-repository-report.json.zip"
         aws s3 cp \
           ./vulnerabilities-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-vulnerabilities-repository-report.json.zip"

.github/actions/setup-dependencies-asdf-with-cache/action.yml

@@ -0,0 +1,48 @@
+name: 'Setup depenasdf with cache'
+description: 'Restores asdf cache, installs dependencies, and saves cache'
+runs:
+  using: "composite"
+  steps:
+    - name: "Restore asdf cache"
+      id: cache-asdf
+      uses: actions/cache/restore@v4
+      with:
+        path: |
+          ~/.asdf
+        key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+        restore-keys: |
+          ${{ runner.os }}-asdf-
+
+    - name: "Check cache status"
+      shell: bash
+      run: |
+        if [ "${{ steps.cache-asdf.outputs.cache-hit }}" == "true" ]; then
+          echo "✅ Cache hit! asdf and tools restored from cache. 🚀🚀🚀"
+        else
+          echo "❌ Cache miss. asdf and tools will be installed from scratch. 🔨🔨🔨"
+        fi
+
+    - name: "Install dependencies"
+      shell: bash -l {0}
+      run: |
+        make dependencies
+
+    - name: "Save asdf cache"
+      id: save-asdf-cache
+      if: steps.cache-asdf.outputs.cache-hit != 'true'
+      uses: actions/cache/save@v4
+      with:
+        path: |
+          ~/.asdf
+        key: ${{ steps.cache-asdf.outputs.cache-primary-key }}
+
+    - name: "Check cache save status"
+      shell: bash
+      run: |
+        if [ "${{ steps.cache-asdf.outputs.cache-hit }}" == "true" ]; then
+          echo "ℹ️  Cache was restored from previous run - no save needed"
+        elif [ "${{ steps.save-asdf-cache.outcome }}" == "success" ]; then
+          echo "✅ Cache saved successfully for future runs! 💾"
+        else
+          echo "⚠️  Cache save was skipped or failed"
+        fi

.github/workflows/scheduled-repository-template-sync.yaml

@@ -32,7 +32,7 @@ jobs:
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}
-      uses: peter-evans/create-pull-request@v7.0.8
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: Drift from template

.github/workflows/stage-1-commit.yaml

@@ -156,7 +156,7 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v5
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v4
+        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v
       - name: "Perform Setup"
         uses: ./.github/actions/setup
       - name: "Trivy Scan"

.github/workflows/stage-2-test.yaml

@@ -48,21 +48,21 @@ jobs:
   check-generated-dependencies:
     name: "Check generated dependencies"
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
-      - name: "Repo setup"
-        run: |
-          npm ci
+      - name: "Setup dependencies and asdf with cache"
+        uses: ./.github/actions/setup-dependencies-asdf-with-cache
+
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
           git diff --exit-code
   test-unit:
     name: "Unit tests"
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 20
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5