CCM-14499: Pinning all GitHub Actions to SHAs #1

CCM-14499: Pinning all GitHub Actions to SHAs

CCM-14499: Pinning all GitHub Actions to SHAs #1

Workflow file for this run

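# Reusable commit-stage workflow (invoked via `workflow_call` from the pipeline
# workflow). Every job checks out the repository and runs one class of check:
# secret scanning, formatting, Terraform docs/lint, SBOM/report uploads and the
# event-schema package version guards.
#
# Third-party actions are pinned to full commit SHAs with the tag recorded in a
# trailing comment. NOTE(review): the NHSDigital/nhs-notify-shared-modules
# actions are still referenced by the mutable tag `3.0.8`; to complete the
# "pin everything to SHAs" change they should reference that tag's commit SHA
# (keeping `# 3.0.8` as the trailing comment) so the tag cannot be moved under
# this workflow.
name: "Commit stage"

# Workflow-wide default: the GITHUB_TOKEN can only read repository contents.
# Jobs that need more (OIDC token for the AWS report upload, GitHub Packages)
# widen this explicitly and individually on the job itself.
permissions:
  contents: read

on:
  workflow_call:
    inputs:
      build_datetime:
        description: "Build datetime, set by the CI/CD pipeline workflow"
        required: true
        type: string
      build_timestamp:
        description: "Build timestamp, set by the CI/CD pipeline workflow"
        required: true
        type: string
      build_epoch:
        description: "Build epoch, set by the CI/CD pipeline workflow"
        required: true
        type: string
      nodejs_version:
        description: "Node.js version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      python_version:
        description: "Python version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
      # skip_trivy_package:
      #   description: "Skip Trivy package scan when true"
      #   type: boolean
      #   default: false
      terraform_version:
        description: "Terraform version, set by the CI/CD pipeline workflow"
        required: true
        type: string
      version:
        description: "Version of the software, set by the CI/CD pipeline workflow"
        required: true
        type: string

jobs:
  scan-secrets:
    name: "Scan secrets"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        # `with:` must sit on its own line. When it trails the `# v5` pin
        # comment it is itself commented out, `fetch-depth` becomes an unknown
        # key of the step and GitHub rejects the workflow as invalid YAML.
        with:
          fetch-depth: 0 # Full history is needed to scan all commits
      - name: "Scan secrets"
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-secrets@3.0.8

  check-file-format:
    name: "Check file format"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 0 # Full history is needed to compare branches
      - name: "Check file format"
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-file-format@3.0.8

  check-markdown-format:
    name: "Check Markdown format"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 0 # Full history is needed to compare branches
      - name: "Check Markdown format"
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-markdown-format@3.0.8

  terraform-docs:
    name: "Run terraform-docs"
    runs-on: ubuntu-latest
    timeout-minutes: 10
    needs: detect-terraform-changes
    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
    # This job only regenerates the docs and fails the run if they differ from
    # what is committed; nothing in it pushes or creates a commit, so the token
    # does not need `contents: write`. Keep it at the workflow default.
    permissions:
      contents: read
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 0 # Full history is needed to compare branches
      - name: "Check to see if Terraform Docs are up-to-date"
        run: |
          make terraform-docs
      - name: "Stage changes"
        run: |
          git add infrastructure/terraform/**/*.md
      - name: "Check for changes in Terraform Docs"
        # Anything `make terraform-docs` changed is now staged; a staged .md
        # file means the committed docs are stale.
        run: |
          if git diff --cached --name-only | grep -qE '\.md$'; then
            echo "Markdown files have changed. Please run 'make terraform-docs' and commit the changes."
            exit 1
          fi

  check-english-usage:
    name: "Check English usage"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 0 # Full history is needed to compare branches
      - name: "Check English usage"
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-english-usage@3.0.8

  check-todo-usage:
    name: "Check TODO usage"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 0 # Full history is needed to compare branches
      - name: "Check TODO usage"
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/check-todo-usage@3.0.8

  detect-terraform-changes:
    name: "Detect Terraform Changes"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      # 'true' when any .tf file differs between HEAD and origin/main; gates
      # the terraform-docs and lint-terraform jobs.
      terraform_changed: ${{ steps.check.outputs.terraform_changed }}
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: "Check for Terraform changes"
        id: check
        run: |
          # NOTE(review): `|| true` hides a failed fetch, but the diff below
          # then fails on the missing origin/main ref anyway, so the job still
          # stops - only with a less direct error message. The sibling job
          # detect-event-schema-package-changes fetches without it.
          git fetch origin main || true # Ensure you have the latest main branch
          CHANGED_FILES=$(git diff --name-only HEAD origin/main)
          echo "Changed files: $CHANGED_FILES"
          if echo "$CHANGED_FILES" | grep -qE '\.tf$'; then
            echo "Terraform files have changed."
            echo "terraform_changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "No Terraform changes detected."
            echo "terraform_changed=false" >> "$GITHUB_OUTPUT"
          fi

  lint-terraform:
    name: "Lint Terraform"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: detect-terraform-changes
    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      # This step must start on its own line: appended after the `# v5` pin
      # comment it was commented out and its `uses:` became a duplicate key of
      # the checkout step.
      - name: "Setup ASDF"
        # NOTE(review): record the tag this SHA was taken from as a trailing
        # comment (as done for actions/checkout) so pin-update tooling and
        # reviewers can tell which release it is.
        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
      - name: "Lint Terraform"
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/lint-terraform@3.0.8

  # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
  # NOTE(review): when these jobs are re-enabled, `actions/checkout@v4` and the
  # asdf-vm SHA below should be brought in line with the SHA pins used above.
  # trivy-iac:
  #   name: "Trivy IaC Scan"
  #   permissions:
  #     contents: read
  #     packages: read
  #   runs-on: ubuntu-latest
  #   timeout-minutes: 10
  #   needs: detect-terraform-changes
  #   if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
  #   env:
  #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  #   steps:
  #     - name: "Checkout code"
  #       uses: actions/checkout@v4
  #     - name: "Setup ASDF"
  #       uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
  #     - name: "Trivy IaC Scan"
  #       uses: ./.github/actions/trivy-iac
  # trivy-package:
  #   if: ${{ !inputs.skip_trivy_package }}
  #   name: "Trivy Package Scan"
  #   permissions:
  #     contents: read
  #     packages: read
  #   runs-on: ubuntu-latest
  #   timeout-minutes: 10
  #   steps:
  #     - name: "Checkout code"
  #       uses: actions/checkout@v4
  #     - name: "Setup ASDF"
  #       uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
  #     - name: "Trivy Package Scan"
  #       uses: ./.github/actions/trivy-package

  count-lines-of-code:
    name: "Count lines of code"
    runs-on: ubuntu-latest
    # `id-token: write` is what lets the shared action mint an OIDC token for
    # the AWS report-upload role named in the idp_aws_* inputs.
    permissions:
      id-token: write
      contents: read
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: "Count lines of code"
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.8
        with:
          build_datetime: "${{ inputs.build_datetime }}"
          build_timestamp: "${{ inputs.build_timestamp }}"
          idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
          idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
          idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
          idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"

  scan-dependencies:
    name: "Scan dependencies"
    runs-on: ubuntu-latest
    # Same OIDC upload path as count-lines-of-code.
    permissions:
      id-token: write
      contents: read
    timeout-minutes: 5
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: "Scan dependencies"
        uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.8
        with:
          build_datetime: "${{ inputs.build_datetime }}"
          build_timestamp: "${{ inputs.build_timestamp }}"
          idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
          idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
          idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
          idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"

  detect-event-schema-package-changes:
    name: "Check for changes to event schema package compared to main branch"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    outputs:
      # 'true' when internal/events differs from the merge-base with main.
      changed: ${{ steps.check.outputs.changed }}
      # Version field of internal/events/package.json on main, or the literal
      # string "null" if that file does not exist there.
      main_version: ${{ steps.check.outputs.main_version }}
    steps:
      - name: "Checkout code"
        # NOTE(review): this job and check-schema-version-change still pin the
        # v4 checkout while the rest of the workflow uses the v5 SHA above.
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - name: Detect package changes and current version
        id: check
        run: |
          git fetch origin main
          if git diff --quiet origin/main...HEAD -- internal/events; then
            echo "No changes in event schemas package"
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "Changes detected in event schemas"
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi
          if content=$(git show origin/main:internal/events/package.json 2>/dev/null); then
            version=$(jq -r .version <<< "$content")
          else
            version=null
          fi
          echo "Detected package version $version in main branch"
          echo "main_version=$version" >> "$GITHUB_OUTPUT"

  check-schema-version-change:
    name: Check event schema version has been updated
    needs: detect-event-schema-package-changes
    if: needs.detect-event-schema-package-changes.outputs.changed == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Check schema versions
        # The job output is handed to the script through `env:` rather than
        # being expanded with `${{ }}` inside `run:`. An expression inside
        # `run:` is substituted into the shell source before it executes, so a
        # value containing shell metacharacters would be run, not compared;
        # an environment variable is always just data.
        env:
          MAIN_VERSION: ${{ needs.detect-event-schema-package-changes.outputs.main_version }}
        run: |
          source scripts/is_valid_increment.sh
          main_version="$MAIN_VERSION"
          echo "Main version: $main_version"
          local_version=$(jq -r '.version' internal/events/package.json)
          echo "Local version: $local_version"
          if ! is_valid_increment "$main_version" "$local_version" ; then
            echo "Error: Event Schema package has changed, but new version ($local_version) is not a valid increment from latest version on main branch ($main_version)."
            exit 1
          fi

  check-event-schemas-version-change:
    name: Check for event schemas package version change
    needs: detect-event-schema-package-changes
    if: needs.detect-event-schema-package-changes.outputs.changed == 'true'
    outputs:
      version_changed: ${{ steps.check-version.outputs.version_changed }}
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # `packages: read` lets GITHUB_TOKEN query the GitHub Packages npm registry.
    permissions:
      contents: read
      packages: read
    steps:
      - name: Checkout code
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.0
      - name: Setup NodeJS
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: ${{ inputs.nodejs_version }}
          registry-url: "https://npm.pkg.github.com"
      - name: check if local version differs from latest published version
        id: check-version
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # "null" when the package has never been published (or npm view fails).
          published_version=$(npm view @nhsdigital/nhs-notify-event-schemas-supplier-api --json 2>/dev/null | jq -r '.["dist-tags"].latest // "null"')
          echo "Published version: $published_version"
          local_version=$(jq -r '.version' internal/events/package.json)
          echo "Local version: $local_version"
          # Both sides quoted: inside [[ ]] an unquoted right-hand side is a
          # glob pattern, so this is a plain string equality check.
          if [[ "$local_version" = "$published_version" ]]; then
            echo "ERROR: Local version is the same as the latest published version, but event schemas have changed"
            echo "version_changed=false" >> "$GITHUB_OUTPUT"
            exit 1
          else
            echo "Local version is different to the latest published version - a new version will be published"
            echo "version_changed=true" >> "$GITHUB_OUTPUT"
          fi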