Drift from template

.editorconfig

@@ -19,3 +19,13 @@ indent_size = 4
 
 [{Makefile,*.mk,go.mod,go.sum,*.go,.gitmodules}]
 indent_style = tab
+
+# Ignore paths
+[Gemfile.lock]
+charset = unset
+end_of_line = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+indent_style = unset
+indent_size = unset
+generated_code = true

.github/CODEOWNERS

@@ -1,8 +1,9 @@
 # NHS Notify Code Owners
 
-* @rossbugginsnhs @m-houston @edmundcraske2-nhs @timireland
+# Notify default owners
+* @rossbugginsnhs @m-houston @aidenvaines-bjss @timireland
 
-# Default protection for codeowners, must be last in file.
+# Codeowners must be final check
 /.github/CODEOWNERS @NHSDigital/nhs-notify-code-owners
 /CODEOWNERS @NHSDigital/nhs-notify-code-owners
 

.github/actions/lint-terraform/action.yaml

@@ -16,5 +16,6 @@ runs:
       run: |
         stacks=${{ inputs.root-modules }}
         for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+          dir=$dir opts='-backend=false' make terraform-init
           dir=$dir make terraform-validate
         done

.gitignore

@@ -6,12 +6,8 @@
 *vulnerabilities*report*.json
 *report*json.zip
 .version
-*.rej
-*.porig
-
+version.json
 *.code-workspace
 !project.code-workspace
 
 # Please, add your custom content below!
-
-!nhs-notify-dns.code-workspace

.gitleaksignore

@@ -1,3 +1,5 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
+96096685ab3d6876671e2bc9a6ff4d48fc56e521:src/helloworld/helloworld.sln:ipv4:4
+4f4e8c15629b2cb09356a7fed4d72953590227ce:docs/Gemfile.lock:ipv4:4

.tool-versions

@@ -1,9 +1,10 @@
-# This file is for you! Please, updated to the versions agreed by your team.
-
+act 0.2.64
+gitleaks 8.18.4
 pre-commit 3.6.0
-gitleaks 8.15.3
+terraform 1.9.2
 tfsec 1.28.10
 vale 3.6.0
+
 # ==============================================================================
 # The section below is reserved for Docker image versions.
 

Makefile

@@ -11,7 +11,7 @@ dependencies: # Install dependencies needed to build and test the project @Pipel
 	# TODO: Implement installation of your project dependencies
 
 build: # Build the project artefact @Pipeline
-	# TODO: Implement the artefact build step
+	(cd docs && make build)
 
 publish: # Publish the project artefact @Pipeline
 	# TODO: Implement the artefact publishing step
@@ -20,12 +20,16 @@ deploy: # Deploy the project artefact to the target environment @Pipeline
 	# TODO: Implement the artefact deployment step
 
 clean:: # Clean-up project resources (main) @Operations
+	rm -f .version
 	# TODO: Implement project resources clean-up step
 
-config:: # Configure development environment (main) @Configuration
-	# TODO: Use only 'make' targets that are specific to this project, e.g. you may not need to install Node.js
-	make _install-dependencies
+config:: _install-dependencies version # Configure development environment (main) @Configuration
+	(cd docs && make install)
 
+version:
+	rm -f .version
+	make version-create-effective-file dir=.
+	echo "{ \"schemaVersion\": 1, \"label\": \"version\", \"message\": \"$$(head -n 1 .version 2> /dev/null || echo unknown)\", \"color\": \"orange\" }" > version.json
 # ==============================================================================
 
 ${VERBOSE}.SILENT: \

infrastructure/terraform/.gitignore

@@ -3,6 +3,13 @@
 # Transient backends
 components/**/backend_tfscaffold.tf
 
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
 # Compiled files
 **/*.tfstate
 **/*.tfplan

infrastructure/terraform/README

@@ -0,0 +1,3 @@
+This is an implementation of https://github.com/tfutils/tfscaffold for NHS Notify
+
+Update the `etc/global.tfvars` file according to your NHS Notify Domain, and follow https://github.com/tfutils/tfscaffold?tab=readme-ov-file#bootstrapping to get your tfstate s3 bucket set up

infrastructure/terraform/bin/terraform.sh

@@ -8,7 +8,7 @@
 ##
 # Set Script Version
 ##
-readonly script_ver="1.8.0";
+readonly script_ver="1.8.1";
 
 ##
 # Standardised failure function
@@ -399,13 +399,16 @@ fi;
 pushd "${component_path}";
 readonly component_name=$(basename ${component_path});
 
-# Check for presence of tfenv (https://github.com/kamatama41/tfenv)
-# and a .terraform-version file. If both present, ensure required
-# version of terraform for this component is installed automagically.
-tfenv_bin="$(which tfenv 2>/dev/null)";
-if [[ -n "${tfenv_bin}" && -x "${tfenv_bin}" && -f .terraform-version ]]; then
-  ${tfenv_bin} install;
-fi;
+# install terraform
+# verify terraform version matches .tool-versions
+echo ${PWD}
+tool_version=$(grep "terraform " .tool-versions | cut -d ' ' -f 2)
+asdf plugin-add terraform && asdf install terraform "${tool_version}"
+current_version=$(terraform --version | head -n 1 | cut -d 'v' -f 2)
+
+if [ -z "${current_version}" ] || [ "${current_version}" != "${tool_version}" ]; then
+  error_and_die "Terraform version mismatch. Expected: ${tool_version}, Actual: ${current_version}"
+fi
 
 # Regardless of bootstrapping or not, we'll be using this string.
 # If bootstrapping, we will fill it with variables,

scripts/config/gitleaks.toml

@@ -16,4 +16,15 @@ regexes = [
 ]
 
 [allowlist]
-paths = ['''.terraform.lock.hcl''', '''poetry.lock''', '''yarn.lock''']
+paths = [
+  '''.terraform.lock.hcl''',
+  '''poetry.lock''',
+  '''yarn.lock''',
+  '''Gemfile.lock''',
+]
+
+# Exclude Chrome version in user agent
+regexTarget = "line"
+regexes = [
+  '''Chrome/[\d.]+'''
+]

scripts/config/pre-commit.yaml

@@ -1,40 +1,59 @@
 repos:
-- repo: local
-  hooks:
-  - id: scan-secrets
-    name: Scan secrets
-    entry: ./scripts/githooks/scan-secrets.sh
-    args: ["check=staged-changes"]
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-file-format
-    name: Check file format
-    entry: ./scripts/githooks/check-file-format.sh
-    args: ["check=staged-changes"]
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-markdown-format
-    name: Check Markdown format
-    entry: ./scripts/githooks/check-markdown-format.sh
-    args: ["check=staged-changes"]
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-english-usage
-    name: Check English usage
-    entry: ./scripts/githooks/check-english-usage.sh
-    args: ["check=staged-changes"]
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: lint-terraform
-    name: Lint Terraform
-    entry: ./scripts/githooks/check-terraform-format.sh
-    language: script
-    pass_filenames: false
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0 # Use the ref you want to point at
+    hooks:
+      - id: trailing-whitespace
+      - id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+      - id: check-added-large-files
+      - id: check-symlinks
+      - id: detect-private-key
+      - id: end-of-file-fixer
+        exclude: .+\.cs
+      - id: forbid-new-submodules
+      - id: mixed-line-ending
+      - id: pretty-format-json
+        args: ['--autofix']
+    # -   id: ...
+  - repo: local
+    hooks:
+      - id: sort-dictionary
+        name: Sort dictionary
+        entry: ./scripts/githooks/sort-dictionary.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: scan-secrets
+        name: Scan secrets
+        entry: /usr/bin/env check=whole-history ./scripts/githooks/scan-secrets.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-file-format
+        name: Check file format
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-file-format.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-markdown-format
+        name: Check Markdown format
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-markdown-format.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-english-usage
+        name: Check English usage
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-english-usage.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: lint-terraform
+        name: Lint Terraform
+        entry: ./scripts/githooks/check-terraform-format.sh
+        language: script
+        pass_filenames: false

scripts/config/vale/styles/config/vocabularies/words/accept.txt

@@ -1,23 +1,26 @@
 [A-Z]+s
 Bitwarden
 bot
-config
+Cognito
 Cyber
 Dependabot
 draw.io
 drawio
+endcapture
 endfor
 endraw
-env
 GitHub
 Gitleaks
 Grype
 idempotence
+Jira
 OAuth
 Octokit
 onboarding
 Podman
 Python
+rawContent
+sed
 Syft
 Terraform
 toolchain

scripts/docker/examples/python/assets/hello_world/requirements.txt

@@ -6,7 +6,7 @@ itsdangerous==2.1.2
 Jinja2==3.1.4
 MarkupSafe==2.1.3
 pip==23.3
-setuptools==70.0.0
+setuptools==65.5.1
 Werkzeug==3.0.3
 wheel==0.41.1
 WTForms==3.0.1

scripts/git-repo/auto-link.md

@@ -0,0 +1,11 @@
+# GitHub
+
+## Auto link Protection Rules
+
+This will create the auto link to Jira.
+
+```sh
+./auto-link.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create an auto link](https://docs.github.com/en/rest/repos/autolinks?apiVersion=2022-11-28#create-an-autolink-for-a-repository)

scripts/git-repo/auto-link.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+curl -L \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer $2" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  https://api.github.com/repos/NHSDigital/$1/autolinks \
+  -d '{"key_prefix":"CCM-","url_template":" https://nhsd-jira.digital.nhs.uk/browse/CCM-<num>","is_alphanumeric":true}'

scripts/git-repo/branch-protection.md

@@ -0,0 +1,11 @@
+# GitHub
+
+## Branch Protection Rules
+
+This will create the default branch protection rules using GitHub API.
+
+```sh
+./branch-protection.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create a repository rule set](https://docs.github.com/en/rest/repos/rules?apiVersion=2022-11-28#create-a-repository-ruleset)

scripts/git-repo/branch-protection.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+curl --location "https://api.github.com/repos/NHSDigital/$1/rulesets" \
+--header 'X-GitHub-Api-Version: 2022-11-28' \
+--header 'Accept: application/vnd.github+json' \
+--header "Authorization: Bearer $2" \
+--header 'Content-Type: application/json' \
+--data '{
+    "name": "nhs-notify-default",
+    "target": "branch",
+    "enforcement": "active",
+    "conditions": {
+        "ref_name": {
+            "exclude": [],
+            "include": [
+                "~DEFAULT_BRANCH"
+            ]
+        }
+    },
+    "rules": [
+        {
+            "type": "deletion"
+        },
+        {
+            "type": "non_fast_forward"
+        },
+        {
+            "type": "pull_request",
+            "parameters": {
+                "required_approving_review_count": 1,
+                "dismiss_stale_reviews_on_push": true,
+                "require_code_owner_review": true,
+                "require_last_push_approval": true,
+                "required_review_thread_resolution": true
+            }
+        },
+        {
+            "type": "required_signatures"
+        },
+        {
+            "type": "required_status_checks",
+            "parameters": {
+                "strict_required_status_checks_policy": true,
+                "required_status_checks": []
+            }
+        }
+    ]
+}'

scripts/githooks/check-markdown-format.sh

@@ -38,7 +38,7 @@ function main() {
   check=${check:-working-tree-changes}
   case $check in
     "all")
-      files="$(find ./ -type f -name "*.md")"
+      files="$(git ls-files "*.md")"
       ;;
     "staged-changes")
       files="$(git diff --diff-filter=ACMRT --name-only --cached "*.md")"