From 4a2fbefebc95f72503522156423c949439c747ae Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 30 Mar 2026 17:06:50 +0000
Subject: [PATCH 1/2] sync copilot
---
 .github/workflows/sync_copilot.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .github/workflows/sync_copilot.yml
diff --git a/.github/workflows/sync_copilot.yml b/.github/workflows/sync_copilot.yml
new file mode 100644
index 0000000..72b62eb
--- /dev/null
+++ b/.github/workflows/sync_copilot.yml
@@ -0,0 +1,22 @@
+name: Sync Copilot Instructions
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 6 * * 1'
+
+jobs:
+ sync-copilot-instructions:
+ runs-on: ubuntu-22.04
+ environment: create_pull_request
+ permissions:
+ contents: read
+
+ steps:
+ - name: Sync shared instructions
+ uses: NHSDigital/eps-copilot-instructions@a7849a16aabd5c1edef13e29467a480fa08555f8
+ with:
+ copilot_instructions_ref: main
+ calling_repo_base_branch: main
+ CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
+ CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}
From a883c1f5759126dbd222abcf3be3c6a78f6db5c8 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 1 Apr 2026 12:21:35 +0000
Subject: [PATCH 2/2] add pre-commit to check signing
---
 .github/workflows/sync_copilot.yml | 4 +++-
 .pre-commit-config.yaml | 28 ++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/sync_copilot.yml b/.github/workflows/sync_copilot.yml
index 72b62eb..fa03c3a 100644
--- a/.github/workflows/sync_copilot.yml
+++ b/.github/workflows/sync_copilot.yml
@@ -5,6 +5,8 @@ on:
 schedule:
 - cron: '0 6 * * 1'
+permissions: {}
+
 jobs:
 sync-copilot-instructions:
 runs-on: ubuntu-22.04
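Review bot: In the new `sync_copilot.yml` (patch 1/2), the App private key `CREATE_PULL_REQUEST_PEM` is passed to the action as a `with:` input, so the job-level `contents: read` limits only GITHUB_TOKEN and the effective write capability is whatever the GitHub App installation grants. Because `workflow_dispatch` runs the copy of the workflow on whichever branch is selected, the `create_pull_request` environment should be limited to `main` by a deployment branch rule so that an edited copy on another branch cannot read the key; that setting is not visible in this patch. A short comment above the job's `permissions:` would record the design, for example `# GITHUB_TOKEN is read-only; the PR is opened with the GitHub App token`. Separately, `copilot_instructions_ref: main` follows a moving branch while the action itself is pinned to a commit, so the synced instruction text is only as trustworthy as the review given to the resulting pull request.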
@@ -14,7 +16,7 @@ jobs:
 steps:
 - name: Sync shared instructions
- uses: NHSDigital/eps-copilot-instructions@a7849a16aabd5c1edef13e29467a480fa08555f8
+ uses: NHSDigital/eps-copilot-instructions@304ab2f4b7cdc15a1d7c0a0fae5290fad41b2451
 with:
 copilot_instructions_ref: main
 calling_repo_base_branch: main
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a4aafc5..46f8ca0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -49,6 +49,34 @@ repos:
 - -c
 - 'git-secrets --pre_commit_hook'
 language: system
+ - id: check-commit-signing
+ name: Check commit signing
+ description: Ensures that commits are GPG signed
+ entry: bash
+ args:
+ - -c
+ - |
+ if ! git config --get user.signingkey > /dev/null 2>&1; then
+ echo "Error: Git signing key not configured."
+ echo "Please configure your GPG signing key with:"
+ echo " git config user.signingkey "
+ echo ""
+ echo "To find your GPG key ID, run: gpg --list-secret-keys --keyid-format=long"
+ echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
+ exit 1
+ fi
+ if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then
+ echo "Error: Commit signing is not enabled."
+ echo "Please enable commit signing with:"
+ echo " git config commit.gpgsign true"
+ echo ""
+ echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
+ exit 1
+ fi
+ echo "Commit signing is properly configured."
+ language: system
+ pass_filenames: false
+ always_run: true
 fail_fast: true
 default_stages: [pre-commit]
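Review bot: The `check-commit-signing` hook added to `.pre-commit-config.yaml` inspects local git configuration rather than any signature, so `description: Ensures that commits are GPG signed` overstates what it guarantees. It cannot see whether the resulting commit is actually signed, and client-side hooks can be skipped, so enforcement still has to come from a server-side rule such as requiring signed commits on the protected branch. The `commit.gpgsign` test greps the raw value for the substring `true`, which rejects the equally valid settings `yes`, `on` and `1`; `if [ "$(git config --type=bool --get commit.gpgsign)" != "true" ]; then` compares the canonical value instead. Requiring `user.signingkey` also fails for contributors who let GPG select the default key for their committer identity, so that branch may be better as a warning. I would reword the description to `Checks that git is configured to sign commits`.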