From cd3f8d9e0c2add2f56692026cc744c947dafd9c5 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 13:52:40 +0100 Subject: [PATCH 1/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/build-docs/action.yml | 12 ++---- .../create-lines-of-code-report/action.yaml | 6 +-- .github/actions/scan-dependencies/action.yaml | 9 ++--- .../actions/sync-template-repo/action.yaml | 3 +- .github/workflows/cicd-1-pull-request.yaml | 3 +- .github/workflows/cicd-3-deploy.yaml | 9 ++--- .../manual-combine-dependabot-prs.yaml | 3 +- .github/workflows/release_created.yaml | 3 +- .../scheduled-repository-template-sync.yaml | 6 +-- .github/workflows/scorecard.yml | 3 +- .github/workflows/stage-1-commit.yaml | 39 +++++++------------ .github/workflows/stage-2-test.yaml | 12 ++---- .github/workflows/stage-3-build.yaml | 6 +-- .github/workflows/stage-4-acceptance.yaml | 27 +++++-------- 14 files changed, 47 insertions(+), 94 deletions(-) diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index d7f1ff7..34bea8d 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -8,8 +8,7 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-node@v4 with: node-version: 22 - name: Npm cli install 
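Review bot: The single added line in the `@@ -8,8 +8,7` hunk fuses two steps, `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-node@v4`, so everything after `#` is a YAML comment, the setup-node step no longer exists, and the following `with: node-version: 22` now attaches to checkout, which does not take that input. The hunk header confirms it (two lines removed, one added), and the follow-up PATCH 2/8 in this series only repairs the configure-pages and upload-pages-artifact lines of this file, so the step stays lost unless a later patch restores it. Split it back into two lines and, since setup-node is then the only floating tag left in this action, pin it the same way: `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` followed by `- uses: actions/setup-node@<full commit SHA of the v4 release> # v4`.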
@@ -17,16 +16,14 @@ runs: run: npm ci shell: bash - name: Setup Ruby - uses: ruby/setup-ruby@v1.180.1 - with: + uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with: ruby-version: "3.2" # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 0 # Increment this number if you need to re-download cached gems working-directory: "./docs" - name: Setup Pages id: pages - uses: actions/configure-pages@v5 - - name: Build with Jekyll + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll working-directory: ./docs # Outputs to the './_site' directory by default shell: bash @@ -36,7 +33,6 @@ runs: JEKYLL_ENV: production - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@v3 - with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: "docs/_site/" name: jekyll-docs-${{ inputs.version }} diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index 86396f7..016fb55 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -32,8 +32,7 @@ runs: run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: lines-of-code-report.json.zip path: ./lines-of-code-report.json.zip retention-days: 21 
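Review bot: In the `@@ -17,16 +16,14` hunk the setup-ruby pin swallows its `with:` key, `uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with:`, so `ruby-version`, `bundler-cache`, `cache-version` and `working-directory` become step-level keys and the composite action will presumably be rejected as malformed when it is loaded. PATCH 2/8 repairs the configure-pages and upload-pages-artifact lines from this same file but not this one, so it remains broken through that patch at least. The fix is to restore the line break, `uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1` followed by `with:` on its own line. The `# v1.180.1` comment is the right shape, it names the exact release the SHA should resolve to, which the bare `# v4` comments elsewhere in the series do not.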
@@ -44,8 +43,7 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v4 - with: + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the CLOC report to the central location" diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 1000df1..971fe64 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml @@ -32,8 +32,7 @@ runs: run: zip sbom-repository-report.json.zip sbom-repository-report.json - name: "Upload SBOM report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: sbom-repository-report.json.zip path: ./sbom-repository-report.json.zip retention-days: 21 @@ -47,8 +46,7 @@ runs: run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - name: "Upload vulnerabilities report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@v4 - with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: vulnerabilities-repository-report.json.zip path: ./vulnerabilities-repository-report.json.zip retention-days: 21 
@@ -58,8 +56,7 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@v4 - with: + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the SBOM and vulnerabilities reports to the central location" diff --git a/.github/actions/sync-template-repo/action.yaml b/.github/actions/sync-template-repo/action.yaml index b5f32d8..676ede1 100644 --- a/.github/actions/sync-template-repo/action.yaml +++ b/.github/actions/sync-template-repo/action.yaml @@ -8,8 +8,7 @@ runs: using: "composite" steps: - name: "Check out template repository" - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: NHSDigital/nhs-notify-repository-template path: nhs-notify-repository-template token: ${{ inputs.github_token }} diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index 2f8d20c..7e07c38 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml @@ -29,8 +29,7 @@ jobs: does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }} steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Set CI/CD variables" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 5230577..c1d7cc2 100644 --- a/.github/workflows/cicd-3-deploy.yaml 
+++ b/.github/workflows/cicd-3-deploy.yaml @@ -37,8 +37,7 @@ jobs: # tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Set CI/CD variables" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') @@ -70,8 +69,7 @@ jobs: needs: metadata steps: - name: "Checkout code" - uses: actions/checkout@v4 - + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Get version" id: get-asset-version shell: bash @@ -110,6 +108,5 @@ jobs: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 - with: + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with: artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index fbf0409..6c8e02a 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -15,8 +15,7 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@v5.2.0 - with: + uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 with: ci_required: false labels: dependencies pr_title: Combined Dependabot PRs diff --git a/.github/workflows/release_created.yaml b/.github/workflows/release_created.yaml index bac7f06..3d928a7 100644 --- a/.github/workflows/release_created.yaml +++ b/.github/workflows/release_created.yaml @@ -19,8 +19,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5.0.0 - + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: "Package and Publish Terraform modules" run: | ARTIFACTS_DIR="$PWD/../../artifacts" 
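Review bot: The manual-combine-dependabot-prs hunk fuses the pinned step with its inputs, `uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 with:`, so `ci_required`, `labels` and `pr_title` are no longer inputs of the step but unknown step keys, and this workflow file is not in the file list of PATCH 2/8, so the repair there does not reach it. Restore the break, `uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0` followed by `with:` on the next line. This is a workflow that merges dependency PRs, so a silently invalid workflow here means the combined-update path stops working rather than failing loudly.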
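Review bot: The release_created hunk pins `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0` while every other file in this commit pins `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, leaving two different checkout commits to track and review; pick one and use it everywhere so a future bump is a single change. Note also that GitHub does not check the `# vX` comment against the SHA, so a reviewer should confirm each SHA is the commit the named release tag points to before merging (release page or `git ls-remote --tags`), since a wrong-but-valid SHA would pin to an arbitrary commit. Recording the full tag in the comment, as this hunk does with `# v5.0.0`, rather than the major-only `# v4` used elsewhere, makes that check and later updates much easier.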
diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index 548495f..8dff314 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -16,8 +16,7 @@ jobs: steps: - name: Check out the repository - uses: actions/checkout@v4 - + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Sync repository template uses: ./.github/actions/sync-template-repo with: @@ -25,8 +24,7 @@ jobs: - name: Create Pull Request if: ${{ !env.ACT }} - uses: peter-evans/create-pull-request@v7.0.8 - with: + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: Drift from template branch: scheduledTemplateRepositorySync diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5552785..a521ebf 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,8 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@v4 - with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: SARIF file path: results.sarif retention-days: 5 diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index eda2c98..324426c 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -39,8 +39,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" uses: ./.github/actions/scan-secrets 
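Review bot: In the `@@ -25,8 +24,7` hunk of scheduled-repository-template-sync.yaml the added line `uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with:` turns `with:` into part of the comment, so `token`, `commit-message` and `branch` are no longer inputs to the action, and this file is not among those corrected in PATCH 2/8. Restore the break, `uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8` followed by `with:` on its own line. Because this is a scheduled job, the breakage would only surface at the next scheduled run rather than on this PR, so it is worth a manual `workflow_dispatch` run after merge.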
@@ -50,8 +49,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" uses: ./.github/actions/check-file-format @@ -61,8 +59,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" uses: ./.github/actions/check-markdown-format @@ -75,8 +72,7 @@ jobs: contents: write steps: - name: "Checkout code" - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check to see if Terraform Docs are up-to-date" run: | @@ -96,8 +92,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" uses: ./.github/actions/check-english-usage @@ -107,8 +102,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check TODO usage" uses: ./.github/actions/check-todo-usage @@ -119,8 +113,7 @@ jobs: terraform_changed: ${{ steps.check.outputs.terraform_changed }} steps: - name: "Checkout code" - uses: actions/checkout@v4 - + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Check for Terraform changes" id: check run: | 
@@ -143,10 +136,8 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Setup ASDF" - uses: asdf-vm/actions/setup@v4 - - name: "Lint Terraform" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF" + uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 - name: "Lint Terraform" uses: ./.github/actions/lint-terraform trivy: name: "Trivy Scan" @@ -156,10 +147,8 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Setup ASDF" - uses: asdf-vm/actions/setup@v4 - - name: "Perform Setup" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF" + uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 - name: "Perform Setup" uses: ./.github/actions/setup - name: "Trivy Scan" uses: ./.github/actions/trivy @@ -172,8 +161,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Count lines of code" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Count lines of code" uses: ./.github/actions/create-lines-of-code-report with: build_datetime: "${{ inputs.build_datetime }}" @@ -191,8 +179,7 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Scan dependencies" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Scan dependencies" uses: ./.github/actions/scan-dependencies with: build_datetime: "${{ inputs.build_datetime }}" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index efcb2ac..bdbf89b 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml 
@@ -39,8 +39,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run unit test suite" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run unit test suite" run: | make test-unit - name: "Save the result of fast test suite" @@ -52,8 +51,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run linting" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run linting" run: | make test-lint - name: "Save the linting result" @@ -66,8 +64,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run test coverage check" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run test coverage check" run: | make test-coverage - name: "Save the coverage check result" @@ -83,8 +80,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Perform static analysis" uses: ./.github/actions/perform-static-analysis diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index 7d7bdbc..92ca003 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -39,8 +39,7 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Build artefact 1" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Build artefact 1" run: | echo "Building artefact 1 ..." - name: "Check artefact 1" 
@@ -56,8 +55,7 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Build artefact n" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Build artefact n" run: | echo "Building artefact n ..." - name: "Check artefact n" diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index d554f98..7e4c94b 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -39,8 +39,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Create infractructure" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Create infractructure" run: | echo "Creating infractructure..." - name: "Update database" @@ -56,8 +55,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run contract test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run contract test" run: | make test-contract - name: "Save result" @@ -70,8 +68,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run security test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run security test" run: | make test-security - name: "Save result" @@ -84,8 +81,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run UI test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run UI test" run: | make test-ui - name: "Save result" @@ -98,8 +94,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run UI performance test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run UI performance test" run: | make test-ui-performance - name: "Save result" 
@@ -112,8 +107,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run integration test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run integration test" run: | make test-integration - name: "Save result" @@ -126,8 +120,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run accessibility test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run accessibility test" run: | make test-accessibility - name: "Save result" @@ -140,8 +133,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Run load tests" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run load tests" run: | make test-load - name: "Save result" @@ -164,7 +156,6 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@v4 - - name: "Tear down environment" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Tear down environment" run: | echo "Tearing down environment..." From 39d83b4085fd9ef8ed9cba7288dfbaa141649a97 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 14:52:32 +0100 Subject: [PATCH 2/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/build-docs/action.yml | 6 ++-- .../create-lines-of-code-report/action.yaml | 6 ++-- .github/actions/scan-dependencies/action.yaml | 9 +++-- .../actions/sync-template-repo/action.yaml | 3 +- .github/workflows/cicd-1-pull-request.yaml | 3 +- .github/workflows/cicd-3-deploy.yaml | 6 ++-- .github/workflows/scorecard.yml | 3 +- .github/workflows/stage-1-commit.yaml | 36 ++++++++++++------- .github/workflows/stage-2-test.yaml | 12 ++++--- .github/workflows/stage-3-build.yaml | 6 ++-- .github/workflows/stage-4-acceptance.yaml | 27 +++++++++----- 11 files changed, 78 insertions(+), 39 deletions(-) 
diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index 34bea8d..8c91bd1 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -23,7 +23,8 @@ runs: working-directory: "./docs" - name: Setup Pages id: pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll working-directory: ./docs # Outputs to the './_site' directory by default shell: bash @@ -33,6 +34,7 @@ runs: JEKYLL_ENV: production - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + with: path: "docs/_site/" name: jekyll-docs-${{ inputs.version }} diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index 016fb55..0f149dd 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -32,7 +32,8 @@ runs: run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: name: lines-of-code-report.json.zip path: ./lines-of-code-report.json.zip retention-days: 21 
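Review bot: This repair of build-docs/action.yml covers only the configure-pages and upload-pages-artifact lines, but PATCH 1/8 fused two more lines in the same file that are still in place after this patch: `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-node@v4` near the top (which drops the setup-node step entirely) and `uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with:`. Both need the same treatment as the two lines fixed here, a line break after the `# vX` comment, and `actions/setup-node` should then be pinned to a commit SHA like the rest. A quick `actionlint` or `yamllint` pass over `.github/` would catch any remaining fused `# … with:` lines across the series.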
@@ -43,7 +44,8 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the CLOC report to the central location" diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 971fe64..2d47d0b 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml @@ -32,7 +32,8 @@ runs: run: zip sbom-repository-report.json.zip sbom-repository-report.json - name: "Upload SBOM report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: name: sbom-repository-report.json.zip path: ./sbom-repository-report.json.zip retention-days: 21 @@ -46,7 +47,8 @@ runs: run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - name: "Upload vulnerabilities report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: name: vulnerabilities-repository-report.json.zip path: ./vulnerabilities-repository-report.json.zip retention-days: 21 
@@ -56,7 +58,8 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the SBOM and vulnerabilities reports to the central location" diff --git a/.github/actions/sync-template-repo/action.yaml b/.github/actions/sync-template-repo/action.yaml index 676ede1..1b2ccdb 100644 --- a/.github/actions/sync-template-repo/action.yaml +++ b/.github/actions/sync-template-repo/action.yaml @@ -8,7 +8,8 @@ runs: using: "composite" steps: - name: "Check out template repository" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: repository: NHSDigital/nhs-notify-repository-template path: nhs-notify-repository-template token: ${{ inputs.github_token }} diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index 7e07c38..52ee997 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml @@ -29,7 +29,8 @@ jobs: does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }} steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Set CI/CD variables" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') 
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index c1d7cc2..4ba4ee8 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -37,7 +37,8 @@ jobs: # tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Set CI/CD variables" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') @@ -108,5 +109,6 @@ jobs: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with: + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a521ebf..5264140 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,7 +59,8 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: name: SARIF file path: results.sarif retention-days: 5 diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 324426c..5a2f922 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml 
@@ -39,7 +39,8 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" uses: ./.github/actions/scan-secrets @@ -49,7 +50,8 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check file format" uses: ./.github/actions/check-file-format @@ -59,7 +61,8 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check Markdown format" uses: ./.github/actions/check-markdown-format @@ -72,7 +75,8 @@ jobs: contents: write steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check to see if Terraform Docs are up-to-date" run: | @@ -92,7 +96,8 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check English usage" uses: ./.github/actions/check-english-usage 
@@ -102,7 +107,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check TODO usage" uses: ./.github/actions/check-todo-usage @@ -136,8 +142,10 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF" - uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 - name: "Lint Terraform" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Setup ASDF" + uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 + - name: "Lint Terraform" uses: ./.github/actions/lint-terraform trivy: name: "Trivy Scan" @@ -147,8 +155,10 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF" - uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 - name: "Perform Setup" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Setup ASDF" + uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 + - name: "Perform Setup" uses: ./.github/actions/setup - name: "Trivy Scan" uses: ./.github/actions/trivy @@ -161,7 +171,8 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Count lines of code" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Count lines of code" uses: ./.github/actions/create-lines-of-code-report with: build_datetime: "${{ inputs.build_datetime }}" 
@@ -179,7 +190,8 @@ jobs: timeout-minutes: 2 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Scan dependencies" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Scan dependencies" uses: ./.github/actions/scan-dependencies with: build_datetime: "${{ inputs.build_datetime }}" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index bdbf89b..4531030 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -39,7 +39,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run unit test suite" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run unit test suite" run: | make test-unit - name: "Save the result of fast test suite" @@ -51,7 +52,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run linting" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run linting" run: | make test-lint - name: "Save the linting result" @@ -64,7 +66,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run test coverage check" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run test coverage check" run: | make test-coverage - name: "Save the coverage check result" @@ -80,7 +83,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Perform static analysis" uses: ./.github/actions/perform-static-analysis 
diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index 92ca003..2b5995c 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -39,7 +39,8 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Build artefact 1" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Build artefact 1" run: | echo "Building artefact 1 ..." - name: "Check artefact 1" @@ -55,7 +56,8 @@ jobs: timeout-minutes: 3 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Build artefact n" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Build artefact n" run: | echo "Building artefact n ..." - name: "Check artefact n" diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index 7e4c94b..3d65b93 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -39,7 +39,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Create infractructure" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Create infractructure" run: | echo "Creating infractructure..." - name: "Update database" @@ -55,7 +56,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run contract test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run contract test" run: | make test-contract - name: "Save result" 
@@ -68,7 +70,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run security test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run security test" run: | make test-security - name: "Save result" @@ -81,7 +84,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run UI test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run UI test" run: | make test-ui - name: "Save result" @@ -94,7 +98,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run UI performance test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run UI performance test" run: | make test-ui-performance - name: "Save result" @@ -107,7 +112,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run integration test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run integration test" run: | make test-integration - name: "Save result" @@ -120,7 +126,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run accessibility test" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run accessibility test" run: | make test-accessibility - name: "Save result" @@ -133,7 +140,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run load tests" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Run load tests" run: | make test-load - name: "Save result" 
@@ -156,6 +164,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Tear down environment" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: "Tear down environment" run: | echo "Tearing down environment..." From 266c53f7ee2ea0af250ba94252dac4cee55a2267 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 15:08:20 +0100 Subject: [PATCH 3/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/build-docs/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index 8c91bd1..d17d18d 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -8,7 +8,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-node@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@v4 with: node-version: 22 - name: Npm cli install From 8b1e49c3b72b49569fb5ce608f1c9b16b658e6f1 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 16:37:43 +0100 Subject: [PATCH 4/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/build-docs/action.yml | 3 ++- .github/workflows/manual-combine-dependabot-prs.yaml | 3 ++- .github/workflows/scheduled-repository-template-sync.yaml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index d17d18d..2a2f0ad 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml 
@@ -17,7 +17,8 @@ runs: run: npm ci shell: bash - name: Setup Ruby - uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with: + uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 + with: ruby-version: "3.2" # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 0 # Increment this number if you need to re-download cached gems diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index 6c8e02a..e1e5f07 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -15,7 +15,8 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 with: + uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 + with: ci_required: false labels: dependencies pr_title: Combined Dependabot PRs diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index 8dff314..acfc025 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -24,7 +24,8 @@ jobs: - name: Create Pull Request if: ${{ !env.ACT }} - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: Drift from template branch: scheduledTemplateRepositorySync From 5b97bcad5b9e757a24a3bff603227e4fa7b2cbc8 Mon Sep 17 00:00:00 2001 
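Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` on the pinned create-pull-request step means the pull request it opens does not trigger this repository's `pull_request` workflows, so the stage-1 secret scan and format checks do not run on the template-sync PR until someone pushes to it or re-runs them; this is GitHub's documented behaviour for events created with GITHUB_TOKEN and is unchanged by the pin, but it is worth stating next to it. Suggested comment above the `token:` line: `# GITHUB_TOKEN-created PRs do not fire pull_request workflows; use an app/installation token if CI must run on the sync PR`. The enclosing job starts outside the hunk.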
From: damientobin1 Date: Tue, 31 Mar 2026 17:49:15 +0100 Subject: [PATCH 5/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/create-lines-of-code-report/action.yaml | 2 +- .github/actions/scan-dependencies/action.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index 0f149dd..fd2cc13 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -44,7 +44,7 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 2d47d0b..22e78a1 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml 
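Review bot: The pin on `aws-actions/configure-aws-credentials` moves from `7474bc46…` to `ff717079…` here and straight back in PATCH 6, and the only justification either way is the trailing `# v4` comment, which names a floating major tag and so cannot be checked against a 40-character SHA by a reviewer; PATCH 7's subject suggests the same resolution problem (an annotated-tag object SHA rather than the commit it points to) affected the combine-prs and asdf-vm pins. Record the exact release the SHA was resolved from, `# v4.<minor>.<patch>` (placeholder — take it from the upstream tag), and resolve pins with `git rev-parse '<tag>^{commit}'` so an annotated tag is peeled to its commit before it is written into `uses:`. The same applies to the scan-dependencies hunk below, both PATCH 6 hunks and the PATCH 7 hunks; the two configure-aws-credentials commits cancel out and could be squashed before merge, and the enclosing composite-action steps start outside the hunk.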
@@ -58,7 +58,7 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} From 076becd959bc0d452057e7afae9aacd5f0ad41c1 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 18:19:07 +0100 Subject: [PATCH 6/8] CCM-14499: Correct configure-aws-credentials v4 SHA --- .github/actions/create-lines-of-code-report/action.yaml | 2 +- .github/actions/scan-dependencies/action.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index fd2cc13..0f149dd 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -44,7 +44,7 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} 
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 22e78a1..2d47d0b 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml @@ -58,7 +58,7 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} From 67a22a83692c06ad3077237a6d952ca96100b1c3 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 18:41:06 +0100 Subject: [PATCH 7/8] CCM-14499: Correct annotated tag SHA pins --- .github/workflows/manual-combine-dependabot-prs.yaml | 2 +- .github/workflows/stage-1-commit.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index e1e5f07..3e311ac 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -15,7 +15,7 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 + uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0 with: ci_required: false labels: dependencies diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 5a2f922..28f9c65 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml 
@@ -144,7 +144,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF" - uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 + uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4 - name: "Lint Terraform" uses: ./.github/actions/lint-terraform trivy: @@ -157,7 +157,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF" - uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 + uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4 - name: "Perform Setup" uses: ./.github/actions/setup - name: "Trivy Scan" From 636caaafd986b6c7aa11e7ab6c6c1702ee6d5ccf Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Wed, 1 Apr 2026 12:39:51 +0100 Subject: [PATCH 8/8] CCM-14499: Pin remaining GitHub Actions refs to SHAs --- .github/actions/build-docs/action.yml | 2 +- .github/workflows/cicd-3-deploy.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index 2a2f0ad..2467307 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -9,7 +9,7 @@ runs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 - name: Npm cli install diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 4ba4ee8..bc65231 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml 
@@ -102,7 +102,7 @@ jobs: run: | gh release download ${{steps.get-asset-version.outputs.release_version}} -p jekyll-docs-*.tar --output artifact.tar - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} path: artifact.tar
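Review bot: The `run:` line above the pinned upload-artifact step interpolates `${{steps.get-asset-version.outputs.release_version}}` straight into the shell script, so if that output is ever derived from a value an outside party can influence (a release name or tag from the event payload, a `workflow_dispatch` input) it is evaluated as shell with this job's token and permissions; I cannot see where `get-asset-version` obtains the value, so treat this as a missing check rather than a confirmed defect. Passing the value through `env:` and quoting it in the script keeps the expression out of the script text entirely. The enclosing job and the `get-asset-version` step start outside the hunk.
```yaml
        env:
          RELEASE_VERSION: ${{ steps.get-asset-version.outputs.release_version }}
        run: |
          gh release download "$RELEASE_VERSION" -p 'jekyll-docs-*.tar' --output artifact.tar
      # … unchanged: upload-artifact step …
```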