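--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -6,7 +6,7 @@
 "args": {
 "DOCKER_GID": "${env:DOCKER_GID:}",
 "IMAGE_NAME": "node_24_python_3_14",
-"IMAGE_VERSION": "v1.2.0",
+"IMAGE_VERSION": "v1.4.4",
 "USER_UID": "${localEnv:USER_ID:}",
 "USER_GID": "${localEnv:GROUP_ID:}"
 }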
2 changes: 2 additions & 0 deletions .github/CODEOWNERS
@@ -0,0 +1,2 @@
# restrict access to approving workflow changes
.github/workflows/ @NHSDigital/eps-admins
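Review bot: The rule on `.github/workflows/` does not cover `.github/CODEOWNERS` itself, so anyone with write access can weaken or delete this restriction in the same PR that edits a workflow; add `.github/CODEOWNERS @NHSDigital/eps-admins` alongside it. CODEOWNERS only gates merges when the `main` branch protection rule has "Require review from Code Owners" enabled, which this file cannot show and is worth confirming. The new `zizmor.yml` and `.grype.yaml` decide what the security scanners enforce and are candidates for the same ownership line.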
23 changes: 16 additions & 7 deletions .github/workflows/ci.yml
Expand Up @@ -4,17 +4,23 @@ on:
push:
branches: [main]

env:
BRANCH_NAME: ${{ github.ref_name }}

permissions: {}
jobs:
get_config_values:
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@b0172dbdb3af4ae232873106553c316d79d784fc
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
with:
verify_published_from_main_image: true
permissions:
attestations: read
contents: read
packages: read
quality_checks:
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@352f15f692c23b18f67215ad858f27b06a878717
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
needs: [get_config_values]
permissions:
contents: read
id-token: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
run_docker_scan: false
Expand All @@ -23,14 +29,17 @@ jobs:

tag_release:
needs: [quality_checks, get_config_values]
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@352f15f692c23b18f67215ad858f27b06a878717
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
permissions:
contents: write
id-token: write
packages: write
with:
dry_run: true
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
branch_name: main
publish_packages: packages/cdkConstructs,packages/deploymentUtils
tag_format: ${{ needs.get_config_values.outputs.tag_format }}
secrets: inherit

package_npm_code:
needs: [quality_checks, get_config_values]
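Review bot: `tag_release` runs with `dry_run: true` on every push to `main` yet is granted `contents: write`, `packages: write` and `secrets: inherit`; a job that is not meant to tag or publish should not hold the ability to. If the reusable workflow pinned at f747b66 declares those scopes as required regardless of `dry_run`, keep them but say so above the block, e.g. `# tag-release-devcontainer requires write scopes even when dry_run is true`; otherwise reduce them for this caller. `secrets: inherit` forwards every repository secret to the called workflow, whereas the dependabot job in pull_request.yml shows the explicit `secrets:` form that names only what is needed — prefer that here too.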
4 changes: 2 additions & 2 deletions .github/workflows/package_npm_code.yml
Expand Up @@ -6,7 +6,7 @@ on:
pinned_image:
type: string
required: true

permissions: {}
jobs:
package_npm_code:
runs-on: ubuntu-22.04
Expand All @@ -23,7 +23,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
ref: ${{ env.BRANCH_NAME }}
persist-credentials: false

- name: Install dependencies
run: |
33 changes: 23 additions & 10 deletions .github/workflows/pull_request.yml
Expand Up @@ -4,25 +4,36 @@ on:
pull_request:
branches: [main]

env:
BRANCH_NAME: ${{ github.event.pull_request.head.ref }}

permissions: {}
jobs:
get_config_values:
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@b0172dbdb3af4ae232873106553c316d79d784fc
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
with:
verify_published_from_main_image: false
permissions:
attestations: read
contents: read
packages: read
dependabot-auto-approve-and-merge:
needs: quality_checks
uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@352f15f692c23b18f67215ad858f27b06a878717
uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
permissions:
contents: write
pull-requests: write
secrets:
AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
pr_title_format_check:
uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@b0172dbdb3af4ae232873106553c316d79d784fc
uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
permissions:
pull-requests: write
quality_checks:
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@352f15f692c23b18f67215ad858f27b06a878717
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
needs: [get_config_values]
permissions:
contents: read
id-token: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
run_docker_scan: false
Expand Down Expand Up @@ -56,7 +67,6 @@ jobs:
}
Copilot AI Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fallback assumes listPullRequestsAssociatedWithCommit(...).data[0] always exists; if no PR is associated with the commit, this will throw. Since this workflow only runs on pull_request, context.issue.number should already be present—consider removing the fallback branch entirely (or guard against an empty .data result if you intend this script to be reusable for other events).

Copilot uses AI. Check for mistakes.
result-encoding: string


package_npm_code:
needs: [quality_checks, get_config_values]
uses: ./.github/workflows/package_npm_code.yml
Expand All @@ -65,11 +75,14 @@ jobs:

tag_release:
needs: [get_config_values]
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@352f15f692c23b18f67215ad858f27b06a878717
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
permissions:
contents: write
id-token: write
packages: write
with:
dry_run: true
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
branch_name: ${{ github.event.pull_request.head.ref }}
publish_packages: packages/cdkConstructs,packages/deploymentUtils
tag_format: ${{ needs.get_config_values.outputs.tag_format }}
secrets: inherit
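Review bot: `branch_name: ${{ github.event.pull_request.head.ref }}` feeds an attacker-chosen string into the reusable `tag_release` workflow; that is safe only if the called workflow reads `inputs.branch_name` via `env:` or an action input and never interpolates it into a `run:` script, which cannot be confirmed from this file and should be checked at the pinned SHA. The same job also declares `contents: write`, `packages: write` and `secrets: inherit` for a `dry_run: true` call on the `pull_request` trigger; for same-repository branches the token genuinely carries those scopes and every secret is exposed to the called workflow, so pass only the secrets it needs as the dependabot job above already does. ci.yml and release.yml hard-code `branch_name: main`, so this is the only caller where the input is untrusted.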
23 changes: 16 additions & 7 deletions .github/workflows/release.yml
Expand Up @@ -5,17 +5,23 @@ on:
schedule:
- cron: "0 8 * * 3"

env:
BRANCH_NAME: ${{ github.ref_name }}

permissions: {}
jobs:
get_config_values:
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@b0172dbdb3af4ae232873106553c316d79d784fc
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
with:
verify_published_from_main_image: true
permissions:
attestations: read
contents: read
packages: read
quality_checks:
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@352f15f692c23b18f67215ad858f27b06a878717
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
needs: [get_config_values]
permissions:
contents: read
id-token: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
run_docker_scan: false
Expand All @@ -24,11 +30,14 @@ jobs:

tag_release:
needs: [quality_checks, get_config_values]
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@352f15f692c23b18f67215ad858f27b06a878717
uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f747b664d45e3a554d5ab72af509ab8e14fe84aa
permissions:
contents: write
id-token: write
packages: write
with:
dry_run: false
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
branch_name: main
publish_packages: packages/cdkConstructs,packages/deploymentUtils
tag_format: ${{ needs.get_config_values.outputs.tag_format }}
secrets: inherit
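Review bot: `secrets: inherit` on `tag_release` hands every repository secret to the reusable workflow on the one run that actually publishes (`dry_run: false`, weekly schedule), so a defect in the called workflow or any action it pins would have the full secret set in scope. Pinning to a full commit SHA limits but does not remove that exposure; replace it with an explicit `secrets:` block naming only what tag-release-devcontainer needs, as the dependabot job in pull_request.yml does. A one-line comment on the job stating why each of `contents: write`, `id-token: write` and `packages: write` is needed by the publish step would let a later reviewer tell required scopes from leftovers.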
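--- a/.github/workflows/sync_copilot.yml
+++ b/.github/workflows/sync_copilot.yml
@@ -4,7 +4,7 @@ on:
 workflow_dispatch:
 schedule:
 - cron: "0 6 * * 1"
-
+permissions: {}
 jobs:
 sync-copilot-instructions:
 runs-on: ubuntu-22.04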
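Review bot: With `permissions: {}` now set at the workflow level, the `sync-copilot-instructions` job has no `GITHUB_TOKEN` scopes unless it declares its own `permissions:` block, and the job body — where any checkout, push or PR creation would live — lies outside this hunk. If the sync writes back to the repository it will fail with a 403 on the first scheduled run; add the minimal job-level block, e.g. `permissions:` / `  contents: write` / `  pull-requests: write`, or confirm the job only reads. The other workflows in this PR follow exactly that pattern of a job-level `permissions:` under an empty top-level one.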
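--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@ _site/
 vendor
 .trivy_out/
 *.tgz
+.sbom/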
10 changes: 10 additions & 0 deletions .grype.yaml
@@ -0,0 +1,10 @@
ignore:
# picomatch
- vulnerability: GHSA-c2c7-rcm5-vvqj
# flatted
- vulnerability: GHSA-rf6f-7fwh-wjgh
# minimatch
- vulnerability: GHSA-3ppc-4f35-3m26
- vulnerability: GHSA-7r86-cg39-jmmj
- vulnerability: GHSA-23c5-xmqv-rm74
- vulnerability: GHSA-25h7-pfq9-p65f
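Review bot: Each `vulnerability:` entry suppresses the advisory for any package grype ever matches it to, not only the one named in the comment; scope each rule with `package:` / `  name: picomatch` so a future match in a different dependency is not silently hidden. The comments record the package but not why the finding is accepted (dev-only dependency, unreachable path, no fix published) or when to revisit it — add that per entry, e.g. `# GHSA-c2c7-rcm5-vvqj: picomatch, dev dependency only, revisit 2026-07`. Six ignores replace an 82-line `.trivyignore.yaml` deleted in this PR, so it is worth a line in the PR description confirming the remaining trivy suppressions were re-triaged under grype rather than carried over implicitly.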
8 changes: 8 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -23,6 +23,14 @@ repos:

- repo: local
hooks:
- id: grype-scan-local
name: Grype scan local changes
entry: make
args: ["grype-scan-local"]
language: system
pass_filenames: false
always_run: true

- id: check-commit-signing
name: Check commit signing
description: Ensures that commits are GPG signed
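Review bot: A pre-commit hook is advisory — `git commit --no-verify` or a clone without pre-commit installed skips `grype-scan-local` entirely — so it cannot be the control that replaces the deleted `trivy.yaml` and `.trivyignore.yaml`; every workflow in this PR sets `run_docker_scan: false`, and nothing visible here runs grype server-side. Confirm that `quality_checks` (or the `make grype-scan-local` target, which is not shown) runs the scan in CI and fails the job, and say so in the hook, e.g. `description: Local pre-check only; the CI quality_checks scan is the enforcement point`. `always_run: true` with `pass_filenames: false` means the full scan runs on every commit regardless of which files changed, which is appropriate for a security gate but worth stating so contributors know why commits got slower.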
82 changes: 0 additions & 82 deletions .trivyignore.yaml

This file was deleted.

1 change: 0 additions & 1 deletion trivy.yaml

This file was deleted.

5 changes: 5 additions & 0 deletions zizmor.yml
@@ -0,0 +1,5 @@
rules:
unpinned-images:
# these workflows use unpinned images because they are using a full image passed in that contains the tag
ignore:
- package_npm_code.yml:14:13
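Review bot: The suppression is keyed to `package_npm_code.yml:14:13`, a line:column position; any edit above line 14 of that workflow moves the finding and either un-suppresses it or silences a different one, and zizmor also accepts the coarser `package_npm_code.yml` or `package_npm_code.yml:14` forms. The comment justifies the ignore by saying the image "contains the tag", but a tag is mutable and does not make an image pinned; the exemption is only sound if the `pinned_image` output from get-repo-config is a digest reference (`@sha256:…`), which this PR does not show. Reword to state the actual guarantee, e.g. `# image is get-repo-config's pinned_image output, a digest-pinned reference (verified on main via verify_published_from_main_image)`, and confirm that claim against the reusable workflow.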