Chore: [AEA-6424] - use new common workflows #4525
Conversation
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
Pull request overview
Updates repository automation to align with newer shared EPS workflows and security tooling configuration, mainly by adjusting GitHub Actions workflow permissions/checkout behavior and swapping vulnerability scanning configuration files.
Changes:
- Add Zizmor and Grype configuration and update pre-commit hooks (including a new local Grype scan hook).
- Update multiple GitHub Actions workflows to use explicit `permissions: {}` defaults and `persist-credentials: false` on checkouts, plus some token/env handling tweaks.
- Remove legacy Trivy and CodeQL configuration/workflows and an older `release_ref` workflow.
Reviewed changes
Copilot reviewed 21 out of 22 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| zizmor.yml | Adds Zizmor rule config/ignores for workflow linting. |
| trivy.yaml | Removes Trivy config indirection to .trivyignore. |
| .trivyignore.yaml | Removes Trivy vulnerability ignore list. |
| .pre-commit-config.yaml | Updates pre-commit hooks version and adds a new local "grype-scan-local" hook. |
| .grype.yaml | Adds Grype vulnerability ignore list. |
| .gitignore | Ignores .sbom/. |
| .github/workflows/update_validator_version.yml | Updates permissions/checkout and adds a GitHub App token generation step. |
| .github/workflows/update_dev_container_version.yml | Minor workflow formatting change. |
| .github/workflows/sync_copilot.yml | Adds explicit workflow-level permissions block. |
| .github/workflows/run_regression_tests.yml | Adds explicit workflow permissions and refines token/env passing. |
| .github/workflows/run_pact_tests.yml | Adds explicit workflow permissions and updates checkout credential persistence. |
| .github/workflows/run_epsat_tests.yml | Adds explicit workflow permissions and updates checkout credential persistence. |
| .github/workflows/release.yml | Adds workflow/job permissions blocks and removes a local get_version job dependency. |
| .github/workflows/release_ref.yml | Removes the dedicated REF release workflow. |
| .github/workflows/pull_request.yml | Switches to common workflows (currently via a branch ref) and adds explicit permissions blocks. |
| .github/workflows/delete_old_cloudformation_stacks.yml | Adds explicit workflow permissions, checkout changes, and pins AWS credentials action. |
| .github/workflows/codeql-analysis.yml | Removes CodeQL analysis workflow. |
| .github/workflows/ci.yml | Adds workflow/job permissions blocks and removes a local get_version job dependency. |
| .github/workflows/cdk_release_code.yml | Adds explicit workflow permissions and adjusts account-id propagation + checkout credential persistence. |
| .github/workflows/cdk_package_code.yml | Adjusts checkout credential persistence and switches some env propagation to step outputs. |
| .gitallowed | Allows a new ${GITHUB_TOKEN} token pattern. |
| .devcontainer/devcontainer.json | Bumps devcontainer image version. |
Comments suppressed due to low confidence (2)
.github/workflows/pull_request.yml:60
- With workflow-level `permissions: {}`, this job currently has no token permissions. `actions/github-script` calls `repos.listPullRequestsAssociatedWithCommit`, which will fail without at least `pull-requests: read` (and typically `contents: read`). Add explicit job-level permissions here (or relax the workflow-level restriction) so this step can query the API.

```yaml
get_issue_number:
  runs-on: ubuntu-22.04
  needs: quality_checks
  outputs:
    issue_number: ${{ steps.get_issue_number.outputs.result }}
    version: ${{ steps.get_issue_number.outputs.version_number }}
  steps:
    - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
      name: get issue number
```
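The least-privilege shape the comment above asks for, as an added example rather than the repository's own workflow: the workflow keeps `permissions: {}` as its default, and only the job that talks to the API opts in to `contents: read` and `pull-requests: read`. The trigger, the `quality_checks` body and the `actions/checkout@v4` tag are assumptions for illustration (the PR itself pins actions to commit SHAs, which is what Zizmor expects; only the `github-script` SHA below is taken from the page).

```yaml
# Added example: a hypothetical workflow, not the repository's pull_request.yml.
name: example_least_privilege

on:
  push:
    branches: [master]   # assumed trigger; the commit->PR lookup only makes sense on push

# Deny every GITHUB_TOKEN scope by default. Each job must opt in to what it needs.
permissions: {}

jobs:
  quality_checks:
    runs-on: ubuntu-22.04
    permissions:
      contents: read            # enough to clone; nothing else
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in real use, as the PR does
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for later steps
      - run: echo "hypothetical quality checks run here"

  get_issue_number:
    runs-on: ubuntu-22.04
    needs: quality_checks
    # Opt in to exactly the scopes the API call below requires.
    # Under the inherited `permissions: {}` the call returns 403.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      issue_number: ${{ steps.get_issue_number.outputs.result }}
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        id: get_issue_number
        name: get issue number
        with:
          result-encoding: string
          script: |
            // Uses the job-scoped GITHUB_TOKEN supplied by github-script.
            const prs = await github.rest.repos.listPullRequestsAssociatedWithCommit({
              owner: context.repo.owner,
              repo: context.repo.repo,
              commit_sha: context.sha,
            });
            if (prs.data.length === 0) {
              core.setFailed(`no pull request associated with ${context.sha}`);
              return '';
            }
            return String(prs.data[0].number);
```

Job-level `permissions` replace, rather than extend, the workflow-level block, so listing both scopes on the job is what makes the call work while every other job still runs with no token scopes at all.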
.github/workflows/update_validator_version.yml:52
- The `Create GitHub App Token` step is currently unused, while `create-pull-request` uses a long-lived PAT (`secrets.VALIDATOR_UPGRADE_PAT`). Prefer using the generated GitHub App token output for the PR creation and remove the PAT usage. Also, `commit-message` references `env.BRANCH_NAME`, but this workflow no longer defines it, so the message will be blank/incorrect; use a defined value (e.g., `master` or `env.NEW_BRANCH_NAME`).

```yaml
- name: Create GitHub App Token
  uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
  id: generate-token
  with:
    app-id: "${{ secrets.CREATE_PULL_REQUEST_APP_ID }}"
    private-key: "${{ secrets.CREATE_PULL_REQUEST_PEM }}"
- name: Create pull request
  if: env.HAS_VALIDATOR_CHANGED == 'true'
  uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
  with:
    base: master
    branch: ${{ env.NEW_BRANCH_NAME }}
    title: "Upgrade: [dependabot] - bump fhir validator from ${{ env.CURRENT_VALIDATOR_VERSION }} to ${{ env.NEW_VALIDATOR_VERSION }}"
    body: "This PR was automatically created by GitHub Actions to update validator versions."
    commit-message: "Update validator versions on ${{ env.BRANCH_NAME }}"
    sign-commits: true
    token: ${{ secrets.VALIDATOR_UPGRADE_PAT }}
    labels: dependencies
```
Pull request overview
Copilot reviewed 23 out of 24 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
.github/workflows/update_validator_version.yml:30
`NEW_BRANCH_NAME` is being set, but it is no longer used anywhere in this workflow (the `create-pull-request` step no longer sets `branch:`). Either re-add `branch: ${{ env.NEW_BRANCH_NAME }}` (or similar) to avoid branch collisions, or remove the unused branch-name step to prevent confusion.

```yaml
- name: Set up date-time branch name
  id: datetime
  run: |
    # shellcheck disable=SC2086
    echo "NEW_BRANCH_NAME=update-validator-$(date +'%Y%m%d-%H%M%S')" >> $GITHUB_ENV
```
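The two `update_validator_version.yml` comments above (the unused App token alongside a long-lived PAT, and the `NEW_BRANCH_NAME` step that nothing consumes) point at the same job, so this added example resolves both together. It is not the repository's workflow: the job name, the checkout pin, and the step that sets `HAS_VALIDATOR_CHANGED`, `CURRENT_VALIDATOR_VERSION` and `NEW_VALIDATOR_VERSION` are stand-ins; the action SHAs and secret names are the ones visible in the PR snippets.

```yaml
# Added example: a hypothetical job, not the repository's update_validator_version.yml.
permissions: {}   # GITHUB_TOKEN gets no scopes; the App installation token does the writing

jobs:
  update_validator:
    runs-on: ubuntu-22.04
    permissions:
      contents: read          # checkout only; the PR is opened with the App token below
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in real use, as the PR does
        with:
          persist-credentials: false

      - name: Set up date-time branch name
        id: datetime
        # Quoting $GITHUB_ENV removes the need for the shellcheck SC2086 suppression.
        run: echo "NEW_BRANCH_NAME=update-validator-$(date +'%Y%m%d-%H%M%S')" >> "$GITHUB_ENV"

      - name: Check validator version (stand-in for the real comparison step)
        run: |
          {
            echo "HAS_VALIDATOR_CHANGED=true"
            echo "CURRENT_VALIDATOR_VERSION=1.0.0"
            echo "NEW_VALIDATOR_VERSION=1.1.0"
          } >> "$GITHUB_ENV"

      - name: Create GitHub App Token
        id: generate-token
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
        with:
          app-id: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
          private-key: ${{ secrets.CREATE_PULL_REQUEST_PEM }}

      - name: Create pull request
        if: env.HAS_VALIDATOR_CHANGED == 'true'
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          # Short-lived installation token from the step above replaces the PAT.
          token: ${{ steps.generate-token.outputs.token }}
          base: master
          # Consume the date-stamped name so concurrent runs do not fight over one branch.
          branch: ${{ env.NEW_BRANCH_NAME }}
          title: "Upgrade: [dependabot] - bump fhir validator from ${{ env.CURRENT_VALIDATOR_VERSION }} to ${{ env.NEW_VALIDATOR_VERSION }}"
          body: "This PR was automatically created by GitHub Actions to update validator versions."
          # BRANCH_NAME is never defined in this workflow; name the target branch explicitly.
          commit-message: "Update validator versions on master"
          sign-commits: true
          labels: dependencies
```

The App token is minted per run, expires on its own, and carries only the installation's permissions, so revoking a departing engineer's PAT no longer breaks the automation and a leaked token has a short window of use; `secrets.VALIDATOR_UPGRADE_PAT` can then be deleted from the repository rather than left behind as a second credential.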