diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index f82ecf0..d13583e 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -6,7 +6,7 @@
"args": {
"DOCKER_GID": "${env:DOCKER_GID:}",
"IMAGE_NAME": "node_24_python_3_14",
- "IMAGE_VERSION": "v1.4.2",
+ "IMAGE_VERSION": "v1.4.8",
"USER_UID": "${localEnv:USER_ID:}",
"USER_GID": "${localEnv:GROUP_ID:}"
},
diff --git a/.gitallowed b/.gitallowed
deleted file mode 100644
index 267605f..0000000
--- a/.gitallowed
+++ /dev/null
@@ -1,7 +0,0 @@
-id-token: write
-password: \${{secrets\.GITHUB_TOKEN}}
-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
-github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
-token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
-\.gitallowed
-id-token: "write"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 96e01b6..dca57e2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,12 +2,12 @@ name: ci
on:
push:
- branches: [main]
+ branches: [ main ]
permissions: {}
jobs:
get_config_values:
- uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
attestations: "read"
contents: "read"
@@ -16,21 +16,24 @@ jobs:
verify_published_from_main_image: false
quality_checks:
- uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
- needs: [get_config_values]
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+ needs: [ get_config_values ]
permissions:
contents: "read"
+ packages: "read"
+ id-token: "write"
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
tag_release:
- needs: [get_config_values]
- uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+ needs: [ get_config_values ]
+ uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
id-token: "write"
contents: "write"
+ packages: "write"
with:
dry_run: true
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index ff511c2..d567bf2 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -2,13 +2,13 @@ name: pull_request
on:
pull_request:
- branches: [main]
+ branches: [ main ]
permissions: {}
jobs:
get_config_values:
- uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
attestations: "read"
contents: "read"
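Review bot: `tag_release` gains `packages: "write"` while this workflow calls it with `dry_run: true`, and `quality_checks` gains `id-token: "write"`, with nothing on the new side recording which step of the called workflow needs each scope; the same additions appear in pull_request.yml (@@ -26,25) and release.yml (@@ -18,21). A caller's `permissions` block is the ceiling a reusable workflow can use, so a scope the called workflow does not actually use at the pinned ref is standing privilege on every run from main. If the dry run only computes the tag and pushes nothing, `packages: "read"` (or dropping the scope) would suffice here and in pull_request.yml — confirm against tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845. A one-line comment above each added scope, e.g. `# packages: read — <what the called workflow pulls with it>; id-token: write — <what the OIDC token is exchanged for>`, would keep the grant reviewable.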
@@ -17,7 +17,7 @@ jobs:
verify_published_from_main_image: false
dependabot-auto-approve-and-merge:
- uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
contents: "write"
pull-requests: "write"
@@ -26,25 +26,28 @@ jobs:
AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
quality_checks:
- uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
contents: "read"
- needs: [get_config_values]
+ packages: "read"
+ id-token: "write"
+ needs: [ get_config_values ]
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
pr_title_format_check:
- uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
pull-requests: "write"
tag_release:
- needs: [get_config_values]
- uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+ needs: [ get_config_values ]
+ uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
id-token: "write"
contents: "write"
+ packages: "write"
with:
dry_run: true
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 02b105e..d4c578f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ permissions: {}
jobs:
get_config_values:
- uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
attestations: "read"
contents: "read"
@@ -18,21 +18,24 @@ jobs:
verify_published_from_main_image: false
quality_checks:
- uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
- needs: [get_config_values]
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+ needs: [ get_config_values ]
permissions:
contents: "read"
+ packages: "read"
+ id-token: "write"
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
tag_release:
- needs: [get_config_values]
- uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+ needs: [ get_config_values ]
+ uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
permissions:
id-token: "write"
contents: "write"
+ packages: "write"
with:
dry_run: false
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 00e54d5..1f88c7f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,7 +26,7 @@ repos:
- id: zizmor-action
name: Check action.yml
entry: zizmor
- args: ["action.yml"]
+ args: [ "action.yml" ]
language: system
files: action.yml
pass_filenames: false
@@ -34,19 +34,19 @@ repos:
- id: lint-githubactions
name: Lint github actions
entry: make
- args: ["actionlint"]
+ args: [ "actionlint" ]
language: system
files: ^.github
- types_or: [yaml]
+ types_or: [ yaml ]
pass_filenames: false
- id: lint-githubaction-scripts
name: Lint github action scripts
entry: make
- args: ["shellcheck"]
+ args: [ "shellcheck" ]
language: system
files: ^.github/scripts
- types_or: [sh, shell]
+ types_or: [ sh, shell ]
pass_filenames: false
- id: check-commit-signing
@@ -78,14 +78,15 @@ repos:
pass_filenames: false
always_run: true
- - id: git-secrets
- name: Git Secrets
- description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+ - id: gitleasks
+ name: Git Leaks
+ description: gitleaks scans commits, commit messages, and --no-ff merges to
+ prevent adding secrets into your git repositories.
entry: bash
args:
- -c
- "git-secrets --pre_commit_hook"
+ - "gitleaks git --pre-commit --redact --staged --verbose"
language: system
fail_fast: true
-default_stages: [pre-commit]
+default_stages: [ pre-commit ]
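Review bot: The new hook id `gitleasks` misspells the tool that `name`, `description` and the command itself call gitleaks; local-hook ids are free-form so nothing fails, but `pre-commit run gitleasks` or `SKIP=gitleaks` will not match what people expect — change it to `- id: gitleaks`. Wrapping the command in `bash -c` adds nothing here (no pipes, globs or variables), so `entry: gitleaks` with `args: ["git", "--pre-commit", "--redact", "--staged", "--verbose"]` is simpler and avoids a second round of word-splitting. The two-line `description:` is a plain multi-line scalar that YAML folds silently; `description: >-` makes the folding explicit. This commit also deletes `.gitallowed` (the git-secrets allowlist); if any of those patterns were load-bearing, gitleaks takes its exceptions from a `.gitleaksignore` file or the `[allowlist]` section of a `.gitleaks.toml`, neither of which is added.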