Merge branch 'main' into CCM-12869-excel-parser

# Conflicts:
#	AGENTS.md
#	README.md
#	package-lock.json
#	packages/event-builder/jest.config.ts
#	packages/event-builder/src/__tests__/pack-specification-event-builder.test.ts
#	packages/event-builder/src/letter-variant-event-builder.ts
#	packages/event-builder/src/pack-specification-event-builder.ts
#	packages/event-builder/src/supplier-allocation-event-builder.ts
#	packages/event-builder/src/supplier-event-builder.ts
#	packages/event-builder/src/supplier-pack-event-builder.ts
#	packages/event-builder/src/volume-group-event-builder.ts
#	packages/events/package.json
#	packages/events/src/cli/generate-erd.ts
#	packages/events/src/cli/generate-json.ts
#	packages/events/src/domain/__tests__/specification.test.ts
#	packages/events/src/domain/constraint.ts
#	packages/events/src/domain/pack-specification.ts
#	packages/events/src/examples/specification-examples.ts

Author: m-houston

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,6 +25,8 @@
 - [ ] I have added tests to cover my changes
 - [ ] I have updated the documentation accordingly
 - [ ] This PR is a result of pair or mob programming
+<!-- - [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR. TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 -->
+- [ ] This PR includes code generated by a coding agent
 
 ---
 

.github/SECURITY.md

@@ -21,8 +21,8 @@ If you wish to notify us of a vulnerability via email, please include detailed i
 
 You can reach us at:
 
-- _[ A product team email address ]_
-- [cybersecurity@nhs.net](cybersecurity@nhs.net)
+- [england.nhsnotify@nhs.net](mailto:england.nhsnotify@nhs.net)
+- [cybersecurity@nhs.net](mailto:cybersecurity@nhs.net)
 
 ### NCSC
 

.github/actions/build-docs/action.yml

@@ -8,8 +8,8 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: 18
     - name: Npm cli install

.github/actions/bundle-ddb-publish/action.yml

@@ -0,0 +1,65 @@
+name: "Bundle ddb-publish"
+description: "Build and package the ddb-publish release bundle (ddb-publish-bundle.tgz) from the workspace sources."
+
+inputs:
+  node-version:
+    description: "Node.js version to use"
+    required: true
+  run-typecheck:
+    description: "Run workspace typecheck before bundling"
+    required: false
+    default: "true"
+
+outputs:
+  tarball-path:
+    description: "Path to the generated tarball"
+    value: ${{ steps.bundle.outputs.tarball_path }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Node.js
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      with:
+        node-version: "${{ inputs.node-version }}"
+        cache: npm
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        set -euo pipefail
+        npm ci
+
+    - name: Generate dependencies
+      shell: bash
+      run: |
+        set -euo pipefail
+        npm run generate-dependencies --workspaces --if-present
+
+    - name: Typecheck
+      if: inputs.run-typecheck == 'true'
+      shell: bash
+      run: |
+        set -euo pipefail
+        npm run typecheck --workspaces --if-present
+
+    - name: Build ddb-publish bundle
+      shell: bash
+      run: |
+        set -euo pipefail
+        npm run bundle:release --workspace @supplier-config/ddb-publisher
+
+    - name: Smoke-test bundle
+      shell: bash
+      run: |
+        set -euo pipefail
+        node packages/ddb-publisher/artifacts/ddb-publish/index.cjs --help > /dev/null
+
+    - name: Package tarball
+      id: bundle
+      shell: bash
+      run: |
+        set -euo pipefail
+        tarball="ddb-publish-bundle.tgz"
+        tar -czf "$tarball" -C packages/ddb-publisher/artifacts/ddb-publish .
+        echo "tarball_path=$tarball" >> "$GITHUB_OUTPUT"

.github/actions/check-todo-usage/action.yaml

@@ -0,0 +1,10 @@
+name: "Check Todo usage"
+description: "Check Todo usage"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Todo usage"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        check=branch ./scripts/githooks/check-todos.sh

.github/actions/create-lines-of-code-report/action.yaml

@@ -32,7 +32,7 @@ runs:
       run: zip lines-of-code-report.json.zip lines-of-code-report.json
     - name: "Upload CLOC report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: lines-of-code-report.json.zip
         path: ./lines-of-code-report.json.zip
@@ -44,7 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/lint-terraform/action.yaml

@@ -7,15 +7,16 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: "Install Terraform binary"
+      shell: bash
+      run: |
+        asdf plugin add terraform || true
+        asdf install terraform || true
     - name: "Check Terraform format"
       shell: bash
       run: |
         check_only=true scripts/githooks/check-terraform-format.sh
     - name: "Validate Terraform"
       shell: bash
       run: |
-        stacks=${{ inputs.root-modules }}
-        for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
-          dir=$dir opts='-backend=false' make terraform-init
-          dir=$dir make terraform-validate
-        done
+        make terraform-validate-all

.github/actions/scan-dependencies/action.yaml

@@ -32,7 +32,7 @@ runs:
       run: zip sbom-repository-report.json.zip sbom-repository-report.json
     - name: "Upload SBOM report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: sbom-repository-report.json.zip
         path: ./sbom-repository-report.json.zip
@@ -47,7 +47,7 @@ runs:
       run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
     - name: "Upload vulnerabilities report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: vulnerabilities-repository-report.json.zip
         path: ./vulnerabilities-repository-report.json.zip
@@ -58,7 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/trivy-iac/action.yaml

@@ -0,0 +1,20 @@
+#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy IaC Scan"
+# description: "Scan Terraform IaC using Trivy"
+# runs:
+#   using: "composite"
+#   steps:
+#     - name: "Trivy Terraform IaC Scan"
+#       shell: bash
+#       run: |
+#         components_exit_code=0
+#         modules_exit_code=0
+#         asdf plugin add trivy || true
+#         asdf install trivy || true
+#         ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+#         ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+
+#         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+#           echo "Trivy misconfigurations detected."
+#           exit 1
+#         fi

.github/actions/trivy-package/action.yaml

@@ -0,0 +1,18 @@
+#TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy Package Scan"
+# description: "Scan project packages using Trivy"
+# runs:
+#   using: "composite"
+#   steps:
+#     - name: "Trivy Package Scan"
+#       shell: bash
+#       run: |
+#         exit_code=0
+#         asdf plugin add trivy || true
+#         asdf install trivy || true
+#         ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+
+#         if [ $exit_code -ne 0 ]; then
+#           echo "Trivy has detected package vulnerabilities. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+#           exit 1
+#         fi