Chore: [AEA-0000] - bump dev container version to 1.4.8

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.4.2",
+      "IMAGE_VERSION": "v1.4.8",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     },

.github/workflows/ci.yml

@@ -2,12 +2,12 @@ name: ci
 
 on:
     push:
-        branches: [main]
+        branches: [ main ]
 
 permissions: {}
 jobs:
     get_config_values:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             attestations: "read"
             contents: "read"
@@ -16,21 +16,24 @@ jobs:
             verify_published_from_main_image: false
 
     quality_checks:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        needs: [get_config_values]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+        needs: [ get_config_values ]
         permissions:
             contents: "read"
+            packages: "read"
+            id-token: "write"
         with:
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
         secrets:
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
     tag_release:
-        needs: [get_config_values]
-        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        needs: [ get_config_values ]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             id-token: "write"
             contents: "write"
+            packages: "write"
         with:
             dry_run: true
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

.github/workflows/pull_request.yml

@@ -2,13 +2,13 @@ name: pull_request
 
 on:
     pull_request:
-        branches: [main]
+        branches: [ main ]
 
 permissions: {}
 
 jobs:
     get_config_values:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             attestations: "read"
             contents: "read"
@@ -17,7 +17,7 @@ jobs:
             verify_published_from_main_image: false
 
     dependabot-auto-approve-and-merge:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+        uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             contents: "write"
             pull-requests: "write"
@@ -26,25 +26,28 @@ jobs:
             AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
 
     quality_checks:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             contents: "read"
-        needs: [get_config_values]
+            packages: "read"
+            id-token: "write"
+        needs: [ get_config_values ]
         with:
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
         secrets:
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
     pr_title_format_check:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+        uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             pull-requests: "write"
     tag_release:
-        needs: [get_config_values]
-        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        needs: [ get_config_values ]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             id-token: "write"
             contents: "write"
+            packages: "write"
         with:
             dry_run: true
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

.github/workflows/release.yml

@@ -9,7 +9,7 @@ permissions: {}
 
 jobs:
     get_config_values:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             attestations: "read"
             contents: "read"
@@ -18,21 +18,24 @@ jobs:
             verify_published_from_main_image: false
 
     quality_checks:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        needs: [get_config_values]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+        needs: [ get_config_values ]
         permissions:
             contents: "read"
+            packages: "read"
+            id-token: "write"
         with:
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
         secrets:
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
     tag_release:
-        needs: [get_config_values]
-        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        needs: [ get_config_values ]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             id-token: "write"
             contents: "write"
+            packages: "write"
         with:
             dry_run: false
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

.pre-commit-config.yaml

@@ -26,27 +26,27 @@ repos:
       - id: zizmor-action
         name: Check action.yml
         entry: zizmor
-        args: ["action.yml"]
+        args: [ "action.yml" ]
         language: system
         files: action.yml
         pass_filenames: false
 
       - id: lint-githubactions
         name: Lint github actions
         entry: make
-        args: ["actionlint"]
+        args: [ "actionlint" ]
         language: system
         files: ^.github
-        types_or: [yaml]
+        types_or: [ yaml ]
         pass_filenames: false
 
       - id: lint-githubaction-scripts
         name: Lint github action scripts
         entry: make
-        args: ["shellcheck"]
+        args: [ "shellcheck" ]
         language: system
         files: ^.github/scripts
-        types_or: [sh, shell]
+        types_or: [ sh, shell ]
         pass_filenames: false
 
       - id: check-commit-signing
@@ -78,14 +78,15 @@ repos:
         pass_filenames: false
         always_run: true
 
-      - id: git-secrets
-        name: Git Secrets
-        description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+      - id: gitleasks
+        name: Git Leaks
+        description: gitleaks scans commits, commit messages, and --no-ff merges to
+          prevent adding secrets into your git repositories.
         entry: bash
         args:
           - -c
-          - "git-secrets --pre_commit_hook"
+          - "gitleaks git --pre-commit --redact --staged --verbose"
         language: system
 
 fail_fast: true
-default_stages: [pre-commit]
+default_stages: [ pre-commit ]