@@ -6,15 +6,15 @@ permissions: {}
66
77jobs :
88 get_config_values :
9- uses : NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
9+ uses : NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
1010 with :
1111 verify_published_from_main_image : true
1212 permissions :
1313 attestations : read
1414 contents : read
1515 packages : read
1616 quality_checks :
17- uses : NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
17+ uses : NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
1818 needs :
1919 - get_config_values
2020 permissions :
2727 SONAR_TOKEN : ' ${{ secrets.SONAR_TOKEN }}'
2828 tag_release :
2929 needs : [quality_checks, get_config_values]
30- uses : NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
30+ uses : NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
3131 permissions :
3232 id-token : write
3333 contents : write
@@ -7,23 +7,23 @@ permissions: {}
77jobs :
88 dependabot-auto-approve-and-merge :
99 needs : quality_checks
10- uses : NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
10+ uses : NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
1111 permissions :
1212 contents : write
1313 pull-requests : write
1414 secrets :
1515 AUTOMERGE_APP_ID : ' ${{ secrets.AUTOMERGE_APP_ID }}'
1616 AUTOMERGE_PEM : ' ${{ secrets.AUTOMERGE_PEM }}'
1717 get_config_values :
18- uses : NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
18+ uses : NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
1919 with :
2020 verify_published_from_main_image : false
2121 permissions :
2222 attestations : read
2323 contents : read
2424 packages : read
2525 quality_checks :
26- uses : NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
26+ uses : NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
2727 needs :
2828 - get_config_values
2929 with :
3535 secrets :
3636 SONAR_TOKEN : ' ${{ secrets.SONAR_TOKEN }}'
3737 pr_title_format_check :
38- uses : NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
38+ uses : NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
3939 permissions :
4040 pull-requests : write
4141 get_issue_number :
@@ -7,15 +7,15 @@ permissions: {}
77
88jobs :
99 get_config_values :
10- uses : NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
10+ uses : NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
1111 with :
1212 verify_published_from_main_image : false
1313 permissions :
1414 attestations : read
1515 contents : read
1616 packages : read
1717 quality_checks :
18- uses : NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
18+ uses : NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
1919 needs :
2020 - get_config_values
2121 permissions :
2828 SONAR_TOKEN : ' ${{ secrets.SONAR_TOKEN }}'
2929 tag_release :
3030 needs : [quality_checks, get_config_values]
31- uses : NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
31+ uses : NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
3232 permissions :
3333 id-token : write
3434 contents : write
@@ -37,6 +37,7 @@ ignore:
3737 - vulnerability : CVE-2026-33810
3838 - vulnerability : CVE-2026-6100
3939 - vulnerability : CVE-2026-4786
40+ - vulnerability : GHSA-pc3f-x583-g7j2
4041# node_24 vulnerabilities
4142 - vulnerability : GHSA-c2c7-rcm5-vvqj
4243 - vulnerability : GHSA-7r86-cg39-jmmj
@@ -74,3 +75,5 @@ ignore:
7475 - vulnerability : CVE-2025-53066
7576 - vulnerability : CVE-2026-21945
7677 - vulnerability : CVE-2026-21932
78+ - vulnerability : CVE-2026-27143
79+ - vulnerability : CVE-2026-27144
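Review bot: The three IDs added to the ignore list (GHSA-pc3f-x583-g7j2 in the first hunk, CVE-2026-27143 and CVE-2026-27144 in the second) are suppressed with no recorded reason and no scope. Assuming this is the grype ignore file that the new pre-commit hook reads, a bare `- vulnerability:` rule hides the finding in every package the scanner matches, including ones that pick it up later. Each entry should carry a comment such as `# <package>: <why it is accepted>, revisit <date>` and, where the finding is confined to one component, a `package:` / `name: <package>` filter under the rule. GHSA-pc3f-x583-g7j2 also sits above the `# node_24 vulnerabilities` comment, so it reads as part of the preceding group, whose heading is outside the hunk; confirm that is the group it belongs to.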
@@ -23,6 +23,14 @@ repos:
2323
2424 - repo : local
2525 hooks :
26+ - id : grype-scan-local
27+ name : Grype scan local changes
28+ entry : make
29+ args : ["grype-scan-local"]
30+ language : system
31+ pass_filenames : false
32+ always_run : true
33+
2634 - id : lint-githubactions
2735 name : Lint github actions
2836 entry : make
@@ -41,14 +49,15 @@ repos:
4149 types_or : [sh, shell]
4250 pass_filenames : false
4351
44- - id : git-secrets
45- name : Git Secrets
46- description : git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
52+ - id : gitleaks
53+ name : Git Leaks
54+ description : gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
4755 entry : bash
4856 args :
4957 - -c
50- - ' git-secrets --pre_commit_hook '
58+ - " gitleaks git --pre-commit --redact --staged --verbose "
5159 language : system
60+
5261 - id : check-commit-signing
5362 name : Check commit signing
5463 description : Ensures that commits are GPG signed
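Review bot: The `description` on the new gitleaks hook in the second hunk is the git-secrets summary with the tool name swapped, and it overstates what this invocation checks. With `--pre-commit --staged` the command appears to inspect only the staged changes, not commit messages or merges. I would reword it to `description: gitleaks scans staged changes for secrets before each commit.` so nobody assumes message or merge coverage that the hook does not give. The hook also lacks the `pass_filenames: false` that the neighbouring hooks set; adding it stops pre-commit appending file names to the `bash -c` call, where they are silently discarded as positional arguments.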