Task/ds 9999 test task di GitHub migration

application/.coveragerc → .coveragerc

@@ -4,4 +4,6 @@ omit =
   **/__init__.py
   tests/*
   **/tests/*
+  application/dos_db_handler/*.py
+  **/conftest.py
 branch = True

.editorconfig

@@ -16,3 +16,6 @@ indent_style = tab
 
 [*.py]
 indent_size = 4
+
+[*.md]
+indent_size = unset

.github/PULL_REQUEST_TEMPLATE/release_pull_request_template.md

@@ -0,0 +1,5 @@
+# Release Branch Pull Request
+
+## Description of Changes
+
+Please include a summary of the change

.github/PULL_REQUEST_TEMPLATE/task_pull_request_template.md

@@ -0,0 +1,26 @@
+# Task Branch Pull Request
+
+**<https://nhsd-jira.digital.nhs.uk/browse/{{ .BRANCH_NUMBER }}>**
+
+## Description of Changes
+
+Please include a summary of the change
+
+## Type of change
+
+Delete not appropriate
+
+- Bug fix (non-breaking change which fixes an issue)
+- New feature (non-breaking change which adds functionality)
+- Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- Refactoring (non-breaking change which improves the structure of the code)
+
+## Development Checklist
+
+- [ ] I have performed a self-review of my own code
+- [ ] Tests have added that prove my fix is effective or that my feature works (Integration tests)
+- [ ] I have updated Dependabot to include my changes (if applicable)
+
+## Code Reviewer Checklist
+
+- [ ] I can confirm the changes have been tested or approved by a tester

.github/PULL_REQUEST_TEMPLATE/test_pull_request_template.md

@@ -0,0 +1,22 @@
+# Test Branch Pull Request
+
+## What branch do these tests check?
+
+-
+
+## Description of changes/tests
+
+Why do these tests need to exist?/When should the test be run?
+
+## Development Checklist
+
+- [ ] The tests are tagged correctly
+- [ ] The tests will be run in the development pipeline
+- [ ] The tests are stable and pass
+- [ ] I have used reusable functions and classes where possible
+
+## Code Reviewer Checklist
+
+- [ ] I am confident the tests are stable and have passed
+- [ ] I am confident the tests will be run in the development pipeline
+- [ ] I believe the tests developed in a way which makes them reusable and maintainable

.github/SECURITY.md

@@ -0,0 +1,34 @@
+# Security
+
+NHS England takes security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems and/or private data managed by our systems, please do not hesitate to contact us using the methods outlined below.
+
+## Table of Contents
+
+- [Security](#security)
+  - [Table of Contents](#table-of-contents)
+  - [Reporting a vulnerability](#reporting-a-vulnerability)
+    - [Email](#email)
+    - [NCSC](#ncsc)
+  - [General Security Enquiries](#general-security-enquiries)
+
+## Reporting a vulnerability
+
+Please note, email is our preferred method of receiving reports.
+
+### Email
+
+If you wish to notify us of a vulnerability via email, please include detailed information on the nature of the vulnerability and any steps required to reproduce it.
+
+You can reach us at:
+
+- [cybersecurity@nhs.net](cybersecurity@nhs.net)
+
+### NCSC
+
+You can send your report to the National Cyber Security Centre, who will assess your report and pass it on to NHS England if necessary.
+
+You can report vulnerabilities here: [https://www.ncsc.gov.uk/information/vulnerability-reporting](https://www.ncsc.gov.uk/information/vulnerability-reporting)
+
+## General Security Enquiries
+
+If you have general enquiries regarding our cyber security, please reach out to us at [cybersecurity@nhs.net](cybersecurity@nhs.net)

.github/dependabot.yml

@@ -0,0 +1,66 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  # Maintain dependencies for Python (Works recursively in application directories)
+  - package-ecosystem: "pip"
+    directory: "/application"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+    versioning-strategy: increase-if-necessary
+
+  # Docker Dependencies
+  - package-ecosystem: "docker"
+    directory: "/build/docker/lambda"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  - package-ecosystem: "docker"
+    directory: "/build/docker/tester"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  # Terraform Dependencies
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/modules/s3"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/api-key"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/blue-green-link"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/shared-resources"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/application"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/development-and-deployment-tools"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"

.github/pull_request_template.md

@@ -1,45 +1,3 @@
-## Link to JIRA Ticket
+# Warning
 
--
-
-## Description
-
-Please include a summary of the change
-
-### Noteworthy Changes
-
-- These are changes the reviewer should look out for
-
-## Type of change
-
-Delete not appropriate
-
-- Bug fix (non-breaking change which fixes an issue)
-- New feature (non-breaking change which adds functionality)
-- Breaking change (fix or feature that would cause existing functionality to not work as expected)
-- This change requires a documentation update
-
-## Testing
-
-Please tick the testing that has been completed
-
-- [ ] Unit tests
-- [ ] Integration tests
-
-## Developer Checklist
-
-- [ ] I have performed a self-review of my own code
-- [ ] I have run the [code formatting checks](../README.md#code-quality)
-- [ ] I have run the [code quality checks](../README.md#code-quality)
-- [ ] New code meets [standards](https://nhsd-confluence.digital.nhs.uk/display/DI/DI+Ways+of+Working) agreed by the team
-- [ ] Unit test code coverage is at or above 80%
-- [ ] New and existing unit tests pass locally with my changes
-- [ ] Tests have added that prove my fix is effective or that my feature works (Integration tests)
-- [ ] I have made corresponding changes to the documentation
-- [ ] I have cleaned down my environment (if created)
-
-## Code Reviewer Checklist
-
-- [ ] I have run the unit tests and they run correctly
-- [ ] I can confirm the changes have been tested or approved by a tester
-- [ ] I can confirm no remaining infrastructure is left over from this branch
+Please don't modify this description yet it will be populated once you create the pull request.

.github/workflows/check-pull-request-checklist.yml

@@ -0,0 +1,19 @@
+name: "Check Pull Request Checklist"
+
+on:
+  pull_request:
+    types: [opened, ready_for_review, edited, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  pull-request-checklist:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: mheap/require-checklist-action@v2
+        with:
+          requireChecklist: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/code-quality.yml

@@ -1,38 +1,87 @@
 name: "Check code format and quality"
+
 on:
   push:
-    branches: [master]
+    branches: [develop, main]
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [opened, ready_for_review, synchronize, reopened]
+
+permissions:
+  contents: read
+
 jobs:
   check-code-quality:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Check text files format
         run: |
           build/automation/etc/githooks/scripts/editorconfig-pre-commit.sh
-      - name: Check Python files format
+      - name: Tester Build
         run: |
-          make python-linting
-      - name: Check Terraform files format
+          make tester-build
+      - name: Check Python Unit Test Coverage
         run: |
-          build/automation/etc/githooks/scripts/terraform-format-pre-commit.sh
-      - name: Create coverage report
-        run: |
-          make tester-build coverage-report
+          make coverage-report
       - uses: sonarsource/sonarcloud-github-action@master
         # SEE: https://github.com/SonarSource/sonarcloud-github-action
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
-          projectBaseDir: ./application
+          projectBaseDir: .
           args: >
+            -Dsonar.sources=application,infrastructure,scripts,test,build/docker
             -Dsonar.organization=nhsd-exeter
             -Dsonar.projectKey=uec-dos-int
-            -Dsonar.coverage.exclusions=tests/**,**/tests/**
+            -Dsonar.coverage.exclusions=tests/**,**/tests/**,infrastructure,application/dos_db_handler/**,test/**,scripts/**,application/conftest.py
             -Dsonar.python.coverage.reportPaths=coverage.xml
-            -Dsonar.python.version=3.9
+            -Dsonar.python.version=3.12
+            -Dsonar.exclusions=application/**/tests/**
+
+  check-markdown-code-quality:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Check Markdown format
+        uses: DavidAnson/markdownlint-cli2-action@v13
+        with:
+          config: .github/workflows/configs/markdownlint/.markdownlint.json
+      - name: Check Markdown links
+        uses: gaurav-nelson/github-action-markdown-link-check@v1
+        with:
+          use-quiet-mode: "yes"
+          config-file: .github/workflows/configs/markdownlint/markdown-check-links.json
+          base-branch: develop
+          check-modified-files-only: "yes"
+
+  check-prose:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Check prose
+        uses: errata-ai/vale-action@reviewdog
+        with:
+          fail_on_error: true
+
+  check-python-code-quality:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Tester Build
+        run: |
+          make tester-build
+      - name: Run Python Linting & Formatting
+        run: |
+          make python-run-ruff-checks
+      - name: Check for Python Dead Code
+        run: |
+          make python-check-dead-code

.github/workflows/code-secrets.yml

@@ -0,0 +1,18 @@
+name: "Check code for Secrets"
+
+on: push
+
+permissions:
+  contents: read
+
+jobs:
+  check-code-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Check if code contains any secrets
+        run: make git-config git-secrets-scan-repo-files
+      - name: Checkov Secret Scanner
+        run: make checkov-secret-scanning

.github/workflows/code-security.yml

@@ -1,14 +1,26 @@
-name: "Check code for secrets"
-on: push
+name: "Check code for Security Vulnerabilities"
+
+on:
+  push:
+    branches: [develop, master]
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+
 jobs:
   check-code-security:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Check if code contains any secrets
-        run: |
-          make \
-            git-config \
-            git-secrets-scan-repo-files
+      - name: Check if code contains any Terraform Security Vulnerabilities
+        run: make terraform-security
+      - name: Checkov Security and Best Practices - Docker
+        run: make -s docker-best-practices
+      - name: Checkov Security and Best Practices - Terraform
+        run: make -s terraform-best-practices
+      - name: Checkov Security and Best Practices - Github Actions
+        run: make -s github-actions-best-practices