Merge pull request #1154 from NHSDigital/feature/made14-NRL-1922-refixup-sonarqube

[NRL-1922] Fix up some Sonarqube issues

Author: mattdean3-nhs

.github/workflows/activate-stack.yml

@@ -15,16 +15,15 @@ on:
         required: true
         type: string
 
-permissions:
-  id-token: write
-  contents: read
-  actions: write
-
 jobs:
   activate-stack:
     name: Activate ${{ inputs.stack_name }} for ${{ inputs.environment }}
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
+    permissions:
+      contents: read
+      id-token: write
+      actions: write
 
     steps:
       - name: Git clone - ${{ github.ref }}

.github/workflows/deploy-account-wide-infra.yml

@@ -13,11 +13,6 @@ on:
         description: Branch to deploy
         required: true
 
-permissions:
-  id-token: write
-  contents: read
-  actions: write
-
 jobs:
   check-selected-environment:
     name: Check Workflow Env
@@ -39,6 +34,10 @@ jobs:
     environment: ${{ inputs.environment }}
     needs: [check-selected-environment]
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      contents: read
+      id-token: write
+      actions: write
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
@@ -116,6 +115,10 @@ jobs:
     needs: [terraform-plan]
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
+    permissions:
+      contents: read
+      id-token: write
+      actions: write
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}

.github/workflows/persistent-environment.yml

@@ -14,15 +14,14 @@ on:
         description: Branch to deploy
         required: true
 
-permissions:
-  id-token: write
-  contents: read
-  actions: write
-
 jobs:
   build:
     name: Build - ${{ inputs.branch_name }}
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
@@ -78,6 +77,10 @@ jobs:
     needs: [build]
     environment: ${{ inputs.environment }}
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      contents: read
+      id-token: write
+      actions: write
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
@@ -151,6 +154,10 @@ jobs:
     needs: [terraform-plan]
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
+    permissions:
+      contents: read
+      id-token: write
+      actions: write
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
@@ -227,6 +234,10 @@ jobs:
     needs: [terraform-apply]
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
+    permissions:
+      contents: read
+      id-token: write
+      actions: write
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
@@ -258,6 +269,9 @@ jobs:
     needs: [activate-stack]
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
@@ -289,6 +303,9 @@ jobs:
     if: always() && ( needs.post-release-verify.result == 'failure' )
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}

.github/workflows/pr-env-deploy.yml

@@ -9,13 +9,6 @@ concurrency:
   group: environment-${{ github.event.pull_request.number }}
   cancel-in-progress: false
 
-permissions:
-  id-token: write
-  contents: read
-  actions: write
-  issues: write
-  pull-requests: write
-
 jobs:
   set-environment-id:
     name: Set Environment ID
@@ -48,6 +41,13 @@ jobs:
     name: Build Application
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: pull-request
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
+      issues: write
+      pull-requests: write
+
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
         uses: actions/checkout@v4
@@ -110,6 +110,12 @@ jobs:
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: pull-request
     needs: [set-environment-id, build]
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
+      issues: write
+      pull-requests: write
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
@@ -194,6 +200,9 @@ jobs:
     needs: [set-environment-id, deploy]
     environment: pull-request
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
@@ -232,6 +241,10 @@ jobs:
     needs: [set-environment-id, integration-test]
     environment: pull-request
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      id-token: write
+      contents: read
+
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
         uses: actions/checkout@v4
@@ -266,6 +279,10 @@ jobs:
     needs: [set-environment-id, integration-test]
     environment: pull-request
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}

.github/workflows/pr-env-destroy.yml

@@ -10,13 +10,6 @@ concurrency:
   group: environment-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions:
-  id-token: write
-  contents: read
-  actions: write
-  issues: write
-  pull-requests: write
-
 jobs:
   set-environment-id:
     name: Set Environment ID
@@ -50,6 +43,11 @@ jobs:
     needs: [set-environment-id]
     environment: pull-request
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      id-token: write
+      contents: read
+      issues: write
+      pull-requests: write
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}

.github/workflows/release.yml

@@ -1,25 +1,22 @@
 name: Release Published
 run-name: Release NRL ${{ github.event.release.name }}
-permissions:
-  id-token: write
-  contents: write
-  actions: write
 
 env:
   SYFT_VERSION: "1.27.1"
 
 on:
   release:
     types: [published]
-  # push:
-  #   tags:
-  #     - v*
   workflow_dispatch:
 
 jobs:
   sbom:
     name: Generate Software Bill of Materials - ${{ github.event.release.name }}
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      id-token: write
+      contents: write
+      actions: write
 
     steps:
       - name: Git clone - ${{ github.ref }}

.github/workflows/rollback-stack.yml

@@ -10,16 +10,15 @@ on:
         default: "dev"
         type: environment
 
-permissions:
-  id-token: write
-  contents: read
-  actions: write
-
 jobs:
   rollback-stack:
     name: Rollback to inactive stack for ${{ inputs.environment }}
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
 
     steps:
       - name: Git clone - ${{ github.ref }}

.github/workflows/update-lambda-permissions.yml

@@ -21,15 +21,13 @@ on:
         type: boolean
         default: true
 
-permissions:
-  id-token: write
-  contents: read
-  actions: write
-
 jobs:
   check-versions:
     name: Check versions
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - name: Git clone - ${{ github.ref }}
@@ -80,6 +78,10 @@ jobs:
     name: Build permissions
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
 
     needs: [check-versions]
 
@@ -119,8 +121,11 @@ jobs:
     name: Pull deployed lambdas
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
-
     needs: [check-versions]
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
 
     steps:
       - name: Git clone - ${{ github.ref }}
@@ -161,8 +166,11 @@ jobs:
     name: Plan changes
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
-
     needs: [build-permissions, pull-deployed-lambdas]
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
 
     steps:
       - name: Git clone - ${{ github.ref }}
@@ -227,8 +235,11 @@ jobs:
     name: Apply permissions
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
     environment: ${{ inputs.environment }}
-
     needs: terraform-plan
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
 
     steps:
       - name: Git clone - ${{ github.ref }}

.pre-commit-config.yaml

@@ -35,7 +35,7 @@ repos:
           - flake8-print
         args:
           - "--select=T201,F401,F402,F403"
-          - "--exclude=.git,__pycache__,dist,.venv,scripts/*,packages/feature_documentation/*,layer/psycopg2/*,changelog/scripts/changelog.py"
+          - "--exclude=.git,__pycache__,dist,.venv,scripts/*"
 
   - repo: https://github.com/psf/black
     rev: 24.3.0
@@ -70,28 +70,3 @@ repos:
         args:
           - --args=-write=true
           - --args=-recursive
-
-  # - repo: local
-  #   hooks:
-  #     - id: forbid_json_loads
-  #       name: Don't use json.loads - use json_loads instead
-  #       entry: json\.loads
-  #       language: pygrep
-  #       types: [python]
-  #       exclude: layer/nrlf/nrlf/core/validators.py|layer/psycopg2/.*|mi/.*
-
-  # - repo: local
-  #   hooks:
-  #     - id: forbid_json_load
-  #       name: Don't use json.load - use json_load instead
-  #       entry: json\.load
-  #       language: pygrep
-  #       types: [python]
-  #       exclude: layer/nrlf/nrlf/core/validators.py|layer/psycopg2/.*|mi/.*
-
-  - repo: local
-    hooks:
-      - id: create_changelog
-        name: Create changelog from changelog files
-        entry: changelog/scripts/changelog-pre-commit.sh
-        language: python