Merge branch 'main' into feature/PI-2097-crn-convictions-conviction-id

.github/actions/analyse/action.yml

@@ -23,7 +23,7 @@ runs:
       shell: bash
 
     - name: Publish test reports
-      uses: mikepenz/action-junit-report@9379f0ccddcab154835d4e2487555ee79614fe95 # v4.2.1
+      uses: mikepenz/action-junit-report@ac30be7acb0a361e5492575ab42e47fcadec4928 # v4.2.2
       if: always() && github.actor != 'dependabot[bot]'
       with:
         check_name: |-

.github/actions/format-code/action.yml

@@ -60,7 +60,7 @@ runs:
       env:
         mask: ${{ inputs.mask }}
 
-    - uses: planetscale/ghcommit-action@b662a9d7235a07e80d976152ed5afe41651c4973 # v0.2.9
+    - uses: planetscale/ghcommit-action@c8ba2501e51d7257efb393109e6e10bc36a3f769 # v0.1.40
       with:
         commit_message: ${{ inputs.commit_message }}
         repo: ${{ github.repository }}

.github/actions/render-project-template/action.yml

@@ -30,6 +30,7 @@ runs:
         sed -i '/add new projects here/a \    "${{ inputs.project_name }}",' settings.gradle.kts
         sed -i '/add new projects here/i \          - '"'"'["${{ inputs.project_name }}"]'"'"'' .github/workflows/access.yml
         sed -i '/add new projects here/i \          - '"'"'["${{ inputs.project_name }}"]'"'"'' .github/workflows/deploy.yml
+        sed -i '/add new projects here/i \          - '"'"'["${{ inputs.project_name }}"]'"'"'' .github/workflows/service-catalogue.yml
         sed -i '/add new projects here/i \          - ${{ inputs.project_name }}' .github/workflows/build.yml
         sed -i '/add new projects here/i \* [${{ steps.project_name.outputs.title_case }}](https://ministryofjustice.github.io/hmpps-probation-integration-services/tech-docs/projects/${{ inputs.project_name }})' doc/tech-docs/source/services.html.md.erb
         sed 's/$SERVICE_NAME/${{ inputs.project_name }}/g' templates/runConfiguration.xml > '.idea/runConfigurations/${{ steps.project_name.outputs.underscore }}.xml'

.github/workflows/gradle.yml

@@ -32,7 +32,7 @@ jobs:
           passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
           git_user_signingkey: true
           git_commit_gpgsign: true
-      - uses: gradle-update/update-gradle-wrapper-action@v1
+      - uses: gradle-update/update-gradle-wrapper-action@0407394b9d173dfc9cf5695f9f560fef6d61a5fe # v1
         with:
           labels: dependencies
           repo-token: ${{ secrets.BOT_GITHUB_TOKEN }}
@@ -41,6 +41,6 @@ jobs:
           if [ "$(git branch --show-current)" != main ]; then
             git config --local user.name probation-integration-bot
             git config --local user.email [email protected]
-            git commit --amend --reset-author --no-edit
+            git rebase --exec 'git commit --amend --reset-author --no-edit' "HEAD~$(find . -type f -name gradlew | wc -l)"
             git push --set-upstream origin "$(git branch --show-current)" --force
           fi

.github/workflows/security.yml

@@ -38,7 +38,7 @@ jobs:
           echo >> projects/${{ matrix.project }}/.trivyignore
 
       - name: Scan image
-        uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # v0.20.0
+        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # v0.21.0
         with:
           image-ref: 'ghcr.io/ministryofjustice/hmpps-probation-integration-services/${{ matrix.project }}:latest'
           ignore-unfixed: true
@@ -56,7 +56,7 @@ jobs:
           sarif_file: 'trivy-results.sarif'
 
       - name: Get Trivy results
-        uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # v0.20.0
+        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # v0.21.0
         with:
           image-ref: 'ghcr.io/ministryofjustice/hmpps-probation-integration-services/${{ matrix.project }}:latest'
           ignore-unfixed: true

.github/workflows/service-catalogue.yml

@@ -0,0 +1,156 @@
+name: Service catalogue
+# Add projects to the HMPPS Service Catalogue
+
+on:
+  workflow_dispatch:
+    inputs:
+      projects:
+        description: Project
+        type: choice
+        required: true
+        options:
+          - 'All'
+          - '["accredited-programmes-and-oasys"]'
+          - '["approved-premises-and-delius"]'
+          - '["approved-premises-and-oasys"]'
+          - '["arns-and-delius"]'
+          - '["assessment-summary-and-delius"]'
+          - '["cas2-and-delius"]'
+          - '["cas3-and-delius"]'
+          - '["core-person-record-and-delius"]'
+          - '["court-case-and-delius"]'
+          - '["create-and-vary-a-licence-and-delius"]'
+          - '["custody-key-dates-and-delius"]'
+          - '["domain-events-and-delius"]'
+          - '["dps-and-delius"]'
+          - '["effective-proposal-framework-and-delius"]'
+          - '["external-api-and-delius"]'
+          - '["hdc-licences-and-delius"]'
+          - '["hmpps-auth-and-delius"]'
+          - '["make-recall-decisions-and-delius"]'
+          - '["manage-offences-and-delius"]'
+          - '["manage-pom-cases-and-delius"]'
+          - '["manage-supervision-and-delius"]'
+          - '["manage-supervision-and-oasys"]'
+          - '["oasys-and-delius"]'
+          - '["offender-events-and-delius"]'
+          - '["opd-and-delius"]'
+          - '["pathfinder-and-delius"]'
+          - '["person-search-index-from-delius"]'
+          - '["pre-sentence-reports-to-delius"]'
+          - '["prison-case-notes-to-probation"]'
+          - '["prison-custody-status-to-delius"]'
+          - '["prison-education-and-delius"]'
+          - '["prison-identifier-and-delius"]'
+          - '["prisoner-profile-and-delius"]'
+          - '["probation-search-and-delius"]'
+          - '["refer-and-monitor-and-delius"]'
+          - '["resettlement-passport-and-delius"]'
+          - '["risk-assessment-scores-to-delius"]'
+          - '["sentence-plan-and-delius"]'
+          - '["sentence-plan-and-oasys"]'
+          - '["soc-and-delius"]'
+          - '["tier-to-delius"]'
+          - '["unpaid-work-and-delius"]'
+          - '["workforce-allocations-to-delius"]'
+          # ^ add new projects here
+          # GitHub Actions doesn't support dynamic choices, we must add each project here to enable manual deployments
+          # See https://github.com/community/community/discussions/11795
+  push:
+    branches:
+      - main
+    paths:
+      - 'projects/**/deploy'
+
+jobs:
+  get-projects:
+    outputs:
+      projects: ${{ steps.output.outputs.projects }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - id: check-changes
+        if: github.event_name == 'push'
+        uses: ./.github/actions/check-changes
+        with:
+          filters: |
+            projects:
+              - 'projects/**/deploy'
+      - name: Get projects - changed
+        if: github.event_name == 'push'
+        run: echo "projects=$PROJECTS" | tee -a "$GITHUB_ENV"
+        env:
+          PROJECTS: ${{ steps.check-changes.outputs.projects }}
+      - name: Get projects - all
+        if: github.event_name == 'workflow_dispatch' && inputs.projects == 'All'
+        run: echo "projects=$(find projects -mindepth 1 -maxdepth 1 -printf "%f\n" | jq --raw-input . | jq --slurp --compact-output .)" | tee -a "$GITHUB_ENV"
+      - name: Get projects - selected
+        if: github.event_name == 'workflow_dispatch' && inputs.projects != 'All'
+        run: echo 'projects=${{ inputs.projects }}' | tee -a "$GITHUB_ENV"
+      - id: output
+        run: echo 'projects=${{ env.projects }}' | tee -a "$GITHUB_OUTPUT"
+
+  update-catalogue:
+    runs-on: ubuntu-latest
+    needs: get-projects
+    strategy:
+      fail-fast: false
+      matrix:
+        project: ${{ fromJson(needs.get-projects.outputs.projects) }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: ./.github/actions/cloud-platform-auth
+        with:
+          api: ${{ secrets.KUBE_ENV_API }}
+          cert: ${{ secrets.KUBE_CERT }}
+          cluster: ${{ secrets.KUBE_CLUSTER }}
+          namespace: ${{ secrets.KUBE_NAMESPACE }}
+          token: ${{ secrets.KUBE_TOKEN }}
+
+      - name: Get environment details
+        id: environments
+        run: |
+          environments=[]
+          for env in dev preprod prod; do
+            values_file="projects/$PROJECT_NAME/deploy/values-$env.yml"
+            if [ -f "$values_file" ] && [ "$(yq '.enabled' "$values_file" | sed 's/^null$/true/')" = "true" ] && [ -n "$(yq '.generic-service.ingress.host' "$values_file")" ]; then 
+              url=$(yq '.generic-service.ingress.host' "$values_file")
+              health_path=$(yq '.generic-service.livenessProbe.httpGet.path // "/health"' "projects/$PROJECT_NAME/deploy/values.yaml")
+              environments=$(echo "$environments" | jq -c '. += [{
+                "name": $name,
+                "type": $name,
+                "url": ("https://" + $url),
+                "health_path": $health_path,
+                "info_path": "/info",
+                "namespace": ("hmpps-probation-integration-services-" + $name)
+              }]' --arg name "$env" --arg url "$url" --arg health_path "$health_path")
+            fi
+          done
+          echo "environments=$environments" | tee -a "$GITHUB_OUTPUT"
+        env:
+          PROJECT_NAME: ${{ matrix.project }}
+
+      - name: Update catalogue
+        run: |
+          ./script/start-service-pod.sh
+          PROJECT_TITLE="$(awk 'BEGIN {RS=""; FS="\n"} !/^[#\/]/ {gsub("\n", " ", $0); sub(/\. .*/, "."); print; exit}' "projects/$PROJECT_NAME/README.md")" # First line of the project's README.md
+          kubectl cp ./script/update-service-catalogue.sh "$POD_NAME:/tmp/update-service-catalogue.sh"
+          kubectl exec "$POD_NAME" -- env \
+            PROJECT_NAME="$PROJECT_NAME" \
+            PROJECT_TITLE="$PROJECT_TITLE" \
+            ENVIRONMENTS="$ENVIRONMENTS" \
+            SERVICE_CATALOGUE_API_KEY="$SERVICE_CATALOGUE_API_KEY" \
+          /tmp/update-service-catalogue.sh
+        env:
+          NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+          POD_NAME: sc-${{ matrix.project }}
+          PROJECT_NAME: ${{ matrix.project }}
+          ENVIRONMENTS: ${{ steps.environments.outputs.environments }}
+          SERVICE_CATALOGUE_API_KEY: ${{ secrets.SERVICE_CATALOGUE_API_KEY }}
+
+      - name: Delete pod
+        if: always()
+        run: kubectl delete pod "$POD_NAME" || true
+        env:
+          POD_NAME: sc-${{ matrix.project }}

.gitignore

@@ -5,6 +5,9 @@ build/
 !**/src/main/**/build/
 !**/src/test/**/build/
 
+### Kotlin 2.0 ###
+.kotlin
+
 ### STS ###
 .apt_generated
 .classpath

build.gradle.kts

@@ -1,5 +1,5 @@
 import com.gorylenko.GenerateGitPropertiesTask
-import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
+import org.jetbrains.kotlin.gradle.dsl.JvmTarget
 import org.jetbrains.kotlin.noarg.gradle.NoArgExtension
 import org.springframework.boot.gradle.tasks.buildinfo.BuildInfo
 import org.springframework.boot.gradle.tasks.bundling.BootJar
@@ -8,10 +8,9 @@ import uk.gov.justice.digital.hmpps.plugins.ClassPathPlugin
 import uk.gov.justice.digital.hmpps.plugins.JibConfigPlugin
 
 plugins {
-    kotlin("jvm") version "1.9.24"
-    kotlin("plugin.spring") version "1.9.24" apply false
-    kotlin("plugin.jpa") version "1.9.24" apply false
-    kotlin("kapt") version "1.9.24" apply false
+    kotlin("jvm") version "2.0.0"
+    kotlin("plugin.spring") version "2.0.0" apply false
+    kotlin("plugin.jpa") version "2.0.0" apply false
     id("org.springframework.boot") version "3.2.5" apply false
     id("io.spring.dependency-management") version "1.1.5" apply false
     id("com.gorylenko.gradle-git-properties") version "2.4.2" apply false
@@ -40,38 +39,43 @@ allprojects {
         mavenCentral()
     }
 
+    apply {
+        plugin("org.jetbrains.kotlin.jvm")
+    }
+
+    kotlin {
+        compilerOptions {
+            jvmTarget.set(JvmTarget.JVM_21)
+            freeCompilerArgs.add("-Xjsr305=strict") // to make use of Spring's null-safety annotations
+        }
+    }
+
     tasks {
         withType<JavaCompile> {
             sourceCompatibility = "21"
         }
 
-        withType<KotlinCompile> {
-            kotlinOptions {
-                freeCompilerArgs = listOf("-Xjsr305=strict")
-                jvmTarget = "21"
-            }
-        }
-
         withType<BootJar> {
             enabled = false
         }
     }
 }
 
 subprojects {
-    apply { plugin("org.springframework.boot") }
-    apply { plugin("io.spring.dependency-management") }
-    apply { plugin("org.jetbrains.kotlin.jvm") }
-    apply { plugin("org.jetbrains.kotlin.kapt") }
-    apply { plugin("org.jetbrains.kotlin.plugin.jpa") }
-    apply { plugin("org.jetbrains.kotlin.plugin.spring") }
-    apply { plugin("jacoco") }
-    apply { plugin("test-report-aggregation") }
-    apply { plugin("jacoco-report-aggregation") }
-    apply { plugin("org.sonarqube") }
-    apply { plugin("com.gorylenko.gradle-git-properties") }
-    apply { plugin(JibConfigPlugin::class.java) }
-    apply { plugin(ClassPathPlugin::class.java) }
+    apply {
+        plugin("org.springframework.boot")
+        plugin("io.spring.dependency-management")
+        plugin("org.jetbrains.kotlin.jvm")
+        plugin("org.jetbrains.kotlin.plugin.jpa")
+        plugin("org.jetbrains.kotlin.plugin.spring")
+        plugin("jacoco")
+        plugin("test-report-aggregation")
+        plugin("jacoco-report-aggregation")
+        plugin("org.sonarqube")
+        plugin("com.gorylenko.gradle-git-properties")
+        plugin(JibConfigPlugin::class.java)
+        plugin(ClassPathPlugin::class.java)
+    }
 
     tasks {
         withType<BootRun> {

doc/tech-docs/source/concepts.html.md.erb

@@ -128,6 +128,27 @@ A practitioner can be a member of one or more teams.
 
 Each team is linked to a single [Local Admin Unit](#local-admin-unit-lau), and may also have a linked office location.
 
+### Limited Access
+
+Alongside role-based access control, access to specific cases in Delius can be controlled via _restrictions_ and
+_exclusions_.
+
+#### Restriction
+
+Probation cases can be "restricted" to a specific subset of probation practitioners, so that only those practitioners
+can access the case details.
+
+Restrictions act as an _allow list_, and are commonly used for high-profile or sensitive cases that should not be
+accessible by everyone.
+
+#### Exclusion
+
+Probation cases can also be "excluded" from a subset of probation practitioners, so that those practitioners
+specifically cannot access the case details.
+
+Exclusions act as a _deny list_, and are commonly used for cases where a practitioner may have a personal relationship
+with the person on probation.
+
 ## OASys Concepts
 
 Probation concepts as modelled in the OASys application

projects/accredited-programmes-and-oasys/deploy/values.yaml

@@ -1,5 +1,6 @@
 # Common values
 generic-service:
+  productId: HMPPS518
   nameOverride: accredited-programmes-and-oasys
 
   image:

projects/accredited-programmes-and-oasys/src/main/resources/application.yml

@@ -23,6 +23,8 @@ management:
     exposure.include: [ "health", "info" ]
   endpoint.health.show-details: always
 
+info.productId: HMPPS518 # https://developer-portal.hmpps.service.justice.gov.uk/products/185
+
 ---
 # Shared dev/test config
 spring.config.activate.on-profile: [ "dev", "integration-test" ]

projects/accredited-programmes-and-oasys/tech-docs/Gemfile.lock

@@ -145,7 +145,8 @@ GEM
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     redcarpet (3.5.1)
-    rexml (3.2.5)
+    rexml (3.2.8)
+      strscan (>= 3.0.9)
     rouge (3.30.0)
     sass (3.4.25)
     sassc (2.4.0)
@@ -154,6 +155,7 @@ GEM
     sprockets (4.2.0)
       concurrent-ruby (~> 1.0)
       rack (>= 2.2.4, < 4)
+    strscan (3.1.0)
     temple (0.10.0)
     thor (1.2.1)
     tilt (2.0.11)

projects/approved-premises-and-delius/deploy/values.yaml

@@ -1,4 +1,5 @@
 generic-service:
+  productId: HMPPS518
   nameOverride: approved-premises-and-delius
   serviceAccountName: approved-premises-and-delius
 

projects/approved-premises-and-delius/src/main/resources/application.yml

@@ -40,6 +40,8 @@ management:
     exposure.include: [ "health", "info" ]
   endpoint.health.show-details: always
 
+info.productId: HMPPS518 # https://developer-portal.hmpps.service.justice.gov.uk/products/185
+
 ---
 # Shared dev/test config
 spring.config.activate.on-profile: [ "dev", "integration-test" ]

projects/approved-premises-and-oasys/deploy/values.yaml

@@ -2,6 +2,7 @@
 # Values here are the same across all environments
 # An additional set of default values can be found in templates/helm-defaults.yml, which is the same across all projects
 generic-service:
+  productId: HMPPS518
   nameOverride: approved-premises-and-oasys
 
   image: