From 23ca0fa257e7e6d815f5ae4504660cd420bf8206 Mon Sep 17 00:00:00 2001
From: Valswyn-NHS
Date: Fri, 17 Apr 2026 14:10:12 +0100
Subject: [PATCH] APM-7202-Github-bestpractices

---
 .github/workflows/pr-lint.yaml | 71 ++++++++++-----------
 .github/workflows/publish-uat.yml | 82 ++++++++++++------------
 .github/workflows/release.yml | 102 +++++++++++++++---------------
 .github/workflows/sbom.yml | 17 ++---
 4 files changed, 134 insertions(+), 138 deletions(-)

diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml
index 063dd4c..4d368c5 100644
--- a/.github/workflows/pr-lint.yaml
+++ b/.github/workflows/pr-lint.yaml
@@ -5,44 +5,43 @@ jobs: lint: runs-on: ubuntu-latest steps: - - name: Set TICKET_NAME environment variable if branch name references a Jira ticket - env: - REF: ${{ github.event.pull_request.head.ref }} - run: | - OUTPUT=$(echo "$REF" | { grep -i -E -q "(apm-[0-9]+)|(apmspii-[0-9]+)|(adz-[0-9]+)|(amb-[0-9]+)|(amp-[0-9]+)|(dependabot\/)" || test $? = 1; }) - if [ ! -z "$OUTPUT" -a "$OUTPUT" != " " ]; then - TICKET_NAME=$(echo $OUTPUT | tr '[:lower:]' '[:upper:]') - echo "TICKET_NAME=$TICKET_NAME" >> "$GITHUB_ENV" - fi + - name: Set TICKET_NAME environment variable if branch name references a Jira ticket + env: + REF: ${{ github.event.pull_request.head.ref }} + run: | + OUTPUT=$(echo "$REF" | { grep -i -E -q "(apm-[0-9]+)|(apmspii-[0-9]+)|(adz-[0-9]+)|(amb-[0-9]+)|(amp-[0-9]+)|(dependabot\/)" || test $? = 1; }) + if [ ! -z "$OUTPUT" -a "$OUTPUT" != " " ]; then + TICKET_NAME=$(echo $OUTPUT | tr '[:lower:]' '[:upper:]') + echo "TICKET_NAME=$TICKET_NAME" >> "$GITHUB_ENV" + fi - - name: Comment on PR with link to JIRA ticket - uses: thollander/actions-comment-pull-request@v2 - if: ${{ env.TICKET_NAME }} - with: - message: | - This branch is work on a ticket in the NHS England's API Management JIRA Project: - # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME}}) - comment_tag: jira-ticket + - name: Comment on PR with link to JIRA ticket + uses: thollander/actions-comment-pull-request@v2 + if: ${{ env.TICKET_NAME }} + with: + message: | + This branch is work on a ticket in the NHS England's API Management JIRA Project: + # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME}}) + comment_tag: jira-ticket - - name: Add UAT Portal Deployment Instructions to PR - uses: thollander/actions-comment-pull-request@v2 - with: - message: | - Manually run the [Publish Spec to Bloomreach UAT Portal](https://github.com/NHSDigital/proxygen-api-specification/actions/workflows/publish-uat.yml) to preview specification on 
the [UAT Portal](https://uat2.nhsd.io/developer/api-catalogue/proxy-generator) (requires VPN). - comment_tag: uat-deploy - - - name: Checkout - uses: actions/checkout@v3 + - name: Add UAT Portal Deployment Instructions to PR + uses: thollander/actions-comment-pull-request@v2 + with: + message: | + Manually run the [Publish Spec to Bloomreach UAT Portal](https://github.com/NHSDigital/proxygen-api-specification/actions/workflows/publish-uat.yml) to preview specification on the [UAT Portal](https://uat2.nhsd.io/developer/api-catalogue/proxy-generator) (requires VPN). + comment_tag: uat-deploy - - name: Cache node modules - uses: actions/cache@v4 - with: - path: ~/.npm - key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} - - - name: Install repo - run: make install + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Vacuum OpenAPI Spec linter - run: make lint + - name: Cache node modules + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + with: + path: ~/.npm + key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} + - name: Install repo + run: make install + + - name: Vacuum OpenAPI Spec linter + run: make lint diff --git a/.github/workflows/publish-uat.yml b/.github/workflows/publish-uat.yml index 93412f2..fbda7dd 100644 --- a/.github/workflows/publish-uat.yml +++ b/.github/workflows/publish-uat.yml 
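Review bot: The `Set TICKET_NAME` step can never set the variable, because `grep -q` prints nothing, so `OUTPUT` is always empty, the `if [ ! -z "$OUTPUT" ... ]` branch is never taken, and the `if: ${{ env.TICKET_NAME }}` JIRA-link comment step is dead code; the reindent carries this over unchanged. Replace `-q` with `-o` so only the matched ticket text is captured, `OUTPUT=$(echo "$REF" | { grep -i -E -o "(apm-[0-9]+)|(apmspii-[0-9]+)|(adz-[0-9]+)|(amb-[0-9]+)|(amp-[0-9]+)|(dependabot\/)" || test $? = 1; })`, which also keeps the value that ends up in the PR comment markdown restricted to the regex rather than the full branch name. Separately, `thollander/actions-comment-pull-request@v2` is still referenced by a mutable major tag in both comment steps while `actions/checkout` and `actions/cache` in the same hunk were pinned to commit SHAs; pin it the same way with a `# vX.Y.Z` comment. The job's `permissions:` and trigger are outside the hunk; if the workflow default is read-only, the comment steps need `pull-requests: write`, and if the trigger is `pull_request_target` the head branch name used here is fork-controlled.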
@@ -6,44 +6,44 @@ jobs: publish: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Set OAS info.version to ${{ github.ref_name}}-${{github.sha}} - run: sed -i 's/__VERSION__/${{ github.ref_name}}-${{github.sha}}/g' specification/proxygen.yaml - - - name: Cache node modules - uses: actions/cache@v4 - with: - path: ~/.npm - key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} - - - name: Install repo - run: make install - - - name: Vacuum OpenAPI Spec linter - run: make lint - - - name: Setup proxygen-cli - env: - PROXYGEN_PRIVATE_KEY: ${{ secrets.ENCODED_PROXYGEN_PRIVATE_KEY }} - PROXYGEN_KID: ${{ secrets.PROXYGEN_KID }} - PROXYGEN_CLIENT_ID: ${{ secrets.PROXYGEN_CLIENT_ID }} - run: | - pipx install proxygen-cli - pipx upgrade proxygen-cli - - # Setup proxygen auth and settings - mkdir -p ${HOME}/.proxygen - echo "$PROXYGEN_PRIVATE_KEY" | base64 --decode > ${HOME}/.proxygen/key - envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml - envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml - proxygen status - - - name: Publish spec - run: proxygen spec publish specification/proxygen.yaml --uat --no-confirm - - - name: Instructions for viewing UAT Specification - run: | - echo "View uat spec changes at https://uat2.nhsd.io/developer/api-catalogue/proxy-generator" - echo "Remember Bloomreach pulls UAT changes every 5-10 minutes so changes may not appear right away. You must be connected to the VPN." 
+ - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Set OAS info.version to ${{ github.ref_name}}-${{github.sha}} + run: sed -i 's/__VERSION__/${{ github.ref_name}}-${{github.sha}}/g' specification/proxygen.yaml + + - name: Cache node modules + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + with: + path: ~/.npm + key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} + + - name: Install repo + run: make install + + - name: Vacuum OpenAPI Spec linter + run: make lint + + - name: Setup proxygen-cli + env: + PROXYGEN_PRIVATE_KEY: ${{ secrets.ENCODED_PROXYGEN_PRIVATE_KEY }} + PROXYGEN_KID: ${{ secrets.PROXYGEN_KID }} + PROXYGEN_CLIENT_ID: ${{ secrets.PROXYGEN_CLIENT_ID }} + run: | + pipx install proxygen-cli + pipx upgrade proxygen-cli + + # Setup proxygen auth and settings + mkdir -p ${HOME}/.proxygen + echo "$PROXYGEN_PRIVATE_KEY" | base64 --decode > ${HOME}/.proxygen/key + envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml + envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml + proxygen status + + - name: Publish spec + run: proxygen spec publish specification/proxygen.yaml --uat --no-confirm + + - name: Instructions for viewing UAT Specification + run: | + echo "View uat spec changes at https://uat2.nhsd.io/developer/api-catalogue/proxy-generator" + echo "Remember Bloomreach pulls UAT changes every 5-10 minutes so changes may not appear right away. You must be connected to the VPN." diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1ffe2e0..8042179 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
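Review bot: The `Set OAS info.version` step interpolates `${{ github.ref_name }}` directly into the `run:` shell line, and since the PR-lint comment text says this workflow is run manually against an arbitrary branch, a branch name containing `'`, `;` or `/` either breaks the `sed` expression or executes as shell in a job that holds the proxygen private key; move the value into step `env:` (`SPEC_VERSION: ${{ github.ref_name }}-${{ github.sha }}`) and reference it as a shell variable, `run: sed -i "s|__VERSION__|${SPEC_VERSION}|g" specification/proxygen.yaml`. That still lets `|`, `&` or `\` in a branch name corrupt the substitution, but no longer lets it run commands. In `Setup proxygen-cli`, `pipx install proxygen-cli` followed by `pipx upgrade proxygen-cli` fetches whatever PyPI serves at run time, which is the same mutable-reference problem this commit fixes for actions; pin it (`pipx install "proxygen-cli==<known-version>"`) and drop the upgrade. The decoded private key and `credentials.yaml` are written with the runner's default umask; start the step with `umask 077` so `${HOME}/.proxygen/key` is owner-only. The job's trigger and `permissions:` are outside the hunk.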
@@ -9,54 +9,54 @@ jobs: release_and_publish: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 # Required for calculate_version.py script - - - name: Setup Python environment and dependencies - run: | - pipx install poetry - poetry install - - - name: Calculate version - run: echo "SPEC_VERSION=$(poetry run python scripts/calculate_version.py)" >> "$GITHUB_ENV" - - - name: Set OAS info.version to ${{ env.SPEC_VERSION }} - run: sed -i 's/__VERSION__/${{ env.SPEC_VERSION }}/g' specification/proxygen.yaml - - - name: Cache node modules - uses: actions/cache@v4 - with: - path: ~/.npm - key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} - - - name: Install repo - run: make install - - - name: Vacuum OpenAPI Spec linter - run: make lint - - - name: Create Release ${{ env.SPEC_VERSION }} - uses: softprops/action-gh-release@v1 - with: - tag_name: ${{ env.SPEC_VERSION }} - - - name: Setup proxygen-cli - env: - PROXYGEN_PRIVATE_KEY: ${{ secrets.ENCODED_PROXYGEN_PRIVATE_KEY }} - PROXYGEN_KID: ${{ secrets.PROXYGEN_KID }} - PROXYGEN_CLIENT_ID: ${{ secrets.PROXYGEN_CLIENT_ID }} - run: | - pipx install proxygen-cli - pipx upgrade proxygen-cli - - # Setup proxygen auth and settings - mkdir -p ${HOME}/.proxygen - echo "$PROXYGEN_PRIVATE_KEY" | base64 --decode > ${HOME}/.proxygen/key - envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml - envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml - proxygen status - - - name: Publish spec - run: proxygen spec publish specification/proxygen.yaml --no-confirm + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 # Required for calculate_version.py script + + - name: Setup Python environment and dependencies + run: | + pipx install poetry + poetry install + + - name: Calculate version + run: echo "SPEC_VERSION=$(poetry run 
python scripts/calculate_version.py)" >> "$GITHUB_ENV" + + - name: Set OAS info.version to ${{ env.SPEC_VERSION }} + run: sed -i 's/__VERSION__/${{ env.SPEC_VERSION }}/g' specification/proxygen.yaml + + - name: Cache node modules + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + with: + path: ~/.npm + key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} + + - name: Install repo + run: make install + + - name: Vacuum OpenAPI Spec linter + run: make lint + + - name: Create Release ${{ env.SPEC_VERSION }} + uses: softprops/action-gh-release@v1 + with: + tag_name: ${{ env.SPEC_VERSION }} + + - name: Setup proxygen-cli + env: + PROXYGEN_PRIVATE_KEY: ${{ secrets.ENCODED_PROXYGEN_PRIVATE_KEY }} + PROXYGEN_KID: ${{ secrets.PROXYGEN_KID }} + PROXYGEN_CLIENT_ID: ${{ secrets.PROXYGEN_CLIENT_ID }} + run: | + pipx install proxygen-cli + pipx upgrade proxygen-cli + + # Setup proxygen auth and settings + mkdir -p ${HOME}/.proxygen + echo "$PROXYGEN_PRIVATE_KEY" | base64 --decode > ${HOME}/.proxygen/key + envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml + envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml + proxygen status + + - name: Publish spec + run: proxygen spec publish specification/proxygen.yaml --no-confirm diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 7b57a5d..341a437 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -24,10 +24,10 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python 3.13 - uses: actions/setup-python@v5 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.13" 
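Review bot: `softprops/action-gh-release@v1` is still referenced by a mutable major tag while `actions/checkout` and `actions/cache` in the same hunk were pinned to commit SHAs, so the one job that holds the proxygen publishing secrets is the one left exposed to a tag move; pin it to a SHA with a `# vX.Y.Z` comment like the others. The `Calculate version` step also hides a failing `calculate_version.py`: the `$(...)` runs inside an `echo` argument, so its non-zero exit is lost and an empty `SPEC_VERSION` flows into `sed` and `tag_name`; split it so the shell's `-e` sees the failure, `run: |` / `SPEC_VERSION=$(poetry run python scripts/calculate_version.py)` / `echo "SPEC_VERSION=${SPEC_VERSION}" >> "$GITHUB_ENV"`. The `sed` step interpolates `${{ env.SPEC_VERSION }}` straight into the shell line; since `GITHUB_ENV` already exports it, `run: sed -i "s|__VERSION__|${SPEC_VERSION}|g" specification/proxygen.yaml` avoids the expression entirely. `pipx install proxygen-cli` / `pipx upgrade proxygen-cli` pulls the newest PyPI release at every run, which undercuts the pinning this commit introduces; pin a version here as well. The job's `permissions:` block is outside the hunk; `action-gh-release` needs `contents: write` (presumably via the job token), which should be granted to this job only.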
@@ -56,7 +56,7 @@ jobs: chmod +x syft # Add to PATH for subsequent steps - echo "$(pwd)" >> $GITHUB_PATH + echo "$(pwd)" >> $GITHUB_PATH - name: Create SBOM run: bash scripts/create-sbom.sh terraform python tflint @@ -69,7 +69,7 @@ jobs: python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv - name: Upload SBOM CSV as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-csv path: SBOM_${{ github.event.repository.name }}.csv @@ -81,8 +81,6 @@ jobs: - name: Scan SBOM for Vulnerabilities (JSON) run: | grype sbom:sbom.json -o json > grype-report.json - - - name: Convert Grype JSON to CSV run: | @@ -90,9 +88,8 @@ jobs: REPO_NAME=$(basename $GITHUB_REPOSITORY) python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv - - name: Upload Vulnerability Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: grype-report path: grype-report-${{ github.event.repository.name }}.csv @@ -104,7 +101,7 @@ jobs: python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME - name: Upload Package Inventory CSV - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-packages - path: sbom-packages-${{ github.event.repository.name }}.csv \ No newline at end of file + path: sbom-packages-${{ github.event.repository.name }}.csv