generated from NHSDigital/nhs-notify-repository-template
-
Notifications
You must be signed in to change notification settings - Fork 0
190 lines (186 loc) · 6.46 KB
/
stage-1-commit.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
name: "Commit stage"
on:
workflow_call:
inputs:
build_datetime:
description: "Build datetime, set by the CI/CD pipeline workflow"
required: true
type: string
build_timestamp:
description: "Build timestamp, set by the CI/CD pipeline workflow"
required: true
type: string
build_epoch:
description: "Build epoch, set by the CI/CD pipeline workflow"
required: true
type: string
nodejs_version:
description: "Node.js version, set by the CI/CD pipeline workflow"
required: true
type: string
python_version:
description: "Python version, set by the CI/CD pipeline workflow"
required: true
type: string
terraform_version:
description: "Terraform version, set by the CI/CD pipeline workflow"
required: true
type: string
version:
description: "Version of the software, set by the CI/CD pipeline workflow"
required: true
type: string
jobs:
scan-secrets:
name: "Scan secrets"
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: "Checkout code"
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history is needed to scan all commits
- name: "Scan secrets"
uses: ./.github/actions/scan-secrets
check-file-format:
name: "Check file format"
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: "Checkout code"
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check file format"
uses: ./.github/actions/check-file-format
check-markdown-format:
name: "Check Markdown format"
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: "Checkout code"
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check Markdown format"
uses: ./.github/actions/check-markdown-format
terraform-docs:
name: "Run terraform-docs"
runs-on: ubuntu-latest
needs: detect-terraform-changes
if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
permissions:
contents: write
steps:
- name: "Checkout code"
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check to see if Terraform Docs are up-to-date"
run: |
make terraform-docs
- name: "Stage changes"
run: |
git add infrastructure/terraform/**/*.md
- name: "Check for changes in Terraform Docs"
run: |
if git diff --cached --name-only | grep -qE '\.md$'; then
echo "Markdown files have changed. Please run 'make terraform-docs' and commit the changes."
exit 1
fi
check-english-usage:
name: "Check English usage"
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: "Checkout code"
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check English usage"
uses: ./.github/actions/check-english-usage
detect-terraform-changes:
name: "Detect Terraform Changes"
runs-on: ubuntu-latest
outputs:
terraform_changed: ${{ steps.check.outputs.terraform_changed }}
steps:
- name: "Checkout code"
uses: actions/checkout@v4
- name: "Check for Terraform changes"
id: check
run: |
git fetch origin main || true # Ensure you have the latest main branch
CHANGED_FILES=$(git diff --name-only HEAD origin/main)
echo "Changed files: $CHANGED_FILES"
if echo "$CHANGED_FILES" | grep -qE '\.tf$'; then
echo "Terraform files have changed."
echo "terraform_changed=true" >> $GITHUB_OUTPUT
else
echo "No Terraform changes detected."
echo "terraform_changed=false" >> $GITHUB_OUTPUT
fi
lint-terraform:
name: "Lint Terraform"
runs-on: ubuntu-latest
timeout-minutes: 2
needs: detect-terraform-changes
if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
steps:
- name: "Checkout code"
uses: actions/checkout@v4
- name: "Lint Terraform"
uses: ./.github/actions/lint-terraform
tfsec:
name: "TFSec Scan"
runs-on: ubuntu-latest
timeout-minutes: 5
needs: detect-terraform-changes
if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
steps:
- name: "Checkout code"
uses: actions/checkout@v4
- name: "Setup ASDF"
uses: asdf-vm/actions/setup@v3
- name: "Perform Setup"
uses: ./.github/actions/setup
- name: "TFSec Scan"
uses: ./.github/actions/tfsec
count-lines-of-code:
name: "Count lines of code"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
timeout-minutes: 2
steps:
- name: "Checkout code"
uses: actions/checkout@v4
- name: "Count lines of code"
uses: ./.github/actions/create-lines-of-code-report
with:
build_datetime: "${{ inputs.build_datetime }}"
build_timestamp: "${{ inputs.build_timestamp }}"
idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"
scan-dependencies:
name: "Scan dependencies"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
timeout-minutes: 2
steps:
- name: "Checkout code"
uses: actions/checkout@v4
- name: "Scan dependencies"
uses: ./.github/actions/scan-dependencies
with:
build_datetime: "${{ inputs.build_datetime }}"
build_timestamp: "${{ inputs.build_timestamp }}"
idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"