diff --git a/Makefile b/Makefile index 94e379c..aae27f8 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ .PHONY: install -install: install-node install-python +install: install-node install-python install-hooks install-node: npm ci @@ -8,6 +8,9 @@ install-node: install-python: poetry install +install-hooks: install-python + poetry run pre-commit install --install-hooks --overwrite + deep-clean: find . -name 'node_modules' -type d -prune -exec rm -rf '{}' + diff --git a/README.md b/README.md index 4b488ff..bd91fa5 100644 --- a/README.md +++ b/README.md 
@@ -1,19 +1,182 @@ -# eps-workflow-quality-checks +# eps-common-workflows +A collection of common workflows used by other EPS repositories -A workflow to run the quality checks for EPS repositories. The main element of this lives in the [`quality-checks.yml`](./.github/workflows/quality-checks.yml) configuration file. The steps executed by this workflow are as follows: +The workflows that are available to use are -- **Install Project Dependencies** -- **Generate and Check SBOMs**: Creates Software Bill of Materials (SBOMs) to track dependencies for security and compliance. Uses [THIS](https://github.com/NHSDigital/eps-action-sbom) action. -- **Run Linting** -- **Run Unit Tests** -- **Scan git history for secrets**: Scans for secret-like patterns, using https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/nhsd-git-secrets/git-secrets -- **SonarCloud Scan**: Performs code analysis using SonarCloud to detect quality issues and vulnerabilities. -- **Validate CloudFormation Templates** (*Conditional*): If CloudFormation, AWS SAM templates or CDK are present, runs `cfn-lint` (SAM and cloudformation only) and `cfn-guard` to validate templates against AWS best practices and security rules. -- **Validate Terraform Plans** Terraform plans can also be scanned by `cfn-guard` by uploading plans as artefacts in the calling workflow. All Terraform plans must end _terraform_plan and be in json format. -- **CDK Synth** (*Conditional*): Runs `make cdk-synth` if packages/cdk folder exists -- **Check Licenses**: Runs `make check-licenses`. -- **Check Python Licenses** (*Conditional*): If the project uses Poetry, scans Python dependencies for incompatible licenses. +## combine dependabot prs + +This workflow can be called to combine multiple open Dependabot PRs into a single PR. + +#### Inputs + +- `branchPrefix`: Branch prefix to find combinable PRs based on. Default: `dependabot` +- `mustBeGreen`: Only combine PRs that are green (status is success). 
Default: `true` +- `combineBranchName`: Name of the branch to combine PRs into. Default: `combine-dependabot-PRs` +- `ignoreLabel`: Exclude PRs with this label. Default: `nocombine` + +#### Example + +```yaml +name: Combine Dependabot PRs + +on: + workflow_dispatch: + inputs: + branchPrefix: + description: "Branch prefix to find combinable PRs based on" + required: true + type: string + mustBeGreen: + description: "Only combine PRs that are green (status is success)" + required: true + type: boolean + combineBranchName: + description: "Name of the branch to combine PRs into" + required: true + type: string + ignoreLabel: + description: "Exclude PRs with this label" + required: true + type: string + +jobs: + combine-dependabot-prs: + uses: NHSDigital/eps-common-workflows/.github/workflows/combine-dependabot-prs.yml@f5c8313a10855d0cc911db6a9cd666494c00045a + with: + branchPrefix: ${{ github.event.inputs.branchPrefix }} + mustBeGreen: ${{ github.event.inputs.mustBeGreen }} + combineBranchName: ${{ github.event.inputs.combineBranchName }} + ignoreLabel: ${{ github.event.inputs.ignoreLabel }} +``` + +## dependabot auto approve and merge +This workflow can be called to automatically approve and merge Dependabot PRs as part of the pull request workflow. + +#### Requirements + +Ensure that the `AUTOMERGE_APP_ID` and `AUTOMERGE_PEM` secrets are set, a `requires-manual-qa` PR label is created, and the repo is added to the `eps-autoapprove-dependabot` GitHub App. 
+ +#### Example + +```yaml +name: Pull Request + +on: + pull_request: + branches: [main] + +jobs: + dependabot-auto-approve-and-merge: + uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f5c8313a10855d0cc911db6a9cd666494c00045a + secrets: + AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} + AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} +``` +## pr title check +This workflow checks that all pull requests have a title that matches the required format, and comments on the PR with a link to the relevant ticket if a ticket reference is found. + +#### Example + +To use this workflow in your repository, call it from another workflow file: + +```yaml +name: Pull Request + +on: + pull_request: + branches: [main] + +jobs: + pr_title_format_check: + uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f5c8313a10855d0cc911db6a9cd666494c00045a +``` + +## quality checks +This workflow runs common quality checks. +To use this, you must have the following Makefile targets defined +- install +- check-licences +- lint +- test +- cdk-synth (only for cdk projects) + +#### Inputs + +- `install_java`: Whether to install java or not +- `run_sonar`: Whether to run sonar checks or not. +- `asdfVersion`: Override the version of asdf to install. 
+- `reinstall_poetry`: If you are using this from a primarily python based project, you should set this to true to force a poetry reinstallation after python is installed + +#### Secret Inputs +- `SONAR_TOKEN`: Token used to authenticate to sonar + +#### Outputs + +None + +#### Example + +To use this workflow in your repository, call it from another workflow file: + +```yaml +name: Release + +on: + workflow_dispatch: + +jobs: + quality_checks: + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@f5c8313a10855d0cc911db6a9cd666494c00045a + needs: [get_asdf_version] + with: + asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} +``` + + + +## tag release +This workflow uses the semantic-release npm package to generate a new version tag, changelog, and github release for a repo. + +#### Inputs + +- `dry_run`: Whether to run in dry_run mode (do not create tags) or not +- `tagFormat`: Default `v\\${version}`. A template for the version tag. +- `branch_name`: The branch name to base the release on +- `publish_package`: Default false. If true, semantic-release will publish npm package. +- `asdfVersion`: Override the version of asdf to install. +- `main_branch`: The branch to use for publishing. Defaults to main + +#### Outputs + +- `version_tag`: The version tag created by semantic-release. +- `change_set_version`: A timestamped string that con be used for creating changesets. 
+ +#### Example + +To use this workflow in your repository, call it from another workflow file: + +```yaml +name: Release + +on: + workflow_dispatch: + +jobs: + tag_release: + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@f5c8313a10855d0cc911db6a9cd666494c00045a + with: + tagFormat: "v\\${version}-beta" + dry_run: true + asdfVersion: 0.18.0 + branch_name: main + publish_package: false +``` + + +## Secret scanning docker The secret scanning also has a dockerfile, which can be run against a repo in order to scan it manually (or as part of pre-commit hooks). This can be done like so: ```bash @@ -51,45 +214,3 @@ repos: - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook' language: system ``` - -# Usage - -## Inputs - -None - -## Required Makefile targets - -In order to run, these `make` commands must be present. They may be mocked, if they are not relevant to the project. - -- `install` -- `lint` -- `test` -- `check-licenses` -- `cdk-synth` - only needed if packages/cdk folder exists - -## Environment variables - -### `SONAR_TOKEN` - -Required for the SonarCloud Scan step, which analyzes your code for quality and security issues using SonarCloud. - -# Example Workflow Call - -To use this workflow in your repository, call it from another workflow file: - -```yaml -name: Quality Checks - -on: - push: - branches: - - main - - develop - -jobs: - quality_checks: - uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@4.0.2 - secrets: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} -```
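Review bot: the new `install-hooks` prerequisite added to `install` in the first Makefile hunk is not declared in `.PHONY: install`; since the target produces no file called `install-hooks`, add it to that line (the existing `install-node` and `install-python` could go there too) so a stray file of that name cannot make `make` skip the hook installation.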
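Review bot: `poetry run pre-commit install --install-hooks --overwrite` in the `install-hooks` target silently replaces whatever scripts already exist in `.git/hooks`, which is what `--overwrite` does, so a developer's locally customised hooks are discarded on every `make install`; consider dropping `--overwrite` or documenting that behaviour. The target also assumes `pre-commit` is a Poetry dev dependency, which this patch does not show, and the README changes in the same patch add no mention of the new target or of hooks being installed.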
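Review bot: the `quality checks` section lists the required Makefile target as `check-licences`, while the text it replaces (and the step description `Runs make check-licenses`) spells it `check-licenses`; a caller following the new README would define a target the workflow never invokes, so pick one spelling and match the workflow. Two smaller points in the same hunk: the quality checks example has `needs: [get_asdf_version]` and `${{ needs.get_asdf_version.outputs.asdf_version }}` without defining that job, so the snippet does not run as pasted; and `A timestamped string that con be used for creating changesets` should read `can be used`.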
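Review bot: removing the `Usage` section drops two things the new `quality checks` section does not carry over: the statement that the required `make` targets `may be mocked, if they are not relevant to the project`, and the note that `SONAR_TOKEN` is needed specifically for the SonarCloud scan step (the new text only says `Token used to authenticate to sonar`). Suggest folding both sentences into the new section before deleting this one; the old example's `push` trigger on `main` and `develop` is also the typical way callers run these checks and is worth keeping alongside the new `workflow_dispatch` example.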