UKHomeOffice · tomyems · Jul 14, 2023 · May 27, 2023 · May 27, 2023 · May 27, 2023
diff --git a/.cypress/plugins/index.js b/.cypress/plugins/index.js
diff --git a/.drone.yml b/.drone.yml
@@ -16,11 +16,13 @@ platform:
 steps:
 - name: deploy
   pull: if-not-exists
-  image: quay.io/ukhomeofficedigital/lev-ci:3.5.1-130-e662c06959
+  image: node:18-alpine
   commands:
+  - apk add -q --no-cache docker git jq make
   - echo "$${DOCKER_PASSWORD}" | docker login -u "$${DOCKER_USERNAME}" --password-stdin "$${DOCKER_REGISTRY}"
   - npm install -g pnpm@6.32.3
   - wget -q "https://storage.googleapis.com/kubernetes-release/release/v$${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -O "/usr/bin/kubectl"
+  - chmod +x "/usr/bin/kubectl"
   - cd 'apps/docs'
   - make deploy kubectl="kubectl --insecure-skip-tls-verify --server=$${KUBE_SERVER} --namespace=$${KUBE_NAMESPACE} --token=$${KUBE_TOKEN}"
   environment:

diff --git a/.github/actions/deploy-to-heroku/action.yml b/.github/actions/deploy-to-heroku/action.yml
@@ -17,7 +17,7 @@ runs:
   steps:
 
     - name: Login to Heroku
-      uses: AkhileshNS/heroku-deploy@v3.12.12
+      uses: AkhileshNS/heroku-deploy@v3.12.14
       with:
         heroku_api_key: ${{ inputs.heroku-api-key }}
         heroku_app_name: ''

diff --git a/.github/actions/deploy-to-netlify/action.yml b/.github/actions/deploy-to-netlify/action.yml
@@ -31,7 +31,7 @@ runs:
 
     - id: deploy
       name: Deploy
-      uses: nwtgck/actions-netlify@v1.2.3
+      uses: nwtgck/actions-netlify@v2.0.0
       with:
         publish-dir: "${{ inputs.app && format('apps/{0}/', inputs.app) }}pkg/netlify/publish/"
         functions-dir: "${{ inputs.app && format('apps/{0}/', inputs.app) }}pkg/netlify/functions/"

diff --git a/.github/actions/scan-app/action.yml b/.github/actions/scan-app/action.yml
@@ -30,10 +30,10 @@ runs:
         TARGET: ${{ inputs.target }}
       run: |
         PRETTY_TARGET="${TARGET#https://}"
-        echo "::set-output name=write-issue::$([[ \"${GITHUB_REF#refs/heads/}\" != \"${BASELINE_BRANCH}\" ]] && echo 'false' || echo 'true')"
-        echo "::set-output name=fail-action::$([[ \"${GITHUB_REF#refs/heads/}\" != \"${BASELINE_BRANCH}\" ]] && echo 'true' || true)"
-        echo "::set-output name=prefix::${PRETTY_TARGET:-${APP}}"
-        echo "::set-output name=target::${TARGET:-http://localhost:8080}"
+        echo "write-issue=$([[ \"${GITHUB_REF#refs/heads/}\" != \"${BASELINE_BRANCH}\" ]] && echo 'false' || echo 'true')" >> ${GITHUB_OUTPUT}
+        echo "fail-action=$([[ \"${GITHUB_REF#refs/heads/}\" != \"${BASELINE_BRANCH}\" ]] && echo 'true' || true)" >> ${GITHUB_OUTPUT}
+        echo "prefix=${PRETTY_TARGET:-${APP}}" >> ${GITHUB_OUTPUT}
+        echo "target=${TARGET:-http://localhost:8080}" >> ${GITHUB_OUTPUT}
 
     - name: ZAP Scan (baseline)
       if: inputs.smoke

diff --git a/.github/actions/scan-code/action.yml b/.github/actions/scan-code/action.yml
@@ -1,9 +1,5 @@
 name: Scan code-base
 description: Scans the code-base for credentials and security vulnerabilities
-inputs:
-  token:
-    description: GitHub token
-    required: true
 runs:
   using: composite
   steps:
@@ -13,31 +9,5 @@ runs:
       with:
         languages: 'javascript'
 
-    - name: Cache vdb
-      uses: actions/cache@v3
-      with:
-        path: |
-          ${{ github.workspace }}/vdb
-        key: vdb-os_${{ runner.os }}
-
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v2
-
-    - name: Scan
-      uses: ShiftLeftSecurity/scan-action@master
-      env:
-        DISABLE_TELEMETRY: 'true'
-        ENABLE_OSS_RISK: 'true'
-        FETCH_LICENSE: 'true'
-        VDB_HOME: ${{ github.workspace }}/vdb
-        WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
-        GITHUB_TOKEN: ${{ inputs.token }}
-      with:
-        type: json,yaml,serverless,dockerfile,kubernetes,depscan,bom
-        output: reports
-
-    - name: Upload scan reports
-      uses: actions/upload-artifact@master
-      with:
-        name: slscan-reports
-        path: reports
diff --git a/.github/actions/scan-dependencies/action.yml b/.github/actions/scan-dependencies/action.yml
@@ -0,0 +1,35 @@
+name: Scan dependencies
+description: Scans the dependencies for known security vulnerabilities
+inputs:
+  token:
+    description: GitHub token
+    required: true
+runs:
+  using: composite
+  steps:
+
+    - name: Cache vdb
+      uses: actions/cache@v3
+      with:
+        path: |
+          ${{ github.workspace }}/vdb
+        key: vdb-os_${{ runner.os }}
+
+    - name: Scan
+      uses: ShiftLeftSecurity/scan-action@master
+      env:
+        DISABLE_TELEMETRY: 'true'
+        ENABLE_OSS_RISK: 'true'
+        FETCH_LICENSE: 'true'
+        VDB_HOME: ${{ github.workspace }}/vdb
+        WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
+        GITHUB_TOKEN: ${{ inputs.token }}
+      with:
+        type: json,yaml,serverless,dockerfile,kubernetes,depscan,bom
+        output: reports
+
+    - name: Upload scan reports
+      uses: actions/upload-artifact@master
+      with:
+        name: slscan-reports
+        path: reports
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -4,7 +4,7 @@ inputs:
   node:
     description: The version of Node.js to use.
     required: false
-    default: 16
+    default: 18
   frozen-lockfile:
     description: Whether to require a frozen lock-file
     required: false
@@ -19,7 +19,7 @@ runs:
         sudo update-locale LANG=${{ env.LANG }}
 
     - name: Setup PNPM
-      uses: pnpm/action-setup@v2.2.2
+      uses: pnpm/action-setup@v2.2.4
       with:
         version: 6.32.3
         run_install: false
@@ -40,7 +40,7 @@ runs:
 
     - name: Pull dependencies
       if: ${{ !inputs.frozen-lockfile || inputs.frozen-lockfile == 'false' }}
-      uses: pnpm/action-setup@v2.2.2
+      uses: pnpm/action-setup@v2.2.4
       with:
         version: 6.32.3
         run_install: |
@@ -49,7 +49,7 @@ runs:
 
     - name: Pull dependencies (frozen lock-file)
       if: ${{ inputs.frozen-lockfile && inputs.frozen-lockfile != 'false' }}
-      uses: pnpm/action-setup@v2.2.2
+      uses: pnpm/action-setup@v2.2.4
       with:
         version: 6.32.3
         run_install: true
diff --git a/.github/workflows/change-assurance.yml b/.github/workflows/change-assurance.yml
@@ -6,6 +6,21 @@ env:
   LANGUAGE: "en_GB:en"
   LC_ALL: "en_GB.UTF-8"
 jobs:
+  static-analysis:
+    name: Static analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Scan code-base
+        uses: ./.github/actions/scan-code
+
   common:
     name: Dependencies, Unit tests
     runs-on: ubuntu-latest
@@ -38,7 +53,7 @@ jobs:
       - name: Setup
         uses: ./.github/actions/setup
         with:
-          node: 16
+          node: 18
 
       - name: Build libraries
         run: npm run libs:build
@@ -59,7 +74,7 @@ jobs:
       - name: Setup
         uses: ./.github/actions/setup
         with:
-          node: 16
+          node: 18
 
       - name: Build
         uses: ./.github/actions/build-app
@@ -91,7 +106,7 @@ jobs:
       - name: Setup
         uses: ./.github/actions/setup
         with:
-          node: 16
+          node: 18
 
       - name: Download build directory
         uses: actions/download-artifact@v3

diff --git a/.github/workflows/deploy-to-heroku.yml b/.github/workflows/deploy-to-heroku.yml
@@ -74,7 +74,7 @@ jobs:
           cypress-project-id: ${{ secrets.CYPRESS_PROJECT_ID }}
           cypress-record-key: ${{ secrets.CYPRESS_RECORD_KEY }}
           deployment: heroku
-          node: 16
+          node: 18
           smoke: true
 
       - name: Scan service for vulnerabilities

diff --git a/.github/workflows/deploy-to-netlify.yml b/.github/workflows/deploy-to-netlify.yml
@@ -80,7 +80,7 @@ jobs:
           cypress-project-id: ${{ secrets.CYPRESS_PROJECT_ID }}
           cypress-record-key: ${{ secrets.CYPRESS_RECORD_KEY }}
           deployment: netlify
-          node: 16
+          node: 18
           smoke: true
 
       - name: Scan service for vulnerabilities

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -19,7 +19,7 @@ jobs:
       - name: Setup
         uses: ./.github/actions/setup
         with:
-          node: 16
+          node: 18
 
       - name: Push Storybook to Chromatic
         uses: chromaui/action@v1
@@ -30,13 +30,14 @@ jobs:
           autoAcceptChanges: master
           exitZeroOnChanges: true
           exitOnceUploaded: true
+          onlyChanged: true
 
   deploy-docs-to-netlify:
     name: Deploy to Netlify and test
     uses: './.github/workflows/deploy-to-netlify.yml'
     with:
       app: docs
-      node: 16
+      node: 18
       production-branch: master
     secrets:
       CYPRESS_PROJECT_ID: ${{ secrets.CYPRESS_PROJECT_ID }}

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -19,7 +19,7 @@ jobs:
       - name: Setup
         uses: ./.github/actions/setup
         with:
-          node: 16
+          node: 18
           frozen-lockfile: true
 
       - name: Publish

diff --git a/.github/workflows/analysis.yml → ...ub/workflows/static-security-analysis.yml b/.github/workflows/analysis.yml → ...ub/workflows/static-security-analysis.yml
@@ -1,7 +1,5 @@
-name: 'Analysis'
+name: 'Static Security Analysis'
 on:
-  pull_request:
-    branches: [ 'master' ]
   schedule:
     - cron: '35 1 * * 2'
 jobs:
@@ -18,12 +16,15 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
+      - name: Scan code-base
+        uses: ./.github/actions/scan-code
+
       - name: Setup
         uses: ./.github/actions/setup
         with:
-          node: 16
+          node: 18
 
-      - name: Scan code-base
-        uses: ./.github/actions/scan-code
+      - name: Scan dependencies
+        uses: ./.github/actions/scan-dependencies
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/update-built-files.yml b/.github/workflows/update-built-files.yml
@@ -19,10 +19,10 @@ jobs:
       - name: Setup
         uses: ./.github/actions/setup
         with:
-          node: 16
+          node: 18
 
-      - name: Scan code-base
-        uses: ./.github/actions/scan-code
+      - name: Scan dependencies
+        uses: ./.github/actions/scan-dependencies
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -31,3 +31,17 @@ jobs:
         with:
           baseline-branch: 'master'
 
+  static-analysis:
+    name: Static analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Scan code-base
+        uses: ./.github/actions/scan-code
diff --git a/.jest/setup/enzyme.js b/.jest/setup/enzyme.js
diff --git a/apps/docs/Dockerfile b/apps/docs/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:16-alpine
+FROM node:18-alpine
 
 RUN apk add --no-cache ca-certificates \
  && apk upgrade --no-cache \
@@ -15,7 +15,7 @@ COPY package.json /app/
 COPY dist/ /app/dist/
 
 USER 31337
-ENV LISTEN_HOST="0.0.0.0" \
+ENV LISTEN_HOST="::" \
     LISTEN_PORT="8080" \
     SSR_ONLY="false" \
     SESSIONS_SECRET="changeme" \

diff --git a/apps/docs/aws.serverless.yml b/apps/docs/aws.serverless.yml
@@ -1,7 +1,7 @@
 service: docs
 provider:
   name: aws
-  runtime: nodejs16.x
+  runtime: nodejs18.x
   environment:
     MODE: serverless
     NODE_ENV: production

diff --git a/apps/docs/cypress.config.mjs b/apps/docs/cypress.config.mjs
@@ -0,0 +1,6 @@
+import { defineConfig } from 'cypress';
+import projectConfig from '../../cypress.config.mjs';
+
+export default defineConfig({
+  ...projectConfig
+});
diff --git a/apps/docs/cypress.json b/apps/docs/cypress.json