From f9598f3d9e9769a15f8b2596eb5069d759d4a4e5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 16 Apr 2026 18:57:39 +0000 Subject: [PATCH 1/2] bump dev container version --- .github/workflows/ci.yml | 2 +- .github/workflows/pull_request.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2c6a67a..ed166d2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,7 @@ jobs: verify_published_from_main_image: false quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@68c2dea999875055ecbfdf055d8391e6e8b8ce2f + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8399c1f015c1304e40771cbd8ccc24c7ed48fdbc needs: [get_config_values] permissions: contents: "read" diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 9b0dae8..3896c56 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -24,7 +24,7 @@ jobs: AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@68c2dea999875055ecbfdf055d8391e6e8b8ce2f + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8399c1f015c1304e40771cbd8ccc24c7ed48fdbc needs: [get_config_values] permissions: contents: "read" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4d5946b..63e8a55 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -16,7 +16,7 @@ jobs: verify_published_from_main_image: false quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@68c2dea999875055ecbfdf055d8391e6e8b8ce2f + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8399c1f015c1304e40771cbd8ccc24c7ed48fdbc needs: [get_config_values] permissions: contents: "read" From 4feb59298642c34e4fb99ae7f2bc9d42effedf71 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 17 Apr 2026 08:10:25 +0000 Subject: [PATCH 2/2] fix --- .devcontainer/devcontainer.json | 2 +- .gitallowed | 7 ------- .github/workflows/ci.yml | 15 +++++++++------ .github/workflows/pull_request.yml | 19 +++++++++++-------- .github/workflows/release.yml | 13 ++++++++----- .pre-commit-config.yaml | 21 +++++++++++---------- 6 files changed, 40 insertions(+), 37 deletions(-) delete mode 100644 .gitallowed diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 47cd4f7..ab5b4f1 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -6,7 +6,7 @@ "args": { "DOCKER_GID": "${env:DOCKER_GID:}", "IMAGE_NAME": "node_24_python_3_14", - "IMAGE_VERSION": "v1.4.2", + "IMAGE_VERSION": "v1.4.8", "USER_UID": "${localEnv:USER_ID:}", "USER_GID": "${localEnv:GROUP_ID:}" }, diff --git a/.gitallowed b/.gitallowed deleted file mode 100644 index 267605f..0000000 --- a/.gitallowed +++ /dev/null @@ -1,7 +0,0 @@ -id-token: write -password: \${{secrets\.GITHUB_TOKEN}} -token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"? -github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"? -token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"? -\.gitallowed -id-token: "write" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ed166d2..7e7caf9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -2,11 +2,11 @@ name: ci on: push: - branches: [main] + branches: [ main ] permissions: {} jobs: get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 permissions: attestations: "read" contents: "read" @@ -15,21 +15,24 @@ jobs: verify_published_from_main_image: false quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8399c1f015c1304e40771cbd8ccc24c7ed48fdbc - needs: [get_config_values] + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 + needs: [ get_config_values ] permissions: contents: "read" + packages: "read" + id-token: "write" with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: - needs: [get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@68c2dea999875055ecbfdf055d8391e6e8b8ce2f + needs: [ get_config_values ] + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 permissions: id-token: "write" contents: "write" + packages: "write" with: dry_run: true pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 3896c56..b3c974d 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
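Review bot: The `id-token: "write"` added to the quality_checks permissions in the second hunk (and likewise in pull_request.yml and release.yml below) widens that job from read-only to OIDC token minting, yet the commit message "fix" gives no reason, so a reader cannot tell whether the quality-checks-devcontainer.yml revision at 8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 actually declares that need or whether `packages: "read"` alone would suffice. Confirm against the called workflow's declared permissions and either drop the grant or record why it is there, e.g. `id-token: "write"  # required by quality-checks-devcontainer.yml for <reason>`; the same question applies to the new `packages: "write"` on tag_release. Since every `uses:` is now pinned to a bare SHA, a trailing `# <tag>` comment on each pin would make future bumps reviewable without resolving the commit by hand. On the pull_request trigger this grant is presumably not honoured for fork-originated runs, so a green PR build does not by itself show the release path works with the new permissions.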
@@ -2,11 +2,11 @@ name: pull_request on: pull_request: - branches: [main] + branches: [ main ] permissions: {} jobs: get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 permissions: attestations: "read" contents: "read" @@ -15,7 +15,7 @@ jobs: verify_published_from_main_image: false dependabot-auto-approve-and-merge: - uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929 + uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 permissions: contents: "write" pull-requests: "write" 
@@ -24,26 +24,29 @@ jobs: AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8399c1f015c1304e40771cbd8ccc24c7ed48fdbc - needs: [get_config_values] + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 + needs: [ get_config_values ] permissions: contents: "read" + packages: "read" + id-token: "write" with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} pr_title_format_check: - uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929 + uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 permissions: pull-requests: "write" tag_release: - needs: [get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@68c2dea999875055ecbfdf055d8391e6e8b8ce2f + needs: [ get_config_values ] + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 permissions: id-token: "write" contents: "write" + packages: "write" with: dry_run: true pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63e8a55..2e9e331 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,7 +7,7 @@ on: permissions: {} jobs: get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 permissions: attestations: "read" contents: "read" 
@@ -16,21 +16,24 @@ jobs: verify_published_from_main_image: false quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8399c1f015c1304e40771cbd8ccc24c7ed48fdbc - needs: [get_config_values] + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 + needs: [ get_config_values ] permissions: contents: "read" + packages: "read" + id-token: "write" with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: - needs: [get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@68c2dea999875055ecbfdf055d8391e6e8b8ce2f + needs: [ get_config_values ] + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845 permissions: id-token: "write" contents: "write" + packages: "write" with: dry_run: false pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 00e54d5..1f88c7f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -26,7 +26,7 @@ repos: - id: zizmor-action name: Check action.yml entry: zizmor - args: ["action.yml"] + args: [ "action.yml" ] language: system files: action.yml pass_filenames: false @@ -34,19 +34,19 @@ repos: - id: lint-githubactions name: Lint github actions entry: make - args: ["actionlint"] + args: [ "actionlint" ] language: system files: ^.github - types_or: [yaml] + types_or: [ yaml ] pass_filenames: false - id: lint-githubaction-scripts name: Lint github action scripts entry: make - args: ["shellcheck"] + args: [ "shellcheck" ] language: system files: ^.github/scripts - types_or: [sh, shell] + types_or: [ sh, shell ] pass_filenames: false - id: check-commit-signing 
@@ -78,14 +78,15 @@ repos: pass_filenames: false always_run: true - - id: git-secrets - name: Git Secrets - description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. + - id: gitleasks + name: Git Leaks + description: gitleaks scans commits, commit messages, and --no-ff merges to + prevent adding secrets into your git repositories. entry: bash args: - -c - - "git-secrets --pre_commit_hook" + - "gitleaks git --pre-commit --redact --staged --verbose" language: system fail_fast: true -default_stages: [pre-commit] +default_stages: [ pre-commit ]
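Review bot: The hook id on the first added line is misspelled `gitleasks`, which will silently defeat anyone referencing the hook by id (for example `SKIP=gitleaks`); it should read `- id: gitleaks`. The description is carried over from the removed git-secrets entry almost verbatim, but the new command `gitleaks git --pre-commit --redact --staged --verbose` scans staged changes, so the "--no-ff merges" wording presumably no longer describes what runs — suggest `description: >-` followed by `gitleaks scans the staged changes for secrets before each commit.`, which also replaces the accidental plain multi-line scalar with an explicit folded block. With `language: system` the gitleaks binary must already be present in the devcontainer image; nothing in this patch shows where it is installed, and the deleted `.gitallowed` allowlist has no gitleaks-side equivalent added here, so any finding those entries previously suppressed will now block commits until a gitleaks configuration is introduced.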