diff --git a/.gitallowed b/.gitallowed
new file mode 100644
index 00000000..9f33d492
--- /dev/null
+++ b/.gitallowed
@@ -0,0 +1,33 @@
+# Allow GitHub workflow secrets and tokens
+token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
+id-token: write
+--token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
+--token=\$GITHUB-TOKEN
+
+# Allow CIDR blocks in CloudFormation templates and related files
+CidrBlock: "10\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2}"
+DestinationCidrBlock: "0\.0\.0\.0/0"
+
+# Java corretto is not a secret
+.*java corretto.*
+
+# Allow standard code in JSON files for FHIR compliance testing
+"code": "1\.2\.840\.10065\.1\.12\.1\.1"
+
+# Allow IP in X-Forwarded-For header in test files
+.*\"X-Forwarded-For\": \"86\.5\.218\.71\".*
+
+# Allow version for AspectJ in pom.xml
+1\.9\.22\.1
+
+^.*pom\.xml:.*([^<]+).*$
+^.*Gemfile\.lock:.*$
+^.*\.java:.*\\"id\\":\\"([0-9a-f\-]+)\\".*$
+
+# General ones
+.*\.gitallowed.*
+.*nhsd-rules-deny.txt.*
+.*\.venv.*
+.*node_modules.*
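Review bot: The pattern `^.*pom\.xml:.*([^<]+).*$` on the line after the AspectJ comment allows every line reported from any `pom.xml`, not just the version it was added for — `([^<]+)` matches any non-empty text, so a real credential committed into a POM would never be flagged; `^.*Gemfile\.lock:.*$` blanket-allows that file the same way. git-secrets matches these regexes against its `path:line:content` output, which is what the `^.*…:.*$` shape in this file assumes, so narrowing to the value actually being allowed keeps scanning active for the rest of the file, e.g. `^.*pom\.xml:.*1\.9\.22\.1.*$` (and then the unanchored `1\.9\.22\.1` entry above it becomes redundant). A comment on the broad `.*\.venv.*` / `.*node_modules.*` entries saying they exist because those directories are vendored would help the next reader judge whether they are still needed.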
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2da038cb..5264adcf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,9 +9,11 @@ env:
jobs:
quality_checks:
- uses: ./.github/workflows/quality_checks.yml
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.0
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ install_java: true
get_commit_id:
runs-on: ubuntu-latest
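Review bot: The external reusable workflow on the `uses:` line is pinned to the tag `v4.0.0`, which can be moved in the called repository, whereas the in-repo workflow this replaces pinned third-party actions by commit SHA with the comment that this ensures a stable version; that convention is lost here. Because the called workflow receives `SONAR_TOKEN` via `secrets:`, whatever the tag resolves to at run time executes with that credential, so a full-SHA pin with the version kept as a trailing comment is the safer form, e.g. `uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@<full-commit-sha> # v4.0.0`. The identical hunks in `.github/workflows/pull_request.yml` and `.github/workflows/release.yml` have the same issue. The `quality_checks` job's remaining keys, if any, lie outside the hunk.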
diff --git a/.github/workflows/pr-link.yml b/.github/workflows/pr-link.yml
index 8d842123..51432f89 100644
--- a/.github/workflows/pr-link.yml
+++ b/.github/workflows/pr-link.yml
@@ -14,10 +14,25 @@ jobs:
- name: Grab ticket name
if: contains(github.event.pull_request.head.ref, 'aea-') || contains(github.event.pull_request.head.ref, 'AEA-') || contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'apmspii-') || contains(github.event.pull_request.head.ref, 'APMSPII-') || contains(github.event.pull_request.head.ref, 'adz-') || contains(github.event.pull_request.head.ref, 'ADZ-') || contains(github.event.pull_request.head.ref, 'amb-') || contains(github.event.pull_request.head.ref, 'AMB-')
- run: echo name=TICKET_NAME::"$(echo "$REF" | grep -i -o '\(aea-[0-9]\+\)\|\(apm-[0-9]\+\)\|\(apmspii-[0-9]\+\)\|\(adz-[0-9]\+\)|\(amb-[0-9]\+\)' | tr '[:lower:]' '[:upper:]')" >> "$GITHUB_ENV"
continue-on-error: true
- env:
- ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+ run: |
+ # Match ticket name patterns
+ REGEX='
+ (aea-[0-9]+)|
+ (apm-[0-9]+)|
+ (apmspii-[0-9]+)|
+ (adz-[0-9]+)|
+ (amb-[0-9]+)
+ '
+
+ # Remove whitespace and newlines from the regex
+ REGEX=$(echo "$REGEX" | tr -d '[:space:]')
+
+ # Extract the ticket name and convert to uppercase
+ TICKET_NAME=$(echo "$REF" | grep -i -E -o "$REGEX" | tr '[:lower:]' '[:upper:]')
+
+ # Set the environment variable
+ echo "TICKET_NAME=$TICKET_NAME" >> "$GITHUB_ENV"
- name: Comment on PR with link to JIRA ticket
if: contains(github.event.pull_request.head.ref, 'aea-') || contains(github.event.pull_request.head.ref, 'AEA-') || contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'apmspii-') || contains(github.event.pull_request.head.ref, 'APMSPII-') || contains(github.event.pull_request.head.ref, 'adz-') || contains(github.event.pull_request.head.ref, 'ADZ-') || contains(github.event.pull_request.head.ref, 'amb-') || contains(github.event.pull_request.head.ref, 'AMB-')
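Review bot: `grep -o` prints one line per match, so a branch name containing two ticket references (e.g. `aea-123-apm-456`) makes `TICKET_NAME` multi-line, and the single `echo "TICKET_NAME=$TICKET_NAME" >> "$GITHUB_ENV"` line then writes a malformed env entry rather than one ticket; take the first match, `TICKET_NAME=$(echo "$REF" | grep -i -E -o "$REGEX" | head -n 1 | tr '[:lower:]' '[:upper:]')`. When nothing matches the step still writes an empty `TICKET_NAME`, and the following step's `if:` only checks for the prefix, so the JIRA link can be rendered with no ticket id — guarding with `[ -n "$TICKET_NAME" ]` before the write, or failing the step, would make that visible. Worth a comment on the `echo` line that the value is safe to place in `GITHUB_ENV` only because the regex restricts it to letters, digits and hyphens, which is also why dropping `ACTIONS_ALLOW_UNSECURE_COMMANDS` here is the right move. `REF` is presumably set from the head ref in the step's `env:` outside the hunk, as the removed line also assumed.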
@@ -27,5 +42,5 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
msg: |
- This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:
+ This branch is work on a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket:
# [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME }})
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 62e96f24..d10a0a39 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -9,9 +9,11 @@ env:
jobs:
quality_checks:
- uses: ./.github/workflows/quality_checks.yml
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.0
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ install_java: true
pr_title_format_check:
uses: ./.github/workflows/pr_title_check.yml
diff --git a/.github/workflows/quality_checks.yml b/.github/workflows/quality_checks.yml
deleted file mode 100644
index 2552b20f..00000000
--- a/.github/workflows/quality_checks.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-name: quality checks
-
-on:
- workflow_call:
- secrets:
- SONAR_TOKEN:
- required: true
-
-jobs:
- quality_checks:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/setup-java@v4
- with:
- java-version: '21'
- distribution: 'corretto'
- - name: Checkout code
- uses: actions/checkout@v4
- with:
- ref: ${{ env.BRANCH_NAME }}
- fetch-depth: 0
-
- # using git commit sha for version of action to ensure we have stable version
- - name: Install asdf
- uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6
- with:
- asdf_branch: v0.11.3
-
- - name: Cache asdf
- uses: actions/cache@v4
- with:
- path: |
- ~/.asdf
- key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
- restore-keys: |
- ${{ runner.os }}-asdf-
-
- - name: Install asdf dependencies in .tool-versions
- uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6
- with:
- asdf_branch: v0.11.3
- env:
- PYTHON_CONFIGURE_OPTS: --enable-shared
-
- - name: make install
- run: |
- make install
-
- - name: run check-licenses
- run: make check-licenses
-
- - name: run lint
- run: make lint
-
- - name: Run cfn-guard
- run: make cfn-guard
-
- - name: show cfn-guard output
- if: failure()
- run: find cfn_guard_output -type f -print0 | xargs -0 cat
-
- - uses: actions/upload-artifact@v4
- name: upload cfn_guard_output
- if: failure()
- with:
- name: cfn_guard_output
- path: cfn_guard_output
-
- - name: run tests and Sonar scan
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- run: |
- # shellcheck source=/dev/null
- . ~/.asdf/plugins/java/set-java-home.bash
- make download-dependencies
- mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=NHSDigital_eps-FHIR-validator-lambda
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 374d11e5..58292724 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,9 +8,11 @@ env:
jobs:
quality_checks:
- uses: ./.github/workflows/quality_checks.yml
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.0
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ install_java: true
get_commit_id:
runs-on: ubuntu-latest
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 00000000..b6d4e47e
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,14 @@
+sonar.organization=nhsdigital
+sonar.projectKey=NHSDigital_eps-FHIR-validator-lambda
+sonar.sources=src/main
+sonar.tests=src/test
+sonar.java.binaries=target/classes
+sonar.java.test.binaries=target/test-classes
+
+sonar.host.url=https://sonarcloud.io
+
+sonar.coverage.exclusions=src/test/**
+sonar.cpd.exclusions=src/test/**
+
+sonar.java.coveragePlugin=jacoco
+sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml