diff --git a/.github/actions/acceptance-tests/action.yaml b/.github/actions/acceptance-tests/action.yaml index 92fb879c..7fe3c28a 100644 --- a/.github/actions/acceptance-tests/action.yaml +++ b/.github/actions/acceptance-tests/action.yaml @@ -24,7 +24,7 @@ runs: steps: - name: Fetch terraform output - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: name: terraform-output-${{ inputs.targetComponent }} diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index ab69b34a..0026ebbe 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -8,8 +8,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@v6.0.2 - - uses: actions/setup-node@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' - name: Npm cli install @@ -17,7 +17,7 @@ runs: run: npm ci --min-release-age 3 shell: bash - name: Setup Ruby - uses: ruby/setup-ruby@v1.180.1 + uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with: ruby-version: "3.2" # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically @@ -25,7 +25,7 @@ runs: working-directory: "./docs" - name: Setup Pages id: pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll working-directory: ./docs # Outputs to the './_site' directory by default @@ -36,7 +36,7 @@ runs: JEKYLL_ENV: production - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: "docs/_site/" name: jekyll-docs-${{ inputs.version }} diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index 07d62011..5f876cab 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -32,7 +32,7 @@ runs: run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: lines-of-code-report.json.zip path: ./lines-of-code-report.json.zip @@ -44,7 +44,7 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} diff --git a/.github/actions/node-install/action.yaml b/.github/actions/node-install/action.yaml index bc883dc0..026ddcf2 100644 --- a/.github/actions/node-install/action.yaml +++ b/.github/actions/node-install/action.yaml @@ -10,7 +10,7 @@ runs: using: 'composite' steps: - name: 'Use Node.js' - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' registry-url: 'https://npm.pkg.github.com' diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 9fbe3ca2..014cc5f0 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml @@ -32,7 +32,7 @@ runs: run: zip sbom-repository-report.json.zip sbom-repository-report.json - name: "Upload SBOM report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: sbom-repository-report.json.zip path: ./sbom-repository-report.json.zip @@ -47,7 +47,7 @@ runs: run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - name: "Upload vulnerabilities report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: vulnerabilities-repository-report.json.zip path: ./vulnerabilities-repository-report.json.zip @@ -58,7 +58,7 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index ab3f11df..aa5a82bf 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml @@ -37,7 +37,7 @@ jobs: #skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }} steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Set CI/CD variables" id: variables run: | @@ -158,7 +158,7 @@ jobs: APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }} APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Trigger dynamic environment creation shell: bash run: | diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 4736c240..36dc2b3a 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -37,7 +37,7 @@ jobs: # tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Set CI/CD variables" id: variables run: | @@ -70,8 +70,7 @@ jobs: needs: metadata steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Get version" id: get-asset-version shell: bash @@ -103,13 +102,13 @@ jobs: run: | gh release download ${{steps.get-asset-version.outputs.release_version}} -p jekyll-docs-*.tar --output artifact.tar - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} path: artifact.tar - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 with: artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index fbf04098..3e311ac5 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -15,7 +15,7 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@v5.2.0 + uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0 with: ci_required: false labels: dependencies diff --git a/.github/workflows/pr_closed.yml b/.github/workflows/pr_closed.yml index 8fe0dbe9..42e61428 100644 --- a/.github/workflows/pr_closed.yml +++ b/.github/workflows/pr_closed.yml @@ -50,8 +50,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Updating Main Environment env: APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} diff --git a/.github/workflows/pr_destroy_dynamic_env.yml b/.github/workflows/pr_destroy_dynamic_env.yml index 15b28cf8..67abd292 100644 --- a/.github/workflows/pr_destroy_dynamic_env.yml +++ b/.github/workflows/pr_destroy_dynamic_env.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Trigger dynamic environment destroy env: APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} diff --git a/.github/workflows/release_created.yml b/.github/workflows/release_created.yml index 74eef62a..329282ae 100644 --- a/.github/workflows/release_created.yml +++ b/.github/workflows/release_created.yml @@ -26,8 +26,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Updating Main Environment env: APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index 19c7d7ef..e65f2bf2 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -16,10 +16,9 @@ jobs: steps: - name: Check out the repository - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check out external repository - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: NHSDigital/nhs-notify-repository-template path: nhs-notify-repository-template @@ -32,7 +31,7 @@ jobs: - name: Create Pull Request if: ${{ !env.ACT }} - uses: peter-evans/create-pull-request@v8 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: Drift from template diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 4cc71e0f..19ad9d51 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 298da95e..466b0ba6 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -44,7 +44,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" @@ -55,7 +55,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" @@ -66,7 +66,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" @@ -80,7 +80,7 @@ jobs: contents: write steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check to see if Terraform Docs are up-to-date" @@ -101,7 +101,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" @@ -112,7 +112,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check TODO usage" @@ -124,8 +124,7 @@ jobs: terraform_changed: ${{ steps.check.outputs.terraform_changed }} steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Check for Terraform changes" id: check run: | @@ -148,7 +147,7 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Setup ASDF" uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 - name: "Lint Terraform" @@ -164,7 +163,7 @@ jobs: # if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' # steps: # - name: "Checkout code" - # uses: actions/checkout@v6.0.2 + # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # - name: "Trivy IaC Scan" @@ -178,7 +177,7 @@ jobs: # timeout-minutes: 10 # steps: # - name: "Checkout code" - # uses: actions/checkout@v6.0.2 + # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # - name: "Trivy Package Scan" @@ -192,7 +191,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Count lines of code" uses: ./.github/actions/create-lines-of-code-report with: @@ -211,7 +210,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Scan dependencies" uses: ./.github/actions/scan-dependencies with: diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index 0ac45800..da1b788b 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -47,9 +47,9 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Use Node.js" - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' - name: "Repo setup" @@ -65,9 +65,9 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Use Node.js" - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' - name: "Repo setup" @@ -80,14 +80,14 @@ jobs: run: | make test-unit - name: "Save the result of fast test suite" - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: unit-tests path: "**/.reports/unit" include-hidden-files: true if: always() - name: "Save the result of code coverage" - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: code-coverage-report path: ".reports/lcov.info" @@ -97,9 +97,9 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Use Node.js" - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' - name: "Repo setup" @@ -117,9 +117,9 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Use Node.js" - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' - name: "Repo setup" @@ -138,7 +138,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Run test coverage check" run: | make test-coverage @@ -155,11 +155,11 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Download coverage report for SONAR" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v8 with: name: code-coverage-report - name: "Perform static analysis" diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index c4723120..404302bf 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -39,7 +39,7 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build docs" uses: ./.github/actions/build-docs with: @@ -50,7 +50,7 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build artefact 1" run: | echo "Building artefact 1 ..." @@ -67,7 +67,7 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build artefact n" run: | echo "Building artefact n ..." diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index 026ef499..3fa9cbda 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -45,10 +45,10 @@ jobs: name: Run Acceptance Tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Use Node.js" - uses: actions/setup-node@v6 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v6 with: node-version: "${{ inputs.nodejs_version }}" registry-url: "https://npm.pkg.github.com"