From 5db1bda41ac0f4268aa7ea1918fb2183fe96904b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 8 Apr 2026 16:39:53 +0000 Subject: [PATCH 1/3] new qc --- .devcontainer/devcontainer.json | 2 +- .github/CODEOWNERS | 2 ++ .github/workflows/ci.yml | 23 +++++++++---- .../delete_old_cloudformation_stacks.yml | 8 ++--- .github/workflows/pull_request.yml | 32 ++++++++++++++----- .github/workflows/release.yml | 22 ++++++++++--- .github/workflows/sam_package_code.yml | 4 ++- .github/workflows/sam_release_code.yml | 5 ++- .github/workflows/sync_copilot.yml | 1 + .gitignore | 1 + .pre-commit-config.yaml | 8 +++++ zizmor.yml | 8 +++++ 12 files changed, 88 insertions(+), 28 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 zizmor.yml diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index ee1bd5b3..7b4e7089 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -6,7 +6,7 @@ "args": { "DOCKER_GID": "${env:DOCKER_GID:}", "IMAGE_NAME": "node_24_python_3_14_java_24", - "IMAGE_VERSION": "v1.2.0", + "IMAGE_VERSION": "v1.4.4", "USER_UID": "${localEnv:USER_ID:}", "USER_GID": "${localEnv:GROUP_ID:}" } diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..0492a665 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# restrict access to approving workflow changes +.github/workflows/ @NHSDigital/eps-admins diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72fe7542..d41441b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
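Review bot: The new CODEOWNERS rule covers only `.github/workflows/`, so the scripts those workflows sparse-checkout and execute (`.github/scripts`, used by delete_old_cloudformation_stacks.yml and sam_release_code.yml) and the tooling that gates CI (`zizmor.yml`, `.pre-commit-config.yaml`, the Makefile the new pre-commit hook invokes, and CODEOWNERS itself) can still change without an eps-admins review. Widening the entry to `.github/ @NHSDigital/eps-admins` and adding `zizmor.yml @NHSDigital/eps-admins` closes the obvious gaps. CODEOWNERS only has teeth if the branch protection rule on main requires code-owner review, which this diff cannot show, so it is worth stating that assumption in the file's comment.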
@@ -4,17 +4,24 @@ on: push: branches: [main] -env: - BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} +permissions: {} jobs: get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + attestations: read + contents: read + packages: read with: verify_published_from_main_image: true quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 needs: [get_config_values] + permissions: + contents: read + id-token: write + packages: read secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: @@ -32,20 +39,24 @@ jobs: tag_release: needs: [quality_checks, get_commit_id, get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 permissions: id-token: write contents: write + packages: write with: dry_run: true pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} branch_name: main tag_format: ${{ needs.get_config_values.outputs.tag_format }} - secrets: inherit package_code: needs: [tag_release, get_config_values] uses: ./.github/workflows/sam_package_code.yml + permissions: + contents: read + id-token: write + packages: read with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} diff --git a/.github/workflows/delete_old_cloudformation_stacks.yml b/.github/workflows/delete_old_cloudformation_stacks.yml index 0d9cbe07..14cd4c15 100644 --- a/.github/workflows/delete_old_cloudformation_stacks.yml 
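Review bot: `tag_release` on the push-to-main workflow runs with `dry_run: true` yet is now granted `contents: write` and `packages: write`; if tag-release-devcontainer.yml at the pinned SHA skips the tag push and package publish in dry-run mode, these can drop to `contents: read` and `packages: read` here, leaving write scopes to release.yml where `dry_run: false`. Removing `secrets: inherit` is a good reduction, but confirm the called workflow declares no required secrets, otherwise the run fails at validation. The new SHA pins also lack the conventional trailing version comment (`@c8f899f… # vX.Y.Z`) that reviewers and Dependabot use to see what the hash corresponds to.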
+++ b/.github/workflows/delete_old_cloudformation_stacks.yml @@ -1,27 +1,23 @@ name: "Delete old cloudformation stacks" -# Controls when the action will run - in this case triggered manually on: workflow_dispatch: schedule: - cron: "0 0 * * *" -# A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: {} jobs: - # This workflow contains a single job called "combine-prs" delete-old-cloudformation-stacks: - # The type of runner that the job will run on runs-on: ubuntu-22.04 permissions: id-token: write contents: read - # Steps represent a sequence of tasks that will be executed as part of the job steps: - name: Checkout local github scripts uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} + persist-credentials: false sparse-checkout: | .github/scripts diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 780862ea..5e991e7b 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
@@ -4,30 +4,42 @@ on: pull_request: branches: [main] -env: - BRANCH_NAME: ${{ github.event.pull_request.head.ref }} +permissions: {} jobs: dependabot-auto-approve-and-merge: needs: quality_checks - uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + contents: write + pull-requests: write secrets: AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + attestations: read + contents: read + packages: read with: verify_published_from_main_image: false quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 needs: [get_config_values] + permissions: + contents: read + id-token: write + packages: read with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} pr_title_format_check: - uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + pull-requests: write get_issue_number: runs-on: ubuntu-22.04 
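Review bot: `dependabot-auto-approve-and-merge` now grants the job's GITHUB_TOKEN `contents: write` and `pull-requests: write` while also receiving an app credential (`AUTOMERGE_APP_ID`/`AUTOMERGE_PEM`); if the called workflow approves and merges with the app token, as the secret names suggest, the GITHUB_TOKEN write scopes are redundant and should be narrowed to `read` or dropped. `pr_title_format_check` gets `pull-requests: write` under a `pull_request` trigger, where fork PRs receive a read-only token, so any comment-posting in that check will fail on fork PRs; acceptable, but worth a comment such as `# pull-requests: write only takes effect for same-repo PRs`. Both called workflows are outside this diff, so actual token usage needs confirming at the pinned SHA.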
@@ -58,16 +70,16 @@ jobs: tag_release: needs: [get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 permissions: id-token: write contents: write + packages: write with: dry_run: true pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} branch_name: ${{ github.event.pull_request.head.ref }} tag_format: ${{ needs.get_config_values.outputs.tag_format }} - secrets: inherit get_commit_id: runs-on: ubuntu-22.04 @@ -82,6 +94,10 @@ jobs: package_code: needs: [get_issue_number, get_config_values] uses: ./.github/workflows/sam_package_code.yml + permissions: + contents: read + id-token: write + packages: read with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c0e03ca6..3902f958 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
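Review bot: The PR `tag_release` job passes the PR-author-controlled `branch_name: ${{ github.event.pull_request.head.ref }}` into a job that now also holds `contents: write` and `packages: write`, with `dry_run: true`. Git branch names may contain shell metacharacters, so if tag-release-devcontainer.yml interpolates `inputs.branch_name` directly into a `run:` step instead of via `env:`, a same-repo PR author (fork tokens are read-only) could inject commands into a job with write scopes; confirm the handling at the pinned SHA. Unless dry-run mode genuinely pushes tags or packages, `contents: read` and `packages: read` are sufficient here, matching the other PR jobs.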
@@ -3,17 +3,24 @@ name: deploy to environments on: workflow_dispatch: -env: - BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} +permissions: {} jobs: get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + attestations: read + contents: read + packages: read with: verify_published_from_main_image: true quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 needs: [get_config_values] + permissions: + contents: read + id-token: write + packages: read secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: @@ -31,10 +38,11 @@ jobs: tag_release: needs: [quality_checks, get_commit_id, get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 permissions: id-token: write contents: write + packages: write with: dry_run: false pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} @@ -49,6 +57,10 @@ jobs: package_code: needs: [tag_release, get_config_values] uses: ./.github/workflows/sam_package_code.yml + permissions: + contents: read + id-token: write + packages: read with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} diff --git a/.github/workflows/sam_package_code.yml b/.github/workflows/sam_package_code.yml index 402056ce..f972cdd5 100644 --- a/.github/workflows/sam_package_code.yml +++ b/.github/workflows/sam_package_code.yml 
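Review bot: `tag_release` in this `workflow_dispatch` workflow is the real release path (`dry_run: false`) and holds `contents: write`, `packages: write` and `id-token: write`, but nothing in the hunk restricts which ref it can be dispatched from; `verify_published_from_main_image: true` validates the devcontainer image, not the branch being released. Unless the common workflow enforces it, add `if: github.ref == 'refs/heads/main'` on `tag_release` so a dispatch against an arbitrary branch cannot create a tag and publish packages with a release-grade token. The `branch_name` input passed to this job lies outside the hunk.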
@@ -6,6 +6,8 @@ on: pinned_image: type: string required: true +permissions: {} + jobs: sam_package_code: runs-on: ubuntu-22.04 @@ -26,7 +28,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} + persist-credentials: false - name: make install run: | make install diff --git a/.github/workflows/sam_release_code.yml b/.github/workflows/sam_release_code.yml index 489f4562..1ecaff1d 100644 --- a/.github/workflows/sam_release_code.yml +++ b/.github/workflows/sam_release_code.yml @@ -45,6 +45,8 @@ on: DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: required: false +permissions: {} + jobs: sam_release_code: runs-on: ubuntu-22.04 @@ -66,7 +68,7 @@ jobs: - name: Checkout local github actions uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} + persist-credentials: false fetch-depth: 0 sparse-checkout: | .github @@ -102,6 +104,7 @@ jobs: - name: Checkout gh-pages uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: + persist-credentials: true ref: gh-pages path: gh-pages diff --git a/.github/workflows/sync_copilot.yml b/.github/workflows/sync_copilot.yml index 72b62eb1..06b2d7a1 100644 --- a/.github/workflows/sync_copilot.yml +++ b/.github/workflows/sync_copilot.yml @@ -4,6 +4,7 @@ on: workflow_dispatch: schedule: - cron: '0 6 * * 1' +permissions: {} jobs: sync-copilot-instructions: diff --git a/.gitignore b/.gitignore index 7baaecf0..b2d18c2d 100644 --- a/.gitignore +++ b/.gitignore @@ -44,3 +44,4 @@ node_modules/ vendor cfn_guard_output/ .trivy_out/ +.sbom/ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index efd98aa0..fd166300 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
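Review bot: `persist-credentials: true` on the `Checkout gh-pages` step is the one place this change deliberately leaves the GITHUB_TOKEN in a working tree, and it is undocumented; the token is readable by every later step in the job from `gh-pages/.git/config`, so add a comment above it such as `# credentials kept only for this checkout so the publish step can push to gh-pages; keep it the last checkout in the job`. It is also worth confirming that the caller-granted `contents: write` is needed only for this push and that the earlier checkout (now `persist-credentials: false`, `fetch-depth: 0`) is the one whose code is executed. The job body continues outside the hunk.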
@@ -23,6 +23,14 @@ repos: - repo: local hooks: + - id: grype-scan-local + name: Grype scan local changes + entry: make + args: ["grype-scan-local"] + language: system + pass_filenames: false + always_run: true + - id: check-commit-signing name: Check commit signing description: Ensures that commits are GPG signed diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 00000000..e5a3aee3 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,8 @@ +rules: + secrets-outside-env: + ignore: + - delete_old_cloudformation_stacks.yml:28:31 + unpinned-images: + ignore: + - sam_release_code.yml:55:7 + - sam_package_code.yml:15:7 From f177bc812dc7b329c5acd93b46f752463a1961ed Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 8 Apr 2026 16:41:27 +0000 Subject: [PATCH 2/3] fix --- .github/workflows/ci.yml | 6 ++++++ .github/workflows/pull_request.yml | 3 +++ .github/workflows/release.yml | 15 +++++++++++++++ 3 files changed, 24 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d41441b4..ba6e7806 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -63,6 +63,9 @@ jobs: release_dev: needs: [tag_release, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/sam_release_code.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} @@ -84,6 +87,9 @@ jobs: release_qa: needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/sam_release_code.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 5e991e7b..298e309d 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
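Review bot: The new `grype-scan-local` hook appears to replace the trivy configuration deleted in the third patch, but grype scans vulnerabilities only; the removed `trivy.yaml` carried a license policy (`license.ignored` for LGPL-2.1-only and GPL-2.0-with-classpath-exception), so license checking has no visible replacement unless the `grype-scan-local` make target also runs a license tool. The hook is `language: system` with `always_run: true`, so it silently depends on `grype` and `make` being on every contributor's PATH, presumably via the devcontainer image bumped to v1.4.4 in this patch; a `description:` line stating that would help, e.g. `description: Runs grype against local changes; requires grype from the devcontainer`.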
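Review bot: The `zizmor.yml` ignores are pinned to `file:line:col` positions with no explanation, so a reader cannot tell why `secrets-outside-env` at delete_old_cloudformation_stacks.yml:28 and `unpinned-images` in the two SAM workflows are accepted; the likely reason for the latter is that the container image comes from the `pinned_image` input (a digest supplied by get-repo-config) which zizmor cannot resolve, and that belongs in a `#` comment above each entry. Line-anchored ignores stop matching as soon as those files are edited above the anchor, at which point zizmor re-flags the finding; that is fail-safe, but expect the check to break on unrelated edits and re-pin deliberately rather than falling back to a whole-file ignore.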
@@ -104,6 +104,9 @@ jobs: release_code: needs: [get_issue_number, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/sam_release_code.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} STACK_NAME: fhir-validator-pr-${{needs.get_issue_number.outputs.issue_number}} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3902f958..985ed4ce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -67,6 +67,9 @@ jobs: release_dev: needs: [tag_release, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/sam_release_code.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} @@ -88,6 +91,9 @@ jobs: release_ref: needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/sam_release_code.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} @@ -105,6 +111,9 @@ jobs: release_qa: needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/sam_release_code.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} @@ -122,6 +131,9 @@ jobs: release_int: needs: [tag_release, release_qa, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/sam_release_code.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} 
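Review bot: `release_code` in the PR workflow now gets `contents: write`, which for same-repo PRs means a job that deploys an ephemeral `fhir-validator-pr-<n>` stack also holds a token able to push to the repository; if sam_release_code.yml needs write only for its gh-pages publish and PR stacks do not publish docs, this caller should grant `contents: read` and `id-token: write` only. Callers must pass the union of what the callee needs, so if the gh-pages checkout is unconditional inside sam_release_code.yml, consider gating it on an input so PR deployments can run with a read-only token.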
@@ -143,6 +155,9 @@ jobs: release_prod: needs: [tag_release, release_int, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/sam_release_code.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} From c09469911dcd33bbf9de525e437bb4fba6357c4a Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 13 Apr 2026 14:15:19 +0000 Subject: [PATCH 3/3] remove trivy --- trivy.yaml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 trivy.yaml diff --git a/trivy.yaml b/trivy.yaml deleted file mode 100644 index df1250f2..00000000 --- a/trivy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -ignorefile: ".trivyignore" -license: - ignored: ["LGPL-2.1-only", "GPL-2.0-with-classpath-exception"]
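Review bot: Every release_* caller in release.yml (dev, ref, qa, int and here prod) is granted the same `contents: write` and `id-token: write`, so all five environment jobs receive a repo-writing token although presumably only the one that publishes to gh-pages needs it; narrow the rest to `contents: read`. For the prod job, `id-token: write` lets the callee assume a production AWS role from a plain dispatch, so pass an environment name input that the job inside sam_release_code.yml binds to an `environment:` with required reviewers (a `uses:` job cannot set `environment:` at the caller). The inputs passed to this job continue outside the hunk.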