Merge remote-tracking branch 'origin/main' into release_script

Author: anthony-nhs

.gitallowed

@@ -6,3 +6,4 @@ def __init__\(self, token: str, owner: str, repo: str.*
 self\.token = token
 token = os\.environ\.get\(\"GH_TOKEN\"\)
 poetry\.lock
+\-Dsonar\.token=\"\$SONAR_TOKEN\"

.github/workflows/combine-dependabot-prs.yml

@@ -45,7 +45,7 @@ jobs:
         runs-on: ubuntu-22.04
         steps:
             - name: Checkout repository
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
               with:
                   repository: NHSDigital/eps-common-workflows
                   sparse-checkout-cone-mode: false

.github/workflows/pull_request.yml

@@ -23,7 +23,7 @@ jobs:
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Get asdf version
         id: asdf-version
@@ -47,6 +47,5 @@ jobs:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
       branch_name: ${{ github.event.pull_request.head.ref }}
-      publish_package: false
       tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
     secrets: inherit

.github/workflows/quality-checks.yml

@@ -23,19 +23,29 @@ on:
         type: boolean
         description: Toggle to reinstall poetry on top of python version installed by asdf.
         default: false
+      run_docker_scan:
+        type: boolean
+        description: Toggle to run docker vulnerability scan on this repository.
+        default: false
+        required: false
+      docker_images:
+        type: string
+        description: comma separated list of docker image references to scan when docker scanning is enabled.
+        default: ""
+        required: false
 
 jobs:
   quality_checks:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         if: ${{ inputs.install_java }}
         with:
           java-version: "21"
           distribution: "corretto"
 
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
@@ -237,7 +247,6 @@ jobs:
 
       - name: Run unit tests
         run: make test
-
       - name: Generate SBOM
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
         with:
@@ -328,7 +337,14 @@ jobs:
 
       - name: Run SonarQube analysis
         if: ${{ steps.check_languages.outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }}
-        run: mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
+        run: |
+          # issues with sonar scanner and sslcontext-kickstart 9.1.0, forcing re-download
+          rm -rf ~/.m2/repository/io/github/hakky54/sslcontext-kickstart/9.1.0
+          mvn dependency:get -U -Dartifact=io.github.hakky54:sslcontext-kickstart:9.1.0
+          # run sonar scan
+          mvn sonar:sonar -Dsonar.token="$SONAR_TOKEN"
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
       - name: SonarCloud Scan
         uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
@@ -337,16 +353,199 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
-  # CloudFormation validation (runs only if templates exist, ~3-5 minutes)
+  get_docker_images_to_scan:
+    outputs:
+      docker_images: ${{ steps.normalized_docker_images.outputs.images }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+          fetch-depth: 0
+      - name: Determine docker images to scan
+        id: normalized_docker_images
+        env:
+          DOCKER_IMAGES: ${{ inputs.docker_images }}
+        run: |
+          if [ "${{ inputs.run_docker_scan }}" != "true" ]; then
+            echo "Docker scanning disabled; emitting empty image list."
+            echo 'images=[]' >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          INPUT="${DOCKER_IMAGES}"
+
+          if [ -z "$INPUT" ]; then
+            INPUT="[]"
+          fi
+
+          normalize_to_json_array() {
+            local raw="$1"
+
+            # If the input already looks like JSON, return as-is
+            if echo "$raw" | grep -q '^[[:space:]]*\['; then
+              echo "$raw"
+              return
+            fi
+
+            local json="["
+            local first=true
+            IFS=',' read -ra ITEMS <<< "$raw"
+            for item in "${ITEMS[@]}"; do
+              # Trim whitespace around each image reference
+              item=$(echo "$item" | xargs)
+              if [ -z "$item" ]; then
+                continue
+              fi
+              if [ "$first" = true ]; then
+                first=false
+              else
+                json+=", "
+              fi
+              json+="\"$item\""
+            done
+            json+="]"
+            echo "$json"
+          }
+
+          NORMALIZED=$(normalize_to_json_array "$INPUT")
+
+          if [ "$NORMALIZED" = "[]" ]; then
+            echo "No docker images provided"
+            exit 1
+          fi
+
+          echo "Using provided docker images: $NORMALIZED"
+          echo "images=$NORMALIZED" >> "$GITHUB_OUTPUT"
+
+  docker_vulnerability_scan:
+    runs-on: ubuntu-22.04
+    needs: get_docker_images_to_scan
+    if: ${{ inputs.run_docker_scan == true }}
+    strategy:
+      matrix:
+        docker_image: ${{ fromJson(needs.get_docker_images_to_scan.outputs.docker_images) }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+          fetch-depth: 0
+      # using git commit sha for version of action to ensure we have stable version
+      - name: Install asdf
+        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
+        with:
+          asdf_version: ${{ inputs.asdfVersion }}
+
+      - name: Cache asdf
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
+        with:
+          path: |
+            ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
+
+      - name: Install asdf dependencies in .tool-versions
+        uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
+        with:
+          asdf_version: ${{ inputs.asdfVersion }}
+        env:
+          PYTHON_CONFIGURE_OPTS: --enable-shared
+
+      - name: Reinstall poetry
+        if: ${{ inputs.reinstall_poetry }}
+        run: |
+          poetry_tool_version=$(cat .tool-versions | grep poetry)
+          poetry_version=${poetry_tool_version//"poetry "}
+          asdf uninstall poetry "$poetry_version"
+          asdf install poetry
+
+      - name: Setting up .npmrc
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
+          echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
+
+      - name: Cache npm dependencies
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
+        with:
+          path: ./node_modules
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: make install
+        run: |
+          make install
+
+      - name: Build docker images
+        if: ${{ inputs.run_docker_scan == true }}
+        run: |
+          make docker-build
+
+      - name: Check docker vulnerabilities
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+        with:
+          scan-type: "image"
+          image-ref: ${{ matrix.docker_image }}
+          severity: "CRITICAL,HIGH"
+          scanners: "vuln"
+          vuln-type: "os,library"
+          format: "table"
+          output: "dependency_results_docker.txt"
+          exit-code: "1"
+          trivy-config: trivy.yaml
+
+      - name: Show docker vulnerability output
+        if: always()
+        run: |
+          echo "Scan output for ${{ matrix.docker_image }}"
+          if [ -f dependency_results_docker.txt ]; then
+            cat dependency_results_docker.txt
+          fi
+
   IaC-validation:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
 
+      # using git commit sha for version of action to ensure we have stable version
+      - name: Install asdf
+        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
+        with:
+          asdf_version: ${{ inputs.asdfVersion }}
+
+      - name: Cache asdf
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
+        with:
+          path: |
+            ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
+
+      - name: Install asdf dependencies in .tool-versions
+        uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
+        with:
+          asdf_version: ${{ inputs.asdfVersion }}
+        env:
+          PYTHON_CONFIGURE_OPTS: --enable-shared
+
+      - name: Reinstall poetry
+        if: ${{ inputs.reinstall_poetry }}
+        run: |
+          poetry_tool_version=$(cat .tool-versions | grep poetry)
+          poetry_version=${poetry_tool_version//"poetry "}
+          asdf uninstall poetry "$poetry_version"
+          asdf install poetry
+
       - name: Check for SAM templates
         id: check_sam_templates
         run: |

.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Get asdf version
         id: asdf-version
@@ -39,6 +39,5 @@ jobs:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
       branch_name: main
-      publish_package: false
       tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
     secrets: inherit

.github/workflows/tag-release.yml

@@ -15,10 +15,11 @@ on:
                 type: string
                 required: false
                 default: "0.18.0"
-            publish_package:
-                description: "Whether to publish a package to an npm registry"
-                required: true
-                type: boolean
+            publish_packages:
+                description: "comma separated list of package folders to publish to an npm registry"
+                required: false
+                type: string
+                default: ""
             tag_format:
                 description: "The tag format to use for the release tags"
                 required: false
@@ -67,7 +68,7 @@ jobs:
         runs-on: ubuntu-22.04
         steps:
             - name: Checkout semantic-release workflow
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
               with:
                   repository: NHSDigital/eps-common-workflows
                   sparse-checkout-cone-mode: false
@@ -210,7 +211,7 @@ jobs:
                   # echo "NODE_PATH=$NODE_PATH" >> $GITHUB_ENV
 
             - name: Clone calling repo
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
               with:
                   repository: ${{ github.repository }}
                   ref: ${{ github.sha }}
@@ -230,7 +231,7 @@ jobs:
                   name: config_artifact
 
             - name: Cache asdf
-              if: ${{ inputs.publish_package }}
+              if: inputs.publish_packages != ''
               uses: actions/cache@v5
               with:
                   path: |
@@ -240,15 +241,15 @@ jobs:
                       ${{ runner.os }}-asdf-
 
             - name: Install asdf dependencies in .tool-versions
-              if: ${{ inputs.publish_package }}
+              if: inputs.publish_packages != ''
               uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
               with:
                   asdf_version: ${{ inputs.asdfVersion }}
               env:
                   PYTHON_CONFIGURE_OPTS: --enable-shared
 
             - name: Install Dependencies and Build Package
-              if: ${{ inputs.publish_package }}
+              if: inputs.publish_packages != ''
               run: |
                   make install
                   make build
@@ -314,7 +315,7 @@ jobs:
               env:
                   GITHUB_TOKEN: ${{ github.token }}
                   BRANCH_NAME: ${{ inputs.branch_name }}
-                  PUBLISH_PACKAGE: ${{ inputs.publish_package }}
+                  PUBLISH_PACKAGES: ${{ inputs.publish_packages }}
                   TAG_FORMAT: ${{ inputs.tag_format }}
                   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
                   MAIN_BRANCH: ${{ inputs.main_branch }}
@@ -325,7 +326,7 @@ jobs:
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-                  PUBLISH_PACKAGE: ${{ inputs.publish_package }}
+                  PUBLISH_PACKAGES: ${{ inputs.publish_packages }}
                   TAG_FORMAT: ${{ inputs.tag_format }}
                   MAIN_BRANCH: ${{ inputs.main_branch }}
                   EXTRA_ASSET: ${{ inputs.extra_artifact_name }}

.trivyignore.yaml

@@ -0,0 +1,9 @@
+vulnerabilities:
+  - id: CVE-2026-24842
+    paths:
+      - "package-lock.json"
+    statement: downstream dependency for tar - waiting for new npm release
+    expired_at: 2026-06-01
+  - id: CVE-2026-25128
+    statement: fast-xml-parser vulnerability accepted as risk - dependency of aws-sdk/client-dynamodb
+    expired_at: 2026-03-01