Merge branch 'main' into feature/CCM-14615_unit-test-quickening

Author: Ian-Hodges

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,7 +25,7 @@
 - [ ] I have added tests to cover my changes
 - [ ] I have updated the documentation accordingly
 - [ ] This PR is a result of pair or mob programming
-- [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR.
+<!-- - [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR. TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 -->
 
 ---
 

.github/actions/acceptance-tests/action.yaml

@@ -60,7 +60,7 @@ runs:
         ENVIRONMENT: ${{ inputs.targetEnvironment }}
     - name: Archive integration test results
       if: ${{ inputs.testType == 'integration' }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: Integration test report
         path: "tests/playwright/playwright-report"

.github/actions/build-docs/action.yml

@@ -14,7 +14,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
     - uses: ./.github/actions/node-install
       with:
         node-version: ${{ inputs.node-version }}
@@ -24,15 +24,15 @@ runs:
       run: npm ci
       shell: bash
     - name: Setup Ruby
-      uses: ruby/setup-ruby@v1.267.0
+      uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
       with:
         ruby-version: "3.4.7" # Not needed with a .ruby-version file
         bundler-cache: true # Enable automatic gem caching
         cache-version: 0 # Increment this number if you need to re-download cached gems
         working-directory: "./docs"
     - name: Setup Pages
       id: pages
-      uses: actions/configure-pages@v5
+      uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
     - name: Build with Jekyll
       working-directory: ./docs
       # Outputs to the './_site' directory by default
@@ -45,7 +45,7 @@ runs:
         VERSION: ${{ inputs.version }}
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
-      uses: actions/upload-pages-artifact@v3
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
       with:
         path: "docs/_site/"
         name: jekyll-docs-${{ inputs.version }}
@@ -55,7 +55,7 @@ runs:
       shell: bash
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         path: "artifact.tar"
         name: schemas-${{ inputs.version }}

.github/actions/build-schemas/action.yml

@@ -8,8 +8,8 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: 18
 
@@ -28,7 +28,7 @@ runs:
       shell: bash
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         path: "artifact.tar"
         name: schemas-${{ inputs.version }}

.github/actions/create-lines-of-code-report/action.yaml

@@ -33,7 +33,7 @@ runs:
       run: zip lines-of-code-report.json.zip lines-of-code-report.json
     - name: "Upload CLOC report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: lines-of-code-report.json.zip
         path: ./lines-of-code-report.json.zip
@@ -45,7 +45,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/node-install/action.yaml

@@ -13,7 +13,7 @@ runs:
   using: 'composite'
   steps:
     - name: 'Use Node.js'
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
       with:
         node-version: '${{ inputs.node-version }}'
         cache: 'npm'

.github/actions/scan-dependencies/action.yaml

@@ -33,7 +33,7 @@ runs:
       run: zip sbom-repository-report.json.zip sbom-repository-report.json
     - name: "Upload SBOM report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: sbom-repository-report.json.zip
         path: ./sbom-repository-report.json.zip
@@ -49,7 +49,7 @@ runs:
       run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
     - name: "Upload vulnerabilities report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: vulnerabilities-repository-report.json.zip
         path: ./vulnerabilities-repository-report.json.zip
@@ -60,7 +60,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/trivy-iac/action.yaml

@@ -1,19 +1,20 @@
-name: "Trivy IaC Scan"
-description: "Scan Terraform IaC using Trivy"
-runs:
-  using: "composite"
-  steps:
-    - name: "Trivy Terraform IaC Scan"
-      shell: bash
-      run: |
-        components_exit_code=0
-        modules_exit_code=0
-        asdf plugin add trivy || true
-        asdf install trivy || true
-        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
-        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy IaC Scan"
+# description: "Scan Terraform IaC using Trivy"
+# runs:
+#   using: "composite"
+#   steps:
+#     - name: "Trivy Terraform IaC Scan"
+#       shell: bash
+#       run: |
+#         components_exit_code=0
+#         modules_exit_code=0
+#         asdf plugin add trivy || true
+#         asdf install trivy || true
+#         ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+#         ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
 
-        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
-          echo "Trivy misconfigurations detected."
-          exit 1
-        fi
+#         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+#           echo "Trivy misconfigurations detected."
+#           exit 1
+#         fi

.github/actions/trivy-package/action.yaml

@@ -1,17 +1,18 @@
-name: "Trivy Package Scan"
-description: "Scan project packages using Trivy"
-runs:
-  using: "composite"
-  steps:
-    - name: "Trivy Package Scan"
-      shell: bash
-      run: |
-        exit_code=0
-        asdf plugin add trivy || true
-        asdf install trivy || true
-        ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy Package Scan"
+# description: "Scan project packages using Trivy"
+# runs:
+#   using: "composite"
+#   steps:
+#     - name: "Trivy Package Scan"
+#       shell: bash
+#       run: |
+#         exit_code=0
+#         asdf plugin add trivy || true
+#         asdf install trivy || true
+#         ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
 
-        if [ $exit_code -ne 0 ]; then
-          echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
-          exit 1
-        fi
+#         if [ $exit_code -ne 0 ]; then
+#           echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+#           exit 1
+#         fi

.github/workflows/cicd-1-pull-request.yaml

@@ -36,10 +36,11 @@ jobs:
       is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
       pr_number: ${{ steps.pr_exists.outputs.pr_number }}
-      skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: "Set CI/CD variables"
         id: variables
         run: |
@@ -76,26 +77,27 @@ jobs:
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
             echo "pr_number=" >> $GITHUB_OUTPUT
           fi
-      - name: "Determine if Trivy package scan should be skipped"
-        id: skip_trivy
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
-        run: |
-          if [[ -z "$PR_NUMBER" ]]; then
-            echo "No pull request detected; Trivy package scan will run."
-            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
-            exit 0
-          fi
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # - name: "Determine if Trivy package scan should be skipped"
+      #   id: skip_trivy
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #     PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+      #   run: |
+      #     if [[ -z "$PR_NUMBER" ]]; then
+      #       echo "No pull request detected; Trivy package scan will run."
+      #       echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+      #       exit 0
+      #     fi
 
-          labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
-          echo "Labels on PR #$PR_NUMBER: $labels"
+      #     labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+      #     echo "Labels on PR #$PR_NUMBER: $labels"
 
-          if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
-            echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
-          else
-            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
-          fi
+      #     if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
+      #       echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
+      #     else
+      #       echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+      #     fi
       - name: "List variables"
         run: |
           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
@@ -119,7 +121,8 @@ jobs:
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
-      skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
   #    secrets: inherit
@@ -160,7 +163,7 @@ jobs:
       id-token: write
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     steps:
-      - uses: actions/checkout@v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Trigger dynamic environment creation
         env:
           APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}