Chore: [AEA-0000] - use actions for sync copilot (#122)

## Summary

- Routine Change

### Details

- use action for sync copilot

Author: anthony-nhs

.devcontainer/devcontainer.json

@@ -12,7 +12,6 @@
     },
     "updateRemoteUserUID": false
   },
-  "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
   "mounts": [
     "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
     "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",

.github/dependabot.yaml

@@ -13,7 +13,7 @@ updates:
     commit-message:
       prefix: "Upgrade: [dependabot] - "
     cooldown:
-      default-days: 3
+      default-days: 7
 
   ###################################
   # Poetry  #########################
@@ -29,7 +29,7 @@ updates:
     commit-message:
       prefix: "Upgrade: [dependabot] - "
     cooldown:
-      default-days: 3
+      default-days: 7
 
   ###################################
   # NPM workspace  ##################
@@ -45,4 +45,4 @@ updates:
     commit-message:
       prefix: "Upgrade: [dependabot] - "
     cooldown:
-      default-days: 3
+      default-days: 7

.github/workflows/schedule_dev_container_update.yml

@@ -1,78 +1,22 @@
-name: Sync copilot instructions
+name: Sync Copilot Instructions
 
 on:
-  workflow_call:
-    inputs:
-      common_workflows_ref:
-        description: "The ref to sync from the central repository"
-        required: false
-        default: "main"
-        type: string
-      calling_repo_base_branch:
-        description: "The base branch from the calling repository that should be merged into"
-        required: false
-        type: string
-        default: main
+  workflow_dispatch:
+  schedule:
+    - cron: "0 6 * * 1"
 
 jobs:
-  sync:
+  sync-copilot-instructions:
     runs-on: ubuntu-22.04
-    environment: "create_pull_request"
+    environment: create_pull_request
     permissions:
       contents: read
-      pull-requests: write
 
     steps:
-      - name: Checkout calling repo code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Sync shared instructions
+        uses: NHSDigital/eps-copilot-instructions@a7849a16aabd5c1edef13e29467a480fa08555f8
         with:
-          ref: ${{ inputs.calling_repo_base_branch }}
-          fetch-depth: 0
-
-      - name: Checkout central repo code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          ref: ${{ inputs.common_workflows_ref }}
-          fetch-depth: 0
-          path: eps-common-workflows
-          repository: NHSDigital/eps-common-workflows
-          sparse-checkout: |
-            .github/instructions/general
-            .github/instructions/languages
-            .github/copilot-instructions.md
-            .github/prompts
-
-      - name: Copy central instructions
-        run: |
-          rm -rf .github/instructions/general
-          rm -rf .github/instructions/languages
-          rm -rf .github/copilot-instructions.md
-          rm -rf .github/prompts
-          mkdir -p .github/instructions/
-          cp -R eps-common-workflows/.github/instructions/general .github/instructions/general
-          cp -R eps-common-workflows/.github/instructions/languages .github/instructions/languages
-          cp eps-common-workflows/.github/copilot-instructions.md .github/copilot-instructions.md
-          cp -R eps-common-workflows/.github/prompts .github/prompts
-          rm -rf eps-common-workflows
-
-      - name: Create GitHub App Token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
-        id: generate-token
-        with:
-          app-id: "${{ secrets.CREATE_PULL_REQUEST_APP_ID }}"
-          private-key: "${{ secrets.CREATE_PULL_REQUEST_PEM }}"
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
-        with:
-          token: "${{ steps.generate-token.outputs.token }}"
-          commit-message: "Upgrade: [dependabot] - sync Copilot instructions"
-          title: "Upgrade: [dependabot] - sync Copilot instructions"
-          body: |
-            Syncing Copilot instructions from central repo.
-            Ref: `${{ inputs.common_workflows_ref }}`
-          branch: copilot-instructions-sync
-          base: ${{ inputs.calling_repo_base_branch }}
-          branch-suffix: random
-          sign-commits: true
-          delete-branch: true
+          copilot_instructions_ref: main
+          calling_repo_base_branch: main
+          CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
+          CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}

.github/workflows/sync_copilot.yml

@@ -1,148 +1,23 @@
-name: Update Dev Container Image version
+name: Update devcontainer version
+
 on:
-  workflow_call:
-    inputs:
-      base_branch:
-        required: false
-        type: string
-        default: main
-    secrets:
-      CREATE_PULL_REQUEST_APP_ID:
-        required: true
-      CREATE_PULL_REQUEST_PEM:
-        required: true
+  workflow_dispatch:
+  schedule:
+    - cron: "0 6 * * 4"
+permissions: {}
+
 jobs:
-  update_devcontainer_version:
+  update-devcontainer-version:
     runs-on: ubuntu-22.04
+    environment: create_pull_request
     permissions:
       contents: read
       packages: read
-      pull-requests: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-      - name: Load config value
-        id: load-config
-        run: |
-          set -euo pipefail
-          DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
-
-          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
-
-          {
-            echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
-            echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
-          } >> "$GITHUB_ENV"
-      - name: Resolve latest devcontainer image version from GHCR
-        id: resolve-version
-        env:
-          GH_TOKEN: "${{ github.token }}"
-        run: |
-          set -euo pipefail
-
-
-          PACKAGE_NAME="eps-devcontainers/${DEVCONTAINER_IMAGE}"
-
-          ENCODED_PACKAGE_NAME=$(python3 -c 'import sys, urllib.parse;
-          print(urllib.parse.quote(sys.argv[1], safe=""))' "$PACKAGE_NAME")
-
-
-          VERSIONS_JSON=$(gh api \
-            -H "Accept: application/vnd.github+json" \
-            "/orgs/NHSDigital/packages/container/${ENCODED_PACKAGE_NAME}/versions?per_page=100")
-
-          LATEST_VIA_LATEST_TAG=$(jq -r '
-            [ .[]
-              | select((.metadata.container.tags // []) | index("latest"))
-            ]
-            | sort_by(.created_at)
-            | reverse
-            | .[0].metadata.container.tags // []
-            | map(select(test("^v")))
-            | .[0] // empty
-          ' <<< "$VERSIONS_JSON")
-
-
-          LATEST_V_TAG=$(jq -r '
-            [ .[]
-              | {created_at, tags: (.metadata.container.tags // [])}
-            ]
-            | sort_by(.created_at)
-            | reverse
-            | map(.tags[]? | select(test("^v")))
-            | .[0] // empty
-          ' <<< "$VERSIONS_JSON")
-
-
-          RESOLVED_VERSION="$LATEST_VIA_LATEST_TAG"
-
-          if [[ -z "$RESOLVED_VERSION" ]]; then
-            RESOLVED_VERSION="$LATEST_V_TAG"
-          fi
-
-
-          if [[ -z "$RESOLVED_VERSION" ]]; then
-            echo "No version tag matching ^v found for package ${PACKAGE_NAME}" >&2
-            exit 1
-          fi
-
 
-          echo "Resolved latest version: ${RESOLVED_VERSION}"
-
-          echo "LATEST_DEVCONTAINER_VERSION=${RESOLVED_VERSION}" >> "$GITHUB_ENV"
-
-          echo "latest_version=${RESOLVED_VERSION}" >> "$GITHUB_OUTPUT"
-      - name: Update devcontainer version in config
-        run: |
-          set -euo pipefail
-
-
-          TARGET_VERSION='${{ steps.resolve-version.outputs.latest_version }}'
-
-          if [[ "$TARGET_VERSION" == "$DEVCONTAINER_VERSION" ]]; then
-            echo "IMAGE_VERSION is already up to date (${DEVCONTAINER_VERSION})"
-            exit 0
-          fi
-
-
-          python3 - <<'PY'
-
-          import json
-
-          from pathlib import Path
-
-
-          config_file = Path('.devcontainer/devcontainer.json')
-
-          config = json.loads(config_file.read_text())
-
-          config['build']['args']['IMAGE_VERSION'] = '${{
-          steps.resolve-version.outputs.latest_version }}'
-
-          config_file.write_text(json.dumps(config, indent=2) + '\n')
-
-          PY
-
-
-          echo "Updated IMAGE_VERSION from ${DEVCONTAINER_VERSION} to
-          ${LATEST_DEVCONTAINER_VERSION}"
-      - name: Create GitHub App Token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
-        id: generate-token
-        with:
-          app-id: "${{ secrets.CREATE_PULL_REQUEST_APP_ID }}"
-          private-key: "${{ secrets.CREATE_PULL_REQUEST_PEM }}"
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+    steps:
+      - name: Update devcontainer version
+        uses: NHSDigital/eps-update-devcontainer@dc3a8c5f11e7226ee4f5f2bb35bd0d1265092306
         with:
-          token: "${{ steps.generate-token.outputs.token }}"
-          commit-message: Update devcontainer image version to ${{ steps.resolve-version.outputs.latest_version }}
-          title: "Upgrade: [dependabot] - Update devcontainer image version to ${{ steps.resolve-version.outputs.latest_version }}"
-          body: "This PR updates the devcontainer image version to ${{ steps.resolve-version.outputs.latest_version }}."
-          add-paths: .devcontainer/devcontainer.json
-          sign-commits: true
-          base: "${{ inputs.base_branch }}"
-          delete-branch: true
-          branch: update-devcontainer-version
+          calling_repo_base_branch: main
+          CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
+          CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}

.github/workflows/update-dev-container-version.yml

@@ -17,6 +17,26 @@ repos:
         files: ^(.github)
   - repo: local
     hooks:
+      - id: check-commit-signing
+        name: Check commit signing
+        description: Ensures that commits are GPG signed
+        entry: bash
+        args:
+          - -c
+          - |
+            if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then
+              echo "Error: Commit signing is not enabled."
+              echo "Please enable commit signing with:"
+              echo "  git config commit.gpgsign true"
+              echo ""
+              echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
+              exit 1
+            fi
+            echo "Commit signing is properly configured."
+        language: system
+        pass_filenames: false
+        always_run: true
+
       - id: git-secrets
         name: Git Secrets
         description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.