NHSDigital · github-actions · Mar 1, 2026
@@ -20,7 +20,7 @@
 # All arguments are required except terraformAction, and internalRef.
 # Example:
 #   ./dispatch_internal_repo_workflow.sh \
-#     --infraRepoName "nhs-notify-web-template-management" \
+#     --infraRepoName "nhs-notify-dns" \
 #     --releaseVersion "v1.2.3" \
 #     --targetWorkflow "deploy.yaml" \
 #     --targetEnvironment "prod" \
@@ -86,7 +86,7 @@ while [[ $# -gt 0 ]]; do
       ;;
   esac
 done
-# Validate required parameters
+
 if [[ -z "$APP_PEM_FILE" ]]; then
   echo "[ERROR] PEM_FILE environment variable is not set or is empty."
   exit 1
@@ -140,7 +140,6 @@ PR_TRIGGER_PAT=$(curl --request POST \
   -H "Authorization: Bearer ${JWT}" \
   -H "X-GitHub-Api-Version: 2022-11-28" | jq -r '.token')
 
-
 # Set default values if not provided
 if [[ -z "$PR_TRIGGER_PAT" ]]; then
   echo "[ERROR] PR_TRIGGER_PAT environment variable is not set or is empty."

@@ -16,10 +16,10 @@ jobs:
 
     steps:
     - name: Check out the repository
-      uses: actions/checkout@v5.0.0
+      uses: actions/checkout@v4
 
     - name: Check out external repository
-      uses: actions/checkout@v5.0.0
+      uses: actions/checkout@v4
       with:
         repository: NHSDigital/nhs-notify-repository-template
         path: nhs-notify-repository-template

@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif
@@ -3,11 +3,6 @@ repos:
     rev: v5.0.0 # Use the ref you want to point at
     hooks:
       - id: trailing-whitespace
-        exclude: |
-          (?x)^(
-            frontend/src/__tests__/.*\.tsx\.snap |
-            frontend/src/__tests__/utils/markdownit/fixtures/index\.ts
-          )$
       - id: detect-aws-credentials
         args: [--allow-missing-credentials]
       - id: check-added-large-files
@@ -17,12 +12,8 @@ repos:
       - id: forbid-new-submodules
       - id: mixed-line-ending
       - id: pretty-format-json
-        exclude: |
-          (?x)^(
-            .*/?package-lock.json |
-            packages/event-schemas/schemas/[^/]+/[^/]+\.json
-          )$
         args: ['--autofix']
+        exclude: '(^|/)package(-lock)?\.json$'
     # -   id: ...
   - repo: local
     hooks:
@@ -42,7 +33,7 @@ repos:
     hooks:
       - id: check-file-format
         name: Check file format
-        entry: /usr/bin/env check=branch exclude=frontend/src/__tests__/utils/markdownit/fixtures/index.ts ./scripts/githooks/check-file-format.sh
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-file-format.sh
         language: script
         pass_filenames: false
   - repo: local

@@ -67,10 +67,8 @@ function main() {
   esac
 
   if command -v editorconfig-checker > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
-    echo "Running editorconfig-checker natively"
     filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-natively
   else
-    echo "Running editorconfig-checker in Docker"
     filter="$filter" dry_run_opt="${dry_run_opt:-}" run-editorconfig-in-docker
   fi
 }

@@ -52,21 +52,21 @@ function main() {
   esac
 
   if [ -n "$files" ]; then
-    if command -v markdownlint-cli > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    if command -v markdownlint > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
       files="$files" run-markdownlint-natively
     else
       files="$files" run-markdownlint-in-docker
     fi
   fi
 }
 
-# Run markdownlint-cli natively.
+# Run markdownlint natively.
 # Arguments (provided as environment variables):
 #   files=[files to check]
 function run-markdownlint-natively() {
 
   # shellcheck disable=SC2086
-  markdownlint-cli \
+  markdownlint \
     $files \
     --config "$PWD/scripts/config/markdownlint.yaml"
 }

@@ -33,7 +33,6 @@ EXCLUDED_FILES=(
   "Makefile"
   "project.code-workspace"
   "src/jekyll-devcontainer/src/.devcontainer/devcontainer.json"
-  ".eslintrc.json"
 )
 
 EXCLUDED_DIRS=(

@@ -34,29 +34,21 @@ GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}"
 GHCR_LOGIN_USER="${GITHUB_ACTOR}"
 LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$PWD")}"
 
-## Set image tag suffix based on git metadata.
-# Publish exactly one suffix:
-# - release-<semver>-<shortsha> when HEAD is tagged
-# - sha-<shortsha> otherwise
-echo "Checking git metadata for image tag suffixes..."
-SHORT_SHA="$(git rev-parse --short HEAD)"
-SHA_SUFFIX="sha-${SHORT_SHA}"
+## Set IMAGE_TAG_SUFFIX based on git tag or short SHA for unique lambda image tagging in ECR.
+#This ensures that each build produces a uniquely identifiable image, and tagged releases are easily traceable.
+echo "Checking if current commit is a tag..."
 GIT_TAG="$(git describe --tags --exact-match 2>/dev/null || true)"
-
 if [ -n "$GIT_TAG" ]; then
-  RELEASE_VERSION="${GIT_TAG#v}"
-  RELEASE_SUFFIX="release-${RELEASE_VERSION}-${SHORT_SHA}"
-  FINAL_SUFFIX="${RELEASE_SUFFIX}"
-  echo "On tag: $GIT_TAG"
-  echo "Publishing suffix: $FINAL_SUFFIX"
+  TAGGED="tag-$GIT_TAG"
+  echo "On tag: $GIT_TAG, exporting IMAGE_TAG_SUFFIX as tag: $TAGGED"
+  export IMAGE_TAG_SUFFIX="$TAGGED"
+
 else
-  echo "Not on a tag"
-  FINAL_SUFFIX="${SHA_SUFFIX}"
-  echo "Publishing suffix: $FINAL_SUFFIX"
+  SHORT_SHA="sha-$(git rev-parse --short HEAD)"
+  echo "Not on a tag, exporting IMAGE_TAG_SUFFIX as short SHA: $SHORT_SHA"
+  export IMAGE_TAG_SUFFIX="$SHORT_SHA"
 fi
 
-export IMAGE_TAG_SUFFIX="$FINAL_SUFFIX"
-
 ## Check if we are running in the context of a Terraform apply or plan, and set PUBLISH_LAMBDA_IMAGE accordingly. We only want to push images to ECR on apply, not on plan.
 echo "Checking if ACTION is 'apply' to set PUBLISH_LAMBDA_IMAGE..."
 if [ "$ACTION" = "apply" ]; then
@@ -89,7 +81,6 @@ if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then
     echo "GHCR login successful."
   else
     echo "GHCR login failed!" >&2
-    exit 1
   fi
 fi
 
@@ -99,10 +90,14 @@ IMAGE_TAG="${CSI}-${LAMBDA_NAME}"
 # Compose the full ECR image references.
 ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}"
 
-# Final tag name we will produce.
-IMAGE_TAG_FINAL="${ECR_REPO_URI}:${IMAGE_TAG}-${FINAL_SUFFIX}"
+# Final tag names we will produce
 
-echo "Will build and tag image: ${IMAGE_TAG_FINAL}"
+IMAGE_TAG_LATEST="${ECR_REPO_URI}:${IMAGE_TAG}-latest"
+IMAGE_TAG_SUFFIXED="${ECR_REPO_URI}:${IMAGE_TAG}-${IMAGE_TAG_SUFFIX}"
+
+echo "Will build and tag images:"
+echo "  LATEST -> ${IMAGE_TAG_LATEST}"
+echo "  SUFFIXED -> ${IMAGE_TAG_SUFFIXED}"
 
 # Build and tag the Docker image for the lambda.
 # --load makes the built image available to the local docker daemon (single-platform).
@@ -112,16 +107,20 @@ docker buildx build \
   --provenance=false \
   --sbom=false \
   --build-arg BASE_IMAGE="${BASE_IMAGE}" \
-  -t "${IMAGE_TAG_FINAL}" \
+  -t "${IMAGE_TAG_LATEST}" \
+  -t "${IMAGE_TAG_SUFFIXED}" \
   --load \
   .
 
-# Push the image tag to ECR on apply only. The Terraform configuration references the deterministic suffixed tag.
+# Push the image tag(s) to ECR on apply only. The Terraform configuration will reference image digest.
 if [ "${PUBLISH_LAMBDA_IMAGE:-false}" = "true" ]; then
   echo "PUBLISH_LAMBDA_IMAGE is set to true. Pushing Docker images to ECR..."
 
-  echo "Pushing ${IMAGE_TAG_FINAL}..."
-  docker push "${IMAGE_TAG_FINAL}"
+
+  for TAG in "${IMAGE_TAG_LATEST}" "${IMAGE_TAG_SUFFIXED}"; do
+    echo "Pushing ${TAG}..."
+    docker push "${TAG}"
+  done
 
   echo "Push complete."
 else