NHSDigital
diff --git a/‎.azuredevops/pipelines/deploy-app.yml‎
Lines changed: 49 additions & 0 deletions b/‎.azuredevops/pipelines/deploy-app.yml‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎.azuredevops/pipelines/deploy.yml‎
Lines changed: 55 additions & 0 deletions b/‎.azuredevops/pipelines/deploy.yml‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/1_support_request.yaml‎
Lines changed: 52 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/1_support_request.yaml‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/2_feature_request.yaml‎
Lines changed: 42 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/2_feature_request.yaml‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/3_bug_report.yaml‎
Lines changed: 63 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/3_bug_report.yaml‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎.github/SECURITY.md‎
Lines changed: 34 additions & 0 deletions b/‎.github/SECURITY.md‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎.github/workflows/cicd-1-pull-request.yaml‎
Lines changed: 40 additions & 2 deletions b/‎.github/workflows/cicd-1-pull-request.yaml‎
Lines changed: 40 additions & 2 deletions
@@ -0,0 +1,49 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: releaseTag
+    displayName: Release tag to deploy
+    type: string
+
+  - name: environment
+    displayName: Environment
+    type: string
+
+  - name: pool
+    displayName: ADO management pool
+    type: string
+
+
+stages:
+  - stage: ${{ parameters.environment }}
+    displayName: Deploy gateway app to ${{ parameters.environment }}
+    pool:
+      name: ${{ parameters.pool }}
+    lockBehavior: sequential
+    isSkippable: false
+
+    jobs:
+      - deployment: DeployGatewayApp
+        displayName: Deploy gateway app
+        environment: ${{ parameters.environment }}
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - task: AzureCLI@2
+                  displayName: Deploy gateway app to ${{ parameters.environment }}
+                  inputs:
+                    azureSubscription: manbgw-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      export ARM_USE_AZUREAD=true
+                      make ci ${{ parameters.environment }} deploy-app RELEASE_TAG="${{ parameters.releaseTag }}"
@@ -0,0 +1,55 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: commitSHA
+    displayName: Commit SHA
+    type: string
+  - name: environment
+    displayName: Environment
+    type: string
+  - name: pool
+    displayName: ADO management pool
+    type: string
+
+stages:
+  - stage: ${{ parameters.environment }}
+    displayName: Deploy Arc infrastructure to ${{ parameters.environment }}
+    pool:
+      name: ${{ parameters.pool }}
+    lockBehavior: sequential
+    isSkippable: false
+
+    jobs:
+      - deployment: DeployArcInfra
+        displayName: Deploy Arc infrastructure
+        environment: ${{ parameters.environment }}
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - bash: |
+                    TF_VERSION=$(grep "^terraform" .tool-versions | awk '{print $2}')
+                    echo "##vso[task.setvariable variable=TF_VERSION]$TF_VERSION"
+                  displayName: Get Terraform version from .tool-versions
+
+                - task: TerraformInstaller@1
+                  displayName: Install Terraform
+                  inputs:
+                    terraformVersion: $(TF_VERSION)
+
+                - task: AzureCLI@2
+                  displayName: Run Terraform
+                  inputs:
+                    azureSubscription: manbgw-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci ${{ parameters.environment }} terraform-apply
@@ -0,0 +1,52 @@
+# See:
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/common-validation-errors-when-creating-issue-forms
+
+name: 🔧 Support Request
+description: Get help
+labels: ['support']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a support request. Please fill out this form as completely as possible.
+  - type: textarea
+    attributes:
+      label: What exactly are you trying to do?
+      description: Describe in as much detail as possible.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What have you tried so far?
+      description: Describe what you have tried so far.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Output of any commands you have tried
+      description: Please copy and paste any relevant output. This will be automatically formatted into codeblock.
+      render: Shell
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Additional context
+      description: Add any other context about the problem here.
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue you agree to follow our [Code of Conduct](../../docs/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true
+  - type: checkboxes
+    attributes:
+      label: Sensitive Information Declaration
+      description: To ensure the utmost confidentiality and protect your privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this form. We appreciate your cooperation in maintaining the security of your information.
+      options:
+        - label: I confirm that neither PII/PID nor sensitive data are included in this form
+          required: true
@@ -0,0 +1,42 @@
+# See:
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/common-validation-errors-when-creating-issue-forms
+
+name: 🚀 Feature Request
+description: Suggest an idea for this project
+labels: ['feature request']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a feature request. Please fill out this form as completely as possible.
+  - type: textarea
+    attributes:
+      label: What is the problem this feature will solve?
+      description: Tell us why this change is needed or helpful and what problems it may help solve.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What is the feature that you are proposing to solve the problem?
+      description: Provide detailed information for what we should add.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What alternatives have you considered?
+  - type: checkboxes
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue you agree to follow our [Code of Conduct](../../docs/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true
+  - type: checkboxes
+    attributes:
+      label: Sensitive Information Declaration
+      description: To ensure the utmost confidentiality and protect your privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this form. We appreciate your cooperation in maintaining the security of your information.
+      options:
+        - label: I confirm that neither PII/PID nor sensitive data are included in this form
+          required: true
@@ -0,0 +1,63 @@
+# See:
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms
+# - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/common-validation-errors-when-creating-issue-forms
+
+name: 🐞 Bug Report
+description: File a bug report
+labels: ['bug', 'triage']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug report. Please fill out this form as completely as possible.
+  - type: checkboxes
+    attributes:
+      label: Is there an existing issue for this?
+      description: Please, search the Issues to see if an issue already exists for the bug you have encountered.
+      options:
+        - label: I have searched the existing Issues
+          required: true
+  - type: textarea
+    attributes:
+      label: Current Behavior
+      description: A concise description of what you are experiencing.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected Behavior
+      description: A concise description of what you expect to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Steps To Reproduce
+      description: Steps to reproduce the behavior
+      placeholder: |
+        1. In this environment...
+        2. With this config...
+        3. Run `...`
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Output
+      description: Please copy and paste any relevant output. This will be automatically formatted into codeblock.
+      render: Shell
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue you agree to follow our [Code of Conduct](../../docs/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true
+  - type: checkboxes
+    attributes:
+      label: Sensitive Information Declaration
+      description: To ensure the utmost confidentiality and protect your privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this form. We appreciate your cooperation in maintaining the security of your information.
+      options:
+        - label: I confirm that neither PII/PID nor sensitive data are included in this form
+          required: true
@@ -0,0 +1,34 @@
+# Security
+
+NHS England takes security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems and/or private data managed by our systems, please do not hesitate to contact us using the methods outlined below.
+
+## Table of Contents
+
+- [Security](#security)
+  - [Table of Contents](#table-of-contents)
+  - [Reporting a vulnerability](#reporting-a-vulnerability)
+    - [Email](#email)
+    - [NCSC](#ncsc)
+  - [General Security Enquiries](#general-security-enquiries)
+
+## Reporting a vulnerability
+
+Please note, email is our preferred method of receiving reports.
+
+### Email
+
+If you wish to notify us of a vulnerability via email, please include detailed information on the nature of the vulnerability and any steps required to reproduce it.
+
+You can reach us at:
+
+- [cybersecurity@nhs.net](cybersecurity@nhs.net)
+
+### NCSC
+
+You can send your report to the National Cyber Security Centre, who will assess your report and pass it on to NHS England if necessary.
+
+You can report vulnerabilities here: [https://www.ncsc.gov.uk/information/vulnerability-reporting](https://www.ncsc.gov.uk/information/vulnerability-reporting)
+
+## General Security Enquiries
+
+If you have general enquiries regarding our cybersecurity, please reach out to us at [cybersecurity@nhs.net](cybersecurity@nhs.net)
@@ -2,14 +2,17 @@ name: "CI/CD: Pull Request"
 
 on:
   pull_request:
+    types: [opened, synchronize, reopened, labeled]
 
 concurrency:
-  group: cicd-${{ github.ref }}
+  group: pr-${{ github.ref }}
   cancel-in-progress: true
 
 permissions:
-  contents: read
+  contents: write       # needed to create pre-releases
+  id-token: write
   security-events: write
+  attestations: write   # needed by stage-3-build (attest-build-provenance)
 
 jobs:
   commit-stage:
@@ -20,3 +23,38 @@ jobs:
     needs: commit-stage
     uses: ./.github/workflows/stage-2-test.yaml
     secrets: inherit
+
+  deploy-stage:
+    name: Deploy stage
+    needs: [commit-stage, test-stage]
+    permissions:
+      id-token: write
+    uses: ./.github/workflows/stage-4-deploy.yaml
+    with:
+      environments: '["review"]'
+      commit_sha: ${{ github.event.pull_request.head.sha }}
+    secrets: inherit
+
+  # Build and publish a pre-release when the 'deploy' label is present.
+  # Runs on every push while the label is active (synchronize re-triggers this).
+  build-for-deploy:
+    name: Build for deploy
+    needs: [commit-stage, test-stage]
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    uses: ./.github/workflows/stage-3-build.yaml
+    with:
+      pr_number: ${{ github.event.pull_request.number }}
+    secrets: inherit
+
+  deploy-app-stage:
+    name: Deploy app stage
+    needs: [build-for-deploy, deploy-stage]
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    permissions:
+      id-token: write
+    uses: ./.github/workflows/stage-4-deploy-app.yaml
+    with:
+      environments: '["review"]'
+      release_tag: pr-${{ github.event.pull_request.number }}
+      commit_sha: ${{ github.event.pull_request.head.sha }}
+    secrets: inherit