From e435a2ab58f8616db34fe15047de6a98a19f1ab4 Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss <54067008+aidenvaines-bjss@users.noreply.github.com>
Date: Tue, 1 Oct 2024 00:04:58 +0000
Subject: [PATCH] Drift from template
---
 .editorconfig | 10 ++
 .github/CODEOWNERS | 79 +++++++++++++++
 .github/actions/lint-terraform/action.yaml | 1 +
 .gitignore | 5 +-
 .gitleaksignore | 2 +
 .tool-versions | 9 +-
 Makefile | 15 +--
 infrastructure/.gitignore | 21 +++-
 infrastructure/modules/.gitkeep | 0
 infrastructure/terraform/.gitignore | 10 +-
 infrastructure/terraform/README | 3 +
 infrastructure/terraform/modules/.gitkeep | 0
 scripts/config/gitleaks.toml | 13 ++-
 scripts/config/pre-commit.yaml | 97 +++++++++++--------
 .../config/vocabularies/words/accept.txt | 27 ++++++
 .../config/vocabularies/words/reject.txt | 1 +
 .../assets/hello_world/requirements.txt | 4 +-
 scripts/git-repo/auto-link.md | 11 +++
 scripts/git-repo/auto-link.sh | 9 ++
 scripts/git-repo/branch-protection.md | 11 +++
 scripts/git-repo/branch-protection.sh | 48 +++++++++
 scripts/githooks/check-markdown-format.sh | 2 +-
 scripts/githooks/sort-dictionary.sh | 48 +++++++++
 tests/.gitkeep | 0
 24 files changed, 363 insertions(+), 63 deletions(-)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 infrastructure/modules/.gitkeep
 create mode 100644 infrastructure/terraform/README
 create mode 100644 infrastructure/terraform/modules/.gitkeep
 create mode 100644 scripts/config/vale/styles/config/vocabularies/words/accept.txt
 create mode 100644 scripts/config/vale/styles/config/vocabularies/words/reject.txt
 create mode 100644 scripts/git-repo/auto-link.md
 create mode 100644 scripts/git-repo/auto-link.sh
 create mode 100644 scripts/git-repo/branch-protection.md
 create mode 100755 scripts/git-repo/branch-protection.sh
 create mode 100755 scripts/githooks/sort-dictionary.sh
 create mode 100644 tests/.gitkeep
diff --git a/.editorconfig b/.editorconfig
index 02e8abc..fd5c354 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -19,3 +19,13 @@ indent_size = 4
 [{Makefile,*.mk,go.mod,go.sum,*.go,.gitmodules}]
 indent_style = tab
+
+# Ignore paths
+[Gemfile.lock]
+charset = unset
+end_of_line = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+indent_style = unset
+indent_size = unset
+generated_code = true
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..44937ff
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,79 @@
+# NHS Notify Code Owners
+
+# Notify default owners
+* @rossbugginsnhs @m-houston @aidenvaines-bjss @timireland
+
+# Codeowners must be final check
+/.github/CODEOWNERS @NHSDigital/nhs-notify-code-owners
+/CODEOWNERS @NHSDigital/nhs-notify-code-owners
+
+
+# Each NHS Notify repository should have clear code owners set.
+# Do not use GitHub team names, instead use the GitHub usernames
+# of the people who are responsible for the code maintenance.
+
+# This is a comment.
+# Each line is a file pattern followed by one or more owners.
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# @global-owner1 and @global-owner2 will be requested for
+# review when someone opens a pull request.
+# * @global-owner1 @global-owner2
+
+# Order is important; the last matching pattern takes the most
+# precedence. When someone opens a pull request that only
+# modifies JS files, only @js-owner and not the global
+# owner(s) will be requested for a review.
+# *.js @js-owner #This is an inline comment.
+
+# You can also use email addresses if you prefer. They'll be
+# used to look up users just like we do for commit author
+# emails.
+# *.go docs@example.com
+
+# Teams can be specified as code owners as well. Teams should
+# be identified in the format @org/team-name. Teams must have
+# explicit write access to the repository. In this example,
+# the octocats team in the octo-org organization owns all .txt files.
+# *.txt @octo-org/octocats
+
+# In this example, @doctocat owns any files in the build/logs
+# directory at the root of the repository and any of its
+# subdirectories.
+# /build/logs/ @doctocat
+
+# The `docs/*` pattern will match files like
+# `docs/getting-started.md` but not further nested files like
+# `docs/build-app/troubleshooting.md`.
+# docs/* docs@example.com
+
+# In this example, @octocat owns any file in an apps directory
+# anywhere in your repository.
+# apps/ @octocat
+
+# In this example, @doctocat owns any file in the `/docs`
+# directory in the root of your repository and any of its
+# subdirectories.
+# /docs/ @doctocat
+
+# In this example, any change inside the `/scripts` directory
+# will require approval from @doctocat or @octocat.
+# /scripts/ @doctocat @octocat
+
+# In this example, @octocat owns any file in a `/logs` directory such as
+# `/build/logs`, `/scripts/logs`, and `/deeply/nested/logs`. Any changes
+# in a `/logs` directory will require approval from @octocat.
+# **/logs @octocat
+
+# In this example, @octocat owns any file in the `/apps`
+# directory in the root of your repository except for the `/apps/github`
+# subdirectory, as its owners are left empty.
+# /apps/ @octocat
+# /apps/github
+
+# In this example, @octocat owns any file in the `/apps`
+# directory in the root of your repository except for the `/apps/github`
+# subdirectory, as this subdirectory has its own owner @doctocat
+# /apps/ @octocat
+# /apps/github @doctocat
diff --git a/.github/actions/lint-terraform/action.yaml b/.github/actions/lint-terraform/action.yaml
index d5dfe35..28d990c 100644
--- a/.github/actions/lint-terraform/action.yaml
+++ b/.github/actions/lint-terraform/action.yaml
@@ -16,5 +16,6 @@ runs:
 run: |
 stacks=${{ inputs.root-modules }}
 for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+ dir=$dir opts='-backend=false' make terraform-init
 dir=$dir make terraform-validate
 done
diff --git a/.gitignore b/.gitignore
index 2ff3a87..a0ad8fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,11 +6,8 @@
 *vulnerabilities*report*.json
 *report*json.zip
 .version
-
+version.json
 *.code-workspace
 !project.code-workspace
 # Please, add your custom content below!
-
-#plugin-cache
-plugin-cache/
diff --git a/.gitleaksignore b/.gitleaksignore
index cceb449..1c92293 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
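Review bot: The guidance line `# Do not use GitHub team names, instead use the GitHub usernames` is contradicted a few lines above it, where `/.github/CODEOWNERS` and `/CODEOWNERS` are owned by the team `@NHSDigital/nhs-notify-code-owners`; either the comment should record the exception (`# Team ownership is deliberate here so that CODEOWNERS edits need the code-owners group`) or those two entries should name people. The template text further down notes that a team is only honoured as an owner when it has explicit write access to the repository, so that should be confirmed for the team if it is kept. The remaining sixty-odd lines are verbatim GitHub example comments with no repository-specific content and could be dropped so the live rules are not buried.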
@@ -1,3 +1,5 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
+96096685ab3d6876671e2bc9a6ff4d48fc56e521:src/helloworld/helloworld.sln:ipv4:4
+4f4e8c15629b2cb09356a7fed4d72953590227ce:docs/Gemfile.lock:ipv4:4
diff --git a/.tool-versions b/.tool-versions
index 0e6e096..13b6acd 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,8 +1,9 @@
-# This file is for you! Please, updated to the versions agreed by your team.
-
+act 0.2.64
+gitleaks 8.18.4
 pre-commit 3.6.0
-terraform 1.7.0
+terraform 1.9.2
 tfsec 1.28.10
+vale 3.6.0
 # ==============================================================================
 # The section below is reserved for Docker image versions.
@@ -16,7 +17,7 @@ tfsec 1.28.10
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
 # docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags
 # docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags
-# docker/jdkato/vale v2.29.7@sha256:5ccfac574231b006284513ac3e4e9f38833989d83f2a68db149932c09de85149 # SEE: https://hub.docker.com/r/jdkato/vale/tags
+# docker/jdkato/vale v3.6.0@sha256:0ef22c8d537f079633cfff69fc46f69a2196072f69cab1ab232e8a79a388e425 # SEE: https://hub.docker.com/r/jdkato/vale/tags
 # docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
 # docker/mstruebing/editorconfig-checker 2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24 # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags
 # docker/sonarsource/sonar-scanner-cli 5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags
diff --git a/Makefile b/Makefile
index 9013a5b..ea70e95 100644
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,7 @@ dependencies: # Install dependencies needed to build and test the project @Pipel
 # TODO: Implement installation of your project dependencies
 build: # Build the project artefact @Pipeline
- # TODO: Implement the artefact build step
+ (cd docs && make build)
 publish: # Publish the project artefact @Pipeline
 # TODO: Implement the artefact publishing step
@@ -20,15 +20,16 @@ deploy: # Deploy the project artefact to the target environment @Pipeline
 # TODO: Implement the artefact deployment step
 clean:: # Clean-up project resources (main) @Operations
+ rm -f .version
 # TODO: Implement project resources clean-up step
-config:: # Configure development environment (main) @Configuration
- # TODO: Use only 'make' targets that are specific to this project, e.g. you may not need to install Node.js
- make _install-dependencies
-
-deploy_local:
- ./cd_utils/local_package_and_deploy.sh $(filter-out $@,$(MAKECMDGOALS))
+config:: _install-dependencies version # Configure development environment (main) @Configuration
+ (cd docs && make install)
+version:
+ rm -f .version
+ make version-create-effective-file dir=.
+ echo "{ \"schemaVersion\": 1, \"label\": \"version\", \"message\": \"$$(head -n 1 .version 2> /dev/null || echo unknown)\", \"color\": \"orange\" }" > version.json
 # ==============================================================================
 ${VERBOSE}.SILENT: \
diff --git a/infrastructure/.gitignore b/infrastructure/.gitignore
index c4772e5..22ebdac 100644
--- a/infrastructure/.gitignore
+++ b/infrastructure/.gitignore
@@ -15,6 +15,23 @@ crash.*.log
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
-*_output.*
-**/plugin-cache/**/*
+*.tfvars
+*.tfvars.json
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+*tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
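Review bot: `clean::` now deletes `.version` but not the `version.json` that the new `version` target writes beside it (and which the root .gitignore hunk ignores), so `make clean` leaves a stale generated badge file behind; add `rm -f version.json` next to `rm -f .version`. The recursive call `make version-create-effective-file dir=.` — and `(cd docs && make build)` / `(cd docs && make install)` in this and the `build:` hunk above — should use `$(MAKE)` so flags and the jobserver propagate to the sub-make. The `echo … > version.json` line splices the first line of `.version` into a JSON string with no escaping, which only holds if that file always contains a plain version token; a comment recording that assumption, e.g. `# .version is assumed to hold a single plain token; it is not JSON-escaped`, would make the limitation visible.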
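Review bot: The new `*.tfvars` and `*.tfvars.json` patterns here (and the identical pair in the infrastructure/terraform/.gitignore hunk) also match the `etc/global.tfvars` file that the new infrastructure/terraform/README tells people to edit, so from a fresh clone that configuration can never be committed. If the `etc/` tfvars are meant to be tracked, as the README implies, add a negation after the blanket pattern, e.g. `!etc/*.tfvars`, and keep the ignore for everything else; if they are meant to stay local, the README should say so rather than instruct users to update a file git will silently drop.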
diff --git a/infrastructure/modules/.gitkeep b/infrastructure/modules/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/infrastructure/terraform/.gitignore b/infrastructure/terraform/.gitignore
index ed83c6d..579b641 100644
--- a/infrastructure/terraform/.gitignore
+++ b/infrastructure/terraform/.gitignore
@@ -3,6 +3,13 @@
 # Transient backends
 components/**/backend_tfscaffold.tf
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
 # Compiled files
 **/*.tfstate
 **/*.tfplan
@@ -14,9 +21,6 @@ components/**/backend_tfscaffold.tf
 **/work/*
 **/*tfstate.lock.info
-# NHS Notify Build context
-bootstrap
-
 # Scaffold Plugin Cache
 plugin-cache/*
diff --git a/infrastructure/terraform/README b/infrastructure/terraform/README
new file mode 100644
index 0000000..838d177
--- /dev/null
+++ b/infrastructure/terraform/README
@@ -0,0 +1,3 @@
+This is an implementation of https://github.com/tfutils/tfscaffold for NHS Notify
+
+Update the `etc/global.tfvars` file according to your NHS Notify Domain, and follow https://github.com/tfutils/tfscaffold?tab=readme-ov-file#bootstrapping to get your tfstate s3 bucket set up
diff --git a/infrastructure/terraform/modules/.gitkeep b/infrastructure/terraform/modules/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
index af5f0bb..188bfdf 100644
--- a/scripts/config/gitleaks.toml
+++ b/scripts/config/gitleaks.toml
@@ -16,4 +16,15 @@ regexes = [
 ]
 [allowlist]
-paths = ['''.terraform.lock.hcl''', '''poetry.lock''', '''yarn.lock''']
+paths = [
+ '''.terraform.lock.hcl''',
+ '''poetry.lock''',
+ '''yarn.lock''',
+ '''Gemfile.lock''',
+]
+
+# Exclude Chrome version in user agent
+regexTarget = "line"
+regexes = [
+ '''Chrome/[\d.]+'''
+]
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
index 37ca637..5a5ba09 100644
--- a/scripts/config/pre-commit.yaml
+++ b/scripts/config/pre-commit.yaml
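Review bot: `regexTarget = "line"` makes the `Chrome/[\d.]+` allowlist skip every finding on any line containing a Chrome version token, not just the version number that triggered the false positive, so a line that carries both a user-agent string and a credential would be ignored entirely. That trade-off is probably acceptable for this case, but it is worth recording in the comment, e.g. `# Exclude Chrome version in user agent ("line" target suppresses every finding on the matching line, not only the match)`. Adding `Gemfile.lock` to `paths` also makes the `docs/Gemfile.lock:ipv4:4` fingerprint added in the .gitleaksignore hunk redundant; keeping a single mechanism per exclusion avoids the two drifting apart.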
@@ -1,40 +1,59 @@
 repos:
-- repo: local
- hooks:
- - id: scan-secrets
- name: Scan secrets
- entry: ./scripts/githooks/scan-secrets.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-file-format
- name: Check file format
- entry: ./scripts/githooks/check-file-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-markdown-format
- name: Check Markdown format
- entry: ./scripts/githooks/check-markdown-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-english-usage
- name: Check English usage
- entry: ./scripts/githooks/check-english-usage.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: lint-terraform
- name: Lint Terraform
- entry: ./scripts/githooks/check-terraform-format.sh
- language: script
- pass_filenames: false
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0 # Use the ref you want to point at
+ hooks:
+ - id: trailing-whitespace
+ - id: detect-aws-credentials
+ args: [--allow-missing-credentials]
+ - id: check-added-large-files
+ - id: check-symlinks
+ - id: detect-private-key
+ - id: end-of-file-fixer
+ exclude: .+\.cs
+ - id: forbid-new-submodules
+ - id: mixed-line-ending
+ - id: pretty-format-json
+ args: ['--autofix']
+ # - id: ...
+ - repo: local
+ hooks:
+ - id: sort-dictionary
+ name: Sort dictionary
+ entry: ./scripts/githooks/sort-dictionary.sh
+ language: script
+ pass_filenames: false
+ - repo: local
+ hooks:
+ - id: scan-secrets
+ name: Scan secrets
+ entry: /usr/bin/env check=whole-history ./scripts/githooks/scan-secrets.sh
+ language: script
+ pass_filenames: false
+ - repo: local
+ hooks:
+ - id: check-file-format
+ name: Check file format
+ entry: /usr/bin/env check=branch ./scripts/githooks/check-file-format.sh
+ language: script
+ pass_filenames: false
+ - repo: local
+ hooks:
+ - id: check-markdown-format
+ name: Check Markdown format
+ entry: /usr/bin/env check=branch ./scripts/githooks/check-markdown-format.sh
+ language: script
+ pass_filenames: false
+ - repo: local
+ hooks:
+ - id: check-english-usage
+ name: Check English usage
+ entry: /usr/bin/env check=branch ./scripts/githooks/check-english-usage.sh
+ language: script
+ pass_filenames: false
+ - repo: local
+ hooks:
+ - id: lint-terraform
+ name: Lint Terraform
+ entry: ./scripts/githooks/check-terraform-format.sh
+ language: script
+ pass_filenames: false
diff --git a/scripts/config/vale/styles/config/vocabularies/words/accept.txt b/scripts/config/vale/styles/config/vocabularies/words/accept.txt
new file mode 100644
index 0000000..3b07d50
--- /dev/null
+++ b/scripts/config/vale/styles/config/vocabularies/words/accept.txt
@@ -0,0 +1,27 @@
+[A-Z]+s
+Bitwarden
+bot
+Cognito
+Cyber
+Dependabot
+draw.io
+drawio
+endcapture
+endfor
+endraw
+GitHub
+Gitleaks
+Grype
+idempotence
+Jira
+OAuth
+Octokit
+onboarding
+Podman
+Python
+rawContent
+sed
+Syft
+Terraform
+toolchain
+Trufflehog
diff --git a/scripts/config/vale/styles/config/vocabularies/words/reject.txt b/scripts/config/vale/styles/config/vocabularies/words/reject.txt
new file mode 100644
index 0000000..fdc793e
--- /dev/null
+++ b/scripts/config/vale/styles/config/vocabularies/words/reject.txt
@@ -0,0 +1 @@
+python
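Review bot: `trailing-whitespace` runs without arguments, so it will also strip the two-space hard line breaks that Markdown uses; pass `args: [--markdown-linebreak-ext=md]` to preserve them. The `rev: v4.6.0 # Use the ref you want to point at` comment and the `# - id: ...` placeholder are leftovers from the upstream example config and should be removed or replaced by the reason this revision was chosen. `scan-secrets` now runs with `check=whole-history` on every commit instead of the previous `check=staged-changes`; if that is deliberate, a one-line comment on the hook explaining the cost/benefit would help the next maintainer.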
diff --git a/scripts/docker/examples/python/assets/hello_world/requirements.txt b/scripts/docker/examples/python/assets/hello_world/requirements.txt
index a38fca7..a3611c8 100644
--- a/scripts/docker/examples/python/assets/hello_world/requirements.txt
+++ b/scripts/docker/examples/python/assets/hello_world/requirements.txt
@@ -3,10 +3,10 @@ click==8.1.7
 Flask-WTF==1.2.0
 Flask==2.3.3
 itsdangerous==2.1.2
-Jinja2==3.1.3
+Jinja2==3.1.4
 MarkupSafe==2.1.3
 pip==23.3
 setuptools==65.5.1
-Werkzeug==3.0.1
+Werkzeug==3.0.3
 wheel==0.41.1
 WTForms==3.0.1
diff --git a/scripts/git-repo/auto-link.md b/scripts/git-repo/auto-link.md
new file mode 100644
index 0000000..dfb68a6
--- /dev/null
+++ b/scripts/git-repo/auto-link.md
@@ -0,0 +1,11 @@
+# GitHub
+
+## Auto link Protection Rules
+
+This will create the auto link to Jira.
+
+```sh
+./auto-link.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create an auto link](https://docs.github.com/en/rest/repos/autolinks?apiVersion=2022-11-28#create-an-autolink-for-a-repository)
diff --git a/scripts/git-repo/auto-link.sh b/scripts/git-repo/auto-link.sh
new file mode 100644
index 0000000..a827bd0
--- /dev/null
+++ b/scripts/git-repo/auto-link.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+curl -L \
+ -X POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer $2" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ https://api.github.com/repos/NHSDigital/$1/autolinks \
+ -d '{"key_prefix":"CCM-","url_template":" https://nhsd-jira.digital.nhs.uk/browse/CCM-","is_alphanumeric":true}'
diff --git a/scripts/git-repo/branch-protection.md b/scripts/git-repo/branch-protection.md
new file mode 100644
index 0000000..0e513f8
--- /dev/null
+++ b/scripts/git-repo/branch-protection.md
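Review bot: The `url_template` in the `-d` payload starts with a space and has no `<num>` placeholder, which the GitHub autolink API requires in order to substitute the issue number, so the request as written will be rejected or produce a broken link; it should read `"url_template":"https://nhsd-jira.digital.nhs.uk/browse/CCM-<num>"`. The script also has no `set -euo pipefail`, never checks that `$1` and `$2` were supplied and does not pass `--fail`, so a missing argument or a 4xx response still exits 0. Passing the PAT as `$2` puts it on the command line, where it is visible to other local users in the process list and may land in shell history; accepting it from an environment variable and feeding the header to curl via `-H @-` keeps it out of argv. branch-protection.sh in the next hunk has the same missing strictness, argument checks and token-on-argv issue.
```shell
#!/bin/bash
set -euo pipefail

repo=${1:?usage: $0 REPO [TOKEN]}
# Prefer the environment variable so the token does not appear in the process list;
# the second positional argument is still accepted for compatibility with the README.
token=${2:-${GITHUB_TOKEN:?set GITHUB_TOKEN or pass the token as the second argument}}

printf 'Authorization: Bearer %s\n' "${token}" | curl --fail -sS -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H @- \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://api.github.com/repos/NHSDigital/${repo}/autolinks" \
  -d '{"key_prefix":"CCM-","url_template":"https://nhsd-jira.digital.nhs.uk/browse/CCM-<num>","is_alphanumeric":true}'
```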
@@ -0,0 +1,11 @@
+# GitHub
+
+## Branch Protection Rules
+
+This will create the default branch protection rules using GitHub API.
+
+```sh
+./branch-protection.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create a repository rule set](https://docs.github.com/en/rest/repos/rules?apiVersion=2022-11-28#create-a-repository-ruleset)
diff --git a/scripts/git-repo/branch-protection.sh b/scripts/git-repo/branch-protection.sh
new file mode 100755
index 0000000..f98597a
--- /dev/null
+++ b/scripts/git-repo/branch-protection.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+curl --location "https://api.github.com/repos/NHSDigital/$1/rulesets" \
+--header 'X-GitHub-Api-Version: 2022-11-28' \
+--header 'Accept: application/vnd.github+json' \
+--header "Authorization: Bearer $2" \
+--header 'Content-Type: application/json' \
+--data '{
+ "name": "nhs-notify-default",
+ "target": "branch",
+ "enforcement": "active",
+ "conditions": {
+ "ref_name": {
+ "exclude": [],
+ "include": [
+ "~DEFAULT_BRANCH"
+ ]
+ }
+ },
+ "rules": [
+ {
+ "type": "deletion"
+ },
+ {
+ "type": "non_fast_forward"
+ },
+ {
+ "type": "pull_request",
+ "parameters": {
+ "required_approving_review_count": 1,
+ "dismiss_stale_reviews_on_push": true,
+ "require_code_owner_review": true,
+ "require_last_push_approval": true,
+ "required_review_thread_resolution": true
+ }
+ },
+ {
+ "type": "required_signatures"
+ },
+ {
+ "type": "required_status_checks",
+ "parameters": {
+ "strict_required_status_checks_policy": true,
+ "required_status_checks": []
+ }
+ }
+ ]
+}'
diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh
index 698df4a..c39a080 100755
--- a/scripts/githooks/check-markdown-format.sh
+++ b/scripts/githooks/check-markdown-format.sh
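Review bot: `required_status_checks` is an empty list, so the `required_status_checks` rule with `strict_required_status_checks_policy: true` presumably requires no check to pass and at most asks for an up-to-date branch; if merges are meant to be gated on CI, the check contexts need to be listed here, otherwise a marker such as `# TODO: populate required_status_checks with the CI job names once they are stable` above the `--data` block would make the gap explicit. The request is also a plain create: running the script a second time attempts to add another `nhs-notify-default` ruleset rather than update the existing one, and whether GitHub accepts a duplicate name should be confirmed and noted in branch-protection.md.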
@@ -38,7 +38,7 @@ function main() {
 check=${check:-working-tree-changes}
 case $check in
 "all")
- files="$(find ./ -type f -name "*.md")"
+ files="$(git ls-files "*.md")"
 ;;
 "staged-changes")
 files="$(git diff --diff-filter=ACMRT --name-only --cached "*.md")"
diff --git a/scripts/githooks/sort-dictionary.sh b/scripts/githooks/sort-dictionary.sh
new file mode 100755
index 0000000..45a3952
--- /dev/null
+++ b/scripts/githooks/sort-dictionary.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Pre-commit git hook to sort the Vale dictionary in a consistent manner to avoid future merge conflicts and aid insertion of new terms
+#
+# Usage:
+# $ [options] ./sort-dictionary.sh
+#
+# Options:
+#
+#
+# Exit codes:
+# 0 - Successfully sorted the dictionary
+# non-zero - failed to sort dictionary
+
+# ==============================================================================
+
+function main() {
+ root=scripts/config/vale/styles/config/vocabularies/words
+ opts="--dictionary-order --ignore-case -s"
+ sort $opts $root/accept.txt > $root/accept.sorted.txt
+ sort $opts $root/reject.txt > $root/reject.sorted.txt
+
+ mv $root/accept.sorted.txt $root/accept.txt
+ mv $root/reject.sorted.txt $root/reject.txt
+
+ git add -uv $root/*
+}
+
+# ==============================================================================
+
+function is-arg-true() {
+
+ if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# ==============================================================================
+
+is-arg-true "${VERBOSE:-false}" && set -x
+
+main "$@"
+
+exit 0
diff --git a/tests/.gitkeep b/tests/.gitkeep
new file mode 100644
index 0000000..e69de29
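Review bot: Replacing `find` with `git ls-files "*.md"` drops untracked Markdown files from the `all` mode, a behaviour change the hunk does not mention; if that is intended, a short comment on the line (`# tracked files only: untracked .md files are not linted in this mode`) would save the next reader a surprise, and if not, `git ls-files --cached --others --exclude-standard "*.md"` keeps the old coverage while still skipping ignored directories. `main` starts before this hunk.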
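Review bot: `git add -uv $root/*` stages the hook's own rewrite, so a reordering the author never looked at goes straight into the commit; the usual pre-commit convention is to rewrite the files and let the run fail (pre-commit reports a hook whose files changed), leaving the user to review and re-stage, which would let this line be dropped. `$opts` and `$root/*` rely on unquoted word-splitting and globbing under `set -u`; an array (`opts=(--dictionary-order --ignore-case -s)` with `sort "${opts[@]}" …`) and an explicit `"$root"/accept.txt` path make that intent clear and keep shellcheck quiet. The `# Options:` section of the header is empty and can be removed.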