CCM-14499: Pinning all GitHub Actions to SHAs #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
name: "Commit stage"

# Workflow-wide default: every job starts with a read-only token. Jobs that
# need more (id-token: write for the report uploads, packages: read for the
# GitHub npm registry) widen it at job level rather than here.
permissions:
  contents: read

on:
  workflow_call:
    # NOTE(review): jobs below read secrets.IDP_AWS_REPORT_UPLOAD_* (and
    # secrets.GITHUB_TOKEN), yet no `secrets:` block is declared here. Confirm
    # the caller invokes this workflow with `secrets: inherit`; declaring the
    # four IDP_AWS_* secrets under workflow_call would make the contract explicit.
    #
    # NOTE(review): GitHub flags this file for hidden/bidirectional Unicode, and
    # several `uses:` lines render with the following key (`with:`, `- name:`)
    # collapsed onto the trailing `# v5` comment. Check the raw bytes at those
    # points: a `with:` swallowed by a comment would silently drop the
    # fetch-depth setting beneath it.
    #
    # NOTE(review): build_epoch, python_version, terraform_version and version
    # are required but not referenced by any job in this file — presumably
    # consumed by other stages of the calling pipeline; cannot tell from here.
    inputs:
      build_datetime:
        type: string
        required: true
        description: "Build datetime, set by the CI/CD pipeline workflow"
      build_timestamp:
        type: string
        required: true
        description: "Build timestamp, set by the CI/CD pipeline workflow"
      build_epoch:
        type: string
        required: true
        description: "Build epoch, set by the CI/CD pipeline workflow"
      nodejs_version:
        type: string
        required: true
        description: "Node.js version, set by the CI/CD pipeline workflow"
      python_version:
        type: string
        required: true
        description: "Python version, set by the CI/CD pipeline workflow"
      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
      # skip_trivy_package:
      #   description: "Skip Trivy package scan when true"
      #   type: boolean
      #   default: false
      terraform_version:
        type: string
        required: true
        description: "Terraform version, set by the CI/CD pipeline workflow"
      version:
        type: string
        required: true
        description: "Version of the software, set by the CI/CD pipeline workflow"
jobs:
  scan-secrets:
    name: "Scan secrets"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          # Whole history: the scanner walks every commit, not just the tip.
          fetch-depth: 0
      - name: "Scan secrets"
        # NOTE(review): `@3.0.8` is a tag, not a commit SHA. Tags can be moved,
        # so this reference is still mutable and is not covered by the SHA
        # pinning this change set out to do. Pin to the tag's commit (keeping
        # `3.0.8` in a trailing comment) or record why a same-org tag is accepted.
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.8
| check-file-format: | ||
| name: "Check file format" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: | ||
| fetch-depth: 0 # Full history is needed to compare branches | ||
| - name: "Check file format" | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.0.8 | ||
| check-markdown-format: | ||
| name: "Check Markdown format" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: | ||
| fetch-depth: 0 # Full history is needed to compare branches | ||
| - name: "Check Markdown format" | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.0.8 | ||
| terraform-docs: | ||
| name: "Run terraform-docs" | ||
| runs-on: ubuntu-latest | ||
| needs: detect-terraform-changes | ||
| if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: | ||
| fetch-depth: 0 # Full history is needed to compare branches | ||
| - name: "Check to see if Terraform Docs are up-to-date" | ||
| run: | | ||
| make terraform-docs | ||
| - name: "Stage changes" | ||
| run: | | ||
| git add infrastructure/terraform/**/*.md | ||
| - name: "Check for changes in Terraform Docs" | ||
| run: | | ||
| if git diff --cached --name-only | grep -qE '\.md$'; then | ||
| echo "Markdown files have changed. Please run 'make terraform-docs' and commit the changes." | ||
| exit 1 | ||
| fi | ||
| check-english-usage: | ||
| name: "Check English usage" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: | ||
| fetch-depth: 0 # Full history is needed to compare branches | ||
| - name: "Check English usage" | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.0.8 | ||
| check-todo-usage: | ||
| name: "Check TODO usage" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: | ||
| fetch-depth: 0 # Full history is needed to compare branches | ||
| - name: "Check TODO usage" | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@3.0.8 | ||
| detect-terraform-changes: | ||
| name: "Detect Terraform Changes" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| terraform_changed: ${{ steps.check.outputs.terraform_changed }} | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
| - name: "Check for Terraform changes" | ||
| id: check | ||
| run: | | ||
| git fetch origin main || true # Ensure you have the latest main branch | ||
| CHANGED_FILES=$(git diff --name-only HEAD origin/main) | ||
| echo "Changed files: $CHANGED_FILES" | ||
| if echo "$CHANGED_FILES" | grep -qE '\.tf$'; then | ||
| echo "Terraform files have changed." | ||
| echo "terraform_changed=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "No Terraform changes detected." | ||
| echo "terraform_changed=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| lint-terraform: | ||
| name: "Lint Terraform" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| needs: detect-terraform-changes | ||
| if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Setup ASDF" | ||
| uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 | ||
| - name: "Lint Terraform" | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/lint-terraform@3.0.8 | ||
| # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 | ||
| # trivy-iac: | ||
| # name: "Trivy IaC Scan" | ||
| # permissions: | ||
| # contents: read | ||
| # packages: read | ||
| # runs-on: ubuntu-latest | ||
| # timeout-minutes: 10 | ||
| # needs: detect-terraform-changes | ||
| # if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' | ||
| # env: | ||
| # NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| # steps: | ||
| # - name: "Checkout code" | ||
| # uses: actions/checkout@v4 | ||
| # - name: "Setup ASDF" | ||
| # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 | ||
| # - name: "Trivy IaC Scan" | ||
| # uses: ./.github/actions/trivy-iac | ||
| # trivy-package: | ||
| # if: ${{ !inputs.skip_trivy_package }} | ||
| # name: "Trivy Package Scan" | ||
| # permissions: | ||
| # contents: read | ||
| # packages: read | ||
| # runs-on: ubuntu-latest | ||
| # timeout-minutes: 10 | ||
| # steps: | ||
| # - name: "Checkout code" | ||
| # uses: actions/checkout@v4 | ||
| # - name: "Setup ASDF" | ||
| # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 | ||
| # - name: "Trivy Package Scan" | ||
| # uses: ./.github/actions/trivy-package | ||
| count-lines-of-code: | ||
| name: "Count lines of code" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Count lines of code" | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.8 | ||
| with: | ||
| build_datetime: "${{ inputs.build_datetime }}" | ||
| build_timestamp: "${{ inputs.build_timestamp }}" | ||
| idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}" | ||
| idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}" | ||
| idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}" | ||
| idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}" | ||
| scan-dependencies: | ||
| name: "Scan dependencies" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Scan dependencies" | ||
| uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.8 | ||
| with: | ||
| build_datetime: "${{ inputs.build_datetime }}" | ||
| build_timestamp: "${{ inputs.build_timestamp }}" | ||
| idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}" | ||
| idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}" | ||
| idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}" | ||
| idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}" | ||
| detect-event-schema-package-changes: | ||
| name: "Check for changes to event schema package compared to main branch" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| changed: ${{ steps.check.outputs.changed }} | ||
| main_version: ${{ steps.check.outputs.main_version }} | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: | ||
| fetch-depth: 0 | ||
| - name: Detect package changes and current version | ||
| id: check | ||
| run: | | ||
| git fetch origin main | ||
| if git diff --quiet origin/main...HEAD -- internal/events; then | ||
| echo "No changes in event schemas package" | ||
| echo "changed=false" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "Changes detected in event schemas" | ||
| echo "changed=true" >> $GITHUB_OUTPUT | ||
| fi | ||
| if content=$(git show origin/main:internal/events/package.json 2>/dev/null); then | ||
| version=$(jq -r .version <<< $content); | ||
| else | ||
| version=null; | ||
| fi | ||
| echo "Detected package version $version in main branch" | ||
| echo "main_version=$version" >> $GITHUB_OUTPUT | ||
| check-schema-version-change: | ||
| name: Check event schema version has been updated | ||
| needs: detect-event-schema-package-changes | ||
| if: needs.detect-event-schema-package-changes.outputs.changed == 'true' | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| - name: Check schema versions | ||
| run: | | ||
| source scripts/is_valid_increment.sh | ||
| main_version="${{ needs.detect-event-schema-package-changes.outputs.main_version }}" | ||
| echo "Main version: ${{ needs.detect-event-schema-package-changes.outputs.main_version }}" | ||
| local_version=$(jq -r '.version' internal/events/package.json) | ||
| echo "Local version: $local_version" | ||
| if ! is_valid_increment "$main_version" "$local_version" ; then | ||
| echo "Error: Event Schema package has changed, but new version ($local_version) is not a valid increment from latest version on main branch ($main_version)." | ||
| exit 1 | ||
| fi | ||
| check-event-schemas-version-change: | ||
| name: Check for event schemas package version change | ||
| needs: detect-event-schema-package-changes | ||
| if: needs.detect-event-schema-package-changes.outputs.changed == 'true' | ||
| outputs: | ||
| version_changed: ${{ steps.check-version.outputs.version_changed }} | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| packages: read | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.0 | ||
| - name: Setup NodeJS | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: | ||
| node-version: ${{ inputs.nodejs_version }} | ||
| registry-url: "https://npm.pkg.github.com" | ||
| - name: check if local version differs from latest published version | ||
| id: check-version | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| published_version=$(npm view @nhsdigital/nhs-notify-event-schemas-supplier-api --json 2>/dev/null | jq -r '.["dist-tags"].latest // "null"') | ||
| echo "Published version: $published_version" | ||
| local_version=$(jq -r '.version' internal/events/package.json) | ||
| echo "Local version: $local_version" | ||
| if [[ $local_version = $published_version ]]; then | ||
| echo "ERROR: Local version is the same as the latest published version, but event schemas have changed" | ||
| echo "version_changed=false" >> $GITHUB_OUTPUT | ||
| exit 1 | ||
| else | ||
| echo "Local version is different to the latest published version - a new version will be published" | ||
| echo "version_changed=true" >> $GITHUB_OUTPUT | ||
| fi | ||