Skip to content

Chore: [AEA-6424] - new quality checks #493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
anthony-nhs merged 4 commits into from
Apr 13, 2026
Merged

Chore: [AEA-6424] - new quality checks #493

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5db1bda
new qc
anthony-nhs Apr 8, 2026
f177bc8
fix
anthony-nhs Apr 8, 2026
e9f67c8
Merge remote-tracking branch 'origin/main' into new_qc
anthony-nhs Apr 13, 2026
c094699
remove trivy
anthony-nhs Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .devcontainer/devcontainer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
"args": {
"DOCKER_GID": "${env:DOCKER_GID:}",
"IMAGE_NAME": "node_24_python_3_14_java_24",
"IMAGE_VERSION": "v1.2.0",
"IMAGE_VERSION": "v1.4.4",
"USER_UID": "${localEnv:USER_ID:}",
"USER_GID": "${localEnv:GROUP_ID:}"
}
Expand Down
2 changes: 2 additions & 0 deletions .github/CODEOWNERS
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# restrict access to approving workflow changes
.github/workflows/ @NHSDigital/eps-admins
Comment on lines +1 to +2
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description still contains the placeholder/template sections (e.g. "Remove items from this list...", PR naming guidance). Please update it to reflect the actual change and remove the template text so the merge commit message/changelog entry is meaningful.

Copilot uses AI. Check for mistakes.
29 changes: 23 additions & 6 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,24 @@ on:
push:
branches: [main]

env:
BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
permissions: {}
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With workflow-level permissions: {} the jobs that call the reusable workflow sam_release_code.yml (e.g. release_dev, release_qa) currently don't declare job-level permissions. Reusable workflows cannot elevate permissions above the caller, so sam_release_code.yml won't actually get the id-token / contents permissions it requests and AWS/OIDC + checkout/push steps can fail. Add explicit job-level permissions to each uses: ./.github/workflows/sam_release_code.yml job (at minimum id-token: write and contents: write if gh-pages updates are required).

Suggested change
permissions: {}
permissions:
contents: write
id-token: write

Copilot uses AI. Check for mistakes.

jobs:
get_config_values:
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
permissions:
attestations: read
contents: read
packages: read
with:
verify_published_from_main_image: true
quality_checks:
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
needs: [get_config_values]
permissions:
contents: read
id-token: write
packages: read
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
Expand All @@ -32,26 +39,33 @@ jobs:

tag_release:
needs: [quality_checks, get_commit_id, get_config_values]
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
permissions:
id-token: write
contents: write
packages: write
with:
dry_run: true
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
branch_name: main
tag_format: ${{ needs.get_config_values.outputs.tag_format }}
secrets: inherit

package_code:
needs: [tag_release, get_config_values]
uses: ./.github/workflows/sam_package_code.yml
permissions:
contents: read
id-token: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

release_dev:
needs: [tag_release, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/sam_release_code.yml
permissions:
contents: write
id-token: write
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
Expand All @@ -73,6 +87,9 @@ jobs:
release_qa:
needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/sam_release_code.yml
permissions:
contents: write
id-token: write
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
Expand Down
8 changes: 2 additions & 6 deletions .github/workflows/delete_old_cloudformation_stacks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,27 +1,23 @@
name: "Delete old cloudformation stacks"

# Controls when the action will run - in this case triggered manually
on:
workflow_dispatch:
schedule:
- cron: "0 0 * * *"

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
permissions: {}
jobs:
# This workflow contains a single job called "combine-prs"
delete-old-cloudformation-stacks:
# The type of runner that the job will run on
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: read

# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- name: Checkout local github scripts
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
ref: ${{ env.BRANCH_NAME }}
persist-credentials: false
sparse-checkout: |
.github/scripts

Expand Down
35 changes: 27 additions & 8 deletions .github/workflows/pull_request.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,30 +4,42 @@ on:
pull_request:
branches: [main]

env:
BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
permissions: {}
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With workflow-level permissions: {} the default GITHUB_TOKEN permissions are none. Jobs like get_issue_number (uses actions/github-script to call the PR/commit APIs) and release_code (calls reusable workflow sam_release_code.yml, which needs at least id-token: write and contents: read) currently don't set job-level permissions, so they will inherit none and likely fail with 403 / OIDC token errors. Add explicit permissions blocks to those jobs (e.g. pull-requests: read for get_issue_number, and id-token: write + contents: read (or contents: write if needed) for release_code).

Copilot uses AI. Check for mistakes.

jobs:
dependabot-auto-approve-and-merge:
needs: quality_checks
uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
permissions:
contents: write
pull-requests: write
secrets:
AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
get_config_values:
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
permissions:
attestations: read
contents: read
packages: read
with:
verify_published_from_main_image: false
quality_checks:
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
needs: [get_config_values]
permissions:
contents: read
id-token: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

pr_title_format_check:
uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
permissions:
pull-requests: write

get_issue_number:
runs-on: ubuntu-22.04
Expand Down Expand Up @@ -58,16 +70,16 @@ jobs:

tag_release:
needs: [get_config_values]
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
permissions:
id-token: write
contents: write
packages: write
with:
dry_run: true
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
branch_name: ${{ github.event.pull_request.head.ref }}
tag_format: ${{ needs.get_config_values.outputs.tag_format }}
secrets: inherit

get_commit_id:
runs-on: ubuntu-22.04
Expand All @@ -82,12 +94,19 @@ jobs:
package_code:
needs: [get_issue_number, get_config_values]
uses: ./.github/workflows/sam_package_code.yml
permissions:
contents: read
id-token: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

release_code:
needs: [get_issue_number, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/sam_release_code.yml
permissions:
contents: write
id-token: write
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
STACK_NAME: fhir-validator-pr-${{needs.get_issue_number.outputs.issue_number}}
Expand Down
37 changes: 32 additions & 5 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,24 @@ name: deploy to environments
on:
workflow_dispatch:

env:
BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
permissions: {}
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With workflow-level permissions: {} the release_* jobs that call the reusable workflow sam_release_code.yml don't declare job-level permissions. Because called workflows cannot elevate permissions beyond the caller, sam_release_code.yml will run without the id-token / contents permissions it needs for OIDC AWS auth, checkout, and gh-pages updates. Add explicit permissions blocks to each release_* job (at minimum id-token: write and contents: write).

Copilot uses AI. Check for mistakes.

jobs:
get_config_values:
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
permissions:
attestations: read
contents: read
packages: read
with:
verify_published_from_main_image: true
quality_checks:
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
needs: [get_config_values]
permissions:
contents: read
id-token: write
packages: read
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
Expand All @@ -31,10 +38,11 @@ jobs:

tag_release:
needs: [quality_checks, get_commit_id, get_config_values]
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
permissions:
id-token: write
contents: write
packages: write
with:
dry_run: false
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
Expand All @@ -49,12 +57,19 @@ jobs:
package_code:
needs: [tag_release, get_config_values]
uses: ./.github/workflows/sam_package_code.yml
permissions:
contents: read
id-token: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

release_dev:
needs: [tag_release, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/sam_release_code.yml
permissions:
contents: write
id-token: write
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
Expand All @@ -76,6 +91,9 @@ jobs:
release_ref:
needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/sam_release_code.yml
permissions:
contents: write
id-token: write
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
Expand All @@ -93,6 +111,9 @@ jobs:
release_qa:
needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/sam_release_code.yml
permissions:
contents: write
id-token: write
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
Expand All @@ -110,6 +131,9 @@ jobs:
release_int:
needs: [tag_release, release_qa, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/sam_release_code.yml
permissions:
contents: write
id-token: write
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
Expand All @@ -131,6 +155,9 @@ jobs:
release_prod:
needs: [tag_release, release_int, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/sam_release_code.yml
permissions:
contents: write
id-token: write
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/sam_package_code.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ on:
pinned_image:
type: string
required: true
permissions: {}

jobs:
sam_package_code:
runs-on: ubuntu-22.04
Expand All @@ -26,7 +28,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
ref: ${{ env.BRANCH_NAME }}
persist-credentials: false
- name: make install
run: |
make install
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/sam_release_code.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ on:
DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE:
required: false

permissions: {}

jobs:
sam_release_code:
runs-on: ubuntu-22.04
Expand All @@ -66,7 +68,7 @@ jobs:
- name: Checkout local github actions
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
ref: ${{ env.BRANCH_NAME }}
persist-credentials: false
fetch-depth: 0
sparse-checkout: |
.github
Expand Down Expand Up @@ -102,6 +104,7 @@ jobs:
- name: Checkout gh-pages
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: true
ref: gh-pages
path: gh-pages

Expand Down
1 change: 1 addition & 0 deletions .github/workflows/sync_copilot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ on:
workflow_dispatch:
schedule:
- cron: '0 6 * * 1'
permissions: {}

jobs:
sync-copilot-instructions:
Expand Down
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,4 @@ node_modules/
vendor
cfn_guard_output/
.trivy_out/
.sbom/
8 changes: 8 additions & 0 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,14 @@ repos:

- repo: local
hooks:
- id: grype-scan-local
name: Grype scan local changes
entry: make
args: ["grype-scan-local"]
language: system
pass_filenames: false
always_run: true

- id: check-commit-signing
name: Check commit signing
description: Ensures that commits are GPG signed
Expand Down
8 changes: 8 additions & 0 deletions zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
rules:
secrets-outside-env:
ignore:
- delete_old_cloudformation_stacks.yml:28:31
unpinned-images:
ignore:
- sam_release_code.yml:55:7
- sam_package_code.yml:15:7
Loading