Skip to content
.github/workflows/stage-1-commit.yaml

CCM-14499: Pinning all GitHub Actions to SHAs #7

Sign in to view logs

CCM-14499: Pinning all GitHub Actions to SHAs

CCM-14499: Pinning all GitHub Actions to SHAs #7

Workflow file for this run

.github/workflows/stage-1-commit.yaml at d64db11
name: "Commit stage"
on:
workflow_call:
inputs:
build_datetime:
description: "Build datetime, set by the CI/CD pipeline workflow"
required: true
type: string
build_timestamp:
description: "Build timestamp, set by the CI/CD pipeline workflow"
required: true
type: string
build_epoch:
description: "Build epoch, set by the CI/CD pipeline workflow"
required: true
type: string
nodejs_version:
description: "Node.js version, set by the CI/CD pipeline workflow"
required: true
type: string
python_version:
description: "Python version, set by the CI/CD pipeline workflow"
required: true
type: string
# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
# skip_trivy_package:
# description: "Skip Trivy package scan when true"
# type: boolean
# default: false
terraform_version:
description: "Terraform version, set by the CI/CD pipeline workflow"
required: true
type: string
version:
description: "Version of the software, set by the CI/CD pipeline workflow"
required: true
type: string
jobs:
scan-secrets:
name: "Scan secrets"
runs-on: ubuntu-latest
timeout-minutes: 5
steps:

Check failure on line 45 in .github/workflows/stage-1-commit.yaml

View workflow run for this annotation

GitHub Actions / .github/workflows/stage-1-commit.yaml

Invalid workflow file 

You have an error in your yaml syntax on line 45
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
fetch-depth: 0 # Full history is needed to scan all commits
- name: "Scan secrets"
uses: ./.github/actions/scan-secrets
check-file-format:
name: "Check file format"
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check file format"
uses: ./.github/actions/check-file-format
check-markdown-format:
name: "Check Markdown format"
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check Markdown format"
uses: ./.github/actions/check-markdown-format
terraform-docs:
name: "Run terraform-docs"
runs-on: ubuntu-latest
needs: detect-terraform-changes
if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
permissions:
contents: write
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check to see if Terraform Docs are up-to-date"
run: |
make terraform-docs
- name: "Stage changes"
run: |
git add infrastructure/terraform/**/*.md
- name: "Check for changes in Terraform Docs"
run: |
if git diff --cached --name-only | grep -qE '\.md$'; then
echo "Markdown files have changed. Please run 'make terraform-docs' and commit the changes."
exit 1
fi
check-english-usage:
name: "Check English usage"
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check English usage"
uses: ./.github/actions/check-english-usage
check-todo-usage:
name: "Check TODO usage"
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
fetch-depth: 0 # Full history is needed to compare branches
- name: "Check TODO usage"
uses: ./.github/actions/check-todo-usage
detect-terraform-changes:
name: "Detect Terraform Changes"
runs-on: ubuntu-latest
outputs:
terraform_changed: ${{ steps.check.outputs.terraform_changed }}
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: "Check for Terraform changes"
id: check
run: |
git fetch origin main || true # Ensure you have the latest main branch
CHANGED_FILES=$(git diff --name-only HEAD origin/main)
echo "Changed files: $CHANGED_FILES"
if echo "$CHANGED_FILES" | grep -qE '\.tf$'; then
echo "Terraform files have changed."
echo "terraform_changed=true" >> $GITHUB_OUTPUT
else
echo "No Terraform changes detected."
echo "terraform_changed=false" >> $GITHUB_OUTPUT
fi
lint-terraform:
name: "Lint Terraform"
runs-on: ubuntu-latest
timeout-minutes: 5
needs: detect-terraform-changes
if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Setup ASDF"
uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
- name: "Lint Terraform"
uses: ./.github/actions/lint-terraform
# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
# trivy-iac:
# name: "Trivy IaC Scan"
# permissions:
# contents: read
# runs-on: ubuntu-latest
# timeout-minutes: 10
# needs: detect-terraform-changes
# if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
# steps:
# - name: "Checkout code"
# uses: actions/checkout@v6.0.2
# - name: "Setup ASDF"
# uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
# - name: "Trivy IaC Scan"
# uses: ./.github/actions/trivy-iac
# trivy-package:
# if: ${{ !inputs.skip_trivy_package }}
# name: "Trivy Package Scan"
# permissions:
# contents: read
# runs-on: ubuntu-latest
# timeout-minutes: 10
# steps:
# - name: "Checkout code"
# uses: actions/checkout@v6.0.2
# - name: "Setup ASDF"
# uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
# - name: "Trivy Package Scan"
# uses: ./.github/actions/trivy-package
count-lines-of-code:
name: "Count lines of code"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
timeout-minutes: 5
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Count lines of code"
uses: ./.github/actions/create-lines-of-code-report
with:
build_datetime: "${{ inputs.build_datetime }}"
build_timestamp: "${{ inputs.build_timestamp }}"
idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"
scan-dependencies:
name: "Scan dependencies"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
timeout-minutes: 5
steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Scan dependencies"
uses: ./.github/actions/scan-dependencies
with:
build_datetime: "${{ inputs.build_datetime }}"
build_timestamp: "${{ inputs.build_timestamp }}"
idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"