CCM-14029 centralise precommit gh as

.github/actions/check-english-usage/action.yaml

@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        check=branch ./scripts/githooks/check-english-usage.sh
+        check=branch ${{ github.action_path }}/check-english-usage.sh

.github/actions/check-file-format/action.yaml

@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        check=branch ./scripts/githooks/check-file-format.sh
+        check=branch ${{ github.action_path }}/check-file-format.sh

.github/actions/check-markdown-format/action.yaml

@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        check=branch ./scripts/githooks/check-markdown-format.sh
+        check=branch ${{ github.action_path }}/check-markdown-format.sh

.github/actions/check-todo-usage/action.yaml

@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        check=branch ./scripts/githooks/check-todos.sh
+        check=branch ${{ github.action_path }}/check-todos.sh

scripts/githooks/check-todos.sh → .github/actions/check-todo-usage/check-todos.sh

@@ -25,22 +25,39 @@ set -euo pipefail
 
 # ==============================================================================
 
-EXCLUDED_FILES=(
-  ".devcontainer/devcontainer.json"
-  ".tool-versions"
-  ".vscode/extensions.json"
-  "infrastructure/terraform/bin/terraform.sh"
-  "Makefile"
-  "project.code-workspace"
-  "src/jekyll-devcontainer/src/.devcontainer/devcontainer.json"
-)
-
-EXCLUDED_DIRS=(
-  ".git/"
-  ".venv/"
-  "docs/"
-  "node_modules/"
-)
+CONFIG_FILE="scripts/config/check-todos-ignore.conf"
+
+# Arrays to be populated from config file
+EXCLUDED_FILES=()
+EXCLUDED_DIRS=()
+
+
+# Load exclusions from configuration file
+function load_exclusions_from_config() {
+  local config_file="$1"
+  local section=""
+
+  while IFS= read -r line || [ -n "$line" ]; do
+    # Skip empty lines and comments
+    [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue
+
+    # Check for section headers
+    if [[ "$line" =~ ^\[([^]]+)\]$ ]]; then
+      section="${BASH_REMATCH[1]}"
+      continue
+    fi
+
+    # Add entries to appropriate arrays based on current section
+    case "$section" in
+      files)
+        EXCLUDED_FILES+=("$line")
+        ;;
+      directories)
+        EXCLUDED_DIRS+=("$line")
+        ;;
+    esac
+  done < "$config_file"
+}
 
 
 # Get files to check based on mode
@@ -68,12 +85,7 @@ function get_files_to_check() {
 
 
 function build_exclude_args() {
-  local args=(
-    --exclude=".github/actions/check-todo-usage/action.yaml"
-    --exclude=".github/workflows/stage-1-commit.yaml"
-    --exclude="scripts/config/pre-commit.yaml"
-    --exclude="scripts/githooks/check-todos.sh"
-  ) # Exclude this script and its references by default, as it naturally contains TODOs. Todo todo todo <- see?
+  local args=() # Exclusions are now loaded from config file
 
   if [ ${#EXCLUDED_DIRS[@]} -gt 0 ]; then
     for dir in "${EXCLUDED_DIRS[@]}"; do
@@ -203,6 +215,9 @@ function print_output() {
 function main() {
   cd "$(git rev-parse --show-toplevel)"
 
+  # Load exclusions from config file
+  load_exclusions_from_config "$CONFIG_FILE"
+
   local check_mode="${check:-working-tree-changes}"
   local exclude_args=$(build_exclude_args)
   local todos=$(search_todos "$check_mode" $exclude_args)

.github/actions/lint-terraform/action.yaml

@@ -15,7 +15,7 @@ runs:
     - name: "Check Terraform format"
       shell: bash
       run: |
-        check_only=true scripts/githooks/check-terraform-format.sh
+        check_only=true ${{ github.action_path }}/check-terraform-format.sh
     - name: "Validate Terraform"
       shell: bash
       run: |

.github/actions/scan-secrets/action.yaml

@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten.
-        check=whole-history ./scripts/githooks/scan-secrets.sh
+        check=whole-history ${{ github.action_path }}/scan-secrets.sh

.github/actions/sync-template-repo/action.yaml

@@ -0,0 +1,25 @@
+name: "Sync Repository Template"
+description: "Synchronise changes from the nhs-notify-repository-template"
+inputs:
+  github_token:
+    description: "GitHub token for checking out the template repository"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: "Check out template repository"
+      uses: actions/checkout@v4
+      with:
+        repository: NHSDigital/nhs-notify-repository-template
+        path: nhs-notify-repository-template
+        token: ${{ inputs.github_token }}
+
+    - name: "Run synchronisation script"
+      shell: bash
+      run: |
+        ./nhs-notify-repository-template/scripts/maintenance/sync-template-repo.sh
+
+    - name: "Clean up template repository"
+      shell: bash
+      run: |
+        rm -rf ./nhs-notify-repository-template

.github/actions/trivy-iac/action.yaml

@@ -0,0 +1,19 @@
+name: "Trivy IaC Scan"
+description: "Scan Terraform IaC using Trivy"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Terraform IaC Scan"
+      shell: bash
+      run: |
+        components_exit_code=0
+        modules_exit_code=0
+        asdf plugin add trivy || true
+        asdf install trivy || true
+        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "Trivy misconfigurations detected."
+          exit 1
+        fi

.github/actions/trivy-package/action.yaml

@@ -0,0 +1,17 @@
+name: "Trivy Package Scan"
+description: "Scan project packages using Trivy"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Package Scan"
+      shell: bash
+      run: |
+        exit_code=0
+        asdf plugin add trivy || true
+        asdf install trivy || true
+        ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+
+        if [ $exit_code -ne 0 ]; then
+          echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+          exit 1
+        fi

.github/workflows/cicd-1-pull-request.yaml

@@ -127,18 +127,3 @@ jobs:
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
-  publish-stage: # Recommended maximum execution time is 10 minutes
-    name: "Publish stage"
-    needs: [metadata, acceptance-stage]
-    uses: ./.github/workflows/stage-5-publish.yaml
-    if: (github.event_name == 'push' && github.ref == 'refs/heads/main')
-    with:
-      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
-      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
-      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      version: "${{ needs.metadata.outputs.version }}"
-      is_version_prerelease: "${{ needs.metadata.outputs.is_version_prerelease }}"
-    secrets: inherit

.github/workflows/release_created.yaml

@@ -25,7 +25,7 @@ jobs:
         run: |
           ARTIFACTS_DIR="$PWD/../../artifacts"
           mkdir -p "$ARTIFACTS_DIR"
-          cd infrastructure/modules
+          cd infrastructure/terraform/modules
           for module in */; do
             module_name=${module%/}
             echo "Zipping contents of $module_name..."

.github/workflows/scheduled-repository-template-sync.yaml

@@ -18,17 +18,10 @@ jobs:
     - name: Check out the repository
       uses: actions/checkout@v4
 
-    - name: Check out external repository
-      uses: actions/checkout@v4
+    - name: Sync repository template
+      uses: ./.github/actions/sync-template-repo
       with:
-        repository: NHSDigital/nhs-notify-repository-template
-        path: nhs-notify-repository-template
-        token: ${{ github.token }}
-
-    - name: Run syncronisation script
-      run: |
-        ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh
-        rm -Rf ./nhs-notify-repository-template
+        github_token: ${{ github.token }}
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}

.github/workflows/stage-1-commit.yaml

@@ -83,7 +83,7 @@ jobs:
           make terraform-docs
       - name: "Stage changes"
         run: |
-          git add infrastructure/modules/**/*.md
+          git add infrastructure/terraform/modules/**/*.md
       - name: "Check for changes in Terraform Docs"
         run: |
           if git diff --cached --name-only | grep -qE '\.md$'; then

.github/workflows/stage-3-build.yaml

@@ -33,17 +33,6 @@ on:
         type: string
 
 jobs:
-  artefact-jekyll-docs:
-    name: "Build Docs"
-    runs-on: ubuntu-latest
-    timeout-minutes: 3
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Build docs"
-        uses: ./.github/actions/build-docs
-        with:
-          version: "${{ inputs.version }}"
   artefact-1:
     name: "Artefact 1"
     runs-on: ubuntu-latest