Merge branch 'main' into aea-6256-cdk-statemachine

tstephen-nhs · web-flow · commit 610786761223 · 2026-03-27T14:06:27.000Z
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -6,13 +6,11 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.0.7",
+      "IMAGE_VERSION": "v1.2.0",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     }
   },
-  // Conditionally register git-secrets to avoid failures when it is already configured
-  // but continue to fail in the case of genuine unexpected errors
   "postCreateCommand": "bash -lc 'if ! git config --get-all secrets.patterns | grep -Fq AKIA; then git-secrets --register-aws; fi; if ! git config --get-all secrets.providers | grep -Fxq \"cat /usr/share/secrets-scanner/nhsd-rules-deny.txt\"; then git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt; fi'",
   "mounts": [
     "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
           echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
           echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@97059401fbec4c0914532277dfe8ce95dd3213fd
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@b0172dbdb3af4ae232873106553c316d79d784fc
     with:
       verify_published_from_main_image: true
   quality_checks:
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -9,7 +9,7 @@ env:
 
 jobs:
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@97059401fbec4c0914532277dfe8ce95dd3213fd
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@b0172dbdb3af4ae232873106553c316d79d784fc
     with:
       verify_published_from_main_image: false
   dependabot-auto-approve-and-merge:
@@ -19,7 +19,7 @@ jobs:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
   pr_title_format_check:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@97059401fbec4c0914532277dfe8ce95dd3213fd
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@b0172dbdb3af4ae232873106553c316d79d784fc
   quality_checks:
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@352f15f692c23b18f67215ad858f27b06a878717
     needs: [get_config_values, get_commit_id]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,7 +10,7 @@ env:
 
 jobs:
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@97059401fbec4c0914532277dfe8ce95dd3213fd
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@b0172dbdb3af4ae232873106553c316d79d784fc
     with:
       verify_published_from_main_image: true
   get_commit_id:
diff --git a/.github/workflows/update_dev_container_version.yml b/.github/workflows/update_dev_container_version.yml
@@ -0,0 +1,19 @@
+name: Update Devcontainer Version
+
+on:
+    workflow_dispatch:
+    schedule:
+        - cron: "0 18 * * 4"
+
+jobs:
+    update_devcontainer_version:
+        uses: NHSDigital/eps-common-workflows/.github/workflows/update-dev-container-version.yml@23342d86a245c076937abd6aecdd0ce06446b1e6
+        permissions:
+            contents: read
+            packages: read
+            pull-requests: write
+        with:
+            base_branch: main
+        secrets:
+            CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
+            CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}
diff --git a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts
@@ -24,7 +24,7 @@ describe("RestApiGateway without mTLS", () => {
       statements: [
         new PolicyStatement({
           actions: ["lambda:InvokeFunction"],
-          resources: ["*"]
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
         })
       ]
     })
@@ -181,7 +181,7 @@ describe("RestApiGateway with CSOC logs", () => {
       statements: [
         new PolicyStatement({
           actions: ["lambda:InvokeFunction"],
-          resources: ["*"]
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
         })
       ]
     })
@@ -229,7 +229,7 @@ describe("RestApiGateway with mTLS", () => {
       statements: [
         new PolicyStatement({
           actions: ["lambda:InvokeFunction"],
-          resources: ["*"]
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
         })
       ]
     })
