NHSDigital · matt-mercer · Aug 8, 2025 · Aug 8, 2025 · Aug 8, 2025 · Aug 8, 2025
@@ -0,0 +1,61 @@
+name: "asdf-cache"
+description: "asdf cache action from https://github.com/ai/asdf-cache-action/blob/main/action.yml"
+inputs:
+  asdf-version:
+    description: "asdf version to install"
+    default: ""
+    required: false
+  os:
+    description: "target os"
+    default: "linux"
+    required: false
+  architecture:
+    description: "target architecture"
+    default: "amd64"
+    required: false
+runs:
+  using: "composite"
+  steps:
+
+    - name: install asdf
+      shell: bash
+      run: |
+        set -o pipefail
+        asdf_version="${{ inputs.asdf-version }}"
+        asdf_version="$(echo "${asdf_version}" | sed 's#v##g')"
+        if which asdf &&  [[ "${asdf_version}" == "" || "$(asdf --version | cut -d' ' -f3)" == "v${asdf_version}" ]]; then
+          echo "asdf: $(asdf --version | cut -d' ' -f3) detected"
+        else
+          if [[ "${asdf_version}" == "" ]]; then
+            asdf_version="$(curl --fail -s "${GITHUB_API_URL}/repos/asdf-vm/asdf/releases/latest" | jq -r '.name')"
+          fi
+          asdf_version="$(echo "${asdf_version}" | sed 's#v##g')"
+          echo "installing asdf ${asdf_version}"
+          wget -q -O - "https://github.com/asdf-vm/asdf/releases/download/v${asdf_version}/asdf-v${asdf_version}-${{ inputs.os }}-${{ inputs.architecture }}.tar.gz" | tar -zxf - -C /usr/local/bin asdf
+        fi
+
+    - name: Cache asdf
+      id: cache
+      uses: actions/cache@v4
+      with:
+        path: ~/.asdf
+        key: asdf-${{ hashFiles('**/.tool-versions') }}
+
+    - name: install asdf plugins
+      if: steps.cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        for plugin in $(cat .tool-versions | grep -Ev '^#' | cut -d' ' -f1 | uniq); do
+          asdf plugin add $plugin
+        done
+
+    - name: asdf install
+      if: steps.cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        asdf install
+
+    - name: update path
+      shell: bash
+      run: |
+        echo "${HOME}/.asdf/shims" >> $GITHUB_PATH
@@ -0,0 +1,90 @@
+name: "common-build-steps"
+description: "regular build steps"
+inputs:
+  python-version:
+    description: "If set, will use a system python version rather than asdf. Eg. a value of 3.11 would use the latest 3.11.x version. Set to empty string to use asdf versions."
+    default: "3.11"
+    required: false
+  fetch-depth:
+    description: "git fetch depth"
+    default: "0"
+    required: false
+
+
+runs:
+  using: "composite"
+  steps:
+    - name: checkout the calling repo
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: ${{ inputs.fetch-depth }}
+
+    - name: setup python
+      if: ${{ inputs.python-version != '' }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+
+    - name: print branch info
+      shell: bash
+      run: |
+        git branch
+        echo "GITHUB_HEAD_REF=${GITHUB_HEAD_REF}"
+        echo "GITHUB_BASE_REF=${GITHUB_BASE_REF}"
+        git log --oneline -n 10
+
+    - name: clean
+      shell: bash
+      run: |
+        git clean -fdx
+
+    - name: check secrets
+      uses: ./.github/actions/check-secrets
+
+    - name: merge into base_branch
+      if: ${{ github.event_name == 'pull_request' }}
+      shell: bash
+      run: |
+        echo base branch "${{ github.base_ref }}"
+        echo pr branch "${{ github.head_ref }}"
+        git checkout "${{ github.base_ref }}"
+        git checkout -b "merging-${{ github.event.number }}"
+        git merge --ff-only "${{ github.event.pull_request.head.sha }}"
+
+    - name: git reset
+      shell: bash
+      run: git reset --hard
+
+    - name: replace asdf python version
+      if: ${{ inputs.python-version != '' }}
+      shell: bash
+      run: sed -i -E 's#^python .*##g' .tool-versions
+
+    - name: Install tools from asdf config
+      if: ${{ hashFiles('**/.tool-versions') }}
+      uses: ./.github/actions/asdf-cache
+
+    - name: cache virtualenv
+      uses: actions/cache@v4
+      with:
+        path: |
+          .venv
+          **/.lock-hash
+          **/requirements.txt
+        key: ${{ runner.os }}-py-${{ inputs.python-version }}-poetry-${{ hashFiles('./poetry.lock') }}
+
+    - name: fix virtualenv
+      shell: bash
+      run: |
+        if [ -d .venv/bin ]; then
+          echo fixing .venv
+          unlink .venv/bin/python3
+          py_version="$(ls /opt/hostedtoolcache/Python --color=no | sed 's#/##g' | grep -E '^3.11' | sort -t\. -k3 --numeric | tail -n 1)"
+          if [ -z "${py_version}" ]; then
+            ls /opt/hostedtoolcache/Python
+            echo "could not find a compatible python version for ${py_version}"
+            exit -1
+          fi
+          ln -s -t .venv/bin "/opt/hostedtoolcache/Python/${py_version}/x64/bin/python3"
+          find .venv/bin -type f -exec file {} + | awk -F: '/ASCII text/ {print $1}' | xargs grep -lr '.venv' | xargs sed -i -E "s#/.*?/.venv#${GITHUB_WORKSPACE}/.venv#"
+        fi
@@ -0,0 +1,22 @@
+name: "CI stages"
+description: "run any standard CI stages found in the root Makefile"
+
+inputs:
+  scan-type:
+    description: secrets scan type  recursive/untracked etc.
+    default: 'recursive'
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: run git-secrets
+      shell: bash
+      run: |
+        export PATH="${PATH}:${{ github.action_path }}"
+        git secrets --register-aws
+        if [[ -e ./.gitdisallowed ]]; then
+          git secrets --add-provider -- grep -Ev '^(#.*|\s*$)' .gitdisallowed || true
+          git secrets --add --allowed '^.gitdisallowed:[0-9]+:.*' || true
+        fi
+        git secrets --scan --${{ inputs.scan-type }}