Chore: [AEA-0000] - update tag release workflow to use correct notes file #126
Merged
anthony-nhs merged 48 commits into main from Apr 7, 2026
Pull request overview
This PR updates the reusable GitHub Actions workflows, primarily changing how release notes are generated/published for tag releases, while also tightening workflow permissions and adjusting the repo’s security/scanning tooling configuration.
Changes:
- Update `tag-release-devcontainer` to publish gh-pages release notes from `CHANGELOG.md` (instead of fetching/editing the GitHub Release body).
- Add/standardize explicit `permissions: {}` and job-level permissions across multiple workflows; adjust checkout credential persistence.
- Replace/remove Trivy config/docs and add Grype/Zizmor-related configuration and hooks; remove deprecated “combine PRs” workflow/scripts.
Reviewed changes
Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `zizmor.yml` | Adds Zizmor rule configuration/ignores for specific workflows. |
| `trivy.yaml` | Removes Trivy ignorefile configuration entry. |
| `README.md` | Removes documentation for Trivy exclusions and several removed workflows/docs. |
| `Makefile` | Changes Node install to use `npm ci` with scripts disabled. |
| `combine-prs.js` | Removes the JS implementation for combining PRs. |
| `.trivyignore.yaml` | Removes Trivy ignore rules/expirations. |
| `.pre-commit-config.yaml` | Adds a local Grype scan hook to pre-commit configuration. |
| `.grype.yaml` | Adds Grype ignore configuration for specific GHSA IDs. |
| `.github/workflows/update-dev-container-version.yml` | Minor formatting change (blank line). |
| `.github/workflows/tag-release-devcontainer.yml` | Switches gh-pages release notes source to `CHANGELOG.md`; adjusts permissions and checkout credential persistence; removes release-body editing steps. |
| `.github/workflows/sync_copilot.yml` | Adds top-level `permissions: {}` and sets job permissions. |
| `.github/workflows/release.yml` | Adds top-level/job permissions and removes `secrets: inherit` from tag release job. |
| `.github/workflows/quality-checks.properties.json` | Removes the workflow template metadata file. |
| `.github/workflows/quality-checks-devcontainer.yml` | Adds explicit permissions; swaps Trivy-based steps for Grant/Syft/Grype; adds Zizmor and adjusts secrets scanning setup. |
| `.github/workflows/pull_request.yml` | Adds top-level/job permissions and removes `secrets: inherit` from tag release job. |
| `.github/workflows/pr_title_check.yml` | Adds top-level `permissions: {}` and removes PR-commenting steps. |
| `.github/workflows/get-repo-config.yml` | Adds top-level/job permissions and disables checkout credential persistence. |
| `.github/workflows/dependabot-auto-approve-and-merge.yml` | Moves permissions to job-level and tightens the `if` condition (bot + same-repo check). |
| `.github/workflows/combine-dependabot-prs.yml` | Removes the combine Dependabot PRs workflow. |
| `.github/CODEOWNERS` | Adds codeowners rule for workflow changes. |
| `.devcontainer/devcontainer.json` | Bumps devcontainer image version. |
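
A minimal workflow showing the hardening patterns the overview lists: deny-by-default token permissions, job-level scopes, no persisted checkout credentials, explicit secrets instead of `secrets: inherit`, and a bot plus same-repo guard. This is an added example, not taken from this repository; the job names, the secret name and the `make` target are assumptions.

```yaml
# Added illustration only: job names, the secret name and the make target are hypothetical.
name: pull_request
on:
  pull_request:
    branches: [main]

# Deny by default. Without this block every job receives the repository's
# default GITHUB_TOKEN permissions.
permissions: {}

jobs:
  quality_checks:
    runs-on: ubuntu-latest
    permissions:
      contents: read                # the only scope this job needs
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in real use
        with:
          # Default is true, which leaves the token available to git
          # for every later step in the job.
          persist-credentials: false
      - run: make test              # hypothetical target

  tag_release:
    needs: quality_checks
    permissions:
      contents: read
    uses: ./.github/workflows/tag-release-devcontainer.yml
    # Weak form: `secrets: inherit` passes every caller secret to the callee.
    # Pass only what the called workflow declares.
    secrets:
      EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}   # hypothetical name

  dependabot_auto_approve:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    # Bot check plus same-repo check, so a fork PR cannot reach this job.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - run: gh pr review --approve "$PR_URL"
        env:
          GH_TOKEN: ${{ github.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
```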