Pull request overview
Adds configuration and workflow adjustments to support new automated quality/security checks (zizmor + grype), and tightens GitHub Actions defaults (permissions/credential persistence) across CI/CD workflows.
Changes:
- Introduces zizmor and grype configuration (with ignore lists) and ignores generated SBOM output.
- Updates multiple GitHub Actions workflows to set explicit `permissions: {}` defaults, reduce credential persistence, and normalize env var usage.
- Updates the devcontainer image version and removes the legacy PR-comment "link dev website" workflow.
Reviewed changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| zizmor.yml | Adds zizmor rules with targeted ignore coordinates for existing findings. |
| .grype.yaml | Adds grype ignore list for specific GHSA IDs. |
| .gitignore | Ignores `.sbom/` output directory. |
| .github/workflows/update_dev_container_version.yml | Minor formatting-only change. |
| .github/workflows/sync_copilot.yml | Adds workflow-level `permissions: {}` (job keeps explicit permissions). |
| .github/workflows/run_regression_tests.yml | Adds `permissions: {}` default; normalizes `GITHUB_TOKEN` usage and quoting. |
| .github/workflows/release.yml | Adds `permissions: {}` and removes reusable-workflow secret inheritance. |
| .github/workflows/release_all_stacks.yml | Adds `permissions: {}` default; refactors bash interpolation to env variables; adjusts checkout credential persistence; adds env blocks for some steps. |
| .github/workflows/pull_request.yml | Adds `permissions: {}` default; changes checkout behavior; removes reusable-workflow secret inheritance; changes deployed URL reporting. |
| .github/workflows/link_dev_website.yml | Removes workflow that commented deployed URL on PR open. |
| .github/workflows/delete_old_cloudformation_stacks.yml | Adds workflow-level `permissions: {}` default; reduces checkout credential persistence; removes comments/ref usage. |
| .github/workflows/ci.yml | Adds `permissions: {}` default and removes reusable-workflow secret inheritance. |
| .github/workflows/cdk_package_code.yml | Adds `permissions: {}` default; reduces checkout credential persistence. |
| .devcontainer/devcontainer.json | Updates devcontainer image version. |
Comments suppressed due to low confidence (5)
.github/workflows/pull_request.yml:29
- In a `pull_request` workflow, omitting `ref` in `actions/checkout` will check out the PR merge ref by default. That means `git show -s --format=%s` may read the merge commit message instead of the PR head commit, breaking the `#skip-qc` logic. Set `ref` to the PR head SHA/ref (e.g. `${{ github.event.pull_request.head.sha }}`) when checking out for commit-message inspection.

```yaml
  AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
  AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
get_commit_message:
  runs-on: ubuntu-22.04
  outputs:
```
.github/workflows/pull_request.yml:212
- This reusable-workflow call to `release_all_stacks.yml` no longer passes any secrets. The called workflow references secrets such as `CLOUD_FORMATION_DEPLOY_ROLE`, APIGEE credentials, OIDC client IDs, and `JWT_PRIVATE_KEY`; without an explicit `secrets:` mapping (or `secrets: inherit`), those values will be unset and deployments/regression tests will fail. Pass an explicit allow-list of required secrets (preferred) or restore `secrets: inherit`.

```yaml
mockOidcIssuer: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev"
mockOidcAuthorizeEndpoint: "https://internal-dev.api.service.nhs.uk/oauth2-mock/authorize"
mockOidcTokenEndpoint: "https://internal-dev.api.service.nhs.uk/oauth2-mock/token"
mockOidcUserInfoEndpoint: "https://internal-dev.api.service.nhs.uk/oauth2-mock/userinfo"
```
.github/workflows/ci.yml:89
- This reusable-workflow invocation of `release_all_stacks.yml` no longer passes secrets. Since the called workflow consumes repository secrets (AWS role to assume, APIGEE credentials, OIDC client IDs, JWT private key, etc.), it will fail unless the caller provides them via `secrets:` (preferred allow-list) or `secrets: inherit`.

```yaml
mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
allowLocalhostAccess: true
useCustomCognitoDomain: true
APIGEE_CIS2_TOKEN_ENDPOINT: "https://internal-dev.api.service.nhs.uk/oauth2/token"
```
.github/workflows/release.yml:91
- These `release_*` jobs call `release_all_stacks.yml` as a reusable workflow but no longer pass secrets. The reusable workflow references secrets like `CLOUD_FORMATION_DEPLOY_ROLE`, APIGEE credentials, OIDC client IDs, and `JWT_PRIVATE_KEY`, so deployments will fail unless the caller passes them via an explicit `secrets:` allow-list (preferred) or restores `secrets: inherit`.

```yaml
mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
allowLocalhostAccess: true
useCustomCognitoDomain: true
```
.github/workflows/pull_request.yml:224
- PR description says this is only "new quality checks", but this workflow change now reports the deployed URL only in the Actions step summary. Given the removal of the `link_dev_website` workflow, the deployed URL may no longer be posted back to the PR as a comment; please confirm this behavior change is intended and update the PR description if so.

```yaml
APIGEE_PDS_ENDPOINT: "https://internal-dev.api.service.nhs.uk/personal-demographics/FHIR/R4/"
APIGEE_DOHS_ENDPOINT: "https://int.api.service.nhs.uk/service-search-api/"
JWT_KID: "eps-cpt-ui-dev"
ROLE_ID: "555254242106"
LOG_LEVEL: "DEBUG"
RUN_REGRESSION_TESTS: true
```
.github/workflows/pull_request.yml

```yaml
env:
  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
permissions: {}
```
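Review bot: binding `github.event.pull_request.head.ref` through `env:` instead of interpolating it into a `run:` script is the right mitigation, since a branch name is chosen by whoever opens the PR; make sure every step that consumes it reads the quoted shell variable (`"$BRANCH_NAME"`) rather than re-introducing `${{ env.BRANCH_NAME }}` inside the script, and if only one job uses it, scope the `env:` to that job rather than the whole workflow.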
`permissions: {}` at workflow level removes all default `GITHUB_TOKEN` scopes. Jobs in this workflow that call GitHub APIs or check out the repo (e.g. `get_commit_message`, `quality_gate`, `get_issue_number`) currently have no job-level permissions, so `actions/checkout` / `actions/github-script` are likely to fail. Add least-privilege job permissions (e.g. `contents: read` for checkout, `actions: read` for listing workflow jobs, and `pull-requests: read` if needed for PR lookup).
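The shape the two comments above ask for (a workflow-level `permissions: {}` with per-job least-privilege grants, PR head checkout for commit-message inspection, and untrusted PR data bound through `env:`), written here as an added example and not taken from the PR under review. The job names `get_commit_message` and `quality_gate` and the `#skip-qc` marker come from the review comments; the step contents, the `skip_qc` output name and the API call are assumptions for illustration.

```yaml
name: pull_request
on:
  pull_request:

# Workflow-level default: the GITHUB_TOKEN starts with no scopes at all.
permissions: {}

# Assumed: untrusted PR data is bound through env, never pasted into run: scripts.
env:
  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}

jobs:
  get_commit_message:
    runs-on: ubuntu-22.04
    # Only what actions/checkout needs; nothing else is granted to this job.
    permissions:
      contents: read
    outputs:
      skip_qc: ${{ steps.msg.outputs.skip_qc }}   # assumed output name
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR head commit, not the synthetic merge commit,
          # so the subject inspected below is the author's own commit message.
          ref: ${{ github.event.pull_request.head.sha }}
          # The token is only needed for the clone; do not leave it in .git/config.
          persist-credentials: false
      - id: msg
        shell: bash
        run: |
          # No ${{ }} expressions inside the script: HEAD is the checked-out PR head.
          set -euo pipefail
          subject="$(git show -s --format=%s HEAD)"
          if [[ "$subject" == *"#skip-qc"* ]]; then
            echo "skip_qc=true" >> "$GITHUB_OUTPUT"
          else
            echo "skip_qc=false" >> "$GITHUB_OUTPUT"
          fi

  quality_gate:
    needs: get_commit_message
    if: needs.get_commit_message.outputs.skip_qc != 'true'
    runs-on: ubuntu-22.04
    # Listing the jobs of the current run needs only actions: read.
    permissions:
      actions: read
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            // Assumed use of the token: enumerate this run's jobs via the REST API.
            const jobs = await github.rest.actions.listJobsForWorkflowRun({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: context.runId,
            });
            core.info(`${jobs.data.total_count} jobs in this run`);
```

Two design points: each job names exactly the scopes it uses, so a compromised step in `quality_gate` cannot push to the repository and a compromised step in `get_commit_message` cannot touch the Actions API; and the head checkout is safe here because the trigger is `pull_request`, where the job runs with a read-only token and no repository secrets, which is not the case for `pull_request_target`.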
.github/workflows/release_all_stacks.yml

```yaml
aws s3 cp ".build/packages/cpt-ui/dist/assets/" "s3://${staticBucketName}/source_maps/${{ inputs.COMMIT_ID }}/site/assets/" --exclude "*" --include "*.map" --recursive
aws s3 cp ".build/packages/staticContent/jwks/${TARGET_ENVIRONMENT}/jwks.json" "s3://${staticBucketName}/jwks.json"
aws s3 cp --recursive ".build/packages/cpt-ui/dist/" "s3://${staticBucketName}/${VERSION_NUMBER}/"
aws s3 cp ".build/packages/cpt-ui/dist/assets/" "s3://${staticBucketName}/source_maps/${COMMIT_ID}/site/assets/" --exclude "*" --include "*.map" --recursive
```
This step now references `${SERVICE_NAME}`, `${TARGET_ENVIRONMENT}`, `${VERSION_NUMBER}` and `${COMMIT_ID}`, but none of these are set in the job environment and this step has no `env:` block, so they will expand to empty strings at runtime. Add an `env:` mapping for these inputs (as done in nearby steps) to avoid uploading to the wrong S3 paths / querying the wrong CloudFormation export names.
```yaml
aws s3 cp ".build/packages/cpt-ui/dist/assets/" "s3://${staticBucketName}/source_maps/${COMMIT_ID}/site/assets/" --exclude "*" --include "*.map" --recursive
env:
  SERVICE_NAME: ${{ inputs.SERVICE_NAME }}
  TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }}
  VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }}
  COMMIT_ID: ${{ inputs.COMMIT_ID }}
```
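Review bot: with the `env:` mapping in place the script no longer contains `${{ inputs.* }}` expressions, so workflow inputs are passed as data rather than spliced into the shell command; the remaining risk noted in the comment above (an unset variable silently expanding to an empty string and uploading to `s3://${staticBucketName}//site/assets/`) is best closed by starting the script with `set -euo pipefail`, which makes bash abort on any unset variable instead of writing to the wrong prefix.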
zizmor.yml

```yaml
# these are ignored because they are using known secrets
ignore:
  - delete_old_cloudformation_stacks.yml:29:31
  - delete_old_cloudformation_stacks.yml:18:9
```
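Review bot: these ignore entries are `file:line:column` coordinates, so the next edit to `delete_old_cloudformation_stacks.yml` will shift them and they will stop matching the finding they were meant to suppress; the comment should name the zizmor rule being suppressed and state why each location is a false positive ("using known secrets" does not say which secret or why its use is acceptable), so a future reviewer can re-verify the suppression rather than carry it forward blindly.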
`delete_old_cloudformation_stacks.yml:18:9` doesn't appear to correspond to a secret reference in the current workflow (line 18 is the checkout step). If this ignore is stale, it can hide real findings or confuse future updates; consider removing it or updating it to the actual secret location flagged by zizmor.
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000