
Commit dc95752

authored
Chore: [AEA-6424] - use new quality checks (#2548)
## Summary
- Routine Change

### Details
- move to latest qc
- remove all trivy files
- add CODEOWNERS to restrict updates to workflows
- use least permissions on all workflows
- add --ignore-scripts true to npm install
1 parent ed65f34 commit dc95752

18 files changed

Lines changed: 184 additions & 99 deletions

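--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -6,7 +6,7 @@
 "args": {
 "DOCKER_GID": "${env:DOCKER_GID:}",
 "IMAGE_NAME": "node_24_python_3_12",
-"IMAGE_VERSION": "v1.2.0",
+"IMAGE_VERSION": "v1.4.4",
 "USER_UID": "${localEnv:USER_ID:}",
 "USER_GID": "${localEnv:GROUP_ID:}"
 },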

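--- a/.gitallowed
+++ b/.gitallowed
@@ -6,6 +6,7 @@ self.token = token
 --token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
 --token=\$GITHUB-TOKEN
 --token="\$GITHUB-TOKEN"
+--token="\$GITHUB_TOKEN"
 "accountId": "123456789012"
 accountId: "123456789012"
 console\.log\(`access token : \${access_token}`\)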

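--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# restrict access to approving workflow changes
+.github/workflows/ @NHSDigital/eps-admins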
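Review bot: The new rule covers `.github/workflows/` but not the CODEOWNERS file itself, so a pull request that edits a workflow can also delete or loosen this rule in the same change; add `/.github/CODEOWNERS @NHSDigital/eps-admins` next to it. The rule only restricts anything when branch protection or a ruleset on main requires review from code owners, so confirm that setting is enabled — on its own the file is advisory. The header comment could state that dependency, e.g. `# enforced only while branch protection on main requires code-owner review`.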

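--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,23 +4,27 @@ on:
 push:
 branches: [main]
 
-env:
-BRANCH_NAME: ${{ github.ref_name }}
-
+permissions: {}
 jobs:
 get_config_values:
-uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 with:
 verify_published_from_main_image: true
-
+permissions:
+attestations: read
+contents: read
+packages: read
 quality_checks:
-uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 needs: [get_config_values]
 with:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
+permissions:
+contents: read
+id-token: write
+packages: read
 get_commit_id:
 runs-on: ubuntu-22.04
 outputs:
@@ -33,26 +37,33 @@ jobs:
 
 tag_release:
 needs: [quality_checks, get_commit_id, get_config_values]
-uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 permissions:
 id-token: write
 contents: write
+packages: write
 with:
 dry_run: true
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 branch_name: main
 tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-secrets: inherit
 
 package_code:
 needs: [tag_release, get_config_values]
 uses: ./.github/workflows/sam_package_code.yml
 with:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+permissions:
+contents: read
+packages: read
+id-token: write
 
 release_dev:
 needs: [tag_release, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp
@@ -91,6 +102,9 @@ jobs:
 release_dev_sandbox:
 needs: [tag_release, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp-sandbox
@@ -127,6 +141,9 @@ jobs:
 get_commit_id,
 ]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp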
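Review bot: The `id-token: write` grant on quality_checks and package_code, and the `contents: write` on every sam_release_code.yml call, carry no comment saying which step in the called workflow consumes them, so a later reader cannot tell whether `contents: read` would suffice; a one-line comment above each block naming the consumer, e.g. `# id-token: write — presumably the OIDC credential exchange in the called workflow; confirm`, would let the grants be narrowed safely later. tag_release also loses `secrets: inherit` without an explicit `secrets:` replacing it; if the pinned tag-release workflow declares required secrets the call fails at validation, so this is presumably deliberate and worth confirming against the c8f899f revision. get_commit_id declares no `permissions:` (its steps are outside the hunk), so under the new top-level `permissions: {}` it runs with an empty GITHUB_TOKEN, which is fine only if its checkout needs nothing more. The same three points apply to the pull_request.yml and release.yml sections.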

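--- a/.github/workflows/delete_old_cloudformation_stacks.yml
+++ b/.github/workflows/delete_old_cloudformation_stacks.yml
@@ -11,6 +11,7 @@ on:
 - cron: "0 0,12 * * *"
 push:
 branches: [main]
+permissions: {}
 
 jobs:
 delete-old-cloudformation-stacks:
@@ -24,6 +25,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 ref: ${{ github.event.inputs.branch_name || github.ref_name }}
+persist-credentials: false
 sparse-checkout: |
 .github/scripts
 
@@ -52,6 +54,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 ref: ${{ github.event.inputs.branch_name || github.ref_name }}
+persist-credentials: false
 fetch-depth: 0
 
 - name: Configure AWS Credentials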
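Review bot: The top-level `permissions: {}` removes the default token grants from every job in this file, but neither job's own `permissions:` block falls inside the hunks; the second job's `Configure AWS Credentials` step (new line 60, body outside the hunk) presumably exchanges the OIDC token for an AWS role, which requires `id-token: write` on that job, so confirm both jobs declare what they use. `persist-credentials: false` on both checkouts is the right companion, since later steps can then no longer reuse the token through the stored git credential. A short comment above the new key, `# default-deny; each job declares the permissions it needs`, would make the intent visible to the next editor.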

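--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -4,41 +4,50 @@ on:
 pull_request:
 branches: [main]
 
-env:
-BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+permissions: {}
 
 jobs:
 dependabot-auto-approve-and-merge:
 needs: quality_checks
-uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 secrets:
 AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
 AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
+permissions:
+contents: write
+pull-requests: write
 get_config_values:
-uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 with:
 verify_published_from_main_image: false
-
+permissions:
+attestations: read
+contents: read
+packages: read
 
 quality_checks:
-uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 needs: [get_config_values]
 with:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
+permissions:
+contents: read
+id-token: write
+packages: read
 pr_title_format_check:
-uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ac2707dd9cd60ad127275179495b9c890d74711
-
+uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
+permissions:
+pull-requests: write
 get_issue_number:
 runs-on: ubuntu-22.04
 needs: quality_checks
 outputs:
 issue_number: ${{steps.get_issue_number.outputs.result}}
 
 steps:
-- uses: actions/github-script@v8
+- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 name: get issue number
 id: get_issue_number
 with:
@@ -60,16 +69,16 @@ jobs:
 
 tag_release:
 needs: [get_config_values]
-uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 permissions:
 id-token: write
 contents: write
+packages: write
 with:
 dry_run: true
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 branch_name: ${{ github.event.pull_request.head.ref }}
 tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-secrets: inherit
 
 get_commit_id:
 runs-on: ubuntu-22.04
@@ -86,10 +95,17 @@ jobs:
 uses: ./.github/workflows/sam_package_code.yml
 with:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+permissions:
+contents: read
+packages: read
+id-token: write
 
 release_code:
 needs: [get_issue_number, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 IS_PULL_REQUEST: true
 STACK_NAME: pfp-pr-${{needs.get_issue_number.outputs.issue_number}}
@@ -122,6 +138,9 @@ jobs:
 release_sandbox_code:
 needs: [get_issue_number, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 IS_PULL_REQUEST: true
 STACK_NAME: pfp-pr-${{needs.get_issue_number.outputs.issue_number}}-sandbox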
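Review bot: The SHA pin on `actions/github-script` (new line 50) drops the `@v8` that told readers which release the hash corresponds to; keep it as a trailing comment, `- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8`, which is also the form Dependabot maintains when it bumps pinned SHAs. get_issue_number declares no `permissions:` block, so with the new top-level `permissions: {}` its github-script step runs with an empty GITHUB_TOKEN; if the script (outside the hunk) reads the pull request through the API on a private repository it needs `pull-requests: read`, so confirm. dependabot-auto-approve-and-merge receives `contents: write` and `pull-requests: write` while also being handed an app id and PEM; if the called workflow acts through the app token, those GITHUB_TOKEN grants may be unused and could be dropped, which is worth checking against the pinned c8f899f revision.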

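--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,21 +2,28 @@ name: deploy to environments
 
 on:
 workflow_dispatch:
+permissions: {}
 
 jobs:
 get_config_values:
-uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 with:
 verify_published_from_main_image: true
-
+permissions:
+attestations: read
+contents: read
+packages: read
 quality_checks:
-uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 needs: [get_config_values]
 with:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
+permissions:
+contents: read
+id-token: write
+packages: read
 get_commit_id:
 runs-on: ubuntu-22.04
 outputs:
@@ -29,10 +36,11 @@ jobs:
 
 tag_release:
 needs: [quality_checks, get_commit_id, get_config_values]
-uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20
 permissions:
 id-token: write
 contents: write
+packages: write
 with:
 dry_run: false
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
@@ -48,10 +56,17 @@ jobs:
 uses: ./.github/workflows/sam_package_code.yml
 with:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+permissions:
+contents: read
+packages: read
+id-token: write
 
 release_dev:
 needs: [tag_release, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp
@@ -92,6 +107,9 @@ jobs:
 release_dev_sandbox:
 needs: [tag_release, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp-sandbox
@@ -131,6 +149,9 @@ jobs:
 get_config_values,
 ]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp
@@ -171,6 +192,9 @@ jobs:
 get_config_values,
 ]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp
@@ -205,6 +229,9 @@ jobs:
 release_int:
 needs: [tag_release, release_qa, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp
@@ -245,6 +272,9 @@ jobs:
 release_sandbox:
 needs: [tag_release, release_qa, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp-sandbox
@@ -274,6 +304,9 @@ jobs:
 needs:
 [tag_release, release_int, release_sandbox, package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/sam_release_code.yml
+permissions:
+contents: write
+id-token: write
 with:
 ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
 STACK_NAME: pfp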
