CCM-5104: GitHub repository configuration guidance (#53)

* CCM-5100: Revert changes to the way page titles are displayed

* CCM-5100: Make first heading in MD file H1 to satisfy linter

* CCM-5100: Remove hard-coded codeowners

* CCM-5100: Use AMET team as default codeowner

* CCM-5104: GitHub configuration guidance

- Add decisions around repo configuration
- Update CSS to use monospace font

* CCM-5104: Scan current branch in githooks, not just staged changes

* CCM-5104: Import changes from template repo

* CCM-5104: Add branch protection rules

.github/CODEOWNERS

@@ -1,6 +1,6 @@
 # NHS Notify Code Owners
 
-* @rossbugginsnhs @m-houston @edmundcraske2-nhs @timireland
+* @NHSDigital/nhs-notify-amet
 
 # Default protection for codeowners, must be last in file.
 /.github/CODEOWNERS @NHSDigital/nhs-notify-code-owners

.github/workflows/manual-combine-dependabot-prs.yaml

@@ -0,0 +1,24 @@
+name: Combine Dependabot PRs
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  checks: read
+
+jobs:
+  combine-prs:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: combine-prs
+        id: combine-prs
+        uses: github/[email protected]
+        with:
+          ci_required: false
+          labels: dependencies
+          pr_title: Combined Dependabot PRs
+          combine_branch_name: dependabotCombined
+          pr_body_header: Combined Dependabot PRs

.github/workflows/scheduled-repository-template-sync.yaml

@@ -0,0 +1,55 @@
+name: Repository Template Sync
+
+on:
+  schedule:
+    - cron: '0 0 1 * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  checks: read
+
+jobs:
+  update-external-repo:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repository
+      uses: actions/checkout@v4
+
+    - name: Check out external repository
+      uses: actions/checkout@v4
+      with:
+        repository: NHSDigital/nhs-notify-repository-template
+        path: nhs-notify-repository-template
+        token: ${{ github.token }}
+
+    - name: Run syncronisation script
+      run: |
+        ./scripts/githooks/sync-template-repo.sh
+        rm -Rf ./nhs-notify-repository-template
+
+    - name: Create Pull Request
+      if: ${{ !env.ACT }}
+      uses: peter-evans/[email protected]
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        commit-message: Drift from template
+        branch: scheduledTemplateRepositorySync
+        delete-branch: true
+        title: '[Template Sync] Drift from template-repository remediation'
+        body: |
+          # Resultant drift from repository template
+
+          ## Who should respond to this PR?
+          The team which owns the responsibility for this component repository. You may want to consult other contributors.
+
+          ## How to progress this PR
+          The repositories guardians should review the contents of the PR and decide how to proceed, you may wish to back-out certain changes or accept them from the upstream `nhsdigital/nhs-notify-repository-template` repository.
+
+          If there are changes you do not wish to see again, it is recommended you add exclusions to `scripts/config/.repository-template-sync-ignore`.
+        labels: |
+          template
+          automation
+        draft: false

.github/workflows/scorecard.yml

@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '15 22 * * 5'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: false
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -6,7 +6,7 @@
 *vulnerabilities*report*.json
 *report*json.zip
 .version
-
+version.json
 *.code-workspace
 !project.code-workspace
 

.tool-versions

@@ -1,9 +1,9 @@
-# This file is for you! Please, updated to the versions agreed by your team.
-
-terraform 1.7.0
+act 0.2.64
+gitleaks 8.18.4
 pre-commit 3.6.0
-nodejs 18.18.2
-gitleaks 8.15.3
+terraform 1.9.2
+tfsec 1.28.10
+vale 3.6.0
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.
@@ -17,7 +17,7 @@ gitleaks 8.15.3
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
 # docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags
 # docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags
-# docker/jdkato/vale v2.29.7@sha256:5ccfac574231b006284513ac3e4e9f38833989d83f2a68db149932c09de85149 # SEE: https://hub.docker.com/r/jdkato/vale/tags
+# docker/jdkato/vale v3.6.0@sha256:0ef22c8d537f079633cfff69fc46f69a2196072f69cab1ab232e8a79a388e425 # SEE: https://hub.docker.com/r/jdkato/vale/tags
 # docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
 # docker/mstruebing/editorconfig-checker 2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24 # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags
 # docker/sonarsource/sonar-scanner-cli 5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags

Makefile

@@ -11,7 +11,7 @@ dependencies: # Install dependencies needed to build and test the project @Pipel
 	# TODO: Implement installation of your project dependencies
 
 build: # Build the project artefact @Pipeline
-	# TODO: Implement the artefact build step
+	(cd docs && make build)
 
 publish: # Publish the project artefact @Pipeline
 	# TODO: Implement the artefact publishing step
@@ -20,12 +20,16 @@ deploy: # Deploy the project artefact to the target environment @Pipeline
 	# TODO: Implement the artefact deployment step
 
 clean:: # Clean-up project resources (main) @Operations
+	rm -f .version
 	# TODO: Implement project resources clean-up step
 
-config:: # Configure development environment (main) @Configuration
-	# TODO: Use only 'make' targets that are specific to this project, e.g. you may not need to install Node.js
-	make _install-dependencies
+config:: _install-dependencies version # Configure development environment (main) @Configuration
+	(cd docs && make install)
 
+version:
+	rm -f .version
+	make version-create-effective-file dir=.
+	echo "{ \"schemaVersion\": 1, \"label\": \"version\", \"message\": \"$$(head -n 1 .version 2> /dev/null || echo unknown)\", \"color\": \"orange\" }" > version.json
 # ==============================================================================
 
 ${VERBOSE}.SILENT: \

docs/.vscode/tasks.json

@@ -1,13 +1,13 @@
 {
-  "version": "2.0.0",
   "tasks": [
     {
+      "command": "kill $(lsof -ti :4000); exit 0;",
       "label": "stop-already-running",
       "options": {
         "cwd": "${workspaceFolder}"
       },
-      "command": "kill $(lsof -ti :4000); exit 0;",
       "type": "shell"
     }
-  ]
+  ],
+  "version": "2.0.0"
 }

docs/_includes/page-info-header.html

@@ -2,10 +2,10 @@
   assign wordWarning = 200 %} {% assign wordCount = content | number_of_words%} {%
   assign readTime = wordCount | divided_by: 100.0 | ceil %} {% if page.sub_title
   %}
-  <h1>{{ page.name }}</h1>
+  <h1>{{ page.title }}</h1>
   <p class="text-medium text-grey-dk-300 mb-0">{{ page.summary }}</p>
   {% else %}
-  <h1>{{ page.name }}</h1>
+  <h1>{{ page.title }}</h1>
   {% endif %}
 
   <div class="page-info">

docs/_sass/color_schemes/nhs.scss

@@ -1,32 +1,30 @@
 @import "./color_schemes/light";
 
-
 @font-face {
   font-family: "Frutiger W01";
   font-style: normal;
-  src: url("https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2") format('woff2');
+  src: url("https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2")
+    format("woff2");
 }
 
 @font-face {
   font-family: "Frutiger W01";
   font-weight: 800;
   font-style: normal;
-  src: url("https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2") format('woff2');
+  src: url("https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2")
+    format("woff2");
 }
 
-
 // Typography
 
 // prettier-ignore
 $body-font-family: Frutiger W01,Arial,Sans-serif;
-$mono-font-family: Frutiger W01,Arial,Sans-serif;
-
 
 
 $blue-000: #005eb8;
 $grey-dk-000: #d8dde0;
 $grey-dk-100: #f0f4f5;
-$grey-dk-300: #212B32;
+$grey-dk-300: #212b32;
 $sidebar-color: $grey-dk-100;
 $body-background-color: $grey-dk-100;
 $link-color: $blue-000;
@@ -35,3 +33,6 @@ $font-size-7: 1.25rem;
 $font-size-6: 2rem;
 $font-size-8: 3rem;
 //$font-size-5: 1.188rem; // h3
+
+$nav-width: 20rem;
+$content-width: 130rem;

docs/_sass/custom/custom.scss

@@ -1,7 +1,7 @@
 // Totally custom here.
 
 .nav-category {
-  text-transform:none;
+  text-transform: none;
   color: $grey-dk-300;
   @include fs-4;
   font-weight: 600;
@@ -14,7 +14,7 @@
     }
   }
 }
-.site-title{
+.site-title {
   font-weight: 600;
   font-size: 1.2rem !important;
 }
@@ -23,7 +23,7 @@
   .nav-list-item {
     @include fs-4;
     font-weight: 400;
-    -webkit-font-smoothing:antialiased;
+    -webkit-font-smoothing: antialiased;
   }
 }
 
@@ -35,22 +35,34 @@ body {
 }
 
 @media (min-width: 31.25rem) {
-  h1, .text-alpha {
-      font-size: 3rem !important;
-      font-weight: 600;
+  h1,
+  .text-alpha {
+    font-size: 3rem !important;
+    font-weight: 600;
   }
 }
 
 @media (min-width: 31.25rem) {
-  h2, .text-alpha {
-      font-size: 2rem !important;
-      font-weight: 600;
+  h2,
+  .text-alpha {
+    font-size: 2rem !important;
+    font-weight: 600;
   }
 }
 
 @media (min-width: 31.25rem) {
-  h3, .text-alpha {
-      font-size: 1.5rem !important;
-      font-weight: 600;
+  h3,
+  .text-alpha {
+    font-size: 1.5rem !important;
+    font-weight: 600;
   }
 }
+
+.table-wrapper {
+  display: inline-block;
+  width: unset;
+  }
+
+  th, td {
+    min-width: 1%;
+    }

docs/collections/_adrs/assets/ADR-003/examples/nodejs/package.json

@@ -1,14 +1,14 @@
 {
-  "main": "main.ts",
-  "scripts": {
-    "start": "ts-node main.ts"
-  },
   "dependencies": {
     "@octokit/auth-app": "^6.0.0",
     "octokit": "^3.1.0"
   },
   "devDependencies": {
     "ts-node": "^10.9.1",
     "typescript": "^5.2.2"
+  },
+  "main": "main.ts",
+  "scripts": {
+    "start": "ts-node main.ts"
   }
 }