Chore: [AEA-0000] - add pre-commit hooks, update docs, tighten security on workflows

.gitallowed

@@ -0,0 +1,7 @@
+id-token: write
+password: \${{secrets\.GITHUB_TOKEN}}
+token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
+\.gitallowed
+id-token: "write"

.github/workflows/ci.yml

@@ -4,15 +4,22 @@ on:
     push:
         branches: [main]
 
+permissions: {}
 jobs:
     get_config_values:
         uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        permissions:
+            attestations: "read"
+            contents: "read"
+            packages: "read"
         with:
             verify_published_from_main_image: false
 
     quality_checks:
         uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
         needs: [get_config_values]
+        permissions:
+            contents: "read"
         with:
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
         secrets:

.github/workflows/pull_request.yml

@@ -4,20 +4,31 @@ on:
     pull_request:
         branches: [main]
 
+permissions: {}
+
 jobs:
     get_config_values:
         uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        permissions:
+            attestations: "read"
+            contents: "read"
+            packages: "read"
         with:
             verify_published_from_main_image: false
 
     dependabot-auto-approve-and-merge:
         uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        permissions:
+            contents: "write"
+            pull-requests: "write"
         secrets:
             AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
             AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
 
     quality_checks:
         uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        permissions:
+            contents: "read"
         needs: [get_config_values]
         with:
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
@@ -26,7 +37,8 @@ jobs:
 
     pr_title_format_check:
         uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-
+        permissions:
+            pull-requests: "write"
     tag_release:
         needs: [get_config_values]
         uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7

.github/workflows/release.yml

@@ -5,15 +5,23 @@ on:
     schedule:
         - cron: "0 8 * * 3"
 
+permissions: {}
+
 jobs:
     get_config_values:
         uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        permissions:
+            attestations: "read"
+            contents: "read"
+            packages: "read"
         with:
             verify_published_from_main_image: false
 
     quality_checks:
         uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
         needs: [get_config_values]
+        permissions:
+            contents: "read"
         with:
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
         secrets:

.github/workflows/update_dev_container.yml

@@ -0,0 +1,24 @@
+name: Update devcontainer version
+
+on:
+    workflow_dispatch:
+    schedule:
+        - cron: "0 6 * * 1"
+
+permissions: {}
+
+jobs:
+    update-devcontainer-version:
+        runs-on: ubuntu-22.04
+        environment: create_pull_request
+        permissions:
+            contents: read
+            packages: read
+
+        steps:
+            - name: Update devcontainer version
+              uses: NHSDigital/eps-update-devcontainer@95118f6746ca7081258cc7f651dca1c5bb7339f1
+              with:
+                  calling_repo_base_branch: main
+                  CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
+                  CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}

.pre-commit-config.yaml

@@ -0,0 +1,91 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-merge-conflict
+        name: Check for merge conflict strings
+
+      - id: end-of-file-fixer
+        name: Fix missing newline at the end of files
+
+      - id: check-shebang-scripts-are-executable
+        name: Check shell scripts are executable
+        files: \.(sh)$
+
+      - id: check-yaml
+        name: Check pipelines configuration
+        files: ^(.github)
+
+  - repo: https://github.com/pycqa/flake8
+    rev: "7ef0350a439c93166bc8ba89fcc3de6a9a664e6c"
+    hooks:
+      - id: flake8
+
+  - repo: local
+    hooks:
+      - id: zizmor-action
+        name: Check action.yml
+        entry: zizmor
+        args: ["action.yml"]
+        language: system
+        files: action.yml
+        pass_filenames: false
+
+      - id: lint-githubactions
+        name: Lint github actions
+        entry: make
+        args: ["actionlint"]
+        language: system
+        files: ^.github
+        types_or: [yaml]
+        pass_filenames: false
+
+      - id: lint-githubaction-scripts
+        name: Lint github action scripts
+        entry: make
+        args: ["shellcheck"]
+        language: system
+        files: ^.github/scripts
+        types_or: [sh, shell]
+        pass_filenames: false
+
+      - id: check-commit-signing
+        name: Check commit signing
+        description: Ensures that commits are GPG signed
+        entry: bash
+        args:
+          - -c
+          - |
+            if ! git config --get user.signingkey > /dev/null 2>&1; then
+              echo "Error: Git signing key not configured."
+              echo "Please configure your GPG signing key with:"
+              echo "  git config user.signingkey <YOUR_GPG_KEY_ID>"
+              echo ""
+              echo "To find your GPG key ID, run: gpg --list-secret-keys --keyid-format=long"
+              echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
+              exit 1
+            fi
+            if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then
+              echo "Error: Commit signing is not enabled."
+              echo "Please enable commit signing with:"
+              echo "  git config commit.gpgsign true"
+              echo ""
+              echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
+              exit 1
+            fi
+            echo "Commit signing is properly configured."
+        language: system
+        pass_filenames: false
+        always_run: true
+
+      - id: git-secrets
+        name: Git Secrets
+        description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+        entry: bash
+        args:
+          - -c
+          - "git-secrets --pre_commit_hook"
+        language: system
+
+fail_fast: true
+default_stages: [pre-commit]

Makefile

@@ -1,8 +1,11 @@
 .PHONY: install install-node compile lint test
-install:
-	echo "Nothing to install"
+install: install-node install-python install-hooks
 install-node:
 	echo "Nothing to install"
+install-python:
+	poetry install
+install-hooks: install-python
+	poetry run pre-commit install --install-hooks --overwrite
 compile:
 	echo "Nothing to compile"
 lint:

README.md

@@ -48,6 +48,8 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
+permissions: {}
+
 jobs:
   sync-copilot-instructions:
     runs-on: ubuntu-22.04