ministryofjustice · jacobwoffenden · Feb 22, 2024 · Feb 21, 2024 · Feb 21, 2024 · Feb 21, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,9 +1,6 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
+---
 version: 2
+
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -0,0 +1,34 @@
+---
+name: Build and Test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Build
+        id: build
+        shell: bash
+        run: |
+          docker build --file Dockerfile --tag ghcr.io/ministryofjustice/tech-docs-github-pages-publisher:latest .
+
+      - name: Test
+        id: test
+        shell: bash
+        run: |
+          docker run --rm \
+            --volume ${GITHUB_WORKSPACE}/test:/publisher \
+            ghcr.io/ministryofjustice/tech-docs-github-pages-publisher:latest /usr/local/bin/td-package
diff --git a/.github/workflows/cicd-build-docker-image.yml b/.github/workflows/cicd-build-docker-image.yml
diff --git a/.github/workflows/cicd-dependency-review.yml b/.github/workflows/cicd-dependency-review.yml
diff --git a/.github/workflows/cicd-push-docker-image.yml b/.github/workflows/cicd-push-docker-image.yml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,28 @@
+---
+name: Dependency Review
+
+on:
+  pull_request:
+    types:
+        - edited
+        - opened
+        - reopened
+        - synchronize
+
+permissions: {}
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
+        with:
+          fail-on-severity: critical
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,55 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions: {}
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install cosign
+        id: install_cosign
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+
+      - name: Log in to GitHub Container Registry
+        id: login_ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push
+        id: build_and_push
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          push: true
+          tags: ghcr.io/ministryofjustice/tech-docs-github-pages-publisher:${{ github.ref_name }}
+
+      - name: Sign
+        id: sign
+        shell: bash
+        run: |
+          cosign sign --yes ghcr.io/ministryofjustice/tech-docs-github-pages-publisher@${{ steps.build_and_push.outputs.digest }}
+
+      - name: Verify
+        id: verify
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity=https://github.com/ministryofjustice/tech-docs-github-pages-publisher/.github/workflows/release.yml@refs/tags/${{ github.ref_name }} \
+            ghcr.io/ministryofjustice/tech-docs-github-pages-publisher@${{ steps.build_and_push.outputs.digest }}
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,14 @@
 .env
-
+.terraform/
+coverage/
+venv/
+env/
+.DS_STORE
 .vscode
-.idea
+*.code-workspace
+*.sha256
+terraform.tfstate
+test/docs
+test/artifact.tar
+test/config.rb
+test/Gemfile*
diff --git a/.ruby-version b/.ruby-version
diff --git a/Dockerfile b/Dockerfile
@@ -1,29 +1,42 @@
-# Do not update to Ruby 3 until Gemfile dependencies are fixed
-FROM ruby:2.7.6-alpine3.15
+FROM public.ecr.aws/docker/library/ruby:3.2.3-alpine3.19
 
-# These are needed to support building native extensions during
-# bundle install step
-RUN apk --update add --virtual build_deps build-base git
+LABEL org.opencontainers.image.vendor="Ministry of Justice" \
+      org.opencontainers.image.authors="Operations Engineering" \
+      org.opencontainers.image.title="Tech Docs GitHub Pages Publisher" \
+      org.opencontainers.image.description="Container for build and packaging tech-docs" \
+      org.opencontainers.image.url="https://github.com/ministryofjustice/tech-docs-github-pages-publisher"
 
-RUN addgroup -g 1000 -S appgroup \
-  && adduser -u 1000 --system appuser \
-  && adduser appuser appgroup \
-  && gem install bundler -v 2.4.22\
-  && bundle config
+ENV PUBLISHER_DIRECTORY="/publisher" \
+    BUNDLER_VERSION="2.5.6" \
+    LYCHEE_VERSION="0.14.3"
 
-# Required at runtime by middleman
-RUN apk add --no-cache nodejs
 
-WORKDIR /app
+# Install dependencies
+RUN apk --update-cache --no-cache add \
+      build-base \
+      curl \
+      git \
+      nodejs
 
-COPY Gemfile Gemfile.lock ./
+RUN install -dD -o root -g root -m 700 "${PUBLISHER_DIRECTORY}"
+
+RUN gem install bundler --version "${BUNDLER_VERSION}"
+
+RUN curl --location --fail-with-body \
+      "https://github.com/lycheeverse/lychee/releases/download/v${LYCHEE_VERSION}/lychee-v${LYCHEE_VERSION}-x86_64-unknown-linux-musl.tar.gz" \
+      --output lychee.tar.gz \
+    && tar -xzf lychee.tar.gz \
+    && install -o root -g root -m 775 lychee /usr/local/bin/lychee \
+    && rm -f lychee.tar.gz
+
+COPY src/usr/local/bin/ /usr/local/bin/
+
+WORKDIR /opt/publisher
+
+COPY src/opt/publisher/ /opt/publisher/
 
 RUN bundle install
 
-# Stash a copy of the config.rb, Gemfile and Gemfile.lock Middleman need these
-# later, because documentation repos won't have them.
-RUN mkdir /stashed-files
-COPY config.rb Gemfile Gemfile.lock /stashed-files/
+WORKDIR ${PUBLISHER_DIRECTORY}
 
-RUN mkdir /publishing-scripts
-COPY scripts/* /scripts/
+ENTRYPOINT ["/bin/sh"]
diff --git a/Gemfile b/Gemfile
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020-2022 Crown Copyright (Ministry of Justice)
+Copyright (c) 2020-2024 Crown Copyright (Ministry of Justice)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal