updates.

Author: RossBugginsNHS

.coverage

@@ -2,9 +2,9 @@
   "containerEnv": {
     "GITHUBMONITOR": "false",
     "MAKECONFIG": "true",
-    "SHOWWELCOME": "true",
+    "SHOWWELCOME": "false",
     "UPDATEFROMTEMPLATE": "false"
   },
-  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded-codespaces:main",
-  "name": "Codespaces Online Development"
+  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded-codespaces:1.0.19",
+  "name": "Codespaces"
 }

.devcontainer/devcontainer.json

@@ -2,10 +2,10 @@
   "containerEnv": {
     "GITHUBMONITOR": "false",
     "MAKECONFIG": "true",
-    "SHOWWELCOME": "true",
+    "SHOWWELCOME": "false",
     "UPDATEFROMTEMPLATE": "false"
   },
-  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded:1.0.17",
-  "name": "Notify Loaded 1.0.17",
+  "image": "ghcr.io/nhsdigital/nhs-notify-devcontainer-loaded:1.0.19",
+  "name": "Local Development",
   "postStartCommand": "mkdir -p ~/.gnupg && echo '## 1-day timeout' > ~/.gnupg/gpg-agent.conf && echo 'default-cache-ttl 86400' >> ~/.gnupg/gpg-agent.conf && echo 'max-cache-ttl 86400' >> ~/.gnupg/gpg-agent.conf && gpg-connect-agent reloadagent /bye 2>/dev/null || true"
 }

…fy-devcontainer-loaded/devcontainer.json .devcontainer/local-dev/devcontainer.json.devcontainer/nhs-notify-devcontainer-loaded/devcontainer.json renamed to .devcontainer/local-dev/devcontainer.json .devcontainer/nhs-notify-devcontainer-loaded/devcontainer.json renamed to .devcontainer/local-dev/devcontainer.json

@@ -0,0 +1,4 @@
+{
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
+  "name": "Ubuntu 24"
+}

.devcontainer/ubuntu/devcontainer.json

@@ -9,31 +9,39 @@ runs:
   steps:
     - name: Checkout
       uses: actions/checkout@v5
-    - uses: actions/setup-node@v6
-      with:
-        node-version: 24
-    - name: Npm cli install
-      working-directory: ./docs
-      run: npm ci
-      shell: bash
-    - name: Setup Ruby
-      uses: ruby/setup-ruby@v1.267.0
-      with:
-        ruby-version: "3.4.7" # Not needed with a .ruby-version file
-        bundler-cache: false # runs 'bundle install' and caches installed gems automatically
-        #cache-version: 0 # Increment this number if you need to re-download cached gems
-        working-directory: "./docs"
+
+    - name: "Setup dependencies and asdf with cache"
+      uses: ./.github/actions/setup-dependencies-asdf-with-cache
+
+    # - uses: actions/setup-node@v6
+    #   with:
+    #     node-version: 24
+    # - name: Npm cli install
+    #   working-directory: ./docs
+    #   run: npm ci
+    #   shell: bash
+    # - name: Setup Ruby
+    #   uses: ruby/setup-ruby@v1.267.0
+    #   with:
+    #     ruby-version: "3.4.7" # Not needed with a .ruby-version file
+    #     bundler-cache: false # runs 'bundle install' and caches installed gems automatically
+    #     #cache-version: 0 # Increment this number if you need to re-download cached gems
+    #     working-directory: "./docs"
+
     - name: Setup Pages
       id: pages
       uses: actions/configure-pages@v5
     - name: Build with Jekyll
       working-directory: ./docs
       # Outputs to the './_site' directory by default
       shell: bash
-      run: make build-ci BASE_URL=${{ steps.pages.outputs.base_path }} VERSION=${{ inputs.version }}
+      #run: make build-ci BASE_URL=${{ steps.pages.outputs.base_path }} VERSION=${{ inputs.version }}
+      run: make build BASE_URL="${BASE_URL}" VERSION="${VERSION}"
       #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
       env:
         JEKYLL_ENV: production
+        BASE_URL: ${{ steps.pages.outputs.base_path }}
+        VERSION: ${{ inputs.version }}
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
       uses: actions/upload-pages-artifact@v3

.github/actions/build-docs/action.yml

@@ -10,6 +10,10 @@ inputs:
   sonar_token:
     description: "Sonar token, the API key"
     required: false
+  fail_on_quality_gate_failure:
+    description: "Whether to fail the build if the quality gate fails"
+    required: false
+    default: "true"
 runs:
   using: "composite"
   steps:
@@ -20,6 +24,7 @@ runs:
     - name: "Perform static analysis"
       shell: bash
       if: steps.check.outputs.secret_exist == 'true'
+      continue-on-error: ${{ inputs.fail_on_quality_gate_failure != 'true' }}
       run: |
         export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
         export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }}

.github/actions/perform-static-analysis/action.yaml

@@ -0,0 +1,48 @@
+name: 'Setup depenasdf with cache'
+description: 'Restores asdf cache, installs dependencies, and saves cache'
+runs:
+  using: "composite"
+  steps:
+    - name: "Restore asdf cache"
+      id: cache-asdf
+      uses: actions/cache/restore@v4
+      with:
+        path: |
+          ~/.asdf
+        key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+        restore-keys: |
+          ${{ runner.os }}-asdf-
+
+    - name: "Check cache status"
+      shell: bash
+      run: |
+        if [ "${{ steps.cache-asdf.outputs.cache-hit }}" == "true" ]; then
+          echo "✅ Cache hit! asdf and tools restored from cache. 🚀🚀🚀"
+        else
+          echo "❌ Cache miss. asdf and tools will be installed from scratch. 🔨🔨🔨"
+        fi
+
+    - name: "Install dependencies"
+      shell: bash -l {0}
+      run: |
+        make dependencies
+
+    - name: "Save asdf cache"
+      id: save-asdf-cache
+      if: steps.cache-asdf.outputs.cache-hit != 'true'
+      uses: actions/cache/save@v4
+      with:
+        path: |
+          ~/.asdf
+        key: ${{ steps.cache-asdf.outputs.cache-primary-key }}
+
+    - name: "Check cache save status"
+      shell: bash
+      run: |
+        if [ "${{ steps.cache-asdf.outputs.cache-hit }}" == "true" ]; then
+          echo "ℹ️  Cache was restored from previous run - no save needed"
+        elif [ "${{ steps.save-asdf-cache.outcome }}" == "success" ]; then
+          echo "✅ Cache saved successfully for future runs! 💾"
+        else
+          echo "⚠️  Cache save was skipped or failed"
+        fi

.github/actions/setup-dependencies-asdf-with-cache/action.yml

@@ -162,10 +162,11 @@ jobs:
     secrets:
       APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
       APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
+
   publish-stage: # Recommended maximum execution time is 10 minutes
     name: "Publish stage"
-    needs: [metadata, acceptance-stage] #PUT THIS BACK WHEN ACCEPTANCE STAGE IS ENABLED
-    #needs: [metadata, build-stage] BYPASSING ACCEPTANCE STAGE
+    needs: [metadata, acceptance-stage]
+    #needs: [metadata, build-stage] #For forks where there is no dynamic environment stage
     uses: ./.github/workflows/stage-5-publish.yaml
     if: (github.event_name == 'push' && github.ref == 'refs/heads/main')
     with:
@@ -177,4 +178,3 @@ jobs:
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
       is_version_prerelease: "${{ needs.metadata.outputs.is_version_prerelease }}"
-#    secrets: inherit

.github/workflows/cicd-1-pull-request.yaml

@@ -0,0 +1,157 @@
+name: "2. CI/CD publish"
+
+on:
+  workflow_dispatch:
+
+
+jobs:
+  metadata:
+    name: "Set CI/CD metadata"
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    outputs:
+      build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }}
+      build_datetime: ${{ steps.variables.outputs.build_datetime }}
+      build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
+      build_epoch: ${{ steps.variables.outputs.build_epoch }}
+      nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
+      python_version: ${{ steps.variables.outputs.python_version }}
+      terraform_version: ${{ steps.variables.outputs.terraform_version }}
+      version: ${{ steps.variables.outputs.version }}
+      is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
+      does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
+      pr_number: ${{ steps.pr_exists.outputs.pr_number }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Set CI/CD variables"
+        id: variables
+        run: |
+          datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
+          BUILD_DATETIME=$datetime make version-create-effective-file dir=.
+          version=$(head -n 1 .version 2> /dev/null || echo unknown)
+          echo "build_datetime_london=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
+          echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
+          echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
+          echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "version=$(echo $version)" >> $GITHUB_OUTPUT
+          echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT
+
+      - name: "Check if pull request exists for this branch"
+        id: pr_exists
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+          echo "Current branch is '$branch_name'"
+
+          pr_json=$(gh pr list --head "$branch_name" --state open --json number --limit 1)
+          pr_number=$(echo "$pr_json" | jq -r '.[0].number // empty')
+
+          if [[ -n "$pr_number" ]]; then
+            echo "Pull request exists: #$pr_number"
+            echo "does_pull_request_exist=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+          else
+            echo "Pull request doesn't exist"
+            echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
+            echo "pr_number=" >> $GITHUB_OUTPUT
+          fi
+
+      - name: "List variables"
+        run: |
+          export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
+          export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}"
+          export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}"
+          export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}"
+          export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
+          export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
+          export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
+          export VERSION="${{ steps.variables.outputs.version }}"
+          export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
+          export IS_VERSION_PRERELEASE="${{ steps.variables.outputs.is_version_prerelease }}"
+          make list-variables
+
+  publish:
+    name: "Publish packages"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: [metadata]
+    env:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+      is_version_prerelease: "${{ needs.metadata.outputs.is_version_prerelease }}"
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+
+      - name: "Get artifacts: jekyll docs"
+        uses: actions/download-artifact@v5
+        with:
+          path: ./artifacts/jekyll-docs-${{ env.version }}
+          name: jekyll-docs-${{ env.version }}
+
+      - name: "Get artifacts: schema"
+        uses: actions/download-artifact@v5
+        with:
+          path: ./artifacts/schemas-${{ env.version }}
+          name: schemas-${{ env.version }}
+
+
+      - name: Draft Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          VERSION: ${{ env.version }}
+          IS_PRERELEASE: ${{ env.is_version_prerelease }}
+        run: |
+          PRERELEASE_FLAG=""
+          if [ "$IS_PRERELEASE" = "true" ]; then
+            PRERELEASE_FLAG="--prerelease"
+          fi
+          gh release create \
+          "$VERSION" \
+          --draft \
+          --latest \
+          --title "$VERSION" \
+          --notes "Release of $VERSION" \
+          $PRERELEASE_FLAG
+
+      - name: "Upload jeykll docs release asset"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          VERSION: ${{ env.version }}
+        run: |
+          cp ./artifacts/jekyll-docs-$VERSION/artifact.tar $RUNNER_TEMP/jekyll-docs-$VERSION.tar
+          gh release upload \
+          "$VERSION" \
+          $RUNNER_TEMP/jekyll-docs-$VERSION.tar#jekyll-docs-$VERSION
+
+      - name: "Upload schema release asset"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          VERSION: ${{ env.version }}
+        run: |
+          cp ./artifacts/schemas-$VERSION/artifact.tar $RUNNER_TEMP/schemas-$VERSION.tar
+          gh release upload \
+          "$VERSION" \
+          $RUNNER_TEMP/schemas-$VERSION.tar#schemas-$VERSION
+
+
+      - name: Publish Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          VERSION: ${{ env.version }}
+        run: gh release edit "$VERSION" --draft=false

.github/workflows/cicd-2-publish.yaml.disabled

@@ -1,11 +1,6 @@
-name: "2. Deploy docs to GitHub Pages"
+name: "3. CI/CD deploy"
 
 on:
-  workflow_run:
-      workflows: ["1. CI/CD pull request"]
-      types:
-        - completed
-      branches: [main]
   workflow_dispatch:
     inputs:
       include_prereleases:
@@ -65,17 +60,17 @@ jobs:
           echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
           # echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
-      - name: "List variables"
-        run: |
-          export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}"
-          export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}"
-          export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}"
-          export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
-          export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
-          export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
-          export VERSION="${{ steps.variables.outputs.version }}"
-          # export TAG="${{ steps.variables.outputs.tag }}"
-          make list-variables
+  #     - name: "List variables"
+  #       run: |
+  #         export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}"
+  #         export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}"
+  #         export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}"
+  #         export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
+  #         export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
+  #         export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
+  #         export VERSION="${{ steps.variables.outputs.version }}"
+  #         # export TAG="${{ steps.variables.outputs.tag }}"
+  #         make list-variables
 
   deploy-jekyll:
     environment: