From e7c280964a649e4f9befd68330add0b91bf50e21 Mon Sep 17 00:00:00 2001
From: oliverbeumkes-nhs
Date: Tue, 17 Mar 2026 11:42:08 +0000
Subject: [PATCH 1/4] [PRM-691] Removal of rogue v infront of version
---
 .github/workflows/tool-create-release.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/tool-create-release.yml b/.github/workflows/tool-create-release.yml
index 69892d69..fb99661a 100644
--- a/.github/workflows/tool-create-release.yml
+++ b/.github/workflows/tool-create-release.yml
@@ -11,8 +11,9 @@ on:
 required: true
 permissions:
+ pull-requests: write
 id-token: write
- contents: write
+ contents: read
 jobs:
 create_release:
@@ -21,14 +22,14 @@ jobs:
 steps:
 - name: Validate Tag Format
 run: |
- if [[ ! "${{ github.event.inputs.tag }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ if [[ ! "$tag" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
 echo "Error: Tag must be in the format X.Y.Z (e.g. 1.0.0)"
 exit 1
 fi
 - name: Configure AWS Credentials
 id: credentials
- uses: aws-actions/configure-aws-credentials@v8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+ uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
 with:
 role-to-assume: ${{ secrets.IAM_ROLE }}
 aws-region: ${{ vars.AWS_REGION }}
From ddf30d2b21147203fb162f893817b2ae466c89a3 Mon Sep 17 00:00:00 2001
From: oliverbeumkes-nhs
Date: Tue, 17 Mar 2026 11:44:38 +0000
Subject: [PATCH 2/4] Use env tag not inputs.tag
---
 .github/workflows/tool-create-release.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/tool-create-release.yml b/.github/workflows/tool-create-release.yml
index fb99661a..64178f6b 100644
--- a/.github/workflows/tool-create-release.yml
+++ b/.github/workflows/tool-create-release.yml
@@ -19,6 +19,8 @@ jobs:
 create_release:
 name: Create Release
 runs-on: ubuntu-latest
+ env:
+ tag: ${{ inputs.tag }}
 steps:
 - name: Validate Tag Format
 run: |
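Review bot: In patch 1/4 the `Validate Tag Format` step now tests `"$tag"`, but nothing visible in that commit defines a `tag` environment variable; the job-level `env:` that supplies it only arrives in patch 2/4. Unless a definition exists outside the hunk, the variable expands to an empty string at that commit and the regex check rejects every input, so the workflow cannot produce a release between the two commits. Moving the two lines `env:` and `tag: ${{ inputs.tag }}` into patch 1/4 would keep each commit in the series working on its own.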
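Review bot: The job-level `env:` entry added in patch 2/4 is named `tag` in lower case, while the step-level variable visible in the same workflow is `IMAGE_SHA`; an upper-case name such as `RELEASE_TAG`, with the `$tag` references updated to match, would follow that convention and be less likely to collide with an unrelated variable. The entry would also benefit from a comment recording why the value travels through the environment, for example `# Passed via env so the workflow input is never expanded inside a run: script`. The job definition continues outside the hunk.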
@@ -43,8 +45,8 @@ jobs:
 run: |
 git config --global user.name "github-actions"
 git config --global user.email "github@github.com"
- git tag ${{ github.event.inputs.tag }}
- git push origin ${{ github.event.inputs.tag }}
+ git tag $tag
+ git push origin $tag
 - name: Full Deployment
 uses: ./.github/workflows/full-deployment.yml
@@ -56,7 +58,6 @@ jobs:
 - name: Re-tag ECR Images with Release Tag
 env:
 IMAGE_SHA: ${{ github.sha }}
- IMAGE_TAG: ${{ inputs.tag }}
 run: |
 repo-list=['deductions/ehr-out-service',
 'deductions/ehr-repo',
@@ -70,8 +71,8 @@ jobs:
 for repo in "${repo-list[@]}"; do
 repo=${{ steps.credentials.outputs.aws-account-id }}.dkr.ecr.eu-west-2.amazonaws.com/$repo
 docker pull $repo:$IMAGE_SHA
- docker tag $repo:$IMAGE_SHA $repo:$IMAGE_TAG
- docker push $repo:$IMAGE_TAG
+ docker tag $repo:$IMAGE_SHA $repo:$tag
+ docker push $repo:$tag
 done
From 8e6c0c29f93cf0f43a6977745a2b0e7b2c6b9534 Mon Sep 17 00:00:00 2001
From: oliverbeumkes-nhs
Date: Tue, 17 Mar 2026 11:45:51 +0000
Subject: [PATCH 3/4] Give contents write for creating tags
---
 .github/workflows/tool-create-release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/tool-create-release.yml b/.github/workflows/tool-create-release.yml
index 64178f6b..5f124b22 100644
--- a/.github/workflows/tool-create-release.yml
+++ b/.github/workflows/tool-create-release.yml
@@ -13,7 +13,7 @@ on:
 permissions:
 pull-requests: write
 id-token: write
- contents: read
+ contents: write
 jobs:
 create_release:
From 39a2aeac9428bc49adef3ed36489f91612eabd05 Mon Sep 17 00:00:00 2001
From: oliverbeumkes-nhs
Date: Tue, 17 Mar 2026 11:46:41 +0000
Subject: [PATCH 4/4] Remove pull-request write permissions
---
 .github/workflows/tool-create-release.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/tool-create-release.yml b/.github/workflows/tool-create-release.yml
index 5f124b22..83daec62 100644
--- a/.github/workflows/tool-create-release.yml
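Review bot: `git tag $tag` and `git push origin $tag` in the tagging step of patch 2/4 expand the variable unquoted, so their safety rests entirely on the earlier `Validate Tag Format` step having run and passed. Quoting keeps the step safe if it is ever reordered or copied elsewhere: `git tag "$tag"` and `git push origin "refs/tags/$tag"`. The fully qualified ref also removes any ambiguity should a branch with the same name exist. The step begins outside the hunk.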
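Review bot: The re-tag loop in patch 2/4 iterates over `"${repo-list[@]}"`, and the list is assigned as `repo-list=['deductions/ehr-out-service', …` in the preceding hunk; neither form is valid bash. A hyphen is not allowed in a variable name, so the first line is run as a command rather than an assignment, and `${repo-list[@]}` is parsed as the default-value expansion of `repo`, not as an array expansion. A bash array would be `repos=(deductions/ehr-out-service deductions/ehr-repo …)` with `for repo in "${repos[@]}"; do`, and the image references are better quoted, e.g. `docker tag "$repo:$IMAGE_SHA" "$repo:$tag"`. The rest of the list lies between the two hunks and is not visible here.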
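Review bot: The `permissions:` block that patch 3/4 returns to `contents: write` sits at workflow level, so the write-capable token and `id-token: write` are granted to every job in the file, not only to the one that pushes the tag. Only `create_release` is visible here; if other jobs exist or are added later, moving the block under that job keeps the grant as narrow as possible. A short comment on each entry would avoid the back-and-forth seen in this series, e.g. `contents: write  # needed to push the release tag` and `id-token: write  # presumably OIDC for configure-aws-credentials, to be confirmed`.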
+++ b/.github/workflows/tool-create-release.yml
@@ -11,7 +11,6 @@ on:
 required: true
 permissions:
- pull-requests: write
 id-token: write
 contents: write