From 1f8150c9c1b04edd702d1cac334f209cf9390809 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 13:52:37 +0100 Subject: [PATCH 1/9] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/acceptance-tests/action.yaml | 3 +- .github/actions/build-docs/action.yml | 12 +++----- .../create-lines-of-code-report/action.yaml | 6 ++-- .github/actions/node-install/action.yaml | 3 +- .github/actions/scan-dependencies/action.yaml | 9 ++---- .github/workflows/cicd-1-pull-request.yaml | 3 +- .github/workflows/cicd-3-deploy.yaml | 9 ++---- .../manual-combine-dependabot-prs.yaml | 3 +- .github/workflows/pr_closed.yml | 3 +- .github/workflows/release_created.yml | 3 +- .../scheduled-repository-template-sync.yaml | 9 ++---- .github/workflows/scorecard.yml | 3 +- .github/workflows/stage-1-commit.yaml | 30 +++++++------------ .github/workflows/stage-2-test.yaml | 27 ++++++----------- .github/workflows/stage-3-build.yaml | 9 ++---- .github/workflows/stage-4-acceptance.yaml | 3 +- 16 files changed, 45 insertions(+), 90 deletions(-) diff --git a/.github/actions/acceptance-tests/action.yaml b/.github/actions/acceptance-tests/action.yaml index 92fb879c..7ffe9427 100644 --- a/.github/actions/acceptance-tests/action.yaml +++ b/.github/actions/acceptance-tests/action.yaml @@ -24,8 +24,7 @@ runs: steps: - name: Fetch terraform output - uses: actions/download-artifact@v7 - with: + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: name: terraform-output-${{ inputs.targetComponent }} - name: Get Node version diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index 2b95b54c..fc47dcdd 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml 
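Review bot: The added `uses:` line in the acceptance-tests hunk carries `with:` after the `# v7` comment, so `with:` is swallowed by the comment and the indented `name:` input that follows has no parent key; the same pattern repeats through this patch, and in the checkout steps the following `- name: "..."` is folded into the comment the same way, leaving `id:`/`run:` attached to the checkout step alongside its `uses:`. PATCH 2/9 and 3/9 below restore the line breaks, so the fix itself is not re-raised here. What the series still lacks is a check that would have rejected this before merge: stage-1-commit has a check-file-format job, but nothing visible parses the workflow and action files, so a yamllint pass over `.github/` or an actionlint run in that stage would turn this class of error into a failed commit stage rather than a broken pipeline.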
@@ -8,8 +8,7 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@v6.0.2 - - uses: actions/setup-node@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-node@v4 with: node-version: 18 - name: Npm cli install @@ -17,16 +16,14 @@ runs: run: npm ci shell: bash - name: Setup Ruby - uses: ruby/setup-ruby@v1.180.1 - with: + uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with: ruby-version: "3.2" # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 0 # Increment this number if you need to re-download cached gems working-directory: "./docs" - name: Setup Pages id: pages - uses: actions/configure-pages@v5 - - name: Build with Jekyll + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll working-directory: ./docs # Outputs to the './_site' directory by default shell: bash @@ -36,7 +33,6 @@ runs: JEKYLL_ENV: production - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@v3 - with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: "docs/_site/" name: jekyll-docs-${{ inputs.version }} diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index 07d62011..b658529b 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml 
@@ -32,8 +32,7 @@ runs: run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 - with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: lines-of-code-report.json.zip path: ./lines-of-code-report.json.zip retention-days: 21 @@ -44,8 +43,7 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v4 - with: + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the CLOC report to the central location" diff --git a/.github/actions/node-install/action.yaml b/.github/actions/node-install/action.yaml index b1ed2d0b..397fde78 100644 --- a/.github/actions/node-install/action.yaml +++ b/.github/actions/node-install/action.yaml @@ -10,8 +10,7 @@ runs: using: 'composite' steps: - name: 'Use Node.js' - uses: actions/setup-node@v4 - with: + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: '.tool-versions' registry-url: 'https://npm.pkg.github.com' scope: '@nhsdigital' diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 9fbe3ca2..8136c7f2 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml 
@@ -32,8 +32,7 @@ runs: run: zip sbom-repository-report.json.zip sbom-repository-report.json - name: "Upload SBOM report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 - with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: sbom-repository-report.json.zip path: ./sbom-repository-report.json.zip retention-days: 21 @@ -47,8 +46,7 @@ runs: run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - name: "Upload vulnerabilities report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 - with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: vulnerabilities-repository-report.json.zip path: ./vulnerabilities-repository-report.json.zip retention-days: 21 @@ -58,8 +56,7 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v4 - with: + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the SBOM and vulnerabilities reports to the central location" diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index ab3f11df..46c44b44 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml 
@@ -37,8 +37,7 @@ jobs: #skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }} steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Set CI/CD variables" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 4736c240..a284b9d7 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -37,8 +37,7 @@ jobs: # tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Set CI/CD variables" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') @@ -70,8 +69,7 @@ jobs: needs: metadata steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Get version" id: get-asset-version shell: bash @@ -110,6 +108,5 @@ jobs: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 - with: + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 with: artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index fbf04098..6c8e02a9 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -15,8 +15,7 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@v5.2.0 - with: + uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 with: ci_required: false labels: dependencies pr_title: Combined Dependabot PRs 
diff --git a/.github/workflows/pr_closed.yml b/.github/workflows/pr_closed.yml index 8fe0dbe9..42e61428 100644 --- a/.github/workflows/pr_closed.yml +++ b/.github/workflows/pr_closed.yml @@ -50,8 +50,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Updating Main Environment env: APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} diff --git a/.github/workflows/release_created.yml b/.github/workflows/release_created.yml index 74eef62a..329282ae 100644 --- a/.github/workflows/release_created.yml +++ b/.github/workflows/release_created.yml @@ -26,8 +26,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Updating Main Environment env: APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index 19c7d7ef..4e56a945 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -16,11 +16,9 @@ jobs: steps: - name: Check out the repository - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check out external repository - uses: actions/checkout@v6.0.2 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: NHSDigital/nhs-notify-repository-template path: nhs-notify-repository-template token: ${{ github.token }} @@ -32,8 +30,7 @@ jobs: - name: Create Pull Request if: ${{ !env.ACT }} - uses: peter-evans/create-pull-request@v8 - with: + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: Drift from template branch: scheduledTemplateRepositorySync 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 4cc71e0f..208f5d48 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,8 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@v7 - with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: SARIF file path: results.sarif retention-days: 5 diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 58b75088..1469eb8a 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -44,8 +44,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" uses: ./.github/actions/scan-secrets @@ -55,8 +54,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" uses: ./.github/actions/check-file-format @@ -66,8 +64,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" uses: ./.github/actions/check-markdown-format 
@@ -80,8 +77,7 @@ jobs: contents: write steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check to see if Terraform Docs are up-to-date" run: | @@ -101,8 +97,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" uses: ./.github/actions/check-english-usage @@ -112,8 +107,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check TODO usage" uses: ./.github/actions/check-todo-usage @@ -124,8 +118,7 @@ jobs: terraform_changed: ${{ steps.check.outputs.terraform_changed }} steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Check for Terraform changes" id: check run: | @@ -148,8 +141,7 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Setup ASDF" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Setup ASDF" uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 - name: "Lint Terraform" uses: ./.github/actions/lint-terraform 
@@ -192,8 +184,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Count lines of code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Count lines of code" uses: ./.github/actions/create-lines-of-code-report with: build_datetime: "${{ inputs.build_datetime }}" @@ -211,8 +202,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Scan dependencies" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Scan dependencies" uses: ./.github/actions/scan-dependencies with: build_datetime: "${{ inputs.build_datetime }}" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index dd3ceea8..abcd3d84 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -47,8 +47,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Repo setup" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Repo setup" run: | npm ci - name: "Generate dependencies" @@ -61,8 +60,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Repo setup" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Repo setup" run: | npm ci - name: "Generate dependencies" @@ -72,15 +70,13 @@ jobs: run: | make test-unit - name: "Save the result of fast test suite" - uses: actions/upload-artifact@v7 - with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: unit-tests path: "**/.reports/unit" include-hidden-files: true if: always() - name: "Save the result of code coverage" - uses: actions/upload-artifact@v7 - with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: code-coverage-report path: ".reports/lcov.info" test-lint: 
@@ -89,8 +85,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Repo setup" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Repo setup" run: | npm ci - name: "Generate dependencies" @@ -105,8 +100,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Repo setup" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Repo setup" run: | npm ci - name: "Generate dependencies" @@ -122,8 +116,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Run test coverage check" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Run test coverage check" run: | make test-coverage - name: "Save the coverage check result" @@ -139,12 +132,10 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Download coverage report for SONAR" - uses: actions/download-artifact@v7 - with: + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: name: code-coverage-report - name: "Perform static analysis" uses: ./.github/actions/perform-static-analysis diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index c4723120..4fcc1524 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -39,8 +39,7 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Build docs" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build docs" uses: ./.github/actions/build-docs with: version: "${{ inputs.version }}" 
@@ -50,8 +49,7 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Build artefact 1" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build artefact 1" run: | echo "Building artefact 1 ..." - name: "Check artefact 1" @@ -67,8 +65,7 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v6.0.2 - - name: "Build artefact n" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build artefact n" run: | echo "Building artefact n ..." - name: "Check artefact n" diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index 98e84d7d..d3b167cb 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -48,8 +48,7 @@ jobs: - uses: actions/checkout@v6.0.2 - name: "Use Node.js" - uses: actions/setup-node@v4 - with: + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: "${{ inputs.nodejs_version }}" registry-url: "https://npm.pkg.github.com" scope: "@nhsdigital" From d64db1173f3b0555a22814503ae06e076f5bf037 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 14:52:29 +0100 Subject: [PATCH 2/9] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/acceptance-tests/action.yaml | 3 ++- .github/actions/build-docs/action.yml | 6 ++++-- .github/actions/create-lines-of-code-report/action.yaml | 6 ++++-- .github/actions/node-install/action.yaml | 3 ++- .github/actions/scan-dependencies/action.yaml | 9 ++++++--- .github/workflows/cicd-3-deploy.yaml | 3 ++- .../workflows/scheduled-repository-template-sync.yaml | 3 ++- .github/workflows/scorecard.yml | 3 ++- .github/workflows/stage-2-test.yaml | 9 ++++++--- .github/workflows/stage-4-acceptance.yaml | 3 ++- 10 files changed, 32 insertions(+), 16 deletions(-) 
diff --git a/.github/actions/acceptance-tests/action.yaml b/.github/actions/acceptance-tests/action.yaml index 7ffe9427..7fe3c28a 100644 --- a/.github/actions/acceptance-tests/action.yaml +++ b/.github/actions/acceptance-tests/action.yaml @@ -24,7 +24,8 @@ runs: steps: - name: Fetch terraform output - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + with: name: terraform-output-${{ inputs.targetComponent }} - name: Get Node version diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index fc47dcdd..71d3f0a4 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -23,7 +23,8 @@ runs: working-directory: "./docs" - name: Setup Pages id: pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll working-directory: ./docs # Outputs to the './_site' directory by default shell: bash @@ -33,6 +34,7 @@ runs: JEKYLL_ENV: production - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + with: path: "docs/_site/" name: jekyll-docs-${{ inputs.version }} diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index b658529b..5f876cab 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml 
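Review bot: The pin comments added in this hunk and the build-docs hunks below it record only a major tag (`# v7`, `# v5`, `# v3`), which cannot be checked against the SHA because major tags move; `actions/checkout` in this same series records the exact release `# v6.0.2`, and the other pins should follow that convention. Recording the exact release tag the commit resolves to, for example `uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.x.y` with the real patch version, lets a reviewer verify the SHA against the upstream release page and gives Dependabot an unambiguous version to bump from. The repository appears to use Dependabot (manual-combine-dependabot-prs.yaml), so it is worth confirming that its configuration includes the `github-actions` ecosystem; otherwise these SHA pins will go stale silently.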
@@ -32,7 +32,8 @@ runs: run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + with: name: lines-of-code-report.json.zip path: ./lines-of-code-report.json.zip retention-days: 21 @@ -43,7 +44,8 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the CLOC report to the central location" diff --git a/.github/actions/node-install/action.yaml b/.github/actions/node-install/action.yaml index 397fde78..3b7eff93 100644 --- a/.github/actions/node-install/action.yaml +++ b/.github/actions/node-install/action.yaml @@ -10,7 +10,8 @@ runs: using: 'composite' steps: - name: 'Use Node.js' - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + with: node-version-file: '.tool-versions' registry-url: 'https://npm.pkg.github.com' scope: '@nhsdigital' diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 8136c7f2..014cc5f0 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml 
@@ -32,7 +32,8 @@ runs: run: zip sbom-repository-report.json.zip sbom-repository-report.json - name: "Upload SBOM report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + with: name: sbom-repository-report.json.zip path: ./sbom-repository-report.json.zip retention-days: 21 @@ -46,7 +47,8 @@ runs: run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - name: "Upload vulnerabilities report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + with: name: vulnerabilities-repository-report.json.zip path: ./vulnerabilities-repository-report.json.zip retention-days: 21 @@ -56,7 +58,8 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the SBOM and vulnerabilities reports to the central location" diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index a284b9d7..9e6f9741 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml 
@@ -108,5 +108,6 @@ jobs: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 with: + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 + with: artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index 4e56a945..63815d2b 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -30,7 +30,8 @@ jobs: - name: Create Pull Request if: ${{ !env.ACT }} - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8 with: + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8 + with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: Drift from template branch: scheduledTemplateRepositorySync diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 208f5d48..19ad9d51 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,7 +59,8 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + with: name: SARIF file path: results.sarif retention-days: 5 diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index abcd3d84..9580366c 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml 
@@ -70,13 +70,15 @@ jobs: run: | make test-unit - name: "Save the result of fast test suite" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + with: name: unit-tests path: "**/.reports/unit" include-hidden-files: true if: always() - name: "Save the result of code coverage" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + with: name: code-coverage-report path: ".reports/lcov.info" test-lint: @@ -135,7 +137,8 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Download coverage report for SONAR" - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + with: name: code-coverage-report - name: "Perform static analysis" uses: ./.github/actions/perform-static-analysis diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index d3b167cb..09d0b6d5 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -48,7 +48,8 @@ jobs: - uses: actions/checkout@v6.0.2 - name: "Use Node.js" - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + with: node-version: "${{ inputs.nodejs_version }}" registry-url: "https://npm.pkg.github.com" scope: "@nhsdigital" From 2726e4e6f99fc87bbda9378c83ba941062acc046 Mon Sep 17 00:00:00 2001 
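Review bot: The stage-4-acceptance hunk still contains `- uses: actions/checkout@v6.0.2` on a mutable tag directly above the newly pinned setup-node step, so the workflow that exercises a deployed environment is not fully pinned despite the commit subject. It should use the same pin as every other checkout step in this series: `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`. The setup-node pin here and in node-install also carries only `# v4`; the exact release tag would make the SHA verifiable on review.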
From: damientobin1 Date: Tue, 31 Mar 2026 16:03:13 +0100 Subject: [PATCH 3/9] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/build-docs/action.yml | 6 +++-- .github/workflows/cicd-1-pull-request.yaml | 3 ++- .github/workflows/cicd-3-deploy.yaml | 3 ++- .../manual-combine-dependabot-prs.yaml | 3 ++- .../scheduled-repository-template-sync.yaml | 3 ++- .github/workflows/stage-1-commit.yaml | 27 ++++++++++++------- .github/workflows/stage-2-test.yaml | 18 ++++++++----- .github/workflows/stage-3-build.yaml | 9 ++++--- 8 files changed, 48 insertions(+), 24 deletions(-) diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index 71d3f0a4..beb0ed22 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -8,7 +8,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-node@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-node@v4 with: node-version: 18 - name: Npm cli install @@ -16,7 +17,8 @@ runs: run: npm ci shell: bash - name: Setup Ruby - uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with: + uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 + with: ruby-version: "3.2" # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 0 # Increment this number if you need to re-download cached gems diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index 46c44b44..4566adad 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml 
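Review bot: The first build-docs hunk restores `- uses: actions/setup-node@v4` as its own step but leaves it on a mutable major tag while every other action in this file is now SHA-pinned; it should be pinned the same way node-install already is, `- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4`. The same step sets `node-version: 18`, which by this commit's date is past upstream end-of-life, whereas the node-install composite action reads its version from `.tool-versions`; pointing this step at the same file (`node-version-file: .tool-versions`) would keep the docs build on the version the rest of the repository uses. Whether the Jekyll/npm toolchain in docs/ works on that newer Node version is not visible here and should be confirmed before changing it.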
@@ -37,7 +37,8 @@ jobs: #skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }} steps: - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Set CI/CD variables" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 9e6f9741..add373f2 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -37,7 +37,8 @@ jobs: # tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Set CI/CD variables" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index 6c8e02a9..e1e5f075 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -15,7 +15,8 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 with: + uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 + with: ci_required: false labels: dependencies pr_title: Combined Dependabot PRs diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index 63815d2b..e65f2bf2 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml 
@@ -18,7 +18,8 @@ jobs:
 - name: Check out the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Check out external repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
 repository: NHSDigital/nhs-notify-repository-template
 path: nhs-notify-repository-template
 token: ${{ github.token }}
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index 1469eb8a..20ca1d4f 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -44,7 +44,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
 fetch-depth: 0 # Full history is needed to scan all commits
 - name: "Scan secrets"
 uses: ./.github/actions/scan-secrets
@@ -54,7 +55,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check file format"
 uses: ./.github/actions/check-file-format
@@ -64,7 +66,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check Markdown format"
 uses: ./.github/actions/check-markdown-format
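Review bot: The external checkout of `NHSDigital/nhs-notify-repository-template` shows no `ref:` in the visible `with:` block (`repository`, `path`, `token` only), so unless one follows beyond the hunk it tracks that repository's default branch — the same floating-reference exposure this series is removing for actions, and the content it pulls lands in the workspace of a scheduled job. If the synced files are applied or committed automatically, pin it the same way, e.g. `ref: <template-commit-sha> # vX.Y.Z`, and bump it deliberately rather than on every run. `token: ${{ github.token }}` is fine for a public source, but the default token cannot read a private repository other than this one, so if the template is ever made private this step will need a scoped token rather than silently inheriting broader permissions.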
@@ -77,7 +80,8 @@ jobs:
 contents: write
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check to see if Terraform Docs are up-to-date"
 run: |
@@ -97,7 +101,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check English usage"
 uses: ./.github/actions/check-english-usage
@@ -107,7 +112,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check TODO usage"
 uses: ./.github/actions/check-todo-usage
@@ -141,7 +147,8 @@ jobs:
 if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Setup ASDF"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Setup ASDF"
 uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
 - name: "Lint Terraform"
 uses: ./.github/actions/lint-terraform
@@ -184,7 +191,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Count lines of code"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Count lines of code"
 uses: ./.github/actions/create-lines-of-code-report
 with:
 build_datetime: "${{ inputs.build_datetime }}"
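Review bot: In the lint-terraform hunk, `uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302` is the one pin in this series without a `# vX.Y.Z` trailer, so a reviewer cannot tell which release the SHA corresponds to and comment-driven tooling (Dependabot, Renovate) has nothing to compare against when proposing updates. Add the resolved tag as the trailing comment, e.g. `uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # vX.Y.Z`, taking the value from `git ls-remote --tags https://github.com/asdf-vm/actions` rather than from memory. The commented-out Trivy jobs later in the series pin the same action to a different SHA (`b7bcd026…`), also untagged, so the two should be reconciled when those jobs are re-enabled.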
@@ -202,7 +210,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Scan dependencies"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Scan dependencies"
 uses: ./.github/actions/scan-dependencies
 with:
 build_datetime: "${{ inputs.build_datetime }}"
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index 9580366c..698820c2 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -47,7 +47,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Repo setup"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Repo setup"
 run: |
 npm ci
 - name: "Generate dependencies"
@@ -60,7 +61,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Repo setup"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Repo setup"
 run: |
 npm ci
 - name: "Generate dependencies"
@@ -87,7 +89,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Repo setup"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Repo setup"
 run: |
 npm ci
 - name: "Generate dependencies"
@@ -102,7 +105,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Repo setup"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Repo setup"
 run: |
 npm ci
 - name: "Generate dependencies"
@@ -118,7 +122,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Run test coverage check"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Run test coverage check"
 run: |
 make test-coverage
 - name: "Save the coverage check result"
@@ -134,7 +139,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
 fetch-depth: 0 # Full history is needed to improving relevancy of reporting
 - name: "Download coverage report for SONAR"
 uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
index 4fcc1524..404302bf 100644
--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -39,7 +39,8 @@ jobs:
 timeout-minutes: 3
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build docs"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Build docs"
 uses: ./.github/actions/build-docs
 with:
 version: "${{ inputs.version }}"
@@ -49,7 +50,8 @@ jobs:
 timeout-minutes: 3
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build artefact 1"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Build artefact 1"
 run: |
 echo "Building artefact 1 ..."
 - name: "Check artefact 1"
@@ -65,7 +67,8 @@ jobs:
 timeout-minutes: 3
 steps:
 - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Build artefact n"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: "Build artefact n"
 run: |
 echo "Building artefact n ..."
 - name: "Check artefact n"
From 5f1d114587a452e6545c84e5ed159c5b95eab9c0 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Tue, 31 Mar 2026 17:48:52 +0100
Subject: [PATCH 4/9] CCM-14499: Pinning all GitHub Actions to SHAs
---
 .github/actions/create-lines-of-code-report/action.yaml | 2 +-
 .github/actions/scan-dependencies/action.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml
index 5f876cab..f902108c 100644
--- a/.github/actions/create-lines-of-code-report/action.yaml
+++ b/.github/actions/create-lines-of-code-report/action.yaml
@@ -44,7 +44,7 @@ runs:
 echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the report"
 if: steps.check.outputs.secrets_exist == 'true'
- uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+ uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
index 014cc5f0..e72214db 100644
--- a/.github/actions/scan-dependencies/action.yaml
+++ b/.github/actions/scan-dependencies/action.yaml
@@ -58,7 +58,7 @@ runs:
 run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the reports"
 if: steps.check.outputs.secrets_exist == 'true'
- uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+ uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
From 83a11742f6012deaf9f0541767fab8092d9dc2c2 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Tue, 31 Mar 2026 18:18:36 +0100
Subject: [PATCH 5/9] CCM-14499: Correct configure-aws-credentials v4 SHA
---
 .github/actions/create-lines-of-code-report/action.yaml | 2 +-
 .github/actions/scan-dependencies/action.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml
index f902108c..5f876cab 100644
--- a/.github/actions/create-lines-of-code-report/action.yaml
+++ b/.github/actions/create-lines-of-code-report/action.yaml
@@ -44,7 +44,7 @@ runs:
 echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the report"
 if: steps.check.outputs.secrets_exist == 'true'
- uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
index e72214db..014cc5f0 100644
--- a/.github/actions/scan-dependencies/action.yaml
+++ b/.github/actions/scan-dependencies/action.yaml
@@ -58,7 +58,7 @@ runs:
 run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the reports"
 if: steps.check.outputs.secrets_exist == 'true'
- uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
From e3c38958b2235be41b82ce92f4a7945ff2f709ca Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Tue, 31 Mar 2026 18:40:53 +0100
Subject: [PATCH 6/9] CCM-14499: Correct annotated tag SHA pins
---
 .github/workflows/manual-combine-dependabot-prs.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml
index e1e5f075..3e311ac5 100644
--- a/.github/workflows/manual-combine-dependabot-prs.yaml
+++ b/.github/workflows/manual-combine-dependabot-prs.yaml
@@ -15,7 +15,7 @@ jobs:
 steps:
 - name: combine-prs
 id: combine-prs
- uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0
+ uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
 with:
 ci_required: false
 labels: dependencies
From c520a27e9e637129291becd663e94a3cc2473635 Mon Sep 17 00:00:00 2001
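Review bot: The `# v4` trailer on `uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a` names a moving major-version alias rather than the release the SHA was taken from, which is why this series needed patch 4 and then this revert to settle on a commit — nobody reading the pin can check it against anything. Record the exact tag the SHA resolves to, e.g. `# v4.<minor>.<patch>` obtained from `git ls-remote --tags https://github.com/aws-actions/configure-aws-credentials` (for annotated tags take the `^{}` peeled entry, as the next patch's "annotated tag SHA" fix found out the hard way), so a reviewer can verify the pin without trusting the comment. This step assumes an AWS role with `role-to-assume` built from action inputs, so a mis-pinned commit here runs third-party code with cloud credentials; the extra precision in the trailer is cheap insurance.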
From: damientobin1
Date: Wed, 1 Apr 2026 11:04:06 +0100
Subject: [PATCH 7/9] CCM-14499: Pinning all GitHub Actions to SHAs
---
 .github/workflows/stage-2-test.yaml | 2 +-
 .github/workflows/stage-4-acceptance.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index 9ad08e73..f24e7386 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -143,7 +143,7 @@ jobs:
 with:
 fetch-depth: 0 # Full history is needed to improving relevancy of reporting
 - name: "Download coverage report for SONAR"
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v8
 with:
 name: code-coverage-report
 - name: "Perform static analysis"
diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml
index 026ef499..3fa9cbda 100644
--- a/.github/workflows/stage-4-acceptance.yaml
+++ b/.github/workflows/stage-4-acceptance.yaml
@@ -45,10 +45,10 @@ jobs:
 name: Run Acceptance Tests
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: "Use Node.js"
- uses: actions/setup-node@v6
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v6
 with:
 node-version: "${{ inputs.nodejs_version }}"
 registry-url: "https://npm.pkg.github.com"
From fbb8c5297e181682d8baca9cea7c61898ee51035 Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Wed, 1 Apr 2026 12:39:37 +0100
Subject: [PATCH 8/9] CCM-14499: Pin remaining GitHub Actions refs to SHAs
---
 .github/actions/build-docs/action.yml | 2 +-
 .github/workflows/cicd-1-pull-request.yaml | 2 +-
 .github/workflows/cicd-3-deploy.yaml | 2 +-
 .github/workflows/pr_destroy_dynamic_env.yml | 2 +-
 .github/workflows/stage-1-commit.yaml | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)
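Review bot: `uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v8` replaces a floating `@v8`, but the identical SHA is annotated `# v7` on this same step in the patch-3 hunk of stage-2-test.yaml and in the acceptance-tests action earlier in the series; one commit cannot be two releases. The earlier context line showed this step already pinned at `# v7`, and the removed line here is `@v8`, which reads as a Dependabot bump to v8 that this hunk reverts to the v7 commit while relabelling it — if so it is a silent downgrade hidden behind a comment, and if 37930b1c… really is v8 then the `# v7` trailers elsewhere are wrong. Resolve it once with `git ls-remote --tags https://github.com/actions/download-artifact` and make every pin of this SHA carry the same exact tag.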
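Review bot: `uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v6` in the stage-4 hunk uses the same SHA that the build-docs action and the four stage-2-test jobs later in this series annotate as `# v4`; a SHA identifies exactly one release, so at least one of those trailers is wrong, and if the commit is v4 this hunk moves the acceptance job down two majors from the `@v6` it removes. Resolve the tag and use one consistent trailer; if the intent is for the composite action on `node-version: 18` to stay on v4 while this job stays on v6, they need two different SHAs, not one SHA with two labels. Note also that this job's `registry-url: "https://npm.pkg.github.com"` makes setup-node the step that writes the registry token into `.npmrc`, so this is a pin worth getting exactly right.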
diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml
index beb0ed22..fe37712c 100644
--- a/.github/actions/build-docs/action.yml
+++ b/.github/actions/build-docs/action.yml
@@ -9,7 +9,7 @@ runs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 18
 - name: Npm cli install
diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml
index 4566adad..aa5a82bf 100644
--- a/.github/workflows/cicd-1-pull-request.yaml
+++ b/.github/workflows/cicd-1-pull-request.yaml
@@ -158,7 +158,7 @@ jobs:
 APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
 APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Trigger dynamic environment creation
 shell: bash
 run: |
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
index add373f2..36dc2b3a 100644
--- a/.github/workflows/cicd-3-deploy.yaml
+++ b/.github/workflows/cicd-3-deploy.yaml
@@ -102,7 +102,7 @@ jobs:
 run: |
 gh release download ${{steps.get-asset-version.outputs.release_version}} -p jekyll-docs-*.tar --output artifact.tar
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
 with:
 name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}}
 path: artifact.tar
diff --git a/.github/workflows/pr_destroy_dynamic_env.yml b/.github/workflows/pr_destroy_dynamic_env.yml
index 15b28cf8..67abd292 100644
--- a/.github/workflows/pr_destroy_dynamic_env.yml
+++ b/.github/workflows/pr_destroy_dynamic_env.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Trigger dynamic environment destroy
 env:
 APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index ccec37d1..466b0ba6 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -163,7 +163,7 @@ jobs:
 # if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
 # steps:
 # - name: "Checkout code"
- # uses: actions/checkout@v6.0.2
+ # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 # - name: "Setup ASDF"
 # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
 # - name: "Trivy IaC Scan"
@@ -177,7 +177,7 @@ jobs:
 # timeout-minutes: 10
 # steps:
 # - name: "Checkout code"
- # uses: actions/checkout@v6.0.2
+ # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 # - name: "Setup ASDF"
 # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
 # - name: "Trivy Package Scan"
From 701cfbc98c418f2988461394fcb1d735694d2fea Mon Sep 17 00:00:00 2001
From: damientobin1
Date: Thu, 2 Apr 2026 11:47:24 +0100
Subject: [PATCH 9/9] CCM-14499: Pin new checkout and setup-node action refs in stage-2-test.yaml
---
 .github/workflows/stage-2-test.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index e80a4c00..da1b788b 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -47,9 +47,9 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: "Use Node.js"
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.tool-versions'
 - name: "Repo setup"
@@ -65,9 +65,9 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: "Use Node.js"
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.tool-versions'
 - name: "Repo setup"
@@ -97,9 +97,9 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: "Use Node.js"
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.tool-versions'
 - name: "Repo setup"
@@ -117,9 +117,9 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: "Use Node.js"
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.tool-versions'
 - name: "Repo setup"