FLAGSAPI-1203 Update summary-care-record.yaml (#654)

NinaTombs · gps035 · web-flow · commit 8157d36293a8 · 2026-01-12T09:54:20.000Z
* Update summary-care-record.yaml https://nhsd-jira.digital.nhs.uk/browse/FLAGSAPI-1203 Updated to show that AAL2 is now supported in addition to AAL3. * Remove branch name check on PRs in favour of a check on the title IMO there is no value in requiring branch names to be in a certain format, and just causes people to have to redo work, like would be done here if not for this change --------- Co-authored-by: Sophie Somerville <12125546+gps035@users.noreply.github.com>
diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml
@@ -1,24 +1,14 @@
 name: PR Quality Check
-on: pull_request
+on:
+  pull_request:
+    types: [opened, synchronize, edited, reopened]
 jobs:
   link-ticket:
     runs-on: ubuntu-latest
     steps:
-      - name: Check ticket name conforms to requirements
-        run: echo ${{ github.event.pull_request.head.ref }} | grep -i -E -q "((apm|niad|amb|flagsapi)-[0-9]+)|(dependabot\/)"
-
-      - name: Grab ticket name
-        if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'niad-') || contains(github.event.pull_request.head.ref, 'NIAD-') || contains(github.event.pull_request.head.ref, 'amb-') || contains(github.event.pull_request.head.ref, 'AMB-')
-        run: echo ::set-env name=TICKET_NAME::$(echo ${{ github.event.pull_request.head.ref }} | tr '[:lower:]' '[:upper:]' | grep -i -o '^\(APM\|NIAD\|AMB\)-[0-9]\+')
+      - name: Check PR title starts with Jira reference
         env:
-          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
-
-      - name: Comment on PR
-        if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'niad-') || contains(github.event.pull_request.head.ref, 'NIAD-') || contains(github.event.pull_request.head.ref, 'amb-') || contains(github.event.pull_request.head.ref, 'AMB-')
-        uses: unsplash/comment-on-pr@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          msg: |
-            This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:
-            # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME}})
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          JIRA_REGEX="^(APM|NIAD|AMB|FLAGSAPI)-([[:digit:]]+)"
+          [[ "$PR_TITLE" =~ $JIRA_REGEX ]] && exit 0 || exit 1
diff --git a/specification/summary-care-record.yaml b/specification/summary-care-record.yaml
@@ -81,24 +81,23 @@ info:
     This API has two authorisation methods. The first is [user-restricted](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#user-restricted-apis), meaning an end user must be present and authenticated to use it.
 
     The end user must be:
-    - a health or care staff providing direct care to patients
-    - strongly authenticated, using either an [NHS smartcard or a modern alternative](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/nhs-smartcards-for-developers) available via [NHS Care Identity Service 2 (NHS CIS2)](https://digital.nhs.uk/services/nhs-identity)
+    - a health or care worker providing direct care to patients
+    - strongly authenticated, using either an [NHS smartcard or a modern alternative](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/nhs-smartcards-for-developers) available via [CIS2 Authentication](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication)
+    - authenticated to assurance level AAL2 or AAL3
 
-    The API uses OAuth 2.0 to authorise the calling system. It only supports CIS2 combined authentication and authorisation (see link below). Do not use separate authentication and authorisation:
-    - [user-restricted RESTful API - using NHS CIS2 - combined authentication and authorisation](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-nhs-cis2-combined-authentication-and-authorisation)
-
-    For more details, see [user-restricted APIs](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#user-restricted-apis).
-
-    The second authorisation method is [application-restricted](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#application-restricted-apis) (signed JWT authentication), meaning a few specific API calls can be authorised by the application making the requests. This is typically provided so that GPs can perform batch updates of multiple Summary Care Records without having to log in as a specific user.
+    The API uses OAuth 2.0 to authorise the calling system. It supports the following security patterns:
+    - [user-restricted RESTful API - CIS2 - combined authentication and authorisation](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-nhs-cis2-combined-authentication-and-authorisation)
+    - [user-restricted RESTful API - CIS2 - seperate authentication and authorisation](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation)
+    
+    The second authorisation method is [application-restricted](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#application-restricted-apis), meaning a few specific API calls can be authorised by the application making the requests. This is typically provided so that GPs can perform batch updates of multiple Summary Care Records without having to log in as a specific user.
     
     The following specific endpoint and method combinations can be used with application-restricted authentication, in addition to user-restricted authentication:
     
     - GET DocumentReference
     - GET Bundle
     - POST Bundle
     
-    For more details, see:
-    - [application-restricted APIs](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#application-restricted-apis) and 
+    For more details, see the following security pattern:    
     - [application-restricted RESTful APIs - signed with JWT authentication](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication)
 
     ## Environments and testing
