From 6d0071757ce3b36cbab4ecb47637b39bbfb12517 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 1 Apr 2026 13:37:11 +0000
Subject: [PATCH] fix
---
 .devcontainer/devcontainer.json | 1 -
 .github/dependabot.yaml | 6 +-
 .../schedule_dev_container_update.yml | 19 ---
 .github/workflows/sync_copilot.yml | 80 ++------
 .../update-dev-container-version.yml | 155 ++----------------
 .pre-commit-config.yaml | 20 +++
 6 files changed, 50 insertions(+), 231 deletions(-)
 delete mode 100644 .github/workflows/schedule_dev_container_update.yml
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index d19c9683..25b63368 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -12,7 +12,6 @@
 },
 "updateRemoteUserUID": false
 },
- "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
 "mounts": [
 "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
 "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 1bf0315e..d454622d 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -13,7 +13,7 @@ updates:
 commit-message:
 prefix: "Upgrade: [dependabot] - "
 cooldown:
- default-days: 3
+ default-days: 7
 ###################################
 # Poetry #########################
@@ -29,7 +29,7 @@ updates:
 commit-message:
 prefix: "Upgrade: [dependabot] - "
 cooldown:
- default-days: 3
+ default-days: 7
 ###################################
 # NPM workspace ##################
@@ -45,4 +45,4 @@ updates:
 commit-message:
 prefix: "Upgrade: [dependabot] - "
 cooldown:
- default-days: 3
+ default-days: 7
diff --git a/.github/workflows/schedule_dev_container_update.yml b/.github/workflows/schedule_dev_container_update.yml
deleted file mode 100644
index 1ac8d819..00000000
--- a/.github/workflows/schedule_dev_container_update.yml
+++ /dev/null
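Review bot: Removing `postAttachCommand` drops the only step in this file that registers git-secrets patterns (`git-secrets --register-aws` plus the `nhsd-rules-deny.txt` provider), so a freshly attached container appears to have the scanner present but nothing registered for it to match. The `git-secrets` hook kept in .pre-commit-config.yaml (last hunk of this patch) still invokes the scanner, but nothing visible in the patch re-registers those patterns, so the local scan is presumably a no-op unless the registration now happens in the base image. If it has moved into the image, record that here, e.g. a JSONC comment `// git-secrets patterns and the NHSD deny list are registered by the base image`; otherwise keep the command, or move it to `postCreateCommand` so it runs once per container rather than on every attach.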
@@ -1,19 +0,0 @@
-name: Scheduled Update Devcontainer Version
-
-on:
- workflow_dispatch:
- schedule:
- - cron: "0 18 * * 4"
-
-jobs:
- update_devcontainer_version:
- uses: ./.github/workflows/update-dev-container-version.yml
- permissions:
- contents: read
- packages: read
- pull-requests: write
- with:
- base_branch: main
- secrets:
- CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
- CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}
diff --git a/.github/workflows/sync_copilot.yml b/.github/workflows/sync_copilot.yml
index dc78b993..f47c62b8 100644
--- a/.github/workflows/sync_copilot.yml
+++ b/.github/workflows/sync_copilot.yml
@@ -1,78 +1,22 @@ -name: Sync copilot instructions +name: Sync Copilot Instructions on: - workflow_call: - inputs: - common_workflows_ref: - description: "The ref to sync from the central repository" - required: false - default: "main" - type: string - calling_repo_base_branch: - description: "The base branch from the calling repository that should be merged into" - required: false - type: string - default: main + workflow_dispatch: + schedule: + - cron: "0 6 * * 1" jobs: - sync: + sync-copilot-instructions: runs-on: ubuntu-22.04 - environment: "create_pull_request" + environment: create_pull_request permissions: contents: read - pull-requests: write steps: - - name: Checkout calling repo code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - name: Sync shared instructions + uses: NHSDigital/eps-copilot-instructions@a7849a16aabd5c1edef13e29467a480fa08555f8 with: - ref: ${{ inputs.calling_repo_base_branch }} - fetch-depth: 0 - - - name: Checkout central repo code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - with: - ref: ${{ inputs.common_workflows_ref }} - fetch-depth: 0 - path: eps-common-workflows - repository: NHSDigital/eps-common-workflows - sparse-checkout: | - .github/instructions/general - .github/instructions/languages - .github/copilot-instructions.md - .github/prompts - - - name: Copy central instructions - run: | - rm -rf .github/instructions/general - rm -rf .github/instructions/languages - rm -rf .github/copilot-instructions.md - rm -rf .github/prompts - mkdir -p .github/instructions/ - cp -R eps-common-workflows/.github/instructions/general .github/instructions/general - cp -R eps-common-workflows/.github/instructions/languages .github/instructions/languages - cp eps-common-workflows/.github/copilot-instructions.md .github/copilot-instructions.md - cp -R eps-common-workflows/.github/prompts .github/prompts - rm -rf eps-common-workflows - - - name: Create GitHub App Token - uses: 
actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 - id: generate-token - with: - app-id: "${{ secrets.CREATE_PULL_REQUEST_APP_ID }}" - private-key: "${{ secrets.CREATE_PULL_REQUEST_PEM }}" - - - name: Create Pull Request - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 - with: - token: "${{ steps.generate-token.outputs.token }}" - commit-message: "Upgrade: [dependabot] - sync Copilot instructions" - title: "Upgrade: [dependabot] - sync Copilot instructions" - body: | - Syncing Copilot instructions from central repo. - Ref: `${{ inputs.common_workflows_ref }}` - branch: copilot-instructions-sync - base: ${{ inputs.calling_repo_base_branch }} - branch-suffix: random - sign-commits: true - delete-branch: true + copilot_instructions_ref: main + calling_repo_base_branch: main + CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }} + CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }} diff --git a/.github/workflows/update-dev-container-version.yml b/.github/workflows/update-dev-container-version.yml index 661bdec9..765cd09c 100644 --- a/.github/workflows/update-dev-container-version.yml +++ b/.github/workflows/update-dev-container-version.yml 
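Review bot: The rewritten sync_copilot.yml sets job-level permissions but no workflow-level `permissions: {}`, unlike the update-dev-container-version.yml rewrite in this same patch, so the repository's default GITHUB_TOKEN grant still applies to any job added to this file later; add `permissions: {}` between the `on:` block and `jobs:` as the sibling file does. The synced content is also taken from `copilot_instructions_ref: main`, a moving branch, while the action itself is pinned by commit SHA; that is acceptable as long as the resulting change is reviewed before merge (the `create_pull_request` environment and App secrets suggest it lands as a pull request), but it is worth saying on that line, e.g. `# tracks the central repo's main branch; changes land via a reviewed pull request`. This hunk replaces the whole file, and the action's declared inputs are not visible here, so the `with:` key names cannot be checked against it.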
@@ -1,148 +1,23 @@ -name: Update Dev Container Image version +name: Update devcontainer version + on: - workflow_call: - inputs: - base_branch: - required: false - type: string - default: main - secrets: - CREATE_PULL_REQUEST_APP_ID: - required: true - CREATE_PULL_REQUEST_PEM: - required: true + workflow_dispatch: + schedule: + - cron: "0 6 * * 4" +permissions: {} + jobs: - update_devcontainer_version: + update-devcontainer-version: runs-on: ubuntu-22.04 + environment: create_pull_request permissions: contents: read packages: read - pull-requests: write - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - with: - fetch-depth: 0 - - name: Load config value - id: load-config - run: | - set -euo pipefail - DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json) - - DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json) - - { - echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE" - echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION" - } >> "$GITHUB_ENV" - - name: Resolve latest devcontainer image version from GHCR - id: resolve-version - env: - GH_TOKEN: "${{ github.token }}" - run: | - set -euo pipefail - - - PACKAGE_NAME="eps-devcontainers/${DEVCONTAINER_IMAGE}" - - ENCODED_PACKAGE_NAME=$(python3 -c 'import sys, urllib.parse; - print(urllib.parse.quote(sys.argv[1], safe=""))' "$PACKAGE_NAME") - - - VERSIONS_JSON=$(gh api \ - -H "Accept: application/vnd.github+json" \ - "/orgs/NHSDigital/packages/container/${ENCODED_PACKAGE_NAME}/versions?per_page=100") - - LATEST_VIA_LATEST_TAG=$(jq -r ' - [ .[] - | select((.metadata.container.tags // []) | index("latest")) - ] - | sort_by(.created_at) - | reverse - | .[0].metadata.container.tags // [] - | map(select(test("^v"))) - | .[0] // empty - ' <<< "$VERSIONS_JSON") - - - LATEST_V_TAG=$(jq -r ' - [ .[] - | {created_at, tags: (.metadata.container.tags // [])} - ] - | sort_by(.created_at) - | reverse - | map(.tags[]? 
| select(test("^v"))) - | .[0] // empty - ' <<< "$VERSIONS_JSON") - - - RESOLVED_VERSION="$LATEST_VIA_LATEST_TAG" - - if [[ -z "$RESOLVED_VERSION" ]]; then - RESOLVED_VERSION="$LATEST_V_TAG" - fi - - - if [[ -z "$RESOLVED_VERSION" ]]; then - echo "No version tag matching ^v found for package ${PACKAGE_NAME}" >&2 - exit 1 - fi - - echo "Resolved latest version: ${RESOLVED_VERSION}" - - echo "LATEST_DEVCONTAINER_VERSION=${RESOLVED_VERSION}" >> "$GITHUB_ENV" - - echo "latest_version=${RESOLVED_VERSION}" >> "$GITHUB_OUTPUT" - - name: Update devcontainer version in config - run: | - set -euo pipefail - - - TARGET_VERSION='${{ steps.resolve-version.outputs.latest_version }}' - - if [[ "$TARGET_VERSION" == "$DEVCONTAINER_VERSION" ]]; then - echo "IMAGE_VERSION is already up to date (${DEVCONTAINER_VERSION})" - exit 0 - fi - - - python3 - <<'PY' - - import json - - from pathlib import Path - - - config_file = Path('.devcontainer/devcontainer.json') - - config = json.loads(config_file.read_text()) - - config['build']['args']['IMAGE_VERSION'] = '${{ - steps.resolve-version.outputs.latest_version }}' - - config_file.write_text(json.dumps(config, indent=2) + '\n') - - PY - - - echo "Updated IMAGE_VERSION from ${DEVCONTAINER_VERSION} to - ${LATEST_DEVCONTAINER_VERSION}" - - name: Create GitHub App Token - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 - id: generate-token - with: - app-id: "${{ secrets.CREATE_PULL_REQUEST_APP_ID }}" - private-key: "${{ secrets.CREATE_PULL_REQUEST_PEM }}" - - name: Create Pull Request - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 + steps: + - name: Update devcontainer version + uses: NHSDigital/eps-update-devcontainer@dc3a8c5f11e7226ee4f5f2bb35bd0d1265092306 with: - token: "${{ steps.generate-token.outputs.token }}" - commit-message: Update devcontainer image version to ${{ steps.resolve-version.outputs.latest_version }} - title: "Upgrade: [dependabot] - Update devcontainer image 
version to ${{ steps.resolve-version.outputs.latest_version }}" - body: "This PR updates the devcontainer image version to ${{ steps.resolve-version.outputs.latest_version }}." - add-paths: .devcontainer/devcontainer.json - sign-commits: true - base: "${{ inputs.base_branch }}" - delete-branch: true - branch: update-devcontainer-version + calling_repo_base_branch: main + CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }} + CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f319077d..2f7f8656 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -17,6 +17,26 @@ repos: files: ^(.github) - repo: local hooks: + - id: check-commit-signing + name: Check commit signing + description: Ensures that commits are GPG signed + entry: bash + args: + - -c + - | + if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then + echo "Error: Commit signing is not enabled." + echo "Please enable commit signing with:" + echo " git config commit.gpgsign true" + echo "" + echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits" + exit 1 + fi + echo "Commit signing is properly configured." + language: system + pass_filenames: false + always_run: true + - id: git-secrets name: Git Secrets description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
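Review bot: The new job keeps `packages: read`, but with the GHCR lookup now inside NHSDigital/eps-update-devcontainer nothing in this file says why that grant is needed; the removed lines show it backed a `gh api .../packages/container/...` call authenticated with `github.token`, and the action presumably still does the same. Add a comment on that line, e.g. `# packages: read — the action resolves the latest devcontainer image tag from GHCR using GITHUB_TOKEN`, so the next reviewer can tell the permission is still consumed rather than left over from the inlined version. Note also that the private key `CREATE_PULL_REQUEST_PEM` is now handed to the action as a `with:` input rather than a declared `secrets:` entry; that is how an action has to receive it, but this workflow no longer validates it as required, so a missing secret will surface inside the action rather than at workflow validation time.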
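Review bot: The new check-commit-signing hook greps the raw `commit.gpgsign` value for the string `true`, so a developer who enabled signing with `git config commit.gpgsign yes` or `1` (both true to git) is rejected, and the `> /dev/null 2>&1` on an already-quiet `grep -q` is redundant. Let git normalise the value instead: `if [ "$(git config --type=bool --get commit.gpgsign 2>/dev/null)" != "true" ]; then`. The hook also only inspects the local configuration of whoever runs pre-commit; it cannot confirm that the commit object created afterwards carries a valid signature, so the enforcing control remains a server-side branch rule requiring signed commits, which is worth stating in the hook's `description` so nobody treats this check as that control.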