Drift from template

.editorconfig

@@ -19,3 +19,13 @@ indent_size = 4
 
 [{Makefile,*.mk,go.mod,go.sum,*.go,.gitmodules}]
 indent_style = tab
+
+# Ignore paths
+[Gemfile.lock]
+charset = unset
+end_of_line = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+indent_style = unset
+indent_size = unset
+generated_code = true

.github/CODEOWNERS

@@ -1,16 +1,11 @@
 # NHS Notify Code Owners
 
-*                         @NHSDigital/nhs-notify-iam-webauth
-
-/.github/                 @NHSDigital/nhs-notify-iam-admins
-*.code-workspace          @NHSDigital/nhs-notify-iam-admins
-/docs/                    @NHSDigital/nhs-notify-iam-webauth
-/docs/testing/            @NHSDigital/nhs-notify-iam-webauth-testers
-/tests/test-team/         @NHSDigital/nhs-notify-iam-webauth-testers
+# Notify default owners
+* @rossbugginsnhs @m-houston @aidenvaines-bjss @timireland
 
 # Codeowners must be final check
-/.github/CODEOWNERS       @NHSDigital/nhs-notify-code-owners
-/CODEOWNERS               @NHSDigital/nhs-notify-code-owners
+/.github/CODEOWNERS @NHSDigital/nhs-notify-code-owners
+/CODEOWNERS @NHSDigital/nhs-notify-code-owners
 
 
 # Each NHS Notify repository should have clear code owners set.

.github/actions/lint-terraform/action.yaml

@@ -16,5 +16,6 @@ runs:
       run: |
         stacks=${{ inputs.root-modules }}
         for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+          dir=$dir opts='-backend=false' make terraform-init
           dir=$dir make terraform-validate
         done

.gitignore

@@ -6,61 +6,8 @@
 *vulnerabilities*report*.json
 *report*json.zip
 .version
-
+version.json
 *.code-workspace
 !project.code-workspace
 
 # Please, add your custom content below!
-
-# dependencies
-/node_modules
-/.pnp
-.pnp.js
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-
-# local env files
-.env*.local
-.env
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
-
-# reports
-.reports
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
-/test-results/
-/playwright-report/
-/blob-report/
-/playwright/.cache/
-
-# playwright
-tests/test-team/test-results/
-tests/test-team/playwright-report/
-tests/test-team/blob-report/
-tests/test-team/playwright/.cache/
-
-#plugin-cache
-plugin-cache/

.gitleaksignore

@@ -1,3 +1,5 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
+96096685ab3d6876671e2bc9a6ff4d48fc56e521:src/helloworld/helloworld.sln:ipv4:4
+4f4e8c15629b2cb09356a7fed4d72953590227ce:docs/Gemfile.lock:ipv4:4

.tool-versions

@@ -1,11 +1,9 @@
-# This file is for you! Please, updated to the versions agreed by your team.
-
-terraform 1.9.2
-pre-commit 3.6.0
-nodejs 20.13.1
-direnv 2.32.1
+act 0.2.64
 gitleaks 8.18.4
+pre-commit 3.6.0
+terraform 1.9.2
 tfsec 1.28.10
+vale 3.6.0
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

Makefile

@@ -11,7 +11,7 @@ dependencies: # Install dependencies needed to build and test the project @Pipel
 	# TODO: Implement installation of your project dependencies
 
 build: # Build the project artefact @Pipeline
-	# TODO: Implement the artefact build step
+	(cd docs && make build)
 
 publish: # Publish the project artefact @Pipeline
 	# TODO: Implement the artefact publishing step
@@ -20,12 +20,16 @@ deploy: # Deploy the project artefact to the target environment @Pipeline
 	# TODO: Implement the artefact deployment step
 
 clean:: # Clean-up project resources (main) @Operations
+	rm -f .version
 	# TODO: Implement project resources clean-up step
 
-config:: # Configure development environment (main) @Configuration
-	# TODO: Use only 'make' targets that are specific to this project, e.g. you may not need to install Node.js
-	make _install-dependencies
+config:: _install-dependencies version # Configure development environment (main) @Configuration
+	(cd docs && make install)
 
+version:
+	rm -f .version
+	make version-create-effective-file dir=.
+	echo "{ \"schemaVersion\": 1, \"label\": \"version\", \"message\": \"$$(head -n 1 .version 2> /dev/null || echo unknown)\", \"color\": \"orange\" }" > version.json
 # ==============================================================================
 
 ${VERBOSE}.SILENT: \

infrastructure/terraform/.gitignore

@@ -3,6 +3,13 @@
 # Transient backends
 components/**/backend_tfscaffold.tf
 
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
 # Compiled files
 **/*.tfstate
 **/*.tfplan
@@ -14,9 +21,6 @@ components/**/backend_tfscaffold.tf
 **/work/*
 **/*tfstate.lock.info
 
-# NHS Notify Build context
-bootstrap
-
 # Scaffold Plugin Cache
 plugin-cache/*
 

infrastructure/terraform/README

@@ -0,0 +1,3 @@
+This is an implementation of https://github.com/tfutils/tfscaffold for NHS Notify
+
+Update the `etc/global.tfvars` file according to your NHS Notify Domain, and follow https://github.com/tfutils/tfscaffold?tab=readme-ov-file#bootstrapping to get your tfstate s3 bucket set up

scripts/config/gitleaks.toml

@@ -16,4 +16,15 @@ regexes = [
 ]
 
 [allowlist]
-paths = ['''.terraform.lock.hcl''', '''poetry.lock''', '''yarn.lock''']
+paths = [
+  '''.terraform.lock.hcl''',
+  '''poetry.lock''',
+  '''yarn.lock''',
+  '''Gemfile.lock''',
+]
+
+# Exclude Chrome version in user agent
+regexTarget = "line"
+regexes = [
+  '''Chrome/[\d.]+'''
+]

scripts/config/pre-commit.yaml

@@ -1,40 +1,59 @@
 repos:
-- repo: local
-  hooks:
-  - id: scan-secrets
-    name: Scan secrets
-    entry: ./scripts/githooks/scan-secrets.sh
-    args: ["check=staged-changes"]
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-file-format
-    name: Check file format
-    entry: ./scripts/githooks/check-file-format.sh
-    args: ["check=staged-changes"]
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-markdown-format
-    name: Check Markdown format
-    entry: ./scripts/githooks/check-markdown-format.sh
-    args: ["check=staged-changes"]
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-english-usage
-    name: Check English usage
-    entry: ./scripts/githooks/check-english-usage.sh
-    args: ["check=staged-changes"]
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: lint-terraform
-    name: Lint Terraform
-    entry: ./scripts/githooks/check-terraform-format.sh
-    language: script
-    pass_filenames: false
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0 # Use the ref you want to point at
+    hooks:
+      - id: trailing-whitespace
+      - id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+      - id: check-added-large-files
+      - id: check-symlinks
+      - id: detect-private-key
+      - id: end-of-file-fixer
+        exclude: .+\.cs
+      - id: forbid-new-submodules
+      - id: mixed-line-ending
+      - id: pretty-format-json
+        args: ['--autofix']
+    # -   id: ...
+  - repo: local
+    hooks:
+      - id: sort-dictionary
+        name: Sort dictionary
+        entry: ./scripts/githooks/sort-dictionary.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: scan-secrets
+        name: Scan secrets
+        entry: /usr/bin/env check=whole-history ./scripts/githooks/scan-secrets.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-file-format
+        name: Check file format
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-file-format.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-markdown-format
+        name: Check Markdown format
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-markdown-format.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-english-usage
+        name: Check English usage
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-english-usage.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: lint-terraform
+        name: Lint Terraform
+        entry: ./scripts/githooks/check-terraform-format.sh
+        language: script
+        pass_filenames: false

scripts/config/vale/styles/config/vocabularies/words/accept.txt

@@ -1,23 +1,26 @@
 [A-Z]+s
 Bitwarden
 bot
-config
+Cognito
 Cyber
 Dependabot
 draw.io
 drawio
+endcapture
 endfor
 endraw
-env
 GitHub
 Gitleaks
 Grype
 idempotence
+Jira
 OAuth
 Octokit
 onboarding
 Podman
 Python
+rawContent
+sed
 Syft
 Terraform
 toolchain

scripts/docker/examples/python/assets/hello_world/requirements.txt

@@ -6,7 +6,7 @@ itsdangerous==2.1.2
 Jinja2==3.1.4
 MarkupSafe==2.1.3
 pip==23.3
-setuptools==70.0.0
+setuptools==65.5.1
 Werkzeug==3.0.3
 wheel==0.41.1
 WTForms==3.0.1

scripts/git-repo/auto-link.md

@@ -0,0 +1,11 @@
+# GitHub
+
+## Auto link Protection Rules
+
+This will create the auto link to Jira.
+
+```sh
+./auto-link.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create an auto link](https://docs.github.com/en/rest/repos/autolinks?apiVersion=2022-11-28#create-an-autolink-for-a-repository)

scripts/git-repo/auto-link.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+curl -L \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer $2" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  https://api.github.com/repos/NHSDigital/$1/autolinks \
+  -d '{"key_prefix":"CCM-","url_template":" https://nhsd-jira.digital.nhs.uk/browse/CCM-<num>","is_alphanumeric":true}'

scripts/git-repo/branch-protection.md

@@ -0,0 +1,11 @@
+# GitHub
+
+## Branch Protection Rules
+
+This will create the default branch protection rules using GitHub API.
+
+```sh
+./branch-protection.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create a repository rule set](https://docs.github.com/en/rest/repos/rules?apiVersion=2022-11-28#create-a-repository-ruleset)