Incorporated changes to the base repository template which contains t…

…he CI/CD definitions

.github/workflows/cicd-1-pull-request.yaml

@@ -10,10 +10,13 @@ on:
     types: [opened, reopened]
 
 jobs:
+
   metadata:
-    name: "Set CI/CD metadata"
+    name: Set CI/CD metadata
     runs-on: ubuntu-latest
     timeout-minutes: 1
+    permissions:
+      pull-requests: read
     outputs:
       build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }}
       build_datetime: ${{ steps.variables.outputs.build_datetime }}
@@ -22,11 +25,14 @@ jobs:
       nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
       python_version: ${{ steps.variables.outputs.python_version }}
       terraform_version: ${{ steps.variables.outputs.terraform_version }}
+      environment_tag: ${{ steps.variables.outputs.environment_tag }}
       version: ${{ steps.variables.outputs.version }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
+        with:
+          submodules: 'true'
       - name: "Set CI/CD variables"
         id: variables
         run: |
@@ -40,10 +46,11 @@ jobs:
           echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
+          echo "environment_tag=development" >> $GITHUB_OUTPUT
       - name: "Check if pull request exists for this branch"
         id: pr_exists
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
           echo "Current branch is '$branch_name'"
@@ -54,7 +61,7 @@ jobs:
             echo "Pull request doesn't exist"
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
           fi
-      - name: "List variables"
+      - name: List variables
         run: |
           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
           export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}"
@@ -63,11 +70,12 @@ jobs:
           export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
           export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
           export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
+          export ENVIRONMENT_TAG="${{ steps.variables.outputs.environment_tag }}"
           export VERSION="${{ steps.variables.outputs.version }}"
           export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
           make list-variables
   commit-stage: # Recommended maximum execution time is 2 minutes
-    name: "Commit stage"
+    name: Commit stage
     needs: [metadata]
     uses: ./.github/workflows/stage-1-commit.yaml
     with:
@@ -92,23 +100,21 @@ jobs:
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
-  build-stage: # Recommended maximum execution time is 3 minutes
-    name: "Build stage"
-    needs: [metadata, test-stage]
-    uses: ./.github/workflows/stage-3-build.yaml
-    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
+  build-image-stage: # Recommended maximum execution time is 3 minutes
+    name: Image build stage
+    needs: [metadata, commit-stage, test-stage]
+    uses: NHSDigital/dtos-devops-templates/.github/workflows/stage-3-build-images.yaml@main
+    if: needs.metadata.outputs.does_pull_request_exist == 'true' || github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     with:
-      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
-      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
-      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      version: "${{ needs.metadata.outputs.version }}"
+      docker_compose_file: ./compose.yaml
+      excluded_containers_csv_list: azurite,azurite-setup,sql-database,database-setup
+      environment_tag: ${{ needs.metadata.outputs.environment_tag }}
+      function_app_source_code_path: src
+      project_name: service-insights
     secrets: inherit
   acceptance-stage: # Recommended maximum execution time is 10 minutes
-    name: "Acceptance stage"
-    needs: [metadata, build-stage]
+    name: Acceptance stage
+    needs: [metadata, build-image-stage]
     uses: ./.github/workflows/stage-4-acceptance.yaml
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     with:
@@ -120,3 +126,20 @@ jobs:
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
+  validate-title-stage:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    env:
+      GITHUB_TOKEN: ${{ github.token }}
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        id: validate
+
+      - uses: thollander/actions-comment-pull-request@v2
+        if: ${{ failure() && steps.validate.conclusion == 'failure' }}
+        with:
+          message: |
+            Your Pull Request title must meet the conventional commit standards, please see the following documentation - https://www.conventionalcommits.org/en/v1.0.0/#specification

.github/workflows/cicd-2-publish.yaml

@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
+        with:
+          submodules: 'true'
       - name: "Set CI/CD variables"
         id: variables
         run: |
@@ -89,7 +91,7 @@ jobs:
         run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT
       - name: "Notify on publishing packages"
         if: steps.check.outputs.secret_exist == 'true'
-        uses: nhs-england-tools/notify-msteams-action@v1.0.0
+        uses: nhs-england-tools/notify-msteams-action@v0.0.4
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }}

.github/workflows/stage-1-commit.yaml

@@ -42,6 +42,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Full history is needed to scan all commits
+          submodules: 'true'
       - name: "Scan secrets"
         uses: ./.github/actions/scan-secrets
   check-file-format:
@@ -105,22 +106,3 @@ jobs:
           idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
           idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
           idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"
-  scan-dependencies:
-    name: "Scan dependencies"
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    timeout-minutes: 2
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Scan dependencies"
-        uses: ./.github/actions/scan-dependencies
-        with:
-          build_datetime: "${{ inputs.build_datetime }}"
-          build_timestamp: "${{ inputs.build_timestamp }}"
-          idp_aws_report_upload_account_id: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ACCOUNT_ID }}"
-          idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
-          idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
-          idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"

.github/workflows/stage-2-test.yaml

@@ -40,6 +40,8 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
+        with:
+          submodules: 'true'
       - name: "Run unit test suite"
         run: |
           make test-unit

.github/workflows/stage-4-acceptance.yaml

@@ -71,6 +71,8 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
+        with:
+          submodules: 'true'
       - name: "Run security test"
         run: |
           make test-security

scripts/config/gitleaks.toml

@@ -16,4 +16,9 @@ regexes = [
 ]
 
 [allowlist]
-paths = ['''.terraform.lock.hcl''', '''poetry.lock''', '''yarn.lock''']
+paths = [
+  '''.terraform.lock.hcl''',
+  '''poetry.lock''',
+  '''yarn.lock''',
+  '''\.sln'''
+]

scripts/docker/docker.lib.sh

@@ -27,9 +27,10 @@ function docker-build() {
 
   version-create-effective-file
   _create-effective-dockerfile
-
-  tag=$(_get-effective-tag)
-
+  # The current directory must be changed for the image build script to access
+  # assets that need to be copied
+  current_dir=$(pwd)
+  cd "$dir"
   docker build \
     --progress=plain \
     --platform linux/amd64 \
@@ -42,36 +43,16 @@ function docker-build() {
     --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \
     --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%S%z")" \
     --build-arg BUILD_VERSION="$(_get-effective-version)" \
-    --tag "${tag}" \
+    --tag "${DOCKER_IMAGE}:$(_get-effective-version)" \
     --rm \
     --file "${dir}/Dockerfile.effective" \
     .
-
+  cd "$current_dir"
   # Tag the image with all the stated versions, see the documentation for more details
   for version in $(_get-all-effective-versions) latest; do
-    if [ ! -z "$version" ]; then
-      docker tag "${tag}" "${DOCKER_IMAGE}:${version}"
-    fi
+    docker tag "${DOCKER_IMAGE}:$(_get-effective-version)" "${DOCKER_IMAGE}:${version}"
   done
-}
-
-# Create the Dockerfile.effective file to bake in version info
-# Arguments (provided as environment variables):
-#   dir=[path to the Dockerfile to use, default is '.']
-function docker-bake-dockerfile() {
-
-  local dir=${dir:-$PWD}
-
-  version-create-effective-file
-  _create-effective-dockerfile
-}
-
-# Run hadolint over the generated Dockerfile.
-# Arguments (provided as environment variables):
-#  dir=[path to the image directory where the Dockerfile.effective is located, default is '.']
-function docker-lint() {
-  local dir=${dir:-$PWD}
-  file=${dir}/Dockerfile.effective ./scripts/docker/dockerfile-linter.sh
+  docker rmi --force "$(docker images | grep "<none>" | awk '{print $3}')" 2> /dev/null ||:
 }
 
 # Check test Docker image.
@@ -100,13 +81,12 @@ function docker-check-test() {
 function docker-run() {
 
   local dir=${dir:-$PWD}
-  local tag=$(dir="$dir" _get-effective-tag)
 
   # shellcheck disable=SC2086
   docker run --rm --platform linux/amd64 \
     ${args:-} \
-    "${tag}" \
-    ${DOCKER_CMD:-}
+    "${DOCKER_IMAGE}:$(dir="$dir" _get-effective-version)" \
+    ${cmd:-}
 }
 
 # Push Docker image.
@@ -134,8 +114,7 @@ function docker-clean() {
   done
   rm -f \
     .version \
-    Dockerfile.effective \
-    Dockerfile.effective.dockerignore
+    Dockerfile.effective
 }
 
 # Create effective version from the VERSION file.
@@ -228,13 +207,6 @@ function _create-effective-dockerfile() {
 
   local dir=${dir:-$PWD}
 
-  # If it exists, we need to copy the .dockerignore file to match the prefix of the
-  # Dockerfile.effective file, otherwise docker won't use it.
-  # See https://docs.docker.com/build/building/context/#filename-and-location
-  # If using podman, this requires v5.0.0 or later.
-  if [ -f "${dir}/Dockerfile.dockerignore" ]; then
-    cp "${dir}/Dockerfile.dockerignore" "${dir}/Dockerfile.effective.dockerignore"
-  fi
   cp "${dir}/Dockerfile" "${dir}/Dockerfile.effective"
   _replace-image-latest-by-specific-version
   _append-metadata
@@ -304,20 +276,6 @@ function _get-effective-version() {
   head -n 1 "${dir}/.version" 2> /dev/null ||:
 }
 
-# Print the effective tag for the image with the version. If you don't have a VERSION file
-# then the tag will be just the image name.  Otherwise it will be the image name with the version.
-# Arguments (provided as environment variables):
-#   dir=[path to the image directory where the Dockerfile is located, default is '.']
-function _get-effective-tag() {
-
-  local tag=$DOCKER_IMAGE
-  version=$(_get-effective-version)
-  if [ ! -z "$version" ]; then
-    tag="${tag}:${version}"
-  fi
-  echo "$tag"
-}
-
 # Print all Docker image versions.
 # Arguments (provided as environment variables):
 #   dir=[path to the image directory where the Dockerfile is located, default is '.']