Jagi5 sonar updates (#4)

<!-- markdownlint-disable-next-line first-line-heading -->
## Description
Merge in latest form repo template and update sonar properties to
exclude examples

<!-- Describe your changes in detail. -->

## Context

<!-- Why is this change required? What problem does it solve? -->

## Type of changes

<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply. -->

- [ ] Refactoring (non-breaking change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would change existing
functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)

## Checklist

<!-- Go over all the following points, and put an `x` in all the boxes
that apply. -->

- [ ] I am familiar with the [contributing
guidelines](../docs/CONTRIBUTING.md)
- [ ] I have followed the code style of the project
- [ ] I have added tests to cover my changes
- [ ] I have updated the documentation accordingly
- [ ] This PR is a result of pair or mob programming

---

## Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others
privacy, we kindly ask you to NOT including [PII (Personal Identifiable
Information) / PID (Personal Identifiable
Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public)
or any other sensitive data in this PR (Pull Request) and the codebase
changes. We will remove any PR that do contain any sensitive
information. We really appreciate your cooperation in this matter.

- [ ] I confirm that neither PII/PID nor sensitive data are included in
this PR and the codebase changes.

---------

Signed-off-by: regularfry <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Dan Stefaniuk <[email protected]>
Co-authored-by: Dan Stefaniuk <[email protected]>
Co-authored-by: amaanibn-nasar1-nhs <[email protected]>
Co-authored-by: Tim Ireland <[email protected]>
Co-authored-by: Jonathan Pearce <[email protected]>
Co-authored-by: Tamara Goldschmidt <[email protected]>
Co-authored-by: Tim Rickwood <[email protected]>
Co-authored-by: Robert Ball <[email protected]>
Co-authored-by: [email protected] <[email protected]>
Co-authored-by: Robert Ball <[email protected]>
Co-authored-by: Alex Young <[email protected]>
Co-authored-by: amaanibn-nasar1-nhs <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alex Young <[email protected]>

.github/actions/check-markdown-format/action.yaml

@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        ./scripts/githooks/check-markdown-format.sh
+        check=branch ./scripts/githooks/check-markdown-format.sh

.github/actions/scan-secrets/action.yaml

@@ -6,5 +6,5 @@ runs:
     - name: "Scan secrets"
       shell: bash
       run: |
-        export ALL_FILES=true # Do not change this line, as new patterns may be added or history may be rewritten
-        ./scripts/githooks/scan-secrets.sh
+        # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten.
+        check=whole-history ./scripts/githooks/scan-secrets.sh

.github/workflows/cicd-2-publish.yaml

@@ -0,0 +1,85 @@
+name: "CI/CD publish"
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+jobs:
+  metadata:
+    name: "Set CI/CD metadata"
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
+    timeout-minutes: 1
+    outputs:
+      build_datetime: ${{ steps.variables.outputs.build_datetime }}
+      build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
+      build_epoch: ${{ steps.variables.outputs.build_epoch }}
+      nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
+      python_version: ${{ steps.variables.outputs.python_version }}
+      terraform_version: ${{ steps.variables.outputs.terraform_version }}
+      version: ${{ steps.variables.outputs.version }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+      - name: "Set CI/CD variables"
+        id: variables
+        run: |
+          datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
+          echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
+          echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
+          echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
+          echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
+      - name: "List variables"
+        run: |
+          export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}"
+          export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}"
+          export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}"
+          export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
+          export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
+          export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
+          export VERSION="${{ steps.variables.outputs.version }}"
+          make list-variables
+  publish:
+    name: "Publish packages"
+    runs-on: ubuntu-latest
+    needs: [metadata]
+    if: github.event.pull_request.merged == true
+    timeout-minutes: 3
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+      - name: "Get the artefacts"
+        run: |
+          echo "Building artefact ..."
+          export release_name=terraform-aws-api-bootstrap-${{ needs.metadata.outputs.version }}.tar.gz
+          tar -czf $release_name ./lambda ./terraform
+      - name: "Create release"
+        uses: softprops/action-gh-release@v1
+        with:
+          files: terraform-aws-api-bootstrap-${{ needs.metadata.outputs.version }}.tar.gz
+          name: Release ${{ needs.metadata.outputs.version }}
+          tag_name: ${{ needs.metadata.outputs.version }}
+          body: Release of ${{ needs.metadata.outputs.version }}
+  success:
+    name: "Success notification"
+    runs-on: ubuntu-latest
+    needs: [publish]
+    steps:
+      - name: "Check prerequisites for notification"
+        id: check
+        run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT
+      - name: "Notify on publishing packages"
+        if: steps.check.outputs.secret_exist == 'true'
+        uses: nhs-england-tools/[email protected]
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }}
+          message-title: "Release ${{ needs.metadata.outputs.version }}"
+          message-text: "Release successfully published"
+          link: ${{ github.event.pull_request.html_url }}

.tool-versions

@@ -1,30 +1,15 @@
-nodejs 18.17.1 # Always check AWS and Azure runtime support
-python 3.11.4 # Always check AWS and Azure runtime support
-poetry 1.6.1
-yarn 1.22.19
-terraform 1.5.6
-pre-commit 3.3.3
+# This file is for you! Please, updated to the versions agreed by your team.
 
+terraform 1.5.7
+pre-commit 3.4.0
+python 3.9.17
 # ==============================================================================
 # The section below is reserved for Docker image versions.
 
-# alpine, SEE: https://hub.docker.com/_/alpine/tags
-# docker/alpine 3.18.3@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33
-
-# nodejs, SEE: https://hub.docker.com/_/node/tags
-# docker/node 18.17.1-alpine3.18@sha256:982b5b6f07cd9241c9ebb163829067deac8eaefc57cfa8f31927f4b18943d971
-
-# python, SEE: https://hub.docker.com/_/python/tags
-# docker/python 3.11.4-alpine3.18@sha256:0135ae6442d1269379860b361760ad2cf6ab7c403d21935a8015b48d5bf78a86
-
-# terraform, SEE: https://hub.docker.com/r/hashicorp/terraform/tags
-# docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5
-
-# shellcheck, SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
-# docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c
-
-# hadolint, SEE: https://hub.docker.com/r/hadolint/hadolint/tags
-# docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42
-
-# ghcr.io/nhs-england-tools/github-runner-image, SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
-# docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646
+# TODO: Move this section - consider using a different file for the repository template dependencies.
+# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
+# docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
+# docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags
+# docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags
+# docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
+# docker/sonarsource/sonar-scanner-cli 5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags

Makefile

@@ -14,4 +14,8 @@ config:: # Configure development environment (main) @Configuration
 # ==============================================================================
 
 ${VERBOSE}.SILENT: \
+	build \
+	clean \
 	config \
+	dependencies \
+	deploy \

docs/adr/assets/ADR-003/examples/bash/script.sh

@@ -17,7 +17,7 @@ function main() {
 function get-jwt-token() {
 
   header=$(echo -n '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=' | tr -d '\n=' | tr -- '+/' '-_')
-  payload=$(echo -n '{"iat":'$(date +%s)',"exp":'$(($(date +%s)+600))',"iss":"'$GITHUB_APP_ID'"}' | base64 | tr -d '\n=' | tr -- '+/' '-_')
+  payload=$(echo -n '{"iat":'"$(date +%s)"',"exp":'$(($(date +%s)+600))',"iss":"'"$GITHUB_APP_ID"'"}' | base64 | tr -d '\n=' | tr -- '+/' '-_')
   signature=$(echo -n "$header.$payload" | openssl dgst -binary -sha256 -sign "$GITHUB_APP_PK_FILE" | openssl base64 | tr -d '\n=' | tr -- '+/' '-_')
 
   echo "$header.$payload.$signature"
@@ -30,17 +30,17 @@ function get-installation-id() {
     -H "Accept: application/vnd.github.v3+json" \
     https://api.github.com/app/installations)
 
-  echo "$(echo $installations_response | jq '.[] | select(.account.login == "'"$GITHUB_ORG"'") .id')"
+  echo "$installations_response" | jq '.[] | select(.account.login == "'"$GITHUB_ORG"'") .id'
 }
 
 function get-access-token() {
 
   token_response=$(curl -sX POST \
     -H "Authorization: Bearer $jwt_token" \
     -H "Accept: application/vnd.github.v3+json" \
-    https://api.github.com/app/installations/$installation_id/access_tokens)
+    "https://api.github.com/app/installations/$installation_id/access_tokens")
 
-  echo "$(echo $token_response | jq .token -r)"
+  echo "$token_response" | jq .token -r
 }
 
 main

scripts/config/pre-commit.yaml

@@ -1,29 +1,32 @@
 repos:
-- repo: local
-  hooks:
-  - id: scan-secrets
-    name: Scan Secrets
-    entry: ./scripts/githooks/scan-secrets.sh
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-file-format
-    name: Check File Format
-    entry: check=staged-changes./scripts/githooks/check-file-format.sh
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-markdown-format
-    name: Check Markdown Format
-    entry: ./scripts/githooks/check-markdown-format.sh
-    language: script
-    pass_filenames: false
-- repo: local
-  hooks:
-  - id: check-terraform-format
-    name: Check Terraform Format
-    entry: ./scripts/githooks/check-terraform-format.sh
-    language: script
-    pass_filenames: false
+  - repo: local
+    hooks:
+      - id: scan-secrets
+        name: Scan Secrets
+        entry: ./scripts/githooks/scan-secrets.sh
+        args: ["check=staged-changes"]
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-file-format
+        name: Check File Format
+        entry: ./scripts/githooks/check-file-format.sh
+        args: ["check=staged-changes"]
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-markdown-format
+        name: Check Markdown Format
+        entry: ./scripts/githooks/check-markdown-format.sh
+        args: ["check=staged-changes"]
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-terraform-format
+        name: Check Terraform Format
+        entry: ./scripts/githooks/check-terraform-format.sh
+        language: script
+        pass_filenames: false

scripts/config/sonar-scanner.properties

@@ -4,6 +4,4 @@ sonar.host.url=https://sonarcloud.io
 sonar.qualitygate.wait=true
 sonar.sourceEncoding=UTF-8
 sonar.sources=.
-
-#sonar.python.coverage.reportPaths=.coverage/coverage.xml
-#sonar.[javascript|typescript].lcov.reportPaths=.coverage/lcov.info
+sonar.exclusions=**/examples/**

scripts/docker/docker.lib.sh

@@ -11,8 +11,9 @@ set -euo pipefail
 #   $ source ./docker.lib.sh
 #
 # Arguments (provided as environment variables):
-#   DOCKER_IMAGE=ghcr.io/org/repo   # Docker image name
-#   DOCKER_TITLE="My Docker image"  # Docker image title
+#   DOCKER_IMAGE=ghcr.io/org/repo             # Docker image name
+#   DOCKER_TITLE="My Docker image"            # Docker image title
+#   TOOL_VERSIONS=$project_dir/.tool-versions # Path to the tool versions file
 
 # ==============================================================================
 # Functions to be used with custom images.
@@ -164,10 +165,10 @@ function docker-get-image-version-and-pull() {
 
   # Get the image full version from the '.tool-versions' file,
   # match it by name and version regex, if given.
-  local versions_file="$(git rev-parse --show-toplevel)/.tool-versions"
+  local versions_file="${TOOL_VERSIONS:=$(git rev-parse --show-toplevel)/.tool-versions}"
   local version="latest"
   if [ -f "$versions_file" ]; then
-    line=$(grep "docker/${name} " "$versions_file" | sed "s/^#\s*//; s/\s*#.*$//" | grep "${match_version:-'.*'}")
+    line=$(grep "docker/${name} " "$versions_file" | sed "s/^#\s*//; s/\s*#.*$//" | grep "${match_version:-".*"}")
     [ -n "$line" ] && version=$(echo "$line" | awk '{print $2}')
   fi
 
@@ -176,7 +177,7 @@ function docker-get-image-version-and-pull() {
   local digest="$(echo "$version" | sed 's/^.*@//')"
 
   # Check if the image exists locally already
-  if ! docker images | awk '{ print $1 ":" $2 }' | grep "^${name}:${tag}$"; then
+  if ! docker images | awk '{ print $1 ":" $2 }' | grep -q "^${name}:${tag}$"; then
     if [ "$digest" != "latest" ]; then
       # Pull image by the digest sha256 and tag it
       docker pull \
@@ -217,13 +218,13 @@ function _create-effective-dockerfile() {
 function _replace-image-latest-by-specific-version() {
 
   local dir=${dir:-$PWD}
-  local versions_file=$(git rev-parse --show-toplevel)/.tool-versions
+  local versions_file="${TOOL_VERSIONS:=$(git rev-parse --show-toplevel)/.tool-versions}"
   local dockerfile="${dir}/Dockerfile.effective"
   local build_datetime=${BUILD_DATETIME:-$(date -u +'%Y-%m-%dT%H:%M:%S%z')}
 
   if [ -f "$versions_file" ]; then
     # First, list the entries specific for Docker to take precedence, then the rest but exclude comments
-    content=$(grep " docker/" "$versions_file"; grep -v " docker/" "$versions_file" | grep -v "^#")
+    content=$(grep " docker/" "$versions_file"; grep -v " docker/" "$versions_file" ||: | grep -v "^#")
     echo "$content" | while IFS= read -r line; do
       [ -z "$line" ] && continue
       line=$(echo "$line" | sed "s/^#\s*//; s/\s*#.*$//" | sed "s;docker/;;")

scripts/docker/docker.mk

@@ -45,6 +45,7 @@ docker-example-build: # Build Docker example @ExamplesAndTests
 	cd scripts/docker/examples/python
 	DOCKER_IMAGE=repository-template/docker-example-python
 	DOCKER_TITLE="Repository Template Docker Python Example"
+	TOOL_VERSIONS="$(shell git rev-parse --show-toplevel)/scripts/docker/examples/python/.tool-versions.example"
 	docker-build
 
 docker-example-lint: # Lint Docker example @ExamplesAndTests

scripts/docker/dockerfile-linter.sh

@@ -46,7 +46,8 @@ function docker-run-hadolint() {
   # shellcheck disable=SC1091
   source ./scripts/docker/docker.lib.sh
 
-  image=$(name=hadolint/hadolint docker-get-image-version-and-pull)
+  # shellcheck disable=SC2155
+  local image=$(name=hadolint/hadolint docker-get-image-version-and-pull)
   # shellcheck disable=SC2001
   docker run --rm --platform linux/amd64 \
     --volume "$PWD:/workdir" \

scripts/docker/examples/python/.tool-versions.example

@@ -0,0 +1,2 @@
+# python, SEE: https://hub.docker.com/_/python/tags
+# docker/python 3.11.4-alpine3.18@sha256:0135ae6442d1269379860b361760ad2cf6ab7c403d21935a8015b48d5bf78a86

scripts/docker/examples/python/assets/hello_world/requirements.txt

@@ -1,2 +1,12 @@
-flask==2.3.2
-Flask-WTF==1.1.1
+blinker==1.6.2
+click==8.1.7
+Flask-WTF==1.2.0
+Flask==2.3.3
+itsdangerous==2.1.2
+Jinja2==3.1.2
+MarkupSafe==2.1.3
+pip==23.1.2
+setuptools==65.5.1
+Werkzeug==3.0.0
+wheel==0.41.1
+WTForms==3.0.1

scripts/docker/tests/.tool-versions.test

@@ -0,0 +1,2 @@
+# python, SEE: https://hub.docker.com/_/python/tags
+# docker/python 3.11.4-alpine3.18@sha256:0135ae6442d1269379860b361760ad2cf6ab7c403d21935a8015b48d5bf78a86

scripts/docker/tests/docker.test.sh

@@ -74,6 +74,7 @@ function test-docker-build() {
 function test-docker-image-from-signature() {
 
   # Arrange
+  TOOL_VERSIONS="$(git rev-parse --show-toplevel)/scripts/docker/tests/.tool-versions.test"
   cp Dockerfile Dockerfile.effective
   # Act
   _replace-image-latest-by-specific-version
@@ -143,7 +144,7 @@ function test-docker-get-image-version-and-pull() {
 
 # ==============================================================================
 
-function is_arg_true() {
+function is-arg-true() {
 
   if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
     return 0
@@ -154,7 +155,7 @@ function is_arg_true() {
 
 # ==============================================================================
 
-is_arg_true "${VERBOSE:-false}" && set -x
+is-arg-true "${VERBOSE:-false}" && set -x
 
 main "$@"