diff --git a/.github/actions/acceptance-tests/action.yml b/.github/actions/acceptance-tests/action.yml index 3a0998696..2291ca4a2 100644 --- a/.github/actions/acceptance-tests/action.yml +++ b/.github/actions/acceptance-tests/action.yml @@ -24,7 +24,7 @@ runs: steps: - name: Fetch terraform output - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: terraform-output-${{ inputs.targetComponent }} diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index 8b887bf34..fe61bd19d 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -11,8 +11,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 registry-url: 'https://npm.pkg.github.com' @@ -23,7 +23,7 @@ runs: run: npm ci shell: bash - name: Setup Ruby - uses: ruby/setup-ruby@v1.180.1 + uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with: ruby-version: "3.2" # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically @@ -31,7 +31,7 @@ runs: working-directory: "./docs" - name: Setup Pages id: pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll working-directory: ./docs # Outputs to the './_site' directory by default @@ -43,7 +43,7 @@ runs: - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: "docs/_site/" name: jekyll-docs-${{ inputs.version }} 
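Review bot: The trailing `# v5` on the pinned `actions/download-artifact` line names a floating major tag, so the comment does not say which release the SHA corresponds to. This diff shows the ambiguity: `actions/checkout` is pinned to one commit under `# v5` and to a different commit under `# v5.0.0`. Recording the exact release in the comment, for example `# v5.x.y` (a placeholder for the tag the SHA was resolved from), lets a reviewer confirm each SHA against the upstream repository's own tags and keeps the comments accurate when update tooling bumps the pins. The same applies to the `# v1`, `# v3`, `# v4`, `# v6`, `# v7` and `# v8` comments in the other hunks.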
diff --git a/.github/actions/build-libraries/action.yml b/.github/actions/build-libraries/action.yml index 5c2d36189..437672207 100644 --- a/.github/actions/build-libraries/action.yml +++ b/.github/actions/build-libraries/action.yml @@ -11,8 +11,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 registry-url: 'https://npm.pkg.github.com' 
@@ -31,41 +31,40 @@ runs: make build VERSION="${{ inputs.version }}" - name: Upload abstractions artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "src/server/abstractions/bin/Release" name: libs-abstractions-${{ inputs.version }} include-hidden-files: true - name: Upload data artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "src/server/data/bin/Release" name: libs-data-${{ inputs.version }} include-hidden-files: true - name: Upload letter artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "src/server/letter/bin/Release" name: libs-letter-${{ inputs.version }} include-hidden-files: true - name: Upload host artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "src/server/host/bin/Release" name: libs-host-${{ inputs.version }} include-hidden-files: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - run: mkdir -p ${{ runner.temp }}/myimage shell: bash - name: Build and export - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: src/server file: src/server/Dockerfile @@ -75,7 +74,7 @@ runs: outputs: type=docker,dest=${{ runner.temp }}/myimage/myimage.tar - name: Upload artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: libs-host-docker-${{ inputs.version }} path: ${{ runner.temp }}/myimage diff --git a/.github/actions/build-oas-spec/action.yml b/.github/actions/build-oas-spec/action.yml index 3251acab7..ad2a5f325 100644 --- a/.github/actions/build-oas-spec/action.yml 
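Review bot: `make build VERSION="${{ inputs.version }}"` at the top of this hunk expands the input into the script text before bash runs, so any shell metacharacters in the value would be interpreted as script instead of being passed as data. Pass it through the step environment instead, with `env:` / `VERSION: ${{ inputs.version }}` and `make build VERSION="$VERSION"`. The `run:` step starts above the hunk, so whether it already sets `env:` is not visible. The same pattern appears in the build-sdk and build-server hunks, in the `gh release download` line of cicd-3-deploy.yaml and in the `environment_name` echo of stage-3-build.yaml. Whether these inputs can carry caller-controlled text depends on the calling workflows, which are not shown.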
+++ b/.github/actions/build-oas-spec/action.yml @@ -24,14 +24,14 @@ runs: steps: - name: Checkout - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ inputs.nodejs_version }} registry-url: 'https://npm.pkg.github.com' - name: "Cache node_modules" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | **/node_modules @@ -68,7 +68,7 @@ runs: fi - name: Upload API OAS specification artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "build" name: api-oas-specification-${{ inputs.apimEnv }}${{ inputs.version != '' && format('-{0}', inputs.version) || '' }} diff --git a/.github/actions/build-proxies/action.yml b/.github/actions/build-proxies/action.yml index 24c2e4c4a..728edf4bc 100644 --- a/.github/actions/build-proxies/action.yml +++ b/.github/actions/build-proxies/action.yml @@ -36,7 +36,7 @@ runs: steps: - name: Download OAS Spec artifact from workflow if: ${{ inputs.isRelease == 'false' }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: api-oas-specification-${{ inputs.apimEnv }}${{ inputs.version != '' && format('-{0}', inputs.version) || '' }} path: ./build @@ -96,7 +96,7 @@ runs: echo "APIM_ENV=$APIM_ENV" >> $GITHUB_ENV - name: Upload OAS Spec - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: ${{ env.APIM_ENV }}-build-output path: ./build diff --git a/.github/actions/build-sandbox/action.yml b/.github/actions/build-sandbox/action.yml index 5bcef84c2..32e10cae8 100644 --- a/.github/actions/build-sandbox/action.yml +++ b/.github/actions/build-sandbox/action.yml 
@@ -13,8 +13,8 @@ runs: steps: - name: Checkout - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 registry-url: 'https://npm.pkg.github.com' diff --git a/.github/actions/build-sdk/action.yml b/.github/actions/build-sdk/action.yml index 5c5d3d52b..0a9cf0965 100644 --- a/.github/actions/build-sdk/action.yml +++ b/.github/actions/build-sdk/action.yml @@ -11,8 +11,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 registry-url: 'https://npm.pkg.github.com' 
@@ -56,43 +56,43 @@ runs: make build VERSION="${{ inputs.version }}" - name: Upload html artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "sdk/html" name: sdk-html-${{ inputs.version }} - name: Upload swagger artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "sdk/swagger" name: sdk-swagger-${{ inputs.version }} - name: Upload ts artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "sdk/typescript" name: sdk-ts-${{ inputs.version }} - name: Upload python artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "sdk/python" name: sdk-python-${{ inputs.version }} - name: Upload csharp artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "sdk/csharp" name: sdk-csharp-${{ inputs.version }} - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: "sdk/html/" name: sdk-html-docs-${{ inputs.version }} - name: Upload swagger pages artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: "sdk/swagger/" name: sdk-swagger-docs-${{ inputs.version }} diff --git a/.github/actions/build-server/action.yml b/.github/actions/build-server/action.yml index 1a9ad7063..f167882bc 100644 --- a/.github/actions/build-server/action.yml +++ b/.github/actions/build-server/action.yml 
@@ -11,8 +11,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 registry-url: 'https://npm.pkg.github.com' @@ -36,13 +36,13 @@ runs: make build VERSION="${{ inputs.version }}" - name: Upload csharp-server artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "server/csharp-server" name: server-csharp-${{ inputs.version }} - name: Upload csharp-server docker artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "server/Dockerfile" name: server-csharp-docker-${{ inputs.version }} diff --git a/.github/actions/node-install/action.yaml b/.github/actions/node-install/action.yaml index 48527b570..22e92f0fb 100644 --- a/.github/actions/node-install/action.yaml +++ b/.github/actions/node-install/action.yaml @@ -10,7 +10,7 @@ runs: using: 'composite' steps: - name: 'Use Node.js' - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: '.tool-versions' registry-url: 'https://npm.pkg.github.com' diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index 2a67fe771..35b699244 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml @@ -33,7 +33,7 @@ jobs: deploy_proxy: ${{ steps.deploy_proxy.outputs.deploy_proxy }} steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Set CI/CD variables" id: variables run: | diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 35de7d75c..6a46ed13d 100644 
--- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -37,7 +37,7 @@ jobs: # tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Set CI/CD variables" id: variables run: | @@ -70,8 +70,7 @@ jobs: needs: metadata steps: - name: "Checkout code" - uses: actions/checkout@v5 - + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Get version" id: get-asset-version shell: bash @@ -103,13 +102,13 @@ jobs: run: | gh release download ${{steps.get-asset-version.outputs.release_version}} -p jekyll-docs-*.tar --output artifact.tar - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} path: artifact.tar - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with: artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index fbf04098f..3e311ac55 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -15,7 +15,7 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@v5.2.0 + uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0 with: ci_required: false labels: dependencies diff --git a/.github/workflows/manual-proxy-environment-deploy.yaml b/.github/workflows/manual-proxy-environment-deploy.yaml index 123126132..e20264950 100644 --- a/.github/workflows/manual-proxy-environment-deploy.yaml +++ b/.github/workflows/manual-proxy-environment-deploy.yaml 
@@ -29,9 +29,8 @@ jobs: name: Deploy to Environment steps: - name: Checkout - uses: actions/checkout@v4 - - - uses: actions/setup-node@v6 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: 22 diff --git a/.github/workflows/pr_closed.yaml b/.github/workflows/pr_closed.yaml index 31f81c713..a27a896b9 100644 --- a/.github/workflows/pr_closed.yaml +++ b/.github/workflows/pr_closed.yaml @@ -48,8 +48,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 - + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Updating Main Environment env: APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }} @@ -75,10 +74,9 @@ jobs: packages: read steps: - name: Checkout code - uses: actions/checkout@v5.0.0 - + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' registry-url: 'https://npm.pkg.github.com' @@ -112,7 +110,7 @@ jobs: packages: read steps: - name: "Checkout code" - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: "Repo setup" uses: ./.github/actions/node-install with: @@ -135,10 +133,9 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5.0.0 - + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' registry-url: 'https://npm.pkg.github.com' diff --git a/.github/workflows/pr_destroy_dynamic_env.yaml b/.github/workflows/pr_destroy_dynamic_env.yaml index 66eb1a2b6..4e8ac70f5 100644 --- a/.github/workflows/pr_destroy_dynamic_env.yaml +++ b/.github/workflows/pr_destroy_dynamic_env.yaml 
@@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Trigger dynamic environment destruction env: @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Trigger dynamic proxy destruction env: diff --git a/.github/workflows/release_created.yaml b/.github/workflows/release_created.yaml index 6abc3f8c6..47d9c855a 100644 --- a/.github/workflows/release_created.yaml +++ b/.github/workflows/release_created.yaml @@ -26,8 +26,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 - + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Deploy Nonprod Environment env: APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }} @@ -58,8 +57,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v5 - + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Build proxies" uses: ./.github/actions/build-proxies with: diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index ef78a02d5..e86287866 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -16,8 +16,7 @@ jobs: steps: - name: Check out the repository - uses: actions/checkout@v5 - + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Sync repository template uses: NHSDigital/nhs-notify-shared-modules/.github/actions/sync-template-repo@3.0.8 with: @@ -25,7 +24,7 @@ jobs: - name: Create Pull Request if: ${{ !env.ACT }} - uses: peter-evans/create-pull-request@v8.1.0 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: Drift from template 
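Review bot: The `Sync repository template` step in scheduled-repository-template-sync.yaml still references `NHSDigital/nhs-notify-shared-modules/.github/actions/sync-template-repo@3.0.8`, a tag that can be moved, while the `peter-evans/create-pull-request` step after it is now SHA-pinned. The sync step appears to produce the content that the next step commits and opens as a pull request, so it deserves the same treatment: `uses: NHSDigital/nhs-notify-shared-modules/.github/actions/sync-template-repo@<full-commit-sha> # 3.0.8`. The `create-lines-of-code-report@3.0.8` and `scan-dependencies@3.0.8` references in stage-1-commit.yaml are in the same state. If same-organisation actions are deliberately exempt from pinning, a comment saying so would make that clear.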
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 81fe298c3..3dfb15070 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index d8e59cb9d..401b19460 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -47,7 +47,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" @@ -58,7 +58,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" @@ -69,7 +69,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" @@ -83,7 +83,7 @@ jobs: contents: write steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check to see if Terraform Docs are up-to-date" 
@@ -104,7 +104,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" @@ -115,7 +115,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check TODO usage" @@ -127,8 +127,7 @@ jobs: terraform_changed: ${{ steps.check.outputs.terraform_changed }} steps: - name: "Checkout code" - uses: actions/checkout@v5 - + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check for Terraform changes" id: check run: | @@ -151,7 +150,7 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Setup ASDF" uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 - name: "Lint Terraform" @@ -170,7 +169,7 @@ jobs: # NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # steps: # - name: "Checkout code" - # uses: actions/checkout@v4 + # uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # - name: "Trivy IaC Scan" @@ -185,7 +184,7 @@ jobs: # timeout-minutes: 10 # steps: # - name: "Checkout code" - # uses: actions/checkout@v4 + # uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # - name: "Trivy Package Scan" 
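Review bot: `uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302` in the Terraform lint hunk is a SHA pin with no trailing version comment, unlike every line this commit changes, so a reader cannot tell which release it is. Add the release tag as a comment in the same style, for example `# <release-tag>`. The commented-out Trivy jobs below pin the same action to a different commit (`b7bcd026f18772e44fe1026d729e1611cc435d47`), which is worth reconciling if those jobs are ever re-enabled.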
@@ -199,7 +198,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Count lines of code" uses: NHSDigital/nhs-notify-shared-modules/.github/actions/create-lines-of-code-report@3.0.8 with: @@ -218,7 +217,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Scan dependencies" uses: NHSDigital/nhs-notify-shared-modules/.github/actions/scan-dependencies@3.0.8 with: @@ -240,7 +239,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 @@ -275,8 +274,7 @@ jobs: contents: read steps: - name: Checkout code - uses: actions/checkout@v4 - + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Check schema versions run: | source scripts/is_valid_increment.sh @@ -304,10 +302,9 @@ jobs: packages: read steps: - name: Checkout code - uses: actions/checkout@v5.0.0 - + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ inputs.nodejs_version }} registry-url: "https://npm.pkg.github.com" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index 47ce194e2..8bdf019da 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml 
@@ -48,14 +48,14 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ inputs.nodejs_version }} registry-url: "https://npm.pkg.github.com" - name: "Cache node_modules" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | **/node_modules @@ -79,14 +79,14 @@ jobs: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ inputs.nodejs_version }} registry-url: "https://npm.pkg.github.com" - name: "Cache node_modules" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | **/node_modules @@ -105,14 +105,14 @@ jobs: run: | make test-unit - name: "Save the result of fast test suite" - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: unit-tests path: "**/.reports/unit" include-hidden-files: true if: always() - name: "Save the result of code coverage" - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: code-coverage-report path: ".reports/lcov.info" @@ -127,9 +127,9 @@ jobs: contents: read steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Cache node_modules" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | **/node_modules 
@@ -155,14 +155,14 @@ jobs: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ inputs.nodejs_version }} registry-url: "https://npm.pkg.github.com" - name: "Cache node_modules" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | **/node_modules @@ -188,14 +188,14 @@ jobs: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ inputs.nodejs_version }} registry-url: "https://npm.pkg.github.com" - name: "Cache node_modules" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | **/node_modules @@ -220,7 +220,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run test coverage check" run: | make test-coverage @@ -237,11 +237,11 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Download coverage report for SONAR" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: code-coverage-report - name: "Perform static analysis" diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index a8441e7ff..3d476c2d6 100644 
--- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -52,7 +52,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Build docs" uses: ./.github/actions/build-docs with: @@ -70,7 +70,7 @@ jobs: apimEnv: [internal-dev-pr, internal-dev, int, ref, prod] steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Build OAS spec" uses: ./.github/actions/build-oas-spec with: @@ -87,7 +87,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Build proxies" uses: ./.github/actions/build-oas-spec with: @@ -104,7 +104,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Build sdks" uses: ./.github/actions/build-sdk with: @@ -118,7 +118,7 @@ jobs: # timeout-minutes: 10 # steps: # - name: "Checkout code" - # uses: actions/checkout@v5 + # uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 # - name: "Build servers" # uses: ./.github/actions/build-server # with: @@ -129,7 +129,7 @@ jobs: # timeout-minutes: 10 # steps: # - name: "Checkout code" - # uses: actions/checkout@v5 + # uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 # - name: "Build servers" # uses: ./.github/actions/build-libraries # with: @@ -140,7 +140,7 @@ jobs: outputs: environment_name: ${{ steps.set-environment.outputs.environment_name }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Set environment name id: set-environment run: echo "environment_name=${{ inputs.pr_number != '' && format('pr{0}', inputs.pr_number) || 'main' }}" >> $GITHUB_OUTPUT 
@@ -174,7 +174,7 @@ jobs: APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} steps: - name: "Checkout code" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Build proxies" uses: ./.github/actions/build-proxies with: diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index 9220394e7..520adc266 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -48,10 +48,10 @@ jobs: name: Run Acceptance Tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: "Use Node.js" - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: "${{ inputs.nodejs_version }}" registry-url: "https://npm.pkg.github.com" @@ -87,7 +87,7 @@ jobs: runs-on: ubuntu-latest if: inputs.proxy_deployed == 'true' steps: - - uses: actions/checkout@v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: "Run e2e tests" #uses: ./.github/actions/e2e-tests diff --git a/.github/workflows/stage-5-publish.yaml b/.github/workflows/stage-5-publish.yaml index 8c50adf9c..4202d28f0 100644 --- a/.github/workflows/stage-5-publish.yaml +++ b/.github/workflows/stage-5-publish.yaml 
@@ -46,46 +46,45 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v5 - + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Get the artefacts 1" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./artifacts/jekyll-docs-${{ inputs.version }} name: jekyll-docs-${{ inputs.version }} - name: "Get the artefacts 2" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./artifacts/sdk-html-docs-${{ inputs.version }} name: sdk-html-docs-${{ inputs.version }} - name: "Get the artefacts 3" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./artifacts/sdk-swagger-docs-${{ inputs.version }} name: sdk-swagger-docs-${{ inputs.version }} - name: "Get the artefacts 4" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./artifacts/sdk-html-${{ inputs.version }} name: sdk-html-${{ inputs.version }} - name: "Get the artefacts 5" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./artifacts/sdk-ts-${{ inputs.version }} name: sdk-ts-${{ inputs.version }} - name: "Get the artefacts 6" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./artifacts/sdk-python-${{ inputs.version }} name: sdk-python-${{ inputs.version }} - name: "Get the artefacts 7" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./artifacts/sdk-csharp-${{ inputs.version }} name: sdk-csharp-${{ inputs.version }} 
@@ -99,7 +98,7 @@ jobs: - name: "Create release" id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -111,7 +110,7 @@ jobs: prerelease: ${{ inputs.is_version_prerelease == 'true'}} - name: "Upload jekyll docs release asset" - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -121,7 +120,7 @@ jobs: asset_content_type: "application/gzip" - name: "Upload sdk html docs release asset" - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -131,7 +130,7 @@ jobs: asset_content_type: "application/gzip" - name: "Upload sdk swagger docs release asset" - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -147,7 +146,7 @@ jobs: shell: bash - name: "Upload sdk html release asset" - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -163,7 +162,7 @@ jobs: shell: bash - name: "Upload sdk ts release asset" - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -179,7 +178,7 @@ jobs: shell: bash - name: "Upload sdk python release asset" - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
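Review bot: `actions/create-release` and `actions/upload-release-asset` are archived upstream and no longer receive fixes, so pinning them to a SHA protects integrity but also freezes unmaintained code that runs with `GITHUB_TOKEN` in the release job. Consider replacing these steps with the GitHub CLI (`gh release create` and `gh release upload`), which cicd-3-deploy.yaml already relies on for `gh release download`. The `with:` inputs of these steps lie mostly outside the hunks, so the exact flags needed cannot be derived from this diff.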
@@ -195,7 +194,7 @@ jobs: shell: bash - name: "Upload sdk csharp release asset" - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -235,7 +234,7 @@ jobs: apimEnv: [internal-dev, int, ref, prod] steps: - name: "Download OAS spec artifact" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./artifacts/api-oas-specification-${{ matrix.apimEnv }}-${{ inputs.version }} name: api-oas-specification-${{ matrix.apimEnv }}-${{ inputs.version }} @@ -246,7 +245,7 @@ jobs: shell: bash - name: "Upload OAS specification release asset" - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -293,7 +292,7 @@ jobs: contents: read steps: - name: "Get the artefacts" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: . name: sdk-csharp-${{ inputs.version }} @@ -349,11 +348,11 @@ jobs: contents: read steps: - name: "Get the artefacts" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: . name: sdk-ts-${{ inputs.version }} - - uses: actions/setup-node@v6 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: "24.3" registry-url: "https://npm.pkg.github.com" 
@@ -378,7 +377,7 @@ jobs: run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT - name: "Notify on publishing packages" if: steps.check.outputs.secret_exist == 'true' - uses: nhs-england-tools/notify-msteams-action@v1.0.5 + uses: nhs-england-tools/notify-msteams-action@a9fbb9bb41ef7db9c74d4fdc893f12812094fecf # v1.0.5 with: github-token: ${{ secrets.GITHUB_TOKEN }} teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }}