merge with main

Author: Vlasis-Perdikidis

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,6 +25,7 @@
 - [ ] I have added tests to cover my changes
 - [ ] I have updated the documentation accordingly
 - [ ] This PR is a result of pair or mob programming
+- [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR.
 
 ---
 

.github/actions/acceptance-tests/action.yml

@@ -0,0 +1,51 @@
+name: Acceptance tests
+description: "Run acceptance tests for this repo"
+
+inputs:
+  testType:
+    description: Type of test to run
+    required: true
+
+  targetEnvironment:
+    description: Name of the environment under test
+    required: true
+
+  targetAccountGroup:
+    description: Name of the account group under test
+    default: nhs-notify-template-management-dev
+    required: true
+
+  targetComponent:
+    description: Name of the component under test
+    required: true
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Fetch terraform output
+      uses: actions/download-artifact@v5
+      with:
+        name: terraform-output-${{ inputs.targetComponent }}
+
+    - name: Get Node version
+      id: nodejs_version
+      shell: bash
+      run: |
+        echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+
+    - name: "Repo setup"
+      uses: ./.github/actions/node-install
+      with:
+        node-version: ${{ steps.nodejs_version.outputs.nodejs_version }}
+        GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+
+    - name: "Set PR NUMBER"
+      shell: bash
+      run: |
+          echo "PR_NUMBER=${{ inputs.targetEnvironment }}" >> $GITHUB_ENV
+
+    - name: Run test - ${{ inputs.testType }}
+      shell: bash
+      run: |
+        make test-${{ inputs.testType }}

.github/actions/build-oas-spec/action.yml

@@ -0,0 +1,68 @@
+name: "Build OAS Spec"
+description: "Build OAS Spec"
+
+inputs:
+  version:
+    description: "Version number"
+    required: true
+  apimEnv:
+    description: "APIM environment"
+    required: true
+  buildSandbox:
+    description: "Whether to build the sandbox OAS spec"
+    required: false
+    default: false
+  nodejs_version:
+    description: "Node.js version, set by the CI/CD pipeline workflow"
+    required: true
+  NODE_AUTH_TOKEN:
+    description: "Token for access to github package registry"
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.nodejs_version }}
+        registry-url: 'https://npm.pkg.github.com'
+
+    - name: "Cache node_modules"
+      uses: actions/cache@v4
+      with:
+        path: |
+          **/node_modules
+        key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
+
+    - name: Npm install
+      working-directory: .
+      env:
+        NODE_AUTH_TOKEN: ${{ inputs.NODE_AUTH_TOKEN }}
+      run: npm ci
+      shell: bash
+
+    - name: Build ${{ inputs.apimEnv }} oas
+      working-directory: .
+      env:
+        APIM_ENV: ${{ inputs.apimEnv }}
+      shell: bash
+      run: |
+        if [ ${{ env.APIM_ENV }} == "internal-dev-sandbox" ] && [ ${{ inputs.buildSandbox }} == true ]
+        then
+          echo "Building sandbox OAS spec"
+          make build-json-oas-spec APIM_ENV=sandbox
+        else
+          echo "Building env specific OAS spec"
+          make build-yml-oas-spec APIM_ENV=${{ env.APIM_ENV }}
+        fi
+
+    - name: Upload API OAS specification artifact
+      uses: actions/upload-artifact@v4
+      with:
+        path: "build"
+        name: api-oas-specification-${{ inputs.apimEnv }}${{ inputs.version != '' && format('-{0}', inputs.version) || '' }}

.github/actions/build-proxies/action.yml

@@ -8,6 +8,10 @@ inputs:
   releaseVersion:
     description: "Release, tag, branch, or commit ID to be used for deployment"
     required: true
+  isRelease:
+    description: "True if releaseVersion is a release tag (if set, downloads from release assets instead of workflow artifacts)"
+    required: false
+    default: false
   environment:
     description: "Deployment environment"
     required: true
@@ -25,39 +29,33 @@ inputs:
     description: "Name of the Component to deploy"
     required: true
     default: 'api'
-  nodejs_version:
-    description: "Node.js version, set by the CI/CD pipeline workflow"
-    required: true
-  NODE_AUTH_TOKEN:
-    description: "Token for access to github package registry"
-    required: true
 
 runs:
   using: composite
 
   steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+    - name: Download OAS Spec artifact from workflow
+      if: ${{ inputs.isRelease == 'false' }}
+      uses: actions/download-artifact@v4
       with:
-        node-version: ${{ inputs.nodejs_version }}
-        registry-url: 'https://npm.pkg.github.com'
-
-    - name: "Cache node_modules"
-      uses: actions/cache@v4
-      with:
-        path: |
-          **/node_modules
-        key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-${{ inputs.nodejs_version }}-
+        name: api-oas-specification-${{ inputs.apimEnv }}${{ inputs.version != '' && format('-{0}', inputs.version) || '' }}
+        path: ./build
 
-    - name: Npm install
-      working-directory: .
-      env:
-        NODE_AUTH_TOKEN: ${{ inputs.NODE_AUTH_TOKEN }}
-      run: npm ci
+    - name: Download OAS Spec artifact from release
+      if: ${{ inputs.isRelease == 'true' }}
       shell: bash
+      run: |
+        mkdir ./build
+        ASSET_PATTERN="api-oas-specification-${{ inputs.apimEnv }}-*.zip"
+        gh release download "${{ inputs.releaseVersion }}" \
+          --pattern "$ASSET_PATTERN" \
+          --dir ./build
+        # Unzip the downloaded file (there should be exactly one match)
+        ASSET_FILE=$(ls ./build/api-oas-specification-${{ inputs.apimEnv }}-*.zip)
+        unzip "$ASSET_FILE" -d ./build
+        rm "$ASSET_FILE"
+      env:
+        GH_TOKEN: ${{ github.token }}
 
     - name: Setup Proxy Name and target
       shell: bash
@@ -87,21 +85,10 @@ runs:
           echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
         fi
 
-    - name: Build ${{ inputs.apimEnv }} oas
-      working-directory: .
-      env:
-        APIM_ENV: ${{ inputs.apimEnv }}
+    - name: Set APIM_ENV
       shell: bash
       run: |
-        if [ ${{ env.APIM_ENV }} == "internal-dev-sandbox" ] && [ ${{ inputs.buildSandbox }} == true ]
-        then
-          echo "Building sandbox OAS spec"
-          make build-json-oas-spec APIM_ENV=sandbox
-        else
-          echo "Building env specific OAS spec"
-          make build-json-oas-spec APIM_ENV=${{ env.APIM_ENV }}
-        fi
-
+        APIM_ENV="${{ inputs.apimEnv }}"
         if [[ $APIM_ENV == *-pr ]]; then
           echo "Removing pr suffix from APIM_ENV after building OAS and calling proxygen"
           APIM_ENV=$(echo "$APIM_ENV" | sed 's/-pr$//')

.github/actions/build-sdk/action.yml

@@ -55,12 +55,6 @@ runs:
       run: |
         make build VERSION="${{ inputs.version }}"
 
-    - name: Upload API OAS specification artifact
-      uses: actions/upload-artifact@v4
-      with:
-        path: "build"
-        name: api-oas-specification-${{ inputs.version }}
-
     - name: Upload html artifact
       uses: actions/upload-artifact@v4
       with:

.github/actions/trivy-iac/action.yaml

@@ -0,0 +1,18 @@
+name: "Trivy IaC Scan"
+description: "Scan Terraform IaC using Trivy"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Terraform IaC Scan"
+      shell: bash
+      run: |
+        components_exit_code=0
+        modules_exit_code=0
+
+        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "Trivy misconfigurations detected."
+          exit 1
+        fi

.github/actions/trivy-package/action.yaml

@@ -0,0 +1,16 @@
+name: "Trivy Package Scan"
+description: "Scan project packages using Trivy"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Package Scan"
+      shell: bash
+      run: |
+        exit_code=0
+
+        ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+
+        if [ $exit_code -ne 0 ]; then
+          echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+          exit 1
+        fi

.github/actions/trivy/action.yaml

@@ -28,6 +28,7 @@ jobs:
       is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
       pr_number: ${{ steps.pr_exists.outputs.pr_number }}
+      skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
@@ -66,6 +67,26 @@ jobs:
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
             echo "pr_number=" >> $GITHUB_OUTPUT
           fi
+      - name: "Determine if Trivy package scan should be skipped"
+        id: skip_trivy
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+        run: |
+          if [[ -z "$PR_NUMBER" ]]; then
+            echo "No pull request detected; Trivy package scan will run."
+            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+          echo "Labels on PR #$PR_NUMBER: $labels"
+
+          if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
+            echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
+          else
+            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+          fi
       - name: "List variables"
         run: |
           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
@@ -89,6 +110,7 @@ jobs:
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
+      skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit

.github/workflows/cicd-1-pull-request.yaml

@@ -77,6 +77,13 @@ jobs:
           echo "ENVIRONMENT=$ENVIRONMENT" >> $GITHUB_ENV
           echo "APIM_ENV=$APIM_ENV" >> $GITHUB_ENV
 
+      - name: "Build OAS spec"
+        uses: ./.github/actions/build-oas-spec
+        with:
+          apimEnv: "${{ env.APIM_ENV }}"
+          buildSandbox: ${{ inputs.build_sandbox }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: "Build proxies"
         env:
           PROXYGEN_API_NAME: nhs-notify-supplier
@@ -90,4 +97,3 @@ jobs:
           runId: "${{ github.run_id }}"
           buildSandbox: ${{ inputs.build_sandbox }}
           releaseVersion: ${{ github.ref_name }}
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}