NHSDigital
diff --git a/‎.gitallowed‎
Lines changed: 1 addition & 0 deletions b/‎.gitallowed‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/combine-dependabot-prs.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/combine-dependabot-prs.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/pull_request.yml‎
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/pull_request.yml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/workflows/quality-checks.yml‎
Lines changed: 41 additions & 4 deletions b/‎.github/workflows/quality-checks.yml‎
Lines changed: 41 additions & 4 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/workflows/tag-release.yml‎
Lines changed: 12 additions & 11 deletions b/‎.github/workflows/tag-release.yml‎
Lines changed: 12 additions & 11 deletions
@@ -5,3 +5,4 @@ password: \${{ secrets\.GITHUB_TOKEN }}
 def __init__\(self, token: str, owner: str, repo: str.*
 self\.token = token
 token = os\.environ\.get\(\"GH_TOKEN\"\)
+\-Dsonar\.token=\"\$SONAR_TOKEN\"
@@ -45,7 +45,7 @@ jobs:
         runs-on: ubuntu-22.04
         steps:
             - name: Checkout repository
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
               with:
                   repository: NHSDigital/eps-common-workflows
                   sparse-checkout-cone-mode: false
 
@@ -23,7 +23,7 @@ jobs:
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Get asdf version
         id: asdf-version
@@ -47,6 +47,5 @@ jobs:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
       branch_name: ${{ github.event.pull_request.head.ref }}
-      publish_package: false
       tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
     secrets: inherit
@@ -28,14 +28,14 @@ jobs:
   quality_checks:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         if: ${{ inputs.install_java }}
         with:
           java-version: "21"
           distribution: "corretto"
 
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
@@ -328,7 +328,14 @@ jobs:
 
       - name: Run SonarQube analysis
         if: ${{ steps.check_languages.outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }}
-        run: mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
+        run: |
+          # issues with sonar scanner and sslcontext-kickstart 9.1.0, forcing re-download
+          rm -rf ~/.m2/repository/io/github/hakky54/sslcontext-kickstart/9.1.0
+          mvn dependency:get -U -Dartifact=io.github.hakky54:sslcontext-kickstart:9.1.0
+          # run sonar scan
+          mvn sonar:sonar -Dsonar.token="$SONAR_TOKEN"
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
       - name: SonarCloud Scan
         uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
@@ -342,11 +349,41 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
 
+      # using git commit sha for version of action to ensure we have stable version
+      - name: Install asdf
+        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
+        with:
+          asdf_version: ${{ inputs.asdfVersion }}
+
+      - name: Cache asdf
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
+        with:
+          path: |
+            ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
+
+      - name: Install asdf dependencies in .tool-versions
+        uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
+        with:
+          asdf_version: ${{ inputs.asdfVersion }}
+        env:
+          PYTHON_CONFIGURE_OPTS: --enable-shared
+
+      - name: Reinstall poetry
+        if: ${{ inputs.reinstall_poetry }}
+        run: |
+          poetry_tool_version=$(cat .tool-versions | grep poetry)
+          poetry_version=${poetry_tool_version//"poetry "}
+          asdf uninstall poetry "$poetry_version"
+          asdf install poetry
+
       - name: Check for SAM templates
         id: check_sam_templates
         run: |
 
@@ -15,7 +15,7 @@ jobs:
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Get asdf version
         id: asdf-version
@@ -39,6 +39,5 @@ jobs:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
       branch_name: main
-      publish_package: false
       tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
     secrets: inherit
@@ -15,10 +15,11 @@ on:
                 type: string
                 required: false
                 default: "0.18.0"
-            publish_package:
-                description: "Whether to publish a package to an npm registry"
-                required: true
-                type: boolean
+            publish_packages:
+                description: "comma separated list of package folders to publish to an npm registry"
+                required: false
+                type: string
+                default: ""
             tag_format:
                 description: "The tag format to use for the release tags"
                 required: false
@@ -67,7 +68,7 @@ jobs:
         runs-on: ubuntu-22.04
         steps:
             - name: Checkout semantic-release workflow
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
               with:
                   repository: NHSDigital/eps-common-workflows
                   sparse-checkout-cone-mode: false
@@ -210,7 +211,7 @@ jobs:
                   # echo "NODE_PATH=$NODE_PATH" >> $GITHUB_ENV
 
             - name: Clone calling repo
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
               with:
                   repository: ${{ github.repository }}
                   ref: ${{ github.sha }}
@@ -230,7 +231,7 @@ jobs:
                   name: config_artifact
 
             - name: Cache asdf
-              if: ${{ inputs.publish_package }}
+              if: inputs.publish_packages != ''
               uses: actions/cache@v5
               with:
                   path: |
@@ -240,15 +241,15 @@ jobs:
                       ${{ runner.os }}-asdf-
 
             - name: Install asdf dependencies in .tool-versions
-              if: ${{ inputs.publish_package }}
+              if: inputs.publish_packages != ''
               uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
               with:
                   asdf_version: ${{ inputs.asdfVersion }}
               env:
                   PYTHON_CONFIGURE_OPTS: --enable-shared
 
             - name: Install Dependencies and Build Package
-              if: ${{ inputs.publish_package }}
+              if: inputs.publish_packages != ''
               run: |
                   make install
                   make build
@@ -314,7 +315,7 @@ jobs:
               env:
                   GITHUB_TOKEN: ${{ github.token }}
                   BRANCH_NAME: ${{ inputs.branch_name }}
-                  PUBLISH_PACKAGE: ${{ inputs.publish_package }}
+                  PUBLISH_PACKAGES: ${{ inputs.publish_packages }}
                   TAG_FORMAT: ${{ inputs.tag_format }}
                   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
                   MAIN_BRANCH: ${{ inputs.main_branch }}
@@ -325,7 +326,7 @@ jobs:
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-                  PUBLISH_PACKAGE: ${{ inputs.publish_package }}
+                  PUBLISH_PACKAGES: ${{ inputs.publish_packages }}
                   TAG_FORMAT: ${{ inputs.tag_format }}
                   MAIN_BRANCH: ${{ inputs.main_branch }}
                   EXTRA_ASSET: ${{ inputs.extra_artifact_name }}