diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 58ff30b..76c5cc8 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -8,6 +8,13 @@
 "context": "..",
 "args": {}
 },
+ "features": {
+ "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+ "version": "latest",
+ "moby": "true",
+ "installDockerBuildx": "true"
+ }
+ },
 "mounts": [
 "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
 "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind"
@@ -52,5 +59,6 @@
 }
 }
 },
+ "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
 "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/nhs-eps-spine-client; make install; direnv allow ."
 }
diff --git a/.gitallowed b/.gitallowed
new file mode 100644
index 0000000..9f2ecd3
--- /dev/null
+++ b/.gitallowed
@@ -0,0 +1,18 @@
+token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
+id-token: write
+--token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
+--token=\$GITHUB-TOKEN
+--token="\$GITHUB-TOKEN"
+.*Gemfile\.lock.*
+.*\.gitallowed.*
+.*nhsd-rules-deny.txt.*
+.*\.venv.*
+.*node_modules.*
+.:src/resources/clinical_content_view.*root=*
+.:src/resources/clinical_content_view.*codeSystem=*
+.:src/resources/prescription_search.*root=*
+.:src/live-spine-client.*root=*
+0ba20a521167058a74f3b6e65c42d732054e5753:docs.*
+0ba20a521167058a74f3b6e65c42d732054e5753:scripts/.*
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1357286..b03080c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
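Review bot: The new `features` block leaves the Docker toolchain floating: `"version": "latest"` is resolved when the container image is built, so two rebuilds of the same commit can install different Docker CLI binaries, and the feature itself is pinned only to the `:1` major. Pin both to exact versions (`"version": "<docker-cli-version>"` and the feature tag `docker-outside-of-docker:<x.y.z>`, real values in place of the placeholders) so the tooling that the pre-commit hook and `postCreateCommand` rely on is reproducible. A line of explanation is also warranted, since devcontainer.json accepts `//` comments and docker-outside-of-docker hands the container the host's Docker daemon, which is effectively host-level access: `// docker-outside-of-docker exposes the host Docker daemon inside this container; anything run in here can reach the host.`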
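Review bot: `remoteEnv.LOCAL_WORKSPACE_FOLDER` is added without saying who consumes it or why the host path, rather than the in-container `/workspaces/...` path visible on the `postCreateCommand` line below it, is the one wanted. Presumably it exists for `docker run -v` invocations issued inside the container, which docker-outside-of-docker forwards to the host daemon, so bind mounts must name host paths; a comment would spare the next reader that inference: `// Host-side path of the checkout: docker run -v from inside the container is served by the host daemon and needs host paths (used by the git-secrets pre-commit hook).` If that reading is right, the variable is only meaningful while the container's daemon is the host's, so its dependency on the `features` block above should be stated as well.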
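Review bot: Several allow-list entries are broader than their apparent intent: `.*\.venv.*`, `.*node_modules.*`, `.*Gemfile\.lock.*` and `.*nhsd-rules-deny.txt.*` exempt every line that merely mentions those names, so a credential on any such line is never reported, and in `.:src/resources/clinical_content_view.*root=*` (and the three path entries after it) the `*` quantifies only the `=`, so the entry clears any line containing `root` after that path rather than a `root=<value>` pair. Tighten the path entries to the value they are meant to clear, e.g. `.:src/resources/clinical_content_view.*root=<allowed-oid>` with the real identifier in place of the placeholder, and anchor the directory entries to a path prefix instead of `.*` on both sides. The two entries prefixed `0ba20a521167058a74f3b6e65c42d732054e5753:` silence `docs` and `scripts/` for that whole commit; recording in the repo docs why that commit was cleared would keep the allow-list auditable.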
@@ -6,7 +6,7 @@ on:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index b9021dd..2a30293 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -6,7 +6,7 @@ on:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3a5883f..5982f63 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 quality_checks:
- uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+ uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 31ecaab..17aefc8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -40,5 +40,15 @@ repos:
 types_or: [yaml]
 pass_filenames: false
+ - repo: local
+ hooks:
+ - id: git-secrets
+ name: Git Secrets
+ description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+ entry: bash
+ args:
+ - -c
+ - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'
+ language: system
 fail_fast: true
 default_stages: [commit]
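Review bot: The `docker run` line in the new git-secrets hook uses an unqualified, untagged image name (`git-secrets`): if no image of that name exists locally, Docker resolves it to `docker.io/library/git-secrets` at the `latest` tag, so the scanner's provenance is not pinned, and without `--rm` a container is left behind on every commit. It also breaks when `LOCAL_WORKSPACE_FOLDER` is unset (pre-commit invoked outside the dev container), because `-v ":/src"` is an invalid mount spec and the hook then fails on that rather than on a finding. Suggest `- 'docker run --rm -v "${LOCAL_WORKSPACE_FOLDER:?set by the devcontainer remoteEnv}:/src" <registry>/git-secrets@sha256:<digest> --pre_commit_hook'` with the real reference in place of the placeholders. The script does not use the file list pre-commit appends to its command, so the hook should also carry `pass_filenames: false`, as the hook directly above it does.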