1 change: 0 additions & 1 deletion .devcontainer/devcontainer.json
Expand Up @@ -11,7 +11,6 @@
"USER_GID": "${localEnv:GROUP_ID:}"
}
},
"postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
"mounts": [
"source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
Comment on lines 13 to 15
Copilot AI Apr 1, 2026

Removing the postAttachCommand drops the git-secrets --register-aws and custom deny rules setup. With no other references to these rules in the repo, developers using the devcontainer will no longer have those git-secrets patterns configured, reducing local secret-detection coverage. If this is intentional, consider migrating the rules setup into the pre-commit hook (or another repo-managed bootstrap step) so it remains consistently applied.

"source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
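Review bot: removing `postAttachCommand` leaves nothing in this diff that registers the `git-secrets` AWS patterns or the `nhsd-rules-deny.txt` provider, while the unchanged `mounts` lines below it still bind the host's `.aws` and `.ssh` directories into the container. The hook added to `.pre-commit-config.yaml` in this PR checks signing configuration only, so it is not a replacement. Either keep the command or move the two `git-secrets` calls into a repo-managed pre-commit hook in the same PR, so secret scanning does not depend on which editor or container a developer attaches from.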
6 changes: 3 additions & 3 deletions .github/dependabot.yml
Expand Up @@ -22,7 +22,7 @@ updates:
commit-message:
prefix: "Upgrade: [dependabot] - "
cooldown:
default-days: 3
default-days: 7
###################################
Comment on lines 22 to 26
Copilot AI Apr 1, 2026

The PR description only mentions fixing the Copilot sync workflow, but this change set also adjusts dependabot cooldowns, adds a new pre-commit hook, updates the devcontainer update workflow, and removes a devcontainer hook. Please update the PR description to reflect these additional changes (or split into separate PRs) to keep review/audit context accurate.

# Poetry #########################
###################################
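Review bot: the new `default-days: 7` under `cooldown:` has no comment recording why the window moved from 3 to 7 days, and the same undocumented edit repeats in the two hunks that follow. A one-line YAML comment beside the first occurrence would let a later reader tell a deliberate supply-chain delay from an arbitrary number. Dependabot applies `cooldown` to version updates only, so security updates are not held back by this change; saying so in that comment would pre-empt the obvious question.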
Expand All @@ -37,7 +37,7 @@ updates:
prefix: "Upgrade: [dependabot] - "
versioning-strategy: increase
cooldown:
default-days: 3
default-days: 7
###################################
# NPM workspace ##################
###################################
Expand All @@ -54,4 +54,4 @@ updates:
registries:
- npm-github
cooldown:
default-days: 3
default-days: 7
4 changes: 2 additions & 2 deletions .github/workflows/sync_copilot.yml
Expand Up @@ -14,9 +14,9 @@ jobs:

steps:
- name: Sync shared instructions
uses: NHSDigital/eps-copilot-instructions@08241b83de78b996e7796806be8435314e9f0b7a
uses: NHSDigital/eps-copilot-instructions@a7849a16aabd5c1edef13e29467a480fa08555f8
with:
common_workflows_ref: main
copilot_instructions_ref: main
calling_repo_base_branch: main
CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}
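Review bot: `copilot_instructions_ref: main` is a branch ref, so pinning `uses:` to `a7849a16aabd5c1edef13e29467a480fa08555f8` fixes the action's code but not the content it pulls in and then commits using `CREATE_PULL_REQUEST_PEM`. If the action accepts a tag or commit for that input, pin it too, or note in a comment that tracking `main` is intended. Since the input name changed from `common_workflows_ref`, also confirm the new commit's action metadata declares `copilot_instructions_ref`: an undeclared input produces only a warning and the default is used silently. A trailing comment with the release tag beside the SHA would make the bump reviewable.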
24 changes: 14 additions & 10 deletions .github/workflows/update_dev_container_version.yml
@@ -1,19 +1,23 @@
name: Update Devcontainer Version
name: Update devcontainer version

on:
workflow_dispatch:
schedule:
- cron: "0 18 * * 4"
- cron: '0 6 * * 4'
permissions: {}

jobs:
update_devcontainer_version:
uses: NHSDigital/eps-common-workflows/.github/workflows/update-dev-container-version.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
update-devcontainer-version:
runs-on: ubuntu-22.04
environment: create_pull_request
permissions:
contents: read
packages: read
pull-requests: write
with:
base_branch: main
secrets:
CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}

steps:
- name: Update devcontainer version
uses: NHSDigital/eps-update-devcontainer@dc3a8c5f11e7226ee4f5f2bb35bd0d1265092306
with:
calling_repo_base_branch: main
CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}
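Review bot: the job-level `permissions` block still grants `pull-requests: write` and `packages: read` to `GITHUB_TOKEN`, although the new step is handed `CREATE_PULL_REQUEST_APP_ID` and `CREATE_PULL_REQUEST_PEM` to open the pull request. If `NHSDigital/eps-update-devcontainer` creates the PR with the App token, trim the `GITHUB_TOKEN` grants to what the step actually uses. The added `environment: create_pull_request` only protects those credentials if they are stored on that environment rather than at repository level, which this diff cannot show, so please confirm. The cron move from `0 18 * * 4` to `0 6 * * 4` is also unexplained; a comment on that line would do.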
20 changes: 20 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -23,6 +23,26 @@ repos:

- repo: local
hooks:
- id: check-commit-signing
name: Check commit signing
description: Ensures that commits are GPG signed
entry: bash
args:
- -c
- |
if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then
Copilot AI Apr 1, 2026

The commit signing check only matches the literal string "true". Git boolean config values can be set as "1"/"yes"/"on" etc., which would incorrectly fail this hook even though signing is enabled. Consider using git config --bool --get commit.gpgsign (or equivalent) for a reliable boolean check instead of grepping the raw value.

Suggested change
if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then
if [ "$(git config --bool --get commit.gpgsign 2>/dev/null)" != "true" ]; then

echo "Error: Commit signing is not enabled."
echo "Please enable commit signing with:"
echo " git config commit.gpgsign true"
echo ""
echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
Comment on lines +28 to +38
Copilot AI Apr 1, 2026

The hook messaging says commits must be "GPG signed", but GitHub supports SSH commit signing as well; commit.gpgsign=true can be used with non-GPG signing formats depending on user config. To avoid misleading guidance, consider wording this as "commit signing" (or "signed commits") rather than specifically "GPG".

exit 1
fi
echo "Commit signing is properly configured."
language: system
pass_filenames: false
always_run: true

- id: lint-cdk
name: Lint cdk
entry: npm
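Review bot: the `check-commit-signing` hook reads `commit.gpgsign` from config and never inspects a commit, so it passes when the setting is on but a commit is made with `--no-gpg-sign`, and it does not run at all under `--no-verify`. The `name` and `description` should present it as a configuration check, and enforcement should stay with the server-side required-signed-commits rule on the protected branch. It would also help to test `user.signingkey` (or the configured signing format) so a developer with the flag set but no key gets this message rather than a later signing failure. In the `if` line, `> /dev/null 2>&1` is attached to `grep -q`, which already prints nothing, so the redirect can go.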