From 894f8b6a2a3b635103b92999e50d814be706fd52 Mon Sep 17 00:00:00 2001 From: Dan Stefaniuk Date: Sat, 25 Nov 2023 10:55:07 +0000 Subject: [PATCH 1/8] Remove typo --- scripts/init.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/init.mk b/scripts/init.mk index 974d085c..373f8a4f 100644 --- a/scripts/init.mk +++ b/scripts/init.mk @@ -145,7 +145,7 @@ HELP_SCRIPT = \ ${VERBOSE}.SILENT: \ _install-dependencies \ -Ì _install-dependency \ + _install-dependency \ clean \ config \ githooks-config \ From 07ee679fad70315462614ec3c48c13b308c3f195 Mon Sep 17 00:00:00 2001 
From: Dan Stefaniuk <499338+stefaniuk@users.noreply.github.com> Date: Sat, 2 Dec 2023 08:15:19 +0000 Subject: [PATCH 2/8] Add Vale pre-commit Git hook (#146) ## Description This change adds a Vale pre-commit Git hook to the repository template. Additionally, the following refactoring tasks were done: - Use Vale natively, if available, otherwise fall back to Docker. - Maintain a consistent naming convention for GitHub actions and pre-commit Git hooks. ## Context Vale is a command-line tool that functions as a syntax-aware linter for prose. It's designed to help writers adhere to a specific writing style or set of guidelines. We automatically check the English usage in our documentation. ## Type of changes - [x] Refactoring (non-breaking change) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would change existing functionality) - [ ] Bug fix (non-breaking change which fixes an issue) ## Checklist - [x] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md) - [x] I have followed the code style of the project - [ ] I have added tests to cover my changes - [ ] I have updated the documentation accordingly - [ ] This PR is a result of pair or mob programming --- ## Sensitive Information Declaration To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter. - [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes. 
--- .../action.yaml | 1 + .github/workflows/stage-1-commit.yaml | 8 +-- .tool-versions | 1 + scripts/config/pre-commit.yaml | 18 +++++-- scripts/githooks/check-english-usage.sh | 52 +++++++++++++++---- scripts/githooks/check-file-format.sh | 4 +- 6 files changed, 62 insertions(+), 22 deletions(-) rename .github/actions/{lint-prose => check-english-usage}/action.yaml (73%) diff --git a/.github/actions/lint-prose/action.yaml b/.github/actions/check-english-usage/action.yaml similarity index 73% rename from .github/actions/lint-prose/action.yaml rename to .github/actions/check-english-usage/action.yaml index ac0d3e81..9953bcc7 100644 --- a/.github/actions/lint-prose/action.yaml +++ b/.github/actions/check-english-usage/action.yaml @@ -6,4 +6,5 @@ runs: - name: "Check English usage" shell: bash run: | + export BRANCH_NAME=origin/${{ github.event.repository.default_branch }} check=branch ./scripts/githooks/check-english-usage.sh diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index d7679788..a516b786 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -56,7 +56,7 @@ jobs: - name: "Check file format" uses: ./.github/actions/check-file-format check-markdown-format: - name: "Check markdown format" + name: "Check Markdown format" runs-on: ubuntu-latest timeout-minutes: 2 steps: @@ -64,9 +64,9 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 # Full history is needed to compare branches - - name: "Check markdown format" + - name: "Check Markdown format" uses: ./.github/actions/check-markdown-format - lint-prose: + check-english-usage: name: "Check English usage" runs-on: ubuntu-latest timeout-minutes: 2 @@ -76,7 +76,7 @@ jobs: with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" - uses: ./.github/actions/lint-prose + uses: ./.github/actions/check-english-usage lint-terraform: name: "Lint Terraform" runs-on: ubuntu-latest 
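Review bot: The new `export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}` line splices a workflow expression into the `run:` script body, which is the pattern GitHub's hardening guidance advises against even when, as here, the value is repository metadata rather than event-supplied input. The conventional form is to map the expression on the step with `env:` / `DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}` and write `export BRANCH_NAME=origin/$DEFAULT_BRANCH` in the script, so the script text is fixed and the value arrives as an environment variable. The step otherwise still depends on the workflow's `fetch-depth: 0` checkout for `check=branch` to have the default branch available to compare against.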
diff --git a/.tool-versions b/.tool-versions index 2faaa205..a69438db 100644 --- a/.tool-versions +++ b/.tool-versions @@ -15,6 +15,7 @@ pre-commit 3.4.0 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image # docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags # docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags +# docker/jdkato/vale v2.29.7@sha256:5ccfac574231b006284513ac3e4e9f38833989d83f2a68db149932c09de85149 # SEE: https://hub.docker.com/r/jdkato/vale/tags # docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags # docker/mstruebing/editorconfig-checker 2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24 # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags # docker/sonarsource/sonar-scanner-cli 5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml index 36ee902e..37ca6375 100644 --- a/scripts/config/pre-commit.yaml +++ b/scripts/config/pre-commit.yaml @@ -2,7 +2,7 @@ repos: - repo: local hooks: - id: scan-secrets - name: Scan Secrets + name: Scan secrets entry: ./scripts/githooks/scan-secrets.sh args: ["check=staged-changes"] language: script 
@@ -10,7 +10,7 @@ repos: - repo: local hooks: - id: check-file-format - name: Check File Format + name: Check file format entry: ./scripts/githooks/check-file-format.sh args: ["check=staged-changes"] language: script @@ -18,15 +18,23 @@ repos: - repo: local hooks: - id: check-markdown-format - name: Check Markdown Format + name: Check Markdown format entry: ./scripts/githooks/check-markdown-format.sh args: ["check=staged-changes"] language: script pass_filenames: false - repo: local hooks: - - id: check-terraform-format - name: Check Terraform Format + - id: check-english-usage + name: Check English usage + entry: ./scripts/githooks/check-english-usage.sh + args: ["check=staged-changes"] + language: script + pass_filenames: false +- repo: local + hooks: + - id: lint-terraform + name: Lint Terraform entry: ./scripts/githooks/check-terraform-format.sh language: script pass_filenames: false diff --git a/scripts/githooks/check-english-usage.sh b/scripts/githooks/check-english-usage.sh index 995833f0..b3942deb 100755 --- a/scripts/githooks/check-english-usage.sh +++ b/scripts/githooks/check-english-usage.sh @@ -1,6 +1,8 @@ #!/bin/bash -set -e +# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead. + +set -euo pipefail # Git hook to check prose style # 
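Review bot: The renamed hook `lint-terraform` / `Lint Terraform` still runs `entry: ./scripts/githooks/check-terraform-format.sh`, so the hook id and the script name no longer match, unlike every other hook in this file (`check-file-format` runs `check-file-format.sh`, the new `check-english-usage` runs `check-english-usage.sh`). Given the commit's stated aim of a consistent naming convention across actions and hooks, either keep the id as `check-terraform-format` or rename the script alongside it. The new `check-english-usage` entry itself follows the convention and sets `pass_filenames: false` consistently with its neighbours.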
@@ -19,15 +21,12 @@ set -e # check=staged-changes: check only files staged for commit. # check=working-tree-changes: check modified, unstaged files. This is the default. # check=branch: check for all changes since branching from $BRANCH_NAME -# ============================================================================== - -image_version=v2.29.0@sha256:d4647754ea0d051d574bafe79edccaaa67f25a4c227b890a55dd83a117278590 # ============================================================================== function main() { - cd $(git rev-parse --show-toplevel) + cd "$(git rev-parse --show-toplevel)" check=${check:-working-tree-changes} case $check in 
@@ -48,18 +47,49 @@ function main() { ;; esac + if command -v vale > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then + filter="$filter" run-vale-natively + else + filter="$filter" run-vale-in-docker + fi +} + +# Run Vale natively. +# Arguments (provided as environment variables): +# filter=[git command to filter the files to check] +function run-vale-natively() { + + # shellcheck disable=SC2046 + vale \ + --config "$PWD/scripts/config/vale/vale.ini" \ + $($filter) +} + +# Run Vale in a Docker container. +# Arguments (provided as environment variables): +# filter=[git command to filter the files to check] +function run-vale-in-docker() { + + # shellcheck disable=SC1091 + source ./scripts/docker/docker.lib.sh + + # shellcheck disable=SC2155 + local image=$(name=jdkato/vale docker-get-image-version-and-pull) # We use /dev/null here to stop `vale` from complaining that it's # not been called correctly if the $filter happens to return an - # empty list. As long as there's a filename, even if it's one that + # empty list. As long as there's a filename, even if it's one that # will be ignored, `vale` is happy. + # shellcheck disable=SC2046,SC2086 docker run --rm --platform linux/amd64 \ - --volume $PWD:/workdir \ + --volume "$PWD:/workdir" \ --workdir /workdir \ - jdkato/vale:$image_version \ - --config scripts/config/vale/vale.ini \ + "$image" \ + --config /workdir/scripts/config/vale/vale.ini \ $($filter) /dev/null } +# ============================================================================== + function is-arg-true() { if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then @@ -71,8 +101,8 @@ function is-arg-true() { # ============================================================================== -is-arg-true "$VERBOSE" && set -x +is-arg-true "${VERBOSE:-false}" && set -x -main $* +main "$@" exit 0 diff --git a/scripts/githooks/check-file-format.sh b/scripts/githooks/check-file-format.sh index fd466adb..d7c94747 100755 
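Review bot: `local image=$(name=jdkato/vale docker-get-image-version-and-pull)` in `run-vale-in-docker` masks the helper's exit status (the reason for the SC2155 directive), so under the new `set -euo pipefail` a failed image lookup or pull does not stop the script and `docker run` proceeds with an empty `"$image"`. Split it into `local image` and `image=$(name=jdkato/vale docker-get-image-version-and-pull)` and drop the shellcheck directive, so errexit applies to the assignment. A second difference between the two new paths: `run-vale-in-docker` appends `/dev/null` for the reason given in the retained comment, but `run-vale-natively` passes only `$($filter)`, so an empty filter result reaches native Vale without that guard; if native Vale tolerates the placeholder the same way, the same `/dev/null` argument would make the two paths behave alike. The enclosing `main` starts before this hunk.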
--- a/scripts/githooks/check-file-format.sh +++ b/scripts/githooks/check-file-format.sh @@ -76,7 +76,7 @@ function main() { # Run editorconfig natively. # Arguments (provided as environment variables): # dry_run_opt=[dry run option] -# filter=[filter for files to check] +# filter=[git command to filter the files to check] function run-editorconfig-natively() { # shellcheck disable=SC2046,SC2086 @@ -87,7 +87,7 @@ function run-editorconfig-natively() { # Run editorconfig in a Docker container. # Arguments (provided as environment variables): # dry_run_opt=[dry run option] -# filter=[filter for files to check] +# filter=[git command to filter the files to check] function run-editorconfig-in-docker() { # shellcheck disable=SC1091 From 8b79e0afabe94984094f0991a2ce939391c3f771 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 10:26:37 +0000 Subject: [PATCH 3/8] Bump jinja2 from 3.1.2 to 3.1.3 in /scripts/docker/examples/python/assets/hello_world (#147) Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.2 to 3.1.3.
Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

  • Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
  • xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
  • Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jinja2&package-manager=pip&previous-version=3.1.2&new-version=3.1.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/nhs-england-tools/repository-template/network/alerts).
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .../docker/examples/python/assets/hello_world/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/docker/examples/python/assets/hello_world/requirements.txt b/scripts/docker/examples/python/assets/hello_world/requirements.txt index 3bad2efd..a38fca78 100644 --- a/scripts/docker/examples/python/assets/hello_world/requirements.txt +++ b/scripts/docker/examples/python/assets/hello_world/requirements.txt @@ -3,7 +3,7 @@ click==8.1.7 Flask-WTF==1.2.0 Flask==2.3.3 itsdangerous==2.1.2 -Jinja2==3.1.2 +Jinja2==3.1.3 MarkupSafe==2.1.3 pip==23.3 setuptools==65.5.1 From 2bba42e993d6f1748e3b4af43e0df0824c193da8 Mon Sep 17 00:00:00 2001 
From: Dan Stefaniuk <499338+stefaniuk@users.noreply.github.com> Date: Wed, 24 Jan 2024 16:49:49 +0000 Subject: [PATCH 4/8] Update documentation on setting up a SonarCloud project (#122) ## Description ## Context ## Type of changes - [x] Refactoring (non-breaking change) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would change existing functionality) - [ ] Bug fix (non-breaking change which fixes an issue) ## Checklist - [x] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md) - [x] I have followed the code style of the project - [ ] I have added tests to cover my changes - [x] I have updated the documentation accordingly - [ ] This PR is a result of pair or mob programming --- ## Sensitive Information Declaration To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter. - [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes. --------- Signed-off-by: Alex Young Co-authored-by: Alex Young --- docs/user-guides/Perform_static_analysis.md | 63 +++++++++++++++++---- 1 file changed, 51 insertions(+), 12 deletions(-) diff --git a/docs/user-guides/Perform_static_analysis.md b/docs/user-guides/Perform_static_analysis.md index 22447b93..a1f70118 100644 --- a/docs/user-guides/Perform_static_analysis.md +++ b/docs/user-guides/Perform_static_analysis.md 
@@ -3,8 +3,9 @@ - [Guide: Perform static analysis](#guide-perform-static-analysis) - [Overview](#overview) - [Key files](#key-files) - - [Configuration checklist](#configuration-checklist) + - [Setup](#setup) - [Testing](#testing) + - [Configuration checklist](#configuration-checklist) ## Overview @@ -19,26 +20,64 @@ Static code analysis is an essential part of modern software development. It pro - [perform-static-analysis/action.yaml](../../.github/actions/perform-static-analysis/action.yaml): GitHub action to run the script as part of the CI/CD pipeline - [.gitignore](../../.gitignore): Excludes the `.scannerwork` temporary directory created during the process +## Setup + +Contact the GitHub Admins via their mailbox to have your [SonarCloud](https://sonarcloud.io) access set up. + +## Testing + +You can run and test static analysis locally on a developer's workstation using the following command + +```shell +export SONAR_ORGANISATION_KEY=nhs-england-tools # Replace with your organisation key +export SONAR_PROJECT_KEY=repository-template # Replace with your project key +export SONAR_TOKEN=[replace-with-your-sonar-token] +./scripts/reports/perform-static-analysis.sh +``` + ## Configuration checklist -- Contact the GitHub Admins via email to have your [SonarCloud](https://sonarcloud.io) project created within the organisation space -- Create a bot account for your service. For more details, please see this [note](../../docs/adr/ADR-003_Acceptable_use_of_GitHub_PAT_and_Apps_for_authN_and_authZ.md#recommendation-for-github-admins). This account should be given access to your project and must own the `SONAR_TOKEN` for security reasons. Use this account to complete the rest of the activities in the Sonar service +> [!WARNING]
+> This section is to be used by the GitHub Admins. + +The list demonstrates the manual way of configuring a project, however our aim is to automate all the activities below. + +- Create a Sonar project within the organisation space: + - Navigate to `+ > Analyze new project > create a project manually` + - Choose the appropriate organisation + - Set "Display name" + - Set "Project key" (it should be populated automatically) + - Set project visibility to "Public" + - After clicking the 'Next' button, set "The new code for this project will be based on" to "Previous version" + - Click "Create project" +- Add two new groups under `Administration > Groups`: + - `[Programme Name]`, all members of the project + - `[Programme Name] Admins`, who will the project's quality gates and quality profiles +- Assign members to the above groups accordingly +- Set group permissions under `Administration > Permissions`: + - For the `[Programme Name] Admins` group, assign: + - "Quality Gates" + - "Quality Profiles" +- Manage project permissions, navigate to `Administration > Projects Management` and select the project you created + - Click on `Edit Permissions` + - Search for `[Programme Name] Admins` group and assign the following: + - "Administer Issues" + - "Administer Security Hotspots" + - "Administer" + - Ensure that other groups do not have unnecessary permissions to administer this project - Navigate to project `Administration > Analysis Method > Manually` and select `Other (for JS, TS, Go, Python, PHP, ...)` - In the [sonar-scanner.properties](../../scripts/config/sonar-scanner.properties) file in your repository, set the following properties according to the information provided above - Set `sonar.[language].[coverage-tool].reportPaths` to ensure the unit test coverage is reported back to Sonar - Do not set the `sonar.organization` and `sonar.projectKey` properties in this file; do the next step instead + +- Use the Sonar token owned by the "SonarCloud Token GitHub Admins" 
service user. There is an existing token named "Scan all" + +> [!NOTE]
+> For an advance configuration create a bot account for your service. For more details, please see this [note](../../docs/adr/ADR-003_Acceptable_use_of_GitHub_PAT_and_Apps_for_authN_and_authZ.md#recommendation-for-github-admins). This account should be given access to your project and must own the `SONAR_TOKEN` for security reasons. + - Follow the documentation on [creating encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) to add the `SONAR_TOKEN` secret to your repository. The GitHub action is already configured to fetch that secret and pass it as a variable. In addition to that: - Add `SONAR_ORGANISATION_KEY` variable (not a secret) - Add `SONAR_PROJECT_KEY` variable (not a secret) - Navigate to project `Administration > Analysis Method` and turn off the `Automatic Analysis` option - Please refrain from adding your repository to the GitHub SonarCloud App, as this app should not be used. Doing so will duplicate reports and initiate them outside the primary pipeline workflow - Confirm that the _"Perform static analysis"_ GitHub action is part of your GitHub CI/CD workflow and enforces the _"Sonar Way"_ quality gates. You can find more information about this in the [NHSE Software Engineering Quality Framework](https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/sonarqube.md) - -## Testing - -You can run and test static analysis locally on a developer's workstation using the following command - -```shell -export SONAR_TOKEN=[replace-with-your-sonar-token] -./scripts/perform-static-analysis.sh -``` From 5a9f3f2e4bd8ff89eb14f4a048c406f469faadb0 Mon Sep 17 00:00:00 2001 
From: Alex Young Date: Wed, 28 Feb 2024 07:24:23 +0000 Subject: [PATCH 5/8] Bump terraform and pre-commit versions (#148) This patch bumps terraform to 1.7.0 and pre-commit to 3.6.0. ## Type of changes - [ ] Refactoring (non-breaking change) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would change existing functionality) - [ ] Bug fix (non-breaking change which fixes an issue) ## Checklist - [ ] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md) - [ ] I have followed the code style of the project - [ ] I have added tests to cover my changes - [ ] I have updated the documentation accordingly - [ ] This PR is a result of pair or mob programming --- ## Sensitive Information Declaration To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter. - [ ] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes. Co-authored-by: Dan Stefaniuk <499338+stefaniuk@users.noreply.github.com> --- .tool-versions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.tool-versions b/.tool-versions index a69438db..32db55a4 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,7 +1,7 @@ # This file is for you! Please, updated to the versions agreed by your team. -terraform 1.5.7 -pre-commit 3.4.0 +terraform 1.7.0 +pre-commit 3.6.0 # ============================================================================== # The section below is reserved for Docker image versions. 
From 5be34c451545fc09da9c8aebe28c6e6df2050c03 Mon Sep 17 00:00:00 2001 
From: Alex Young Date: Mon, 15 Apr 2024 21:23:11 +0100 Subject: [PATCH 6/8] First pass at a full terraform example (#151) ## Description As a general rule, the repository template should provide functionality that works out of the box. The terraform example is problematic because the options default to running the example, and the example doesn't give any guidance as to how people should set up their own code. This patch removes the example, and replaces it with a more fully explained quick start example in `Scripting_Terraform.md`. It also adds the `TF_ENV` environment variable, as a shorthand for selecting the terraform environment directory under `infrastructure/environments`. ## Type of changes - [ ] Refactoring (non-breaking change) - [x] New feature (non-breaking change which adds functionality) - [x] Breaking change (fix or feature that would change existing functionality) - [ ] Bug fix (non-breaking change which fixes an issue) ## Checklist - [ ] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md) - [ ] I have followed the code style of the project - [ ] I have added tests to cover my changes - [ ] I have updated the documentation accordingly - [ ] This PR is a result of pair or mob programming --- ## Sensitive Information Declaration To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter. - [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes. 
--- docs/developer-guides/Scripting_Terraform.md | 203 ++++++++++++++++-- .../environments/{ => dev}/.gitkeep | 0 .../terraform-state-aws-s3/.gitignore | 41 ---- .../examples/terraform-state-aws-s3/main.tf | 46 ---- .../terraform-state-aws-s3/provider.tf | 3 - .../terraform-state-aws-s3/variables.tf | 9 - .../terraform-state-aws-s3/versions.tf | 8 - scripts/terraform/terraform.mk | 27 +-- 8 files changed, 190 insertions(+), 147 deletions(-) rename infrastructure/environments/{ => dev}/.gitkeep (100%) delete mode 100644 scripts/terraform/examples/terraform-state-aws-s3/.gitignore delete mode 100644 scripts/terraform/examples/terraform-state-aws-s3/main.tf delete mode 100644 scripts/terraform/examples/terraform-state-aws-s3/provider.tf delete mode 100644 scripts/terraform/examples/terraform-state-aws-s3/variables.tf delete mode 100644 scripts/terraform/examples/terraform-state-aws-s3/versions.tf diff --git a/docs/developer-guides/Scripting_Terraform.md b/docs/developer-guides/Scripting_Terraform.md index 14b80ca1..837288f6 100644 --- a/docs/developer-guides/Scripting_Terraform.md +++ b/docs/developer-guides/Scripting_Terraform.md 
@@ -62,35 +62,202 @@ Here are some key features built into this repository's Terraform module: ### Quick start -Run the example: +The Repository Template assumes that you will be constructing the bulk of your infrastructure in `infrastructure/modules` as generic deployment configuration, which you will then compose into environment-specific modules, each stored in their own directory under `infrastructure/environments`. Let's create a simple deployable thing, and configure an S3 bucket. We'll make the name of the bucket a variable, so that each environment can have its own. + +Open the file `infrastructure/modules/private_s3_bucket/main.tf`, and put this in it: + +```terraform +# Define the provider +provider "aws" { + region = "eu-west-2" +} + +variable "bucket_name" { + description = "Name of the bucket, which can be different per environment" +} + +resource "aws_s3_bucket" "my_bucket" { + bucket = var.bucket_name # Replace with your desired bucket name + acl = "private" +} +``` + +Note that the variable has been given no value. This is intentional, and allows us to pass the bucket name in as a parameter from the environment. + +Now, we're going to define two deployment environments: `dev`, and `test`. Run this: + +```bash +mkdir -p infrastructure/environments/{dev,test} +``` + +It is important that the directory names match your environment names. + +Now, let's create the environment definition files. Open `infrastructure/environments/dev/main.tf` and copy in: + +```terraform +module "dev_environment" { + source = "../../modules/private_s3_bucket" + bucket_name = "nhse-ee-my-fancy-bucket" +} +``` + +Some things to note: + +- The `source` path is relative to the directory that the `main.tf` file is in. When `terraform` runs, it will `chdir` to that directory first, before doing anything else. +- The `module` name, `"dev_environment"` here, can be anything. 
Module names are only scoped to the file they're in, so you don't need to follow any particular convention here. +- The `bucket_name` is going to end up as the bucket name in AWS. It wants to be meaningful to you, and you need to pick your own. The framework doesn't constrain your choice, but remember that AWS needs them to be globally unique and if you steal `"nhse-ee-my-fancy-bucket"` then I can't test these docs and then I will be sad. + +Let's create our `test` environment now. Open `infrastructure/environments/test/main.tf` and copy in: + +```terraform +module "test_environment" { + source = "../../modules/private_s3_bucket" + bucket_name = "nhse-ee-my-fancy-test-bucket" +} +``` + +We have changed the bucket name here. In this example, I am making no assumptions as to how your AWS accounts are set up. If you intend for your development and test infrastructure to be in the same AWS account (perhaps by necessity, for organisational reasons) and you need to separate them by a naming convention, the framework can support that. + +Now we have our modules and our environments configured, we need to initialise each of them. Run these two commands: + +```bash +TF_ENV=dev make terraform-init +TF_ENV=test make terraform-init +``` + +Each invocation will download the `terraform` dependencies we need. The `TF_ENV` name we give to each invocation is the name of the environment, and must match the directory name we chose under `infrastructure/environments` so that `make` gives the right parameters to `terraform`. + +We are now ready to try deploying to AWS, from our local environment. + +I am going to assume that you have an `~/.aws/credentials` file set up with a separate profile for each environment that you want to use, called `my-test-environment` and `my-dev-environment`. They might have the same credential values in them, in which case `terraform` will create the resources in the same account; or you might have them set up to deploy to different accounts. 
Either would work. + +Run the following: + +```shell +TF_ENV=dev AWS_PROFILE=my-dev-environment make terraform-plan +``` + +If all is working correctly (and you may need to do a round of `aws sso login` first), you should see this output: + +```text + +Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # module.dev_environment.aws_s3_bucket.my_bucket will be created + + resource "aws_s3_bucket" "my_bucket" { + + acceleration_status = (known after apply) + + acl = "private" + + arn = (known after apply) + + bucket = "my-dev-bucket" + + bucket_domain_name = (known after apply) + + bucket_prefix = (known after apply) + + bucket_regional_domain_name = (known after apply) + + force_destroy = false + + hosted_zone_id = (known after apply) + + id = (known after apply) + + object_lock_enabled = (known after apply) + + policy = (known after apply) + + region = (known after apply) + + request_payer = (known after apply) + + tags_all = (known after apply) + + website_domain = (known after apply) + + website_endpoint = (known after apply) + } + +Plan: 1 to add, 0 to change, 0 to destroy. + +───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + +Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. + +``` + +No errors found, so we can now create the bucket: ```shell -# AWS console access setup -export AWS_ACCESS_KEY_ID="..." -export AWS_SECRET_ACCESS_KEY="..." -export AWS_SESSION_TOKEN="..." + $ TF_ENV=dev AWS_PROFILE=my-dev-environment make terraform-apply + +Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # module.dev_environment.aws_s3_bucket.my_bucket will be created + + resource "aws_s3_bucket" "my_bucket" { + + acceleration_status = (known after apply) + + acl = (known after apply) + + arn = (known after apply) + + bucket = "nhse-ee-my-dev-bucket" + + bucket_domain_name = (known after apply) + + bucket_prefix = (known after apply) + + bucket_regional_domain_name = (known after apply) + + force_destroy = false + + hosted_zone_id = (known after apply) + + id = (known after apply) + + object_lock_enabled = (known after apply) + + policy = (known after apply) + + region = (known after apply) + + request_payer = (known after apply) + + tags_all = (known after apply) + + website_domain = (known after apply) + + website_endpoint = (known after apply) + } + +Plan: 1 to add, 0 to change, 0 to destroy. + +Do you want to perform these actions? + Terraform will perform the actions described above. + Only 'yes' will be accepted to approve. + + Enter a value: yes + +module.dev_environment.aws_s3_bucket.my_bucket: Creating... +module.dev_environment.aws_s3_bucket.my_bucket: Creation complete after 1s [id=nhse-ee-my-dev-bucket] + +Apply complete! Resources: 1 added, 0 changed, 0 destroyed. + ``` +You will notice here that I needed to confirm the action to `terraform` manually. If you don't want to do that, you can pass the `-auto-approve` option to `terraform` like this: + ```shell -$ make terraform-example-provision-aws-infrastructure +TF_ENV=dev AWS_PROFILE=my-dev-environment make terraform-apply opts="-auto-approve" +``` -Initializing the backend.. -... -Plan: 5 to add, 0 to change, 0 to destroy. 
-Saved the plan to: terraform.tfplan -To perform exactly these actions, run the following command to apply: - terraform apply "terraform.tfplan" +If you check the contents of your AWS account, you should see your new bucket: + +```shell + $ aws s3 ls --profile my-dev-environment ... -Apply complete! Resources: 5 added, 0 changed, 0 destroyed. +2024-03-01 16:33:55 nhse-ee-my-dev-bucket +``` -$ make terraform-example-destroy-aws-infrastructure +Now I don't want to leave that there, so I will run the corresponding `destroy` command to get rid of it: -... -Plan: 0 to add, 0 to change, 5 to destroy. -... -Apply complete! Resources: 0 added, 0 changed, 5 destroyed. +```shell + $ TF_ENV=dev AWS_PROFILE=my-dev-environment make terraform-destroy opts="-auto-approve" +module.dev_environment.aws_s3_bucket.my_bucket: Refreshing state... [id=nhse-ee-my-dev-bucket] + +Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + - destroy + +Terraform will perform the following actions: + + # module.dev_environment.aws_s3_bucket.my_bucket will be destroyed + ...(more terraform output not shown because it's boring, but the end result is the bucket going away) ``` +To create your `test` environment, you run the same commands with `test` where previously you had `dev`: + +```shell +TF_ENV=test AWS_PROFILE=my-test-environment make terraform-apply opts="-auto-approve" +``` + +To use the same `terraform` files in a GitHub action, see the docs [here](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services). + ### Your stack implementation Always follow [best practices for using Terraform](https://cloud.google.com/docs/terraform/best-practices-for-terraform) while providing infrastructure as code (IaC) for your service. 
diff --git a/infrastructure/environments/.gitkeep b/infrastructure/environments/dev/.gitkeep similarity index 100% rename from infrastructure/environments/.gitkeep rename to infrastructure/environments/dev/.gitkeep diff --git a/scripts/terraform/examples/terraform-state-aws-s3/.gitignore b/scripts/terraform/examples/terraform-state-aws-s3/.gitignore deleted file mode 100644 index c8311407..00000000 --- a/scripts/terraform/examples/terraform-state-aws-s3/.gitignore +++ /dev/null @@ -1,41 +0,0 @@ -# Ignore the lock file as this is just an example -.terraform.lock.hcl -# Ignore Terraform plan -*tfplan* - -# SEE: https://github.com/github/gitignore/blob/main/Terraform.gitignore - -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log -crash.*.log - -# Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject -# to change depending on the environment. -*.tfvars -*.tfvars.json - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Include override files you do wish to add to version control using negated pattern -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* - -# Ignore CLI configuration files -.terraformrc -terraform.rc diff --git a/scripts/terraform/examples/terraform-state-aws-s3/main.tf b/scripts/terraform/examples/terraform-state-aws-s3/main.tf deleted file mode 100644 index a4ca5b0e..00000000 --- a/scripts/terraform/examples/terraform-state-aws-s3/main.tf +++ /dev/null 
@@ -1,46 +0,0 @@ -resource "aws_s3_bucket" "terraform_state_store" { - bucket = var.terraform_state_bucket_name - lifecycle { - prevent_destroy = false // FIXME: Normally, this should be 'true' - this is just an example - } -} - -resource "aws_s3_bucket_versioning" "enabled" { - bucket = aws_s3_bucket.terraform_state_store.id - versioning_configuration { - status = "Enabled" - } -} - -resource "aws_s3_bucket_server_side_encryption_configuration" "default" { - bucket = aws_s3_bucket.terraform_state_store.id - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } -} - -resource "aws_s3_bucket_public_access_block" "public_access" { - bucket = aws_s3_bucket.terraform_state_store.id - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true -} - -resource "aws_dynamodb_table" "dynamodb_terraform_state_lock" { - name = var.terraform_state_table_name - billing_mode = "PAY_PER_REQUEST" - hash_key = "LockID" - attribute { - name = "LockID" - type = "S" - } - server_side_encryption { - enabled = true - } - point_in_time_recovery { - enabled = true - } -} diff --git a/scripts/terraform/examples/terraform-state-aws-s3/provider.tf b/scripts/terraform/examples/terraform-state-aws-s3/provider.tf deleted file mode 100644 index b64be2af..00000000 --- a/scripts/terraform/examples/terraform-state-aws-s3/provider.tf +++ /dev/null @@ -1,3 +0,0 @@ -provider "aws" { - region = "eu-west-2" -} diff --git a/scripts/terraform/examples/terraform-state-aws-s3/variables.tf b/scripts/terraform/examples/terraform-state-aws-s3/variables.tf deleted file mode 100644 index 07f60cb1..00000000 --- a/scripts/terraform/examples/terraform-state-aws-s3/variables.tf +++ /dev/null 
@@ -1,9 +0,0 @@
-variable "terraform_state_bucket_name" {
- description = "The S3 bucket name to store Terraform state"
- default = "repository-template-example-terraform-state-store"
-}
-
-variable "terraform_state_table_name" {
- description = "The DynamoDB table name to acquire Terraform lock"
- default = "repository-template-example-terraform-state-lock"
-}
diff --git a/scripts/terraform/examples/terraform-state-aws-s3/versions.tf b/scripts/terraform/examples/terraform-state-aws-s3/versions.tf
deleted file mode 100644
index 18fd04af..00000000
--- a/scripts/terraform/examples/terraform-state-aws-s3/versions.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-terraform {
- required_version = ">= 1.5.0"
- required_providers {
- aws = {
- version = ">= 5.14.0"
- }
- }
-}
diff --git a/scripts/terraform/terraform.mk b/scripts/terraform/terraform.mk
index 120a0591..6339b196 100644
--- a/scripts/terraform/terraform.mk
+++ b/scripts/terraform/terraform.mk
@@ -4,6 +4,11 @@
 # Custom implementation - implementation of a make target should not exceed 5 lines of effective code.
 # In most cases there should be no need to modify the existing make targets.
 
+TF_ENV ?= dev
+STACK ?= ${stack}
+TERRAFORM_STACK ?= $(or ${STACK}, infrastructure/environments/${TF_ENV})
+dir ?= ${TERRAFORM_STACK}
+
 terraform-init: # Initialise Terraform - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform init command, default is none/empty] @Development
 make _terraform cmd="init" \
 dir=$(or ${terraform_dir}, ${dir}) \
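Review bot: The help text on `terraform-init` (and on `_terraform` in the following hunk) still says the directory "default is one of the module variables or the example directory, if not set", but this commit deletes `scripts/terraform/examples/terraform-state-aws-s3` and the new default is `infrastructure/environments/${TF_ENV}`, so the message now points at a path that no longer exists. Suggest `default is infrastructure/environments/${TF_ENV} (dev), or STACK|stack if set` in both descriptions. Separately, `TF_ENV` is spliced into the stack path with no check that the resulting directory exists, so a mistyped environment name would presumably be handed to terraform as a bogus `dir` rather than failing early; a guard after the `dir=` line of `_terraform`, such as `test -d "$${dir}" || { echo "No such environment directory: $${dir}" >&2; exit 1; }`, would surface that before any plan or apply runs, assuming the recipe lines share one shell as the `source` followed by `terraform-${cmd}` suggests.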
@@ -41,8 +46,6 @@ clean:: # Remove Terraform files (terraform) - optional: terraform_dir|dir=[path
 opts=$(or ${terraform_opts}, ${opts})
 
 _terraform: # Terraform command wrapper - mandatory: cmd=[command to execute]; optional: dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], opts=[options to pass to the Terraform command, default is none/empty]
- # 'TERRAFORM_STACK' is passed to the functions as environment variable
- TERRAFORM_STACK=$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, $(or ${stack}, scripts/terraform/examples/terraform-state-aws-s3))))
 dir=$(or ${dir}, ${TERRAFORM_STACK})
 source scripts/terraform/terraform.lib.sh
 terraform-${cmd} # 'dir' and 'opts' are accessible by the function as environment variables, if set
@@ -55,23 +58,6 @@ terraform-shellscript-lint: # Lint all Terraform module shell scripts @Quality
 file=$${file} scripts/shellscript-linter.sh
 done
 
-# ==============================================================================
-# Module tests and examples - please DO NOT edit this section!
-
-terraform-example-provision-aws-infrastructure: # Provision example of AWS infrastructure @ExamplesAndTests
- make terraform-init
- make terraform-plan opts="-out=terraform.tfplan"
- make terraform-apply opts="-auto-approve terraform.tfplan"
-
-terraform-example-destroy-aws-infrastructure: # Destroy example of AWS infrastructure @ExamplesAndTests
- make terraform-destroy opts="-auto-approve"
-
-terraform-example-clean: # Remove Terraform example files @ExamplesAndTests
- dir=$(or ${dir}, ${TERRAFORM_STACK})
- source scripts/terraform/terraform.lib.sh
- terraform-clean
- rm -f ${TERRAFORM_STACK}/.terraform.lock.hcl
-
 # ==============================================================================
 # Configuration - please DO NOT edit this section!
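Review bot: Removing the shell-side `TERRAFORM_STACK=...` assignment from `_terraform` changes what `terraform.lib.sh` can see: the deleted comment says the value was passed to the functions as an environment variable, whereas the replacement `TERRAFORM_STACK ?= ...` in the earlier hunk is a make variable, which is not exported to the recipe's shell unless the Makefile says so. If any function in `terraform.lib.sh` (not visible here) still reads `$TERRAFORM_STACK`, it will now be empty unless the caller happened to set it in the environment, which would silently change where `terraform-clean` and friends operate. Adding `export TERRAFORM_STACK` next to the `?=` definition, or keeping a `TERRAFORM_STACK=${TERRAFORM_STACK}` line in this recipe, would preserve the previous contract. The remaining `dir=$(or ${dir}, ${TERRAFORM_STACK})` is now redundant with `dir ?= ${TERRAFORM_STACK}` but harmless; the pure-deletion hunk below needs no change.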
@@ -85,9 +71,6 @@ ${VERBOSE}.SILENT: \
 clean \
 terraform-apply \
 terraform-destroy \
- terraform-example-clean \
- terraform-example-destroy-aws-infrastructure \
- terraform-example-provision-aws-infrastructure \
 terraform-fmt \
 terraform-init \
 terraform-install \
From 9d88dae760db82a87ca9ad126df7b1172517e5ca Mon Sep 17 00:00:00 2001
From: Dan Stefaniuk <499338+stefaniuk@users.noreply.github.com> Date: Wed, 17 Apr 2024 13:39:43 +0100 Subject: [PATCH 7/8] Add sed and grep to the list of prerequisites (#150) ## Description Add `sed` and `grep` GNU toolchain commands to the list of prerequisites. ## Context While setting up workstations with a new team, some scripts failed and it wasn't immediately apparent that the version of the `sed` command had to be GNU compliant. ## Type of changes - [x] Refactoring (non-breaking change) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would change existing functionality) - [ ] Bug fix (non-breaking change which fixes an issue) ## Checklist - [x] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md) - [x] I have followed the code style of the project - [ ] I have added tests to cover my changes - [x] I have updated the documentation accordingly - [ ] This PR is a result of pair or mob programming --- ## Sensitive Information Declaration To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter. - [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes. --- README.md | 14 ++++++++++---- scripts/config/vale/styles/Vocab/words/accept.txt | 1 + 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 29f86801..fa01eec1 100644 --- a/README.md +++ b/README.md 
@@ -48,9 +48,6 @@ The following software packages, or their equivalents, are expected to be instal - [Docker](https://www.docker.com/) container runtime or a compatible tool, e.g. [Podman](https://podman.io/), - [asdf](https://asdf-vm.com/) version manager, - [GNU make](https://www.gnu.org/software/make/) 3.82 or later, -- [GNU coreutils](https://www.gnu.org/software/coreutils/) and [GNU binutils](https://www.gnu.org/software/binutils/) may be required to build dependencies like Python, which may need to be compiled during installation. For macOS users, this has been scripted and automated by the `dotfiles` project; please see this [script](https://github.com/nhs-england-tools/dotfiles/blob/main/assets/20-install-base-packages.macos.sh) for details, -- [Python](https://www.python.org/) required to run Git hooks, -- [`jq`](https://jqlang.github.io/jq/) a lightweight and flexible command-line JSON processor. > [!NOTE]
> The version of GNU make available by default on macOS is earlier than 3.82. You will need to upgrade it or certain `make` tasks will fail. On macOS, you will need [Homebrew](https://brew.sh/) installed, then to install `make`, like so: @@ -59,7 +56,16 @@ The following software packages, or their equivalents, are expected to be instal > brew install make > ``` > -> You will then see instructions to fix your `$PATH` variable to make the newly installed version available. If you are using [dotfiles](https://github.com/nhs-england-tools/dotfiles), this is all done for you. +> You will then see instructions to fix your [`$PATH`](https://github.com/nhs-england-tools/dotfiles/blob/main/dot_path.tmpl) variable to make the newly installed version available. If you are using [dotfiles](https://github.com/nhs-england-tools/dotfiles), this is all done for you. + +- [GNU sed](https://www.gnu.org/software/sed/) and [GNU grep](https://www.gnu.org/software/grep/) are required for the scripted command-line output processing, +- [GNU coreutils](https://www.gnu.org/software/coreutils/) and [GNU binutils](https://www.gnu.org/software/binutils/) may be required to build dependencies like Python, which may need to be compiled during installation, + +> [!NOTE]
+> For macOS users, installation of the GNU toolchain has been scripted and automated as part of the `dotfiles` project. Please see this [script](https://github.com/nhs-england-tools/dotfiles/blob/main/assets/20-install-base-packages.macos.sh) for details. + +- [Python](https://www.python.org/) required to run Git hooks, +- [`jq`](https://jqlang.github.io/jq/) a lightweight and flexible command-line JSON processor. ### Configuration diff --git a/scripts/config/vale/styles/Vocab/words/accept.txt b/scripts/config/vale/styles/Vocab/words/accept.txt index eb9cd04e..2c35a52b 100644 --- a/scripts/config/vale/styles/Vocab/words/accept.txt +++ b/scripts/config/vale/styles/Vocab/words/accept.txt @@ -13,5 +13,6 @@ Trufflehog bot idempotence onboarding +sed toolchain [A-Z]+s From 0ed3c55bc7bb9b3b8eedee2d048620b5a3c57949 Mon Sep 17 00:00:00 2001 
From: Alex Young Date: Wed, 1 May 2024 11:48:52 +0100 Subject: [PATCH 8/8] Check markdown in files known to git, not all files (#158) ## Description As currently written, `check=all scripts/githooks/check-markdown-format` will not only check files intentionally checked in, it will also check anything under, for instance, `.venv/` or `node_modules/` which are out of our control. This change makes it only pay attention to checked-in files. I don't think it was intentional that we lint markdown in dependencies. ## Type of changes - [ ] Refactoring (non-breaking change) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would change existing functionality) - [x] Bug fix (non-breaking change which fixes an issue) ## Checklist - [x] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md) - [x] I have followed the code style of the project - [ ] I have added tests to cover my changes - [ ] I have updated the documentation accordingly - [ ] This PR is a result of pair or mob programming --- ## Sensitive Information Declaration To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter. - [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes. Signed-off-by: Alex Young --- scripts/githooks/check-markdown-format.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh index 698df4a5..c39a080d 100755 --- a/scripts/githooks/check-markdown-format.sh 
+++ b/scripts/githooks/check-markdown-format.sh
@@ -38,7 +38,7 @@ function main() {
 check=${check:-working-tree-changes}
 case $check in
 "all")
- files="$(find ./ -type f -name "*.md")"
+ files="$(git ls-files "*.md")"
 ;;
 "staged-changes")
 files="$(git diff --diff-filter=ACMRT --name-only --cached "*.md")"
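Review bot: `git ls-files "*.md"` lists only tracked files, so with `check=all` a Markdown file that has been created but not yet `git add`ed is now silently skipped, which the previous `find` did cover. If the aim is to exclude dependency trees rather than untracked work in progress, `files="$(git ls-files --cached --others --exclude-standard "*.md")"` keeps `.venv/` and `node_modules/` out (provided they are covered by `.gitignore`) while still linting new files before they are staged. Either way, the exclusion now depends on those directories actually being ignored; an unignored vendored tree would still be scanned. `files` is consumed outside this hunk and `function main()` starts above it.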