Chore: [AEA-6424] - new quality checks #493
Pull request overview
This PR tightens repository quality/security tooling by adding local vulnerability scanning and hardening GitHub Actions workflows with explicit permissions, alongside related housekeeping updates.
Changes:
- Add `zizmor.yml` rule ignores to suppress known/accepted findings.
- Add a local `pre-commit` hook to run `make grype-scan-local`, and ignore generated SBOM output.
- Harden/refresh GitHub Actions workflows (explicit `permissions: {}`, updated reusable workflow refs, safer checkout settings) and add CODEOWNERS for workflow approval control.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| zizmor.yml | Adds rule ignore configuration for zizmor findings. |
| .pre-commit-config.yaml | Adds a local pre-commit hook to run Grype scanning via make. |
| .gitignore | Ignores .sbom/ output directory. |
| .github/workflows/sync_copilot.yml | Sets default workflow permissions to none. |
| .github/workflows/sam_release_code.yml | Adds default no-permissions and tweaks checkout credential persistence. |
| .github/workflows/sam_package_code.yml | Adds default no-permissions and tweaks checkout credential persistence. |
| .github/workflows/release.yml | Updates reusable workflow SHAs and moves to explicit permissions model. |
| .github/workflows/pull_request.yml | Updates reusable workflow SHAs and moves to explicit permissions model. |
| .github/workflows/delete_old_cloudformation_stacks.yml | Sets default workflow permissions to none and hardens checkout. |
| .github/workflows/ci.yml | Updates reusable workflow SHAs and moves to explicit permissions model. |
| .github/CODEOWNERS | Restricts approvals for workflow changes to @NHSDigital/eps-admins. |
| .devcontainer/devcontainer.json | Bumps devcontainer base image version. |
| env: | ||
| BRANCH_NAME: ${{ github.event.pull_request.head.ref }} | ||
| permissions: {} |
With workflow-level permissions: {} the default GITHUB_TOKEN permissions are none. Jobs like get_issue_number (uses actions/github-script to call the PR/commit APIs) and release_code (calls reusable workflow sam_release_code.yml, which needs at least id-token: write and contents: read) currently don't set job-level permissions, so they will inherit none and likely fail with 403 / OIDC token errors. Add explicit permissions blocks to those jobs (e.g. pull-requests: read for get_issue_number, and id-token: write + contents: read (or contents: write if needed) for release_code).
| env: | ||
| BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} | ||
| permissions: {} |
With workflow-level permissions: {} the jobs that call the reusable workflow sam_release_code.yml (e.g. release_dev, release_qa) currently don't declare job-level permissions. Reusable workflows cannot elevate permissions above the caller, so sam_release_code.yml won't actually get the id-token / contents permissions it requests and AWS/OIDC + checkout/push steps can fail. Add explicit job-level permissions to each uses: ./.github/workflows/sam_release_code.yml job (at minimum id-token: write and contents: write if gh-pages updates are required).
| permissions: {} | |
| permissions: | |
| contents: write | |
| id-token: write |
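Review bot: `contents: write` and `id-token: write` are now granted at workflow level in `sam_release_code.yml`, so every job in the file receives them; if only the step that updates gh-pages needs write access, move `permissions:` down to that job and leave the others at `contents: read`. Also note that in a `workflow_call` workflow this block can only lower what the calling job passes in, never raise it, so each caller job must grant the same scopes or the token still arrives without them (see the comments on the calling workflows).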
| env: | ||
| BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} | ||
| permissions: {} |
With workflow-level permissions: {} the release_* jobs that call the reusable workflow sam_release_code.yml don't declare job-level permissions. Because called workflows cannot elevate permissions beyond the caller, sam_release_code.yml will run without the id-token / contents permissions it needs for OIDC AWS auth, checkout, and gh-pages updates. Add explicit permissions blocks to each release_* job (at minimum id-token: write and contents: write).
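One way to apply the three permissions comments above to a calling workflow, as an added example that is not code from this PR (job names come from the comments; the `issue_number` input and the gh-pages push are assumptions):

```yaml
# Added example, not code from this PR: a caller workflow that keeps the
# workflow-level token at none and grants scopes per job. Job names come from
# the review comments; the reusable workflow's input name is assumed.
name: release
on:
  push:
    branches: [main]

# Every job starts with no GITHUB_TOKEN scopes.
permissions: {}

jobs:
  get_issue_number:
    runs-on: ubuntu-latest
    # github-script only needs to read PR metadata here.
    permissions:
      pull-requests: read
    outputs:
      number: ${{ steps.pr.outputs.result }}
    steps:
      - id: pr
        uses: actions/github-script@v7   # pin to a full commit SHA in the real repo
        with:
          script: |
            const prs = await github.rest.repos.listPullRequestsAssociatedWithCommit({
              owner: context.repo.owner,
              repo: context.repo.repo,
              commit_sha: context.sha,
            });
            return prs.data.length ? prs.data[0].number : 0;

  release_code:
    needs: get_issue_number
    # The called workflow can only lower what this job grants, never raise it,
    # so the OIDC and checkout scopes sam_release_code.yml declares must be
    # granted here.
    permissions:
      id-token: write   # OIDC token for the AWS role assumption
      contents: write   # needed only if the release pushes to gh-pages; otherwise read
    uses: ./.github/workflows/sam_release_code.yml
    with:
      issue_number: ${{ needs.get_issue_number.outputs.number }}   # assumed input name
    secrets: inherit
```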
| # restrict access to approving workflow changes | ||
| .github/workflows/ @NHSDigital/eps-admins |
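Review bot: the rule covers `.github/workflows/` but not `.github/CODEOWNERS` itself, so edits to the ownership rule do not require an eps-admins review; add `.github/CODEOWNERS @NHSDigital/eps-admins` beside it. CODEOWNERS only gates merges when the protected branch (or ruleset) requires review from code owners, so confirm that setting is enabled for the default branch, otherwise the comment `# restrict access to approving workflow changes` overstates what this file does on its own.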
The PR description still contains the placeholder/template sections (e.g. "Remove items from this list...", PR naming guidance). Please update it to reflect the actual change and remove the template text so the merge commit message/changelog entry is meaningful.