From 16274f75bd9dee6e0fbcad7f14553ae7b537ea5f Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss <54067008+aidenvaines-bjss@users.noreply.github.com>
Date: Sun, 1 Mar 2026 00:42:25 +0000
Subject: [PATCH] Drift from template

---
 .../dispatch_internal_repo_workflow.sh | 5 +-
 .../scheduled-repository-template-sync.yaml | 4 +-
 .github/workflows/scorecard.yml | 6 +--
 scripts/config/pre-commit.yaml | 13 +----
 scripts/githooks/check-file-format.sh | 2 -
 scripts/githooks/check-markdown-format.sh | 6 +--
 scripts/githooks/check-todos.sh | 1 -
 scripts/lambda-container-build/docker.sh | 51 +++++++++----------
 8 files changed, 37 insertions(+), 51 deletions(-)

diff --git a/.github/scripts/dispatch_internal_repo_workflow.sh b/.github/scripts/dispatch_internal_repo_workflow.sh
index b73989e03..a52c1bbee 100755
--- a/.github/scripts/dispatch_internal_repo_workflow.sh
+++ b/.github/scripts/dispatch_internal_repo_workflow.sh
@@ -20,7 +20,7 @@
 # All arguments are required except terraformAction, and internalRef.
 # Example:
 # ./dispatch_internal_repo_workflow.sh \
-# --infraRepoName "nhs-notify-web-template-management" \
+# --infraRepoName "nhs-notify-dns" \
 # --releaseVersion "v1.2.3" \
 # --targetWorkflow "deploy.yaml" \
 # --targetEnvironment "prod" \
@@ -86,7 +86,7 @@ while [[ $# -gt 0 ]]; do
 ;;
 esac
 done
-# Validate required parameters
+
 if [[ -z "$APP_PEM_FILE" ]]; then
 echo "[ERROR] PEM_FILE environment variable is not set or is empty."
 exit 1
@@ -140,7 +140,6 @@ PR_TRIGGER_PAT=$(curl --request POST \
 -H "Authorization: Bearer ${JWT}" \
 -H "X-GitHub-Api-Version: 2022-11-28" | jq -r '.token')
 
-
 # Set default values if not provided
 if [[ -z "$PR_TRIGGER_PAT" ]]; then
 echo "[ERROR] PR_TRIGGER_PAT environment variable is not set or is empty."
diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml
index b8484e12a..e91148656 100644
--- a/.github/workflows/scheduled-repository-template-sync.yaml
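Review bot: The removed `# Validate required parameters` line was the only label on the run of `[[ -z ... ]]` checks that follows, and this hunk replaces it with a blank line rather than a better heading, so the block now reads as unexplained code until the first `[ERROR]` message. I would keep a one-line label, e.g. `# Validate required parameters (fail fast before any GitHub API call)`, instead of the blank. The validation checks themselves are unchanged here; the run continues past the end of the hunk.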
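Review bot: `jq -r '.token'` prints the literal string `null` when the API returns an error body with no `token` field, so the `[[ -z "$PR_TRIGGER_PAT" ]]` check just below this hunk passes and the bogus value is carried forward as a token; `jq -r '.token // empty'` makes a missing field yield an empty string so the existing check catches it. The `# Set default values if not provided` comment, now directly above that check after the blank line was removed, describes a defaulting step that does not exist, and the message says PR_TRIGGER_PAT is an environment variable when it is the curl result; `# Validate the installation token returned by the API` and `[ERROR] Failed to obtain an installation token from the GitHub API.` would match the code. The curl pipeline starts outside the hunk.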
+++ b/.github/workflows/scheduled-repository-template-sync.yaml
@@ -16,10 +16,10 @@ jobs:
 
 steps:
 - name: Check out the repository
- uses: actions/checkout@v5.0.0
+ uses: actions/checkout@v4
 
 - name: Check out external repository
- uses: actions/checkout@v5.0.0
+ uses: actions/checkout@v4
 with:
 repository: NHSDigital/nhs-notify-repository-template
 path: nhs-notify-repository-template
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 9794746d6..5552785d3 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,12 +32,12 @@ jobs:
 
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v5.0.0
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 
 - name: "Run analysis"
- uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
 with:
 results_file: results.sarif
 results_format: sarif
@@ -68,6 +68,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
+ uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 with:
 sarif_file: results.sarif
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
index 6b5f90d73..9c5e690af 100644
--- a/scripts/config/pre-commit.yaml
+++ b/scripts/config/pre-commit.yaml
@@ -3,11 +3,6 @@ repos:
 rev: v5.0.0 # Use the ref you want to point at
 hooks:
 - id: trailing-whitespace
- exclude: |
- (?x)^(
- frontend/src/__tests__/.*\.tsx\.snap |
- frontend/src/__tests__/utils/markdownit/fixtures/index\.ts
- )$
 - id: detect-aws-credentials
 args: [--allow-missing-credentials]
 - id: check-added-large-files
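Review bot: Both `uses:` lines move from the exact tag `actions/checkout@v5.0.0` to the floating major tag `actions/checkout@v4`, a mutable reference: whatever `v4` points at on the day the scheduled job runs is what executes with this workflow's checkout credentials, and the change is a weakening of the pin rather than a plain version bump. scorecard.yml in the same commit pins the same action by full commit SHA (`actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`); using that form here keeps the two workflows consistent and the action immutable. If the upstream template deliberately uses `@v4`, a short comment saying so, e.g. `# floating major tag kept in step with the repository template`, would stop the next drift review from re-raising it.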
@@ -17,12 +12,8 @@ repos:
 - id: forbid-new-submodules
 - id: mixed-line-ending
 - id: pretty-format-json
- exclude: |
- (?x)^(
- .*/?package-lock.json |
- packages/event-schemas/schemas/[^/]+/[^/]+\.json
- )$
 args: ['--autofix']
+ exclude: '(^|/)package(-lock)?\.json$'
 # - id: ...
 - repo: local
 hooks:
@@ -42,7 +33,7 @@ repos:
 hooks:
 - id: check-file-format
 name: Check file format
- entry: /usr/bin/env check=branch exclude=frontend/src/__tests__/utils/markdownit/fixtures/index.ts ./scripts/githooks/check-file-format.sh
+ entry: /usr/bin/env check=branch ./scripts/githooks/check-file-format.sh
 language: script
 pass_filenames: false
 - repo: local
diff --git a/scripts/githooks/check-file-format.sh b/scripts/githooks/check-file-format.sh
index 79e44d571..b1e02efb9 100755
--- a/scripts/githooks/check-file-format.sh
+++ b/scripts/githooks/check-file-format.sh
@@ -67,10 +67,8 @@ function main() {
 esac
 
 if command -v editorconfig-checker > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
- echo "Running editorconfig-checker natively"
 filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-natively
 else
- echo "Running editorconfig-checker in Docker"
 filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-in-docker
 fi
 }
diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh
index 2c8f3ea7c..c39a080d4 100755
--- a/scripts/githooks/check-markdown-format.sh
+++ b/scripts/githooks/check-markdown-format.sh
@@ -52,7 +52,7 @@ function main() {
 esac
 
 if [ -n "$files" ]; then
- if command -v markdownlint-cli > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+ if command -v markdownlint > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
 files="$files" run-markdownlint-natively
 else
 files="$files" run-markdownlint-in-docker
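Review bot: The new `exclude: '(^|/)package(-lock)?\.json$'` drops the `packages/event-schemas/schemas/[^/]+/[^/]+\.json` exclusion in the same hunk, so if those schema files still exist in this repository `pretty-format-json --autofix` will rewrite them on the next commit; the `frontend/src/__tests__...` exclusions removed from trailing-whitespace in the previous hunk and from the check-file-format `entry:` in the next one have the same effect for those paths. The new pattern also excludes `package.json`, which the old one did not, so it is a behaviour change in both directions rather than a tidy-up. Worth confirming those directories are gone (the commit title suggests they are template leftovers), or extending the pattern, e.g. `exclude: '(^|/)package(-lock)?\.json$|^packages/event-schemas/schemas/[^/]+/[^/]+\.json$'`, with a one-line comment naming why each path is excluded.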
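Review bot: Dropping both `echo "Running editorconfig-checker ..."` lines makes the fallback silent: when `editorconfig-checker` is not on PATH the hook quietly switches to the Docker path, which pulls and runs an image, and a developer seeing a slow or failing hook has no output saying which path ran. If the noise was the problem, a single line on the Docker branch only, `echo "editorconfig-checker not found natively; running in Docker" >&2`, keeps the useful signal. `main()` starts outside the hunk.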
@@ -60,13 +60,13 @@ function main() {
 fi
 }
 
-# Run markdownlint-cli natively.
+# Run markdownlint natively.
 # Arguments (provided as environment variables):
 # files=[files to check]
 function run-markdownlint-natively() {
 # shellcheck disable=SC2086
- markdownlint-cli \
+ markdownlint \
 $files \
 --config "$PWD/scripts/config/markdownlint.yaml"
 }
diff --git a/scripts/githooks/check-todos.sh b/scripts/githooks/check-todos.sh
index 49a3663be..83b7a80e8 100755
--- a/scripts/githooks/check-todos.sh
+++ b/scripts/githooks/check-todos.sh
@@ -33,7 +33,6 @@ EXCLUDED_FILES=(
 "Makefile"
 "project.code-workspace"
 "src/jekyll-devcontainer/src/.devcontainer/devcontainer.json"
- ".eslintrc.json"
 )
 
 EXCLUDED_DIRS=(
diff --git a/scripts/lambda-container-build/docker.sh b/scripts/lambda-container-build/docker.sh
index 85b00958d..b86a87493 100755
--- a/scripts/lambda-container-build/docker.sh
+++ b/scripts/lambda-container-build/docker.sh
@@ -34,29 +34,21 @@ GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}"
 GHCR_LOGIN_USER="${GITHUB_ACTOR}"
 LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$PWD")}"
 
-## Set image tag suffix based on git metadata.
-# Publish exactly one suffix:
-# - release-- when HEAD is tagged
-# - sha- otherwise
-echo "Checking git metadata for image tag suffixes..."
-SHORT_SHA="$(git rev-parse --short HEAD)"
-SHA_SUFFIX="sha-${SHORT_SHA}"
+## Set IMAGE_TAG_SUFFIX based on git tag or short SHA for unique lambda image tagging in ECR.
+#This ensures that each build produces a uniquely identifiable image, and tagged releases are easily traceable.
+echo "Checking if current commit is a tag..."
 GIT_TAG="$(git describe --tags --exact-match 2>/dev/null || true)"
-
 if [ -n "$GIT_TAG" ]; then
- RELEASE_VERSION="${GIT_TAG#v}"
- RELEASE_SUFFIX="release-${RELEASE_VERSION}-${SHORT_SHA}"
- FINAL_SUFFIX="${RELEASE_SUFFIX}"
- echo "On tag: $GIT_TAG"
- echo "Publishing suffix: $FINAL_SUFFIX"
+ TAGGED="tag-$GIT_TAG"
+ echo "On tag: $GIT_TAG, exporting IMAGE_TAG_SUFFIX as tag: $TAGGED"
+ export IMAGE_TAG_SUFFIX="$TAGGED"
+
 else
- echo "Not on a tag"
- FINAL_SUFFIX="${SHA_SUFFIX}"
- echo "Publishing suffix: $FINAL_SUFFIX"
+ SHORT_SHA="sha-$(git rev-parse --short HEAD)"
+ echo "Not on a tag, exporting IMAGE_TAG_SUFFIX as short SHA: $SHORT_SHA"
+ export IMAGE_TAG_SUFFIX="$SHORT_SHA"
 fi
-export IMAGE_TAG_SUFFIX="$FINAL_SUFFIX"
-
 
 ## Check if we are running in the context of a Terraform apply or plan, and set PUBLISH_LAMBDA_IMAGE accordingly. We only want to push images to ECR on apply, not on plan.
 echo "Checking if ACTION is 'apply' to set PUBLISH_LAMBDA_IMAGE..."
 if [ "$ACTION" = "apply" ]; then
@@ -89,7 +81,6 @@ if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then
 echo "GHCR login successful."
 else
 echo "GHCR login failed!" >&2
- exit 1
 fi
 fi
 
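Review bot: `TAGGED="tag-$GIT_TAG"` drops the short SHA that the replaced `release-${RELEASE_VERSION}-${SHORT_SHA}` carried, so a tag that is moved or re-pushed to a different commit produces the same image tag for different contents, which is the opposite of what the new comment ("tagged releases are easily traceable") promises; it also uses the git tag name verbatim, and git tag names may contain `/` (e.g. `release/1.2`), which is not a valid Docker tag character and would make the `-t` on the build fail. Computing `SHORT_SHA="$(git rev-parse --short HEAD)"` once before the `if`, then `TAGGED="tag-$(printf '%s' "$GIT_TAG" | tr '/' '-')-${SHORT_SHA}"`, keeps the traceability and stays POSIX-sh safe (the shebang is not visible here, so I have avoided bash-only expansions). Two smaller points: `#This ensures...` is missing the space after `#` that every other comment in the hunk has, and `export IMAGE_TAG_SUFFIX` is now done in both branches where a single `export IMAGE_TAG_SUFFIX` after the `fi`, as the removed code did, is simpler.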
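Review bot: Removing `exit 1` after `echo "GHCR login failed!" >&2` turns a failed registry login into a warning, so the script carries on to `docker buildx build` with `BASE_IMAGE` pulled unauthenticated; if that base image is private the failure surfaces later as an opaque pull error, and if it is public the script silently proceeds without the credential it was given. If continuing is intentional, say so next to the echo, `# Non-fatal: BASE_IMAGE is pulled anonymously when GHCR login fails`; otherwise keep the `exit 1`. The enclosing `if [ -n "${GHCR_LOGIN_USER:-}" ] ...` block starts outside the hunk.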
@@ -99,10 +90,14 @@ IMAGE_TAG="${CSI}-${LAMBDA_NAME}"
 # Compose the full ECR image references.
 ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}"
 
-# Final tag name we will produce.
-IMAGE_TAG_FINAL="${ECR_REPO_URI}:${IMAGE_TAG}-${FINAL_SUFFIX}"
+# Final tag names we will produce
 
-echo "Will build and tag image: ${IMAGE_TAG_FINAL}"
+IMAGE_TAG_LATEST="${ECR_REPO_URI}:${IMAGE_TAG}-latest"
+IMAGE_TAG_SUFFIXED="${ECR_REPO_URI}:${IMAGE_TAG}-${IMAGE_TAG_SUFFIX}"
+
+echo "Will build and tag images:"
+echo " LATEST -> ${IMAGE_TAG_LATEST}"
+echo " SUFFIXED -> ${IMAGE_TAG_SUFFIXED}"
 
 # Build and tag the Docker image for the lambda.
 # --load makes the built image available to the local docker daemon (single-platform).
@@ -112,16 +107,20 @@ docker buildx build \
 --provenance=false \
 --sbom=false \
 --build-arg BASE_IMAGE="${BASE_IMAGE}" \
- -t "${IMAGE_TAG_FINAL}" \
+ -t "${IMAGE_TAG_LATEST}" \
+ -t "${IMAGE_TAG_SUFFIXED}" \
 --load \
 .
-# Push the image tag to ECR on apply only. The Terraform configuration references the deterministic suffixed tag.
+# Push the image tag(s) to ECR on apply only. The Terraform configuration will reference image digest.
 if [ "${PUBLISH_LAMBDA_IMAGE:-false}" = "true" ]; then
 echo "PUBLISH_LAMBDA_IMAGE is set to true. Pushing Docker images to ECR..."
- echo "Pushing ${IMAGE_TAG_FINAL}..."
- docker push "${IMAGE_TAG_FINAL}"
+
+ for TAG in "${IMAGE_TAG_LATEST}" "${IMAGE_TAG_SUFFIXED}"; do
+ echo "Pushing ${TAG}..."
+ docker push "${TAG}"
+ done
 echo "Push complete."
 else
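Review bot: `IMAGE_TAG_LATEST` reintroduces a mutable `-latest` tag next to the unique suffixed one: every apply overwrites it, so anything that resolves `${IMAGE_TAG}-latest` by name gets whichever build pushed last, and if the ECR repository has tag immutability enabled the second push of that tag is rejected (the push loop is in the following hunk, which is cut off here). The new comment in that hunk says Terraform will reference the image digest, in which case the `-latest` tag has no consumer and I would drop it; if it is kept, name the consumer, `# -latest is a convenience pointer for local pulls only; deployments pin the digest`. The removed single-line `echo "Will build and tag image: ..."` was also easier to grep in CI logs than the three-line block that replaces it.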