Merge pull request #62 from ONS-Innovation/KEH-1221

KEH-1221 - Add additional linters

Author: TotalDwarf03

.checkov.yml

@@ -0,0 +1,22 @@
+# Checkov configuration file
+# This file is used to configure Checkov, a static code analysis tool for infrastructure as code.
+---
+skip-check:
+  # IAM Resourcing using wildcards
+  - CKV_AWS_356
+  - CKV_AWS_111
+
+  # Lambda Encryption and Dead Letter Queue
+  - CKV_AWS_173
+  - CKV_AWS_116
+
+  # Cloudwatch Logs KMS Encryption and Retention
+  - CKV_AWS_158
+  - CKV_AWS_338
+
+  # Pin module sources to a commit hash (false positive)
+  - CKV_TF_1
+
+  # These ignores are TEMPORARY. They will be resolved in the future.
+  - CKV_AWS_108
+  - CKV_AWS_272

.github/pull_request_template.md

@@ -1,38 +1,38 @@
-## What type of PR is this? (check all applicable)
+# What type of PR is this? (check all applicable)
 
 - [ ] Refactor
 - [ ] Feature
 - [ ] Bug Fix
 - [ ] Optimization
 - [ ] Documentation Update
 
-### What
+## What
 
 Describe what you have changed and why.
 
-### Testing
+## Testing
 
 Have any new tests been added as part of this issue? If not, try to explain why test coverage is not needed here.
 
 - [ ] Yes
 - [ ] No
-Please write a brief description of why test coverage is not necessary here.
+      Please write a brief description of why test coverage is not necessary here.
 - [ ] Not as part of this ticket. (Could be done at a later point)
 
-### Documentation
+## Documentation
 
-Has any new documentation been written as part of this issue? We should try to keep documentation up to date 
+Has any new documentation been written as part of this issue? We should try to keep documentation up to date
 as new code is added, rather than leaving it for the future.
 
 - [ ] Yes
 - [ ] No
-Please write a brief description of why documentation is not necessary here.
+      Please write a brief description of why documentation is not necessary here.
 - [ ] Not as part of this ticket. (Could be done at a later point)
 
-### Related issues
+## Related issues
 
 Provide links to any related issues.
 
-### How to review
+## How to review
 
-Describe the steps required to test the changes.
+Describe the steps required to test the changes.

.github/workflows/ci.yml

@@ -7,6 +7,8 @@ on: # yamllint disable-line rule:truthy
   pull_request:
     branches: [main]
 
+permissions: read-all
+
 concurrency:
   group: "${{ github.head_ref || github.ref }}-${{ github.workflow }}"
   cancel-in-progress: true
@@ -15,12 +17,10 @@ jobs:
   lint-test:
     name: Lint and Test
     runs-on: ubuntu-22.04
-    permissions:
-      contents: read
     strategy:
       matrix:
         python-version: ["3.12"]
-    
+
     steps:
       - uses: actions/checkout@v4
       - name: Install Poetry
@@ -31,18 +31,18 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           cache: poetry
-        
+
       - name: Display Python version
         run: python -c "import sys; print(sys.version)"
 
       - name: Install dependencies
         run: make install-dev
 
-      - name: Lint Python (check only)
-        run: make lint
+      - name: Lint Python and Markdown (check only)
+        run: make lint-check
 
       - name: Run tests
         run: make test
-      
-      - name: Cleanup residue file
-        run: make clean
+
+      - name: Cleanup residue files
+        run: make clean

.github/workflows/deploy_mkdocs.yml

@@ -19,13 +19,13 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: 3.x
-      - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV 
+      - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
       - uses: actions/cache@v4
         with:
           key: mkdocs-material-${{ env.cache_id }}
-          path: .cache 
+          path: .cache
           restore-keys: |
             mkdocs-material-
       - run: pip install poetry
       - run: poetry install --only docs
-      - run: poetry run mkdocs gh-deploy --force
+      - run: poetry run mkdocs gh-deploy --force

.github/workflows/megalinter.yml

@@ -0,0 +1,204 @@
+# MegaLinter GitHub Action configuration file
+# More info at https://megalinter.io
+---
+name: MegaLinter
+
+# Trigger mega-linter at every push. Action will also be visible from
+# Pull Requests to main
+on: # yamllint disable-line rule:truthy
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+  statuses: write
+
+# Comment env block if you do not want to apply fixes
+env:
+  # Apply linter fixes configuration
+  #
+  # When active, APPLY_FIXES must also be defined as environment variable
+  # (in github/workflows/mega-linter.yml or other CI tool)
+  # This is dynamically set based on the presence of the PAT secret.
+  # If the PAT secret is not present, the APPLY_FIXES environment variable is set to none.
+  # Without a PAT token, commits/PRs will not trigger workflow runs.
+  # This is a GitHub Actions limitation to prevent infinite loops.
+  APPLY_FIXES: all
+
+  # Decide which event triggers application of fixes in a commit or a PR
+  # (pull_request, push, all)
+  APPLY_FIXES_EVENT: pull_request
+
+  # If APPLY_FIXES is used, defines if the fixes are directly committed (commit)
+  # or posted in a PR (pull_request)
+  APPLY_FIXES_MODE: commit
+
+  # Show individual linter status in GitHub Actions status summary
+  GITHUB_STATUS_REPORTER: true
+
+  # Enable to show lint results in GitHub PR comments.
+  GITHUB_COMMENT_REPORTER: true
+
+  # Set to simple to avoid external images in generated markdown
+  REPORTERS_MARKDOWN_TYPE: simple
+
+concurrency:
+  group: "${{ github.head_ref || github.ref }}-${{ github.workflow }}"
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+
+    # Give the default GITHUB_TOKEN write permission to commit and push, comment
+    # issues, and post new Pull Requests; remove the ones you do not need
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      statuses: write
+
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+
+          # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
+          # improve performance
+          fetch-depth: 0
+
+      - name: Check PAT and Set APPLY_FIXES
+        run: |
+          if [ -z "${{ secrets.PAT }}" ]; then
+            echo "APPLY_FIXES=none" >> "$GITHUB_ENV"
+          fi
+
+      # MegaLinter
+      - name: MegaLinter
+
+        # You can override MegaLinter flavor used to have faster performances
+        # More info at https://megalinter.io/latest/flavors/
+        uses: oxsecurity/megalinter@1fc052d03c7a43c78fe0fee19c9d648b749e0c01
+
+        id: ml
+
+        # All available variables are described in documentation
+        # https://megalinter.io/latest/config-file/
+        env:
+          # Validates all source when push on main, else just the git diff with
+          # main. Override with true if you always want to lint all sources
+          #
+          # To validate the entire codebase, set to:
+          # VALIDATE_ALL_CODEBASE: true
+          #
+          # To validate only diff with main, set to:
+          # VALIDATE_ALL_CODEBASE: >-
+          #   ${{
+          #     github.event_name == 'push' &&
+          #     github.ref == 'refs/heads/main'
+          #   }}
+          VALIDATE_ALL_CODEBASE: true
+
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF
+          # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@v4
+        if: success() || failure()
+        with:
+          name: MegaLinter reports
+          path: |
+            megalinter-reports
+            mega-linter.log
+
+      # Create pull request if applicable
+      # (for now works only on PR from same repository, not from forks)
+      - name: Create Pull Request with applied fixes
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f
+        id: cpr
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'pull_request' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          commit-message: "[MegaLinter] Apply linters automatic fixes"
+          title: "[MegaLinter] Apply linters automatic fixes"
+          labels: bot
+
+      - name: Create PR output
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'pull_request' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        run: |
+          echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+      # Push new commit if applicable
+      # (for now works only on PR from same repository, not from forks)
+      - name: Prepare commit
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'commit' &&
+          github.ref != 'refs/heads/main' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        run: sudo chown -Rc $UID .git/
+
+      - name: Commit and push applied linter fixes
+        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'commit' &&
+          github.ref != 'refs/heads/main' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        with:
+          branch: >-
+            ${{
+              github.event.pull_request.head.ref ||
+              github.head_ref ||
+              github.ref
+            }}
+          commit_message: "[MegaLinter] Apply linters fixes"

.gitignore

@@ -63,3 +63,6 @@ terraform.rc
 
 # VS Code settings
 .vscode/
+
+# Ignore MegaLinter reports
+megalinter-reports/

.markdownlint.json

@@ -0,0 +1,3 @@
+{
+  "MD013": false
+}

.markdownlintignore

@@ -0,0 +1 @@
+venv