CCM-11345 manual repo sync

.github/SECURITY.md

@@ -21,8 +21,8 @@ If you wish to notify us of a vulnerability via email, please include detailed i
 
 You can reach us at:
 
-- _[ A product team email address ]_
-- [cybersecurity@nhs.net](cybersecurity@nhs.net)
+- [england.nhsnotify@nhs.net](mailto:england.nhsnotify@nhs.net)
+- [cybersecurity@nhs.net](mailto:cybersecurity@nhs.net)
 
 ### NCSC
 

.github/actions/check-todo-usage/action.yaml

@@ -0,0 +1,10 @@
+name: "Check Todo usage"
+description: "Check Todo usage"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Todo usage"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        check=branch ./scripts/githooks/check-todos.sh

.github/actions/create-lines-of-code-report/action.yaml

@@ -44,7 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/scan-dependencies/action.yaml

@@ -58,7 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/trivy/action.yaml

@@ -5,9 +5,11 @@ runs:
     - name: "Trivy Terraform IAC Scan"
       shell: bash
       run: |
+        components_exit_code=0
         modules_exit_code=0
 
-        ./scripts/terraform/trivy.sh ./infrastructure/modules || modules_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
 
         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
           echo "Trivy misconfigurations detected."

.github/workflows/cicd-3-deploy.yaml

@@ -48,7 +48,6 @@ jobs:
           echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
           # echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
       - name: "List variables"

.github/workflows/scheduled-repository-template-sync.yaml

@@ -0,0 +1,55 @@
+name: Repository Template Sync
+
+on:
+  schedule:
+    - cron: '0 0 1 * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  checks: read
+
+jobs:
+  update-external-repo:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repository
+      uses: actions/checkout@v4
+
+    - name: Check out external repository
+      uses: actions/checkout@v4
+      with:
+        repository: NHSDigital/nhs-notify-repository-template
+        path: nhs-notify-repository-template
+        token: ${{ github.token }}
+
+    - name: Run syncronisation script
+      run: |
+        ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh
+        rm -Rf ./nhs-notify-repository-template
+
+    - name: Create Pull Request
+      if: ${{ !env.ACT }}
+      uses: peter-evans/create-pull-request@v7.0.8
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        commit-message: Drift from template
+        branch: scheduledTemplateRepositorySync
+        delete-branch: true
+        title: '[Template Sync] Drift from template-repository remediation'
+        body: |
+          # Resultant drift from repository template
+
+          ## Who should respond to this PR?
+          The team which owns the responsibility for this component repository. You may want to consult other contributors.
+
+          ## How to progress this PR
+          The repositories guardians should review the contents of the PR and decide how to proceed, you may wish to back-out certain changes or accept them from the upstream `nhsdigital/nhs-notify-repository-template` repository.
+
+          If there are changes you do not wish to see again, it is recommended you add exclusions to `scripts/config/.repository-template-sync-ignore`.
+        labels: |
+          template
+          automation
+        draft: false

.github/workflows/scorecard.yml

@@ -27,25 +27,25 @@ jobs:
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
       # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
+      contents: read
+      actions: read
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@v4
         with:
           name: SARIF file
           path: results.sarif
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif

.github/workflows/stage-1-commit.yaml

@@ -101,6 +101,17 @@ jobs:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check English usage"
         uses: ./.github/actions/check-english-usage
+  check-todo-usage:
+    name: "Check TODO usage"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check TODO usage"
+        uses: ./.github/actions/check-todo-usage
   detect-terraform-changes:
     name: "Detect Terraform Changes"
     runs-on: ubuntu-latest
@@ -145,7 +156,7 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v4
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v3
+        uses: asdf-vm/actions/setup@v4
       - name: "Perform Setup"
         uses: ./.github/actions/setup
       - name: "Trivy Scan"

.github/workflows/stage-3-build.yaml

@@ -60,7 +60,7 @@ jobs:
       - name: "Upload artefact 1"
         run: |
           echo "Uploading artefact 1 ..."
-          # TODO: Use either action/cache or action/upload-artifact
+          # Use either action/cache or action/upload-artifact
   artefact-n:
     name: "Artefact n"
     runs-on: ubuntu-latest
@@ -77,4 +77,4 @@ jobs:
       - name: "Upload artefact n"
         run: |
           echo "Uploading artefact n ..."
-          # TODO: Use either action/cache or action/upload-artifact
+          # Use either action/cache or action/upload-artifact

.gitignore

@@ -10,4 +10,15 @@ version.json
 *.code-workspace
 !project.code-workspace
 
-infrastructure/modules/eventpub/lambda/*.zip
+# Please, add your custom content below!
+
+# dependencies
+node_modules
+.node-version
+*/node_modules
+/.pnp
+.pnp.js
+/build
+dist
+.DS_Store
+.reports

.gitleaksignore

@@ -1,5 +1,6 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
+cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:sonar-api-token:37
 96096685ab3d6876671e2bc9a6ff4d48fc56e521:src/helloworld/helloworld.sln:ipv4:4
 4f4e8c15629b2cb09356a7fed4d72953590227ce:docs/Gemfile.lock:ipv4:4

.tool-versions

@@ -1,22 +1,21 @@
-# This file is for you! Please, updated to the versions agreed by your team.
-
-gitleaks 8.18.4
+act 0.2.64
+gitleaks 8.24.0
+jq 1.6
 nodejs 22.15.1
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
-terraform-docs 0.19.0
 trivy 0.61.0
 vale 3.6.0
-
+# python 3.13.2
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
-# docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
-# docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
-# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
+# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33  # SEE: https://github.com/anchore/grype/pkgs/container/grype
+# docker/ghcr.io/anchore/syft v1.26.0@sha256:de078f51704a213906970b1475edd6006b8af50aa159852e125518237487b8c6  # SEE: https://github.com/anchore/syft/pkgs/container/syft
+# docker/ghcr.io/gitleaks/gitleaks:v8.24.0@sha256:b8e9bf46893c2f20e10bfb4b2e783adaef519dea981b01ca6221ac325e836040 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image

LICENCE.md

@@ -1,6 +1,6 @@
 # MIT Licence
 
-Copyright (c) 2024 Crown Copyright NHS England.
+Copyright (c) 2025 Crown Copyright NHS England.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

infrastructure/terraform/.gitignore

@@ -0,0 +1,67 @@
+### Terraform ###
+
+# Transient backends
+components/**/backend_tfscaffold.tf
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Compiled files
+**/*.tfstate
+**/*.tfplan
+**/*.tfstate.backup
+**/.terraform
+**/.terraform.lock.hcl
+**/.terraform/*
+**/build/*
+**/work/*
+**/*tfstate.lock.info
+
+# Scaffold Plugin Cache
+plugin-cache/*
+
+# PyCache
+**/__pycache__
+
+### OSX ###
+**/.DS_Store
+**/.AppleDouble
+**/.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+*.swp
+.nyc_output
+
+# VS Code
+.vscode
+
+# IntelliJ Idea
+.idea
+**/*.iml
+
+# js
+node_modules

scripts/config/.repository-template-sync-ignore

@@ -0,0 +1,36 @@
+# Files and folders to ignore when syncing nhs-notify-repository-template back in to this repository
+nhs-notify-repository-template/
+
+# Files and Folders in this repository to ignore
+.editorconfig
+.github/CODEOWNERS
+.github/ISSUE_TEMPLATE
+.github/workflows/cicd-*.yaml
+.github/workflows/stage-*.yaml
+.gitleaksignore
+.vscode/
+CHANGELOG.md
+Makefile
+project.code-workspace
+README.md
+scripts/config/sonar-scanner.properties
+scripts/githooks/check-terraform-docs.sh
+scripts/tests/
+VERSION
+
+# Files and Folders in the template repository to disregard
+.devcontainer/
+.github/actions/build-docs
+.github/workflows/*.disabled
+*/examples/
+docs/
+eslint.config.mjs
+infrastructure/terraform/
+infrastructure/terraform/components/
+lambdas/example-lambda/
+package-lock.json
+package.json
+scripts/**/examples/
+scripts/terraform/terraform.lib.sh
+scripts/terraform/terraform.mk
+src/.vscode/

scripts/config/.repository-template-sync-merge

@@ -0,0 +1,9 @@
+# Files and folders to merge when syncing nhs-notify-repository-template back in to this repository
+.github/workflows/cicd-*.yaml
+scripts/config/.repository-template-sync-ignore
+scripts/config/.repository-template-sync-merge
+scripts/config/vale/vale.ini
+.tool-versions
+.gitignore
+scripts/config/vale/styles/config/vocabularies/words/accept.txt
+scripts/config/vale/styles/config/vocabularies/words/reject.txt

scripts/config/gitleaks.toml

@@ -1,4 +1,5 @@
 # SEE: https://github.com/gitleaks/gitleaks/#configuration
+# Do not edit this file directly as it will be overwritten by changes from the nhs-notify-repository-template on next sync
 
 [extend]
 useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
@@ -22,3 +23,9 @@ paths = [
   '''yarn.lock''',
   '''Gemfile.lock''',
 ]
+
+# Exclude Chrome version in user agent
+regexTarget = "line"
+regexes = [
+  '''Chrome/[\d.]+'''
+]