Release 4.52.0

.github/workflows/pr-lint.yaml

@@ -5,15 +5,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check ticket name conforms to requirements
-        run: echo ${{ github.event.pull_request.head.ref }} | grep -i -E -q "(ccm-[0-9]+)|(dependabot\/)"
+        env:
+          BRANCH_REF: ${{ github.event.pull_request.head.ref }}
+        run: echo "$BRANCH_REF" | grep -i -E -q "(ccm-[0-9]+)|(dependabot\/)"
         continue-on-error: true
 
       - name: Grab ticket name
         if: contains(github.event.pull_request.head.ref, 'ccm-') || contains(github.event.pull_request.head.ref, 'CCM-')
-        run: echo ::set-env name=TICKET_NAME::$(echo ${{ github.event.pull_request.head.ref }} | grep -i -o '\(ccm-[0-9]\+\)' | tr '[:lower:]' '[:upper:]')
-        continue-on-error: true
         env:
-          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+          BRANCH_REF: ${{ github.event.pull_request.head.ref }}
+        run: |
+          TICKET=$(echo "$BRANCH_REF" | grep -i -o '\(ccm-[0-9]\+\)' | tr '[:lower:]' '[:upper:]')
+          echo "TICKET_NAME=$TICKET" >> $GITHUB_ENV
+        continue-on-error: true
 
       - name: Comment on PR with link to JIRA ticket
         if: contains(github.event.pull_request.head.ref, 'ccm-') || contains(github.event.pull_request.head.ref, 'CCM-')

nhsd-git-secrets/nhsd-git-secrets.dockerfile

@@ -19,43 +19,38 @@
 
 FROM ubuntu:24.10
 
-RUN echo "Installing required modules"
-RUN apt-get update \
-  && apt-get -y install curl git build-essential \
-  && apt-get clean
+RUN echo "Installing required modules" \
+  && apt-get update \
+  && apt-get -y install build-essential curl git \
+  && apt-get clean \
+  && echo "Copying source files"
 
 # By default, we copy the entire project into the dockerfile for secret scanning
 # Tweak that COPY if you only want some of the source
-RUN echo "Copying source files"
 WORKDIR /secrets-scanner
 COPY . source
-RUN ls -l source
-
-RUN echo "Downloading secrets scanner"
-RUN curl https://codeload.github.com/awslabs/git-secrets/tar.gz/master | tar -xz --strip=1 git-secrets-master
-
-RUN echo "Installing secrets scanner"
-RUN make install
+RUN ls -l source \
+  && echo "Downloading secrets scanner" \
+  && curl https://codeload.github.com/awslabs/git-secrets/tar.gz/master | tar -xz --strip=1 git-secrets-master \
+  && RUN echo "Installing secrets scanner" \
+  && RUN make install \
+  && echo "Configuring git"
 
 # even though running secrets scanner on a folder, must still be in some kind of git repo
 # for the git-secrets config to attach to something
 # so init an empty git repo here
-RUN echo "Configuring git"
 WORKDIR /secrets-scanner/source
-RUN git init
-
-RUN echo "Downloading regex files from engineering-framework"
-RUN curl https://codeload.github.com/NHSDigital/software-engineering-quality-framework/tar.gz/main | tar -xz --strip=3 software-engineering-quality-framework-main/tools/nhsd-git-secrets/nhsd-rules-deny.txt
+RUN git init \
+  && echo "Downloading regex files from engineering-framework" \
+  && curl https://codeload.github.com/NHSDigital/software-engineering-quality-framework/tar.gz/main | tar -xz --strip=3 software-engineering-quality-framework-main/tools/nhsd-git-secrets/nhsd-rules-deny.txt \
+  && echo "Copying allowed secrets list"
 
-RUN echo "Copying allowed secrets list"
 COPY .gitallowed .
-RUN echo .gitallowed
-
-# Register additional providers: adds AWS by default
-RUN echo "Configuring secrets scanner"
-RUN /secrets-scanner/git-secrets --register-aws
-RUN /secrets-scanner/git-secrets --add-provider -- cat nhsd-rules-deny.txt
-
-# build will fail here, if secrets are found
-RUN echo "Running scan..."
-RUN /secrets-scanner/git-secrets --scan -r .
+RUN echo .gitallowed \
+  # Register additional providers: adds AWS by default
+  && echo "Configuring secrets scanner" \
+  && /secrets-scanner/git-secrets --register-aws \
+  && /secrets-scanner/git-secrets --add-provider -- cat nhsd-rules-deny.txt \
+  # build will fail here, if secrets are found
+  && echo "Running scan..." \
+  && /secrets-scanner/git-secrets --scan -r .