From c7b107aaf6e5c300a11dfe56ee8505a71424c735 Mon Sep 17 00:00:00 2001 From: Shahid Azim Date: Thu, 21 May 2026 13:31:49 +0100 Subject: [PATCH] fix: updated github actions to latest versions with support for node.js v24 --- .../create-lines-of-code-report/action.yaml | 4 +-- .../actions/create-sbom-report/action.yaml | 2 +- .github/actions/scan-dependencies/action.yaml | 6 ++--- .../actions/scan-vulnerabilities/action.yaml | 2 +- .github/workflows/cicd-1-pull-request.yaml | 2 +- .github/workflows/cicd-2-publish.yaml | 25 ++---------------- .github/workflows/cicd-3-deploy.yaml | 6 ++--- .github/workflows/stage-1-commit.yaml | 14 +++++----- .github/workflows/stage-2-test.yaml | 12 ++++----- .github/workflows/stage-3-build-images.yaml | 22 ++++++++-------- .github/workflows/stage-3-build.yaml | 26 +++++++++---------- .github/workflows/stage-4-acceptance.yaml | 18 ++++++------- scripts/deployments/get-docker-names.sh | 2 +- 13 files changed, 60 insertions(+), 81 deletions(-) diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index b21f0667..2c7bbd34 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -32,7 +32,7 @@ runs: run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: lines-of-code-report.json.zip path: ./lines-of-code-report.json.zip 
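Review bot: The bumped `uses:` line in this hunk still references a mutable major tag (`actions/upload-artifact@v7`), so whoever controls that tag decides what code runs inside this composite action. Since the commit touches nearly every `uses:` line anyway, it is a good moment to pin each one to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v7`. The same applies to the other bumps in this patch, most importantly the steps that receive credentials: `aws-actions/configure-aws-credentials@v6`, `azure/login@v3` and `docker/login-action@v4`. The enclosing `runs:` block starts and ends outside the hunk.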
@@ -44,7 +44,7 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v6 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} diff --git a/.github/actions/create-sbom-report/action.yaml b/.github/actions/create-sbom-report/action.yaml index 7c69d80a..bc6434d0 100644 --- a/.github/actions/create-sbom-report/action.yaml +++ b/.github/actions/create-sbom-report/action.yaml @@ -33,7 +33,7 @@ runs: bash ${GITHUB_WORKSPACE}/templates/scripts/reports/create-sbom-report.sh - name: Upload SBOM report as an artefact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: ${{ inputs.image_name }}-sbom path: ${{ inputs.image_name }}-sbom.json diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index f8ed605d..63019680 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml @@ -32,7 +32,7 @@ runs: run: zip sbom-repository-report.json.zip sbom-repository-report.json - name: "Upload SBOM report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: sbom-repository-report.json.zip path: ./sbom-repository-report.json.zip 
@@ -47,7 +47,7 @@ runs: run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - name: "Upload vulnerabilities report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: vulnerabilities-repository-report.json.zip path: ./vulnerabilities-repository-report.json.zip @@ -58,7 +58,7 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v6 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} diff --git a/.github/actions/scan-vulnerabilities/action.yaml b/.github/actions/scan-vulnerabilities/action.yaml index 786b1b80..0a9c386a 100644 --- a/.github/actions/scan-vulnerabilities/action.yaml +++ b/.github/actions/scan-vulnerabilities/action.yaml @@ -54,7 +54,7 @@ runs: done - name: Upload vulnerabilities report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: ${{ inputs.image_name }}-vulnerabilities path: | diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index 004b11a5..73b85516 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml @@ -27,7 +27,7 @@ jobs: docker_file_exists: ${{ steps.check_compose.outputs.docker_file_exists }} steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Set CI/CD variables" id: variables run: | diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml index 5717ee9b..2df86ae0 100644 
--- a/.github/workflows/cicd-2-publish.yaml +++ b/.github/workflows/cicd-2-publish.yaml @@ -22,7 +22,7 @@ jobs: version: ${{ steps.variables.outputs.version }} steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Set CI/CD variables" id: variables run: | @@ -53,32 +53,11 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Get the artefacts" run: | echo "Getting the artefacts created by the build stage ..." # TODO: Use either action/cache or action/upload-artifact - - name: "Create release" - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ needs.metadata.outputs.version }} - release_name: Release ${{ needs.metadata.outputs.version }} - body: | - Release of ${{ needs.metadata.outputs.version }} - draft: false - prerelease: false - # - name: "Upload release asset" - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: "${{ steps.create_release.outputs.upload_url }}" - # asset_path: ./* - # asset_name: repository-template-${{ needs.metadata.outputs.version }}.tar.gz - # asset_content_type: "application/gzip" success: name: "Success notification" runs-on: ubuntu-latest diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 2745b380..be4e9b62 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -24,7 +24,7 @@ jobs: tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Set CI/CD variables" id: variables run: | @@ -56,7 +56,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 # TODO: More jobs or/and steps here # success: # name: "Success notification" 
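Review bot: The `@@ -53,32 +53,11 @@` hunk in `cicd-2-publish.yaml` deletes the "Create release" step without a replacement, which the subject line (version bumps only) does not mention; on the new side the job is left with the checkout and an `echo`, so no release appears to be created any more. Dropping the archived `actions/create-release@v1` is reasonable in itself, but if releases are still wanted the step can be replaced with the `gh` CLI that GitHub-hosted runners ship, as sketched below. Passing the version through `env` instead of interpolating `${{ … }}` into the script keeps the value out of the shell source. The job needs `contents: write` for this, and its `permissions:` block is not visible in the hunk.

```yaml
# … unchanged: "Checkout code" and "Get the artefacts" steps …
      - name: "Create release"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ needs.metadata.outputs.version }}
        run: |
          gh release create "$VERSION" \
            --title "Release $VERSION" \
            --notes "Release of $VERSION"
```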
@@ -68,7 +68,7 @@ jobs: # run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT # - name: "Notify on deployment to an environment" # if: steps.check.outputs.secret_exist == 'true' - # uses: nhs-england-tools/notify-msteams-action@v0.0.4 + # uses: nhs-england-tools/notify-msteams-action@v1.0.0 # with: # github-token: ${{ secrets.GITHUB_TOKEN }} # teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }} diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index a97d49ee..cdce7f06 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -39,7 +39,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" @@ -50,7 +50,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" @@ -61,7 +61,7 @@ jobs: # timeout-minutes: 2 # steps: # - name: "Checkout code" - # uses: actions/checkout@v4 + # uses: actions/checkout@v6 # with: # fetch-depth: 0 # Full history is needed to compare branches # - name: "Check Markdown format" @@ -72,7 +72,7 @@ jobs: # timeout-minutes: 2 # steps: # - name: "Checkout code" - # uses: actions/checkout@v4 + # uses: actions/checkout@v6 # with: # fetch-depth: 0 # Full history is needed to compare branches # - name: "Check English usage" @@ -83,7 +83,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Lint Terraform" uses: ./.github/actions/lint-terraform count-lines-of-code: 
@@ -95,7 +95,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Count lines of code" uses: ./.github/actions/create-lines-of-code-report with: @@ -114,7 +114,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 # - name: "Scan dependencies" # uses: ./.github/actions/scan-dependencies # with: diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index b10c159f..14bd7853 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -39,7 +39,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run unit test suite" run: | make test-unit @@ -52,7 +52,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run linting" run: | make test-lint @@ -66,7 +66,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run test coverage check" run: | make test-coverage @@ -80,9 +80,9 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Install Terraform - uses: hashicorp/setup-terraform@v3 + uses: hashicorp/setup-terraform@v4 with: terraform_version: 1.12.2 - name: "run the tests" @@ -99,7 +99,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Perform static analysis" diff --git a/.github/workflows/stage-3-build-images.yaml b/.github/workflows/stage-3-build-images.yaml index 59ce3286..71a1eaea 100644 --- a/.github/workflows/stage-3-build-images.yaml +++ b/.github/workflows/stage-3-build-images.yaml 
@@ -45,13 +45,13 @@ jobs: FUNC_NAMES: ${{ steps.get-function-names.outputs.FUNC_NAMES }} DOCKER_COMPOSE_DIR: ${{ steps.get-function-names.outputs.DOCKER_COMPOSE_DIR }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 2 token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout dtos-devops-templates repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: NHSDigital/dtos-devops-templates path: templates @@ -82,14 +82,14 @@ jobs: pr_num_tag: ${{ env.PR_NUM_TAG }} short_commit_hash: ${{ env.COMMIT_HASH_TAG }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: token: ${{ secrets.GITHUB_TOKEN }} fetch-depth: 1 submodules: 'true' - name: Checkout dtos-devops-templates repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: NHSDigital/dtos-devops-templates path: templates @@ -97,7 +97,7 @@ jobs: - name: Az CLI login if: github.ref == 'refs/heads/main' - uses: azure/login@v2 + uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -222,7 +222,7 @@ jobs: zip "${SBOM_REPOSITORY_REPORT}.json.zip" "${SBOM_REPOSITORY_REPORT}.json" - name: Upload SBOM report as an artefact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: ${{ env.SBOM_REPOSITORY_REPORT }}.json.zip path: ./${{ env.SBOM_REPOSITORY_REPORT }}.json.zip 
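Review bot: In `stage-3-build-images.yaml`, the checkout in the `@@ -82,14 +82,14 @@` hunk is given `token: ${{ secrets.GITHUB_TOKEN }}` and `submodules: 'true'` but does not set `persist-credentials`, so the token stays available to git for every later step of the job. Unless a later step (outside the hunk) needs authenticated git, add `persist-credentials: false` under `with:`; the same applies to the checkout in the `@@ -45,13 +45,13 @@` hunk. The explicit `token:` matches the action's default and could be dropped.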
@@ -235,14 +235,14 @@ jobs: zip ${VULNERABILITIES_REPOSITORY_REPORT}.json.zip ${VULNERABILITIES_REPOSITORY_REPORT}.json - name: Upload vulnerabilities report as an artefact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: ${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip path: ./${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip retention-days: 21 - name: Upload vulnerabilities summary report as an artefact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: ${{ env.VULNERABILITIES_SUMMARY_LOGFILE }} path: ./${{ env.VULNERABILITIES_SUMMARY_LOGFILE }} @@ -253,7 +253,7 @@ jobs: needs: build-and-push steps: - name: Download SBOM JSON artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: path: ./downloaded-artifacts @@ -267,13 +267,13 @@ jobs: zip vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/**/*vulnerabilities-summary*.txt - name: Upload sbom zip file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: aggregated-sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip path: sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip - name: Upload repository zip file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: aggregated-vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip path: vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index 7192255d..7e5ade62 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml 
@@ -54,13 +54,13 @@ jobs: pr_num_tag: ${{ steps.tags.outputs.pr_num_tag }} short_commit_hash: ${{ steps.tags.outputs.short_commit_hash }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: # to allow git diff between HEAD and the previous commit to main branch fetch-depth: 2 - name: Checkout dtos-devops-templates repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: NHSDigital/dtos-devops-templates path: templates @@ -116,13 +116,13 @@ jobs: matrix: function: ${{ fromJSON(needs.containers-to-build.outputs.containers) }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 1 submodules: true - name: Checkout dtos-devops-templates - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: NHSDigital/dtos-devops-templates path: templates @@ -152,7 +152,7 @@ jobs: - name: AzureCLI login if: (github.ref == 'refs/heads/main' && env.USE_AZURECR == 'true') - uses: azure/login@v2 + uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -160,7 +160,7 @@ jobs: - name: ghcr.io login if: (github.ref == 'refs/heads/main' && env.USE_AZURECR == 'false') - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} @@ -202,13 +202,13 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: # to allow git diff between HEAD and the previous commit to main branch fetch-depth: 2 - name: Checkout dtos-devops-templates repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: NHSDigital/dtos-devops-templates path: templates @@ -216,7 +216,7 @@ jobs: - name: AzureCLI login if: env.USE_AZURECR == 'true' - uses: azure/login@v2 + uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} 
@@ -224,7 +224,7 @@ jobs: - name: ghcr.io login if: env.USE_AZURECR == 'false' - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} @@ -257,12 +257,12 @@ jobs: needs: [build-and-push, containers-to-build] steps: - name: Get all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: path: aggregated-reports - name: Aggregate reports - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: aggregated-reports-${{ needs.containers-to-build.outputs.pr_num_tag }} - path: aggregated-reports \ No newline at end of file + path: aggregated-reports diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index d554f98a..aca23307 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -39,7 +39,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Create infractructure" run: | echo "Creating infractructure..." @@ -56,7 +56,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run contract test" run: | make test-contract @@ -70,7 +70,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run security test" run: | make test-security @@ -84,7 +84,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run UI test" run: | make test-ui @@ -98,7 +98,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run UI performance test" run: | make test-ui-performance 
@@ -112,7 +112,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run integration test" run: | make test-integration @@ -126,7 +126,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run accessibility test" run: | make test-accessibility @@ -140,7 +140,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Run load tests" run: | make test-load @@ -164,7 +164,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Tear down environment" run: | echo "Tearing down environment..." diff --git a/scripts/deployments/get-docker-names.sh b/scripts/deployments/get-docker-names.sh index 41aac351..5cf0271a 100644 --- a/scripts/deployments/get-docker-names.sh +++ b/scripts/deployments/get-docker-names.sh @@ -26,7 +26,7 @@ if [[ -z "${CHANGED_FOLDERS_CSV}" ]]; then exit 1 fi if [[ "${GITHUB_EVENT_NAME}" == "push" && "${GITHUB_REF}" == "refs/heads/main" ]]; then - # Merge to main - compare merged code with main immediately prior to the merge (HEAD^), needs 'fetch-depth: 2' parameter for actions/checkout@v4 + # Merge to main - compare merged code with main immediately prior to the merge (HEAD^), needs 'fetch-depth: 2' parameter for actions/checkout@v6 mapfile -t source_changes < <(git diff --name-only HEAD^ -- "${SOURCE_CODE_PATH}" | sed -r 's#(^.*/).*$#\1#' | sort -u) else # PR creation or update - compare feature branch with main, folder paths only, unique list