From dc1f1d09e2120156c00af1e375bda93d5592a45c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Nov 2024 11:41:16 +0000 Subject: [PATCH] Upgrade: [dependabot] - bump NHSDigital/eps-workflow-quality-checks from 3.0.0 to 4.0.4 (#275) Bumps [NHSDigital/eps-workflow-quality-checks](https://github.com/nhsdigital/eps-workflow-quality-checks) from 3.0.0 to 4.0.4.
Release notes

Sourced from NHSDigital/eps-workflow-quality-checks's releases.

v4.0.4

4.0.4 (2024-11-19)

Fix

Info

See code diff Release workflow run

It was initialized by wildjames

v4.0.3

4.0.3 (2024-11-12)

Docs

Info

See code diff Release workflow run

It was initialized by wildjames

v4.0.2

4.0.2 (2024-11-06)

Fix

Info

See code diff Release workflow run

It was initialized by wildjames

... (truncated)

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=NHSDigital/eps-workflow-quality-checks&package-manager=github_actions&previous-version=3.0.0&new-version=4.0.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
---------
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
---
 .devcontainer/devcontainer.json | 8 ++++++++
 .gitallowed | 18 ++++++++++++++++++
 .github/workflows/ci.yml | 2 +-
 .github/workflows/pull_request.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 .pre-commit-config.yaml | 10 ++++++++++
 6 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 .gitallowed
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 58ff30b..76c5cc8 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -8,6 +8,13 @@
 "context": "..",
 "args": {}
 },
+ "features": {
+ "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+ "version": "latest",
+ "moby": "true",
+ "installDockerBuildx": "true"
+ }
+ },
 "mounts": [
 "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
 "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind"
@@ -52,5 +59,6 @@
 }
 }
 },
+ "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
 "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/nhs-eps-spine-client; make install; direnv allow ."
 }
diff --git a/.gitallowed b/.gitallowed
new file mode 100644
index 0000000..9f2ecd3
--- /dev/null
+++ b/.gitallowed
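Review bot: In the first hunk of `.devcontainer/devcontainer.json`, the added `docker-outside-of-docker` feature gives the dev container access to the host's Docker daemon, which is effectively root on the host. The same container, per the context lines, already bind-mounts `~/.ssh` and `~/.gnupg`, so anything running in it (including `make install` from `postCreateCommand`) is now much closer to the developer's host credentials. Nothing in the file records why the feature is needed; a comment above `"features"` such as `// host Docker access is required by the git-secrets pre-commit hook` would make the trade-off explicit. `"version": "latest"` also leaves the installed Docker CLI floating between rebuilds, so pin it to a specific release for a reproducible environment.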
@@ -0,0 +1,18 @@
+token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
+id-token: write
+--token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
+--token=\$GITHUB-TOKEN
+--token="\$GITHUB-TOKEN"
+.*Gemfile\.lock.*
+.*\.gitallowed.*
+.*nhsd-rules-deny.txt.*
+.*\.venv.*
+.*node_modules.*
+.:src/resources/clinical_content_view.*root=*
+.:src/resources/clinical_content_view.*codeSystem=*
+.:src/resources/prescription_search.*root=*
+.:src/live-spine-client.*root=*
+0ba20a521167058a74f3b6e65c42d732054e5753:docs.*
+0ba20a521167058a74f3b6e65c42d732054e5753:scripts/.*
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1357286..b03080c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,7 +6,7 @@ on:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index b9021dd..2a30293 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -6,7 +6,7 @@ on:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3a5883f..5982f63 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
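Review bot: In the new `.gitallowed`, the entries `--token=\$GITHUB-TOKEN` and `--token="\$GITHUB-TOKEN"` spell the variable with a hyphen, so they would not match a real `$GITHUB_TOKEN` reference. If that is what they are meant to allow, they should read `--token=\$GITHUB_TOKEN` and `--token="\$GITHUB_TOKEN"`. The four `.:src/...` entries end in `root=*` or `codeSystem=*`, where `*` only repeats the `=`, so each allows any finding under that path that merely contains `root` or `codeSystem`; `root=.*` would state the apparent intent. Unanchored entries such as `.*node_modules.*` and `.*\.venv.*` presumably suppress any finding whose reported line contains that text anywhere, which is wider than excluding a directory. The file has no comments, so a short `#`-free note in the README on why each path and the commit-scoped `0ba20a52…:docs.*` entries are exempt would help later audits.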
@@ -7,7 +7,7 @@ on:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 31ecaab..17aefc8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -40,5 +40,15 @@ repos:
 types_or: [yaml]
 pass_filenames: false
+ - repo: local
+ hooks:
+ - id: git-secrets
+ name: Git Secrets
+ description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+ entry: bash
+ args:
+ - -c
+ - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'
+ language: system
 fail_fast: true
 default_stages: [commit]
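Review bot: The `docker run` in the new `git-secrets` hook of `.pre-commit-config.yaml` names its image as bare `git-secrets`, with no registry, tag or digest, and nothing in this diff builds it. If the image is missing locally, Docker will try to resolve that name from its default registry, so the provenance of the secret scanner is not pinned; use an explicitly tagged, locally built image and document where it is built. The command also lacks `--rm`, so each commit leaves a stopped container behind, and it mounts the workspace read-write; `docker run --rm -v "$LOCAL_WORKSPACE_FOLDER:/src:ro" git-secrets --pre_commit_hook` would address both, provided the scan works on a read-only mount. `LOCAL_WORKSPACE_FOLDER` is only set through the devcontainer's `remoteEnv`, so a comment above the hook should say it is expected to run inside the devcontainer.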