Merge remote-tracking branch 'origin/main' into dev_container_build

anthony-nhs · anthony-nhs · commit 9613aa41e3a3 · 2026-01-07T11:57:17.000Z
diff --git a/.gitallowed b/.gitallowed
@@ -2,3 +2,6 @@ token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
 .*\.gitallowed.*
 id-token: write
 password: \${{ secrets\.GITHUB_TOKEN }}
+def __init__\(self, token: str, owner: str, repo: str.*
+self\.token = token
+token = os\.environ\.get\(\"GH_TOKEN\"\)
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -7,7 +7,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-      day: "friday"
+      day: "thursday"
       time: "18:00" # UTC
     open-pull-requests-limit: 20
     commit-message:
@@ -20,7 +20,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-      day: "friday"
+      day: "thursday"
       time: "18:00" # UTC
     open-pull-requests-limit: 20
     versioning-strategy: increase
@@ -34,7 +34,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-      day: "friday"
+      day: "thursday"
       time: "18:00" # UTC
     open-pull-requests-limit: 20
     versioning-strategy: increase
diff --git a/.github/workflows/combine-dependabot-prs.yml b/.github/workflows/combine-dependabot-prs.yml
@@ -45,7 +45,7 @@ jobs:
         runs-on: ubuntu-22.04
         steps:
             - name: Checkout repository
-              uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
               with:
                   repository: NHSDigital/eps-common-workflows
                   sparse-checkout-cone-mode: false
diff --git a/.github/workflows/dependabot-auto-approve-and-merge.yml b/.github/workflows/dependabot-auto-approve-and-merge.yml
@@ -19,7 +19,7 @@ jobs:
         steps:
             - name: Get token from Github App
               id: get_app_token
-              uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42
+              uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
               with:
                   app-id: ${{ secrets.AUTOMERGE_APP_ID }}
                   private-key: ${{ secrets.AUTOMERGE_PEM }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -62,7 +62,7 @@ jobs:
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
       - name: Get asdf version
         id: asdf-version
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -42,14 +42,14 @@ jobs:
   quality_checks:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
+      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e
         if: ${{ inputs.install_java }}
         with:
           java-version: "21"
           distribution: "corretto"
 
       - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           fetch-depth: 0
 
@@ -92,7 +92,7 @@ jobs:
           asdf_version: ${{ inputs.asdfVersion }}
 
       - name: Cache asdf
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
         with:
           path: |
             ~/.asdf
@@ -123,7 +123,7 @@ jobs:
           echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
 
       - name: Cache npm dependencies
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
         with:
           path: ./node_modules
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -172,7 +172,7 @@ jobs:
         run: make lint
 
       - name: actionlint
-        uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc
+        uses: raven-actions/actionlint@963d4779ef039e217e5d0e6fd73ce9ab7764e493
 
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38
@@ -200,7 +200,7 @@ jobs:
         run: mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
 
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
         if: ${{ steps.check_java.outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -211,7 +211,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
@@ -270,7 +270,7 @@ jobs:
 
       - name: Cache npm dependencies
         if: steps.check_cdk.outputs.cdk_exists == 'true'
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -374,7 +374,7 @@ jobs:
           done
 
       - name: Download terraform plans
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           pattern: "*_terraform_plan"
           path: terraform_plans/
@@ -415,7 +415,7 @@ jobs:
 
       - name: Upload cfn_guard_output
         if: failure()
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: cfn_guard_output
           path: cfn_guard_output
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -33,7 +33,7 @@ jobs:
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
       - name: Get asdf version
         id: asdf-version
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -51,6 +51,9 @@ on:
             change_set_version:
                 description: "The change set version for deployments"
                 value: ${{ jobs.tag_release.outputs.change_set_version }}
+            next_version_tag:
+                description: "The next version tag that will be created"
+                value: ${{ jobs.tag_release.outputs.next_version_tag }}
         secrets:
             NPM_TOKEN:
                 required: false
@@ -64,7 +67,7 @@ jobs:
         runs-on: ubuntu-22.04
         steps:
             - name: Checkout semantic-release workflow
-              uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
               with:
                   repository: NHSDigital/eps-common-workflows
                   sparse-checkout-cone-mode: false
@@ -104,7 +107,7 @@ jobs:
 
             - name: Cache asdf artifact
               id: asdf_artifact_cache
-              uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+              uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
               with:
                   path: asdf.tar.gz
                   key: ${{ steps.artifact_cache_key.outputs.key }}
@@ -113,7 +116,7 @@ jobs:
             - name: Cache asdf with installed npm packages
               if: ${{ steps.asdf_artifact_cache.outputs.cache-hit != 'true' }}
               id: installed_cache
-              uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+              uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
               with:
                   path: ~/.asdf
                   key: ${{ steps.installed_cache_key.outputs.key }}
@@ -122,7 +125,7 @@ jobs:
             - name: Cache asdf
               if: ${{ steps.installed_cache.outcome == 'success' && steps.installed_cache.outputs.cache-hit != 'true' }}
               id: asdf_cache
-              uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+              uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
               with:
                   path: ~/.asdf
                   key: ${{ steps.asdf_cache_key.outputs.key }}
@@ -150,10 +153,11 @@ jobs:
                   tar -czf asdf.tar.gz -C "$HOME" .asdf
 
             - name: Upload asdf artifact
-              uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
               with:
                   name: asdf_artifact
                   path: asdf.tar.gz
+                  overwrite: true
 
             - name: Prepare config artifact
               run: |
@@ -162,20 +166,22 @@ jobs:
                   cp releaseNotesTemplates/commit.hbs config_artifact/releaseNotesTemplates/
 
             - name: Upload config artifact
-              uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
               with:
                   name: config_artifact
                   path: config_artifact/
+                  overwrite: true
 
     tag_release:
         needs: install_semantic_release
         runs-on: ubuntu-22.04
         outputs:
             version_tag: ${{steps.output_version_tag.outputs.VERSION_TAG}}
             change_set_version: ${{ steps.output_change_set_version.outputs.CHANGE_SET_VERSION }}
+            next_version_tag: ${{ steps.output_version_tag.outputs.NEXT_VERSION_TAG }}
         steps:
             - name: Fetch asdf artifact
-              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
+              uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
               with:
                   name: asdf_artifact
             - name: Install asdf
@@ -204,7 +210,7 @@ jobs:
                   # echo "NODE_PATH=$NODE_PATH" >> $GITHUB_ENV
 
             - name: Clone calling repo
-              uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
               with:
                   repository: ${{ github.repository }}
                   ref: ${{ github.sha }}
@@ -219,13 +225,13 @@ jobs:
                   BRANCH_NAME: ${{ inputs.branch_name }}
 
             - name: Fetch semantic-release config
-              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
+              uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
               with:
                   name: config_artifact
 
             - name: Cache asdf
               if: ${{ inputs.publish_package }}
-              uses: actions/cache@v4
+              uses: actions/cache@v5
               with:
                   path: |
                       ~/.asdf
@@ -249,13 +255,13 @@ jobs:
 
             - name: Download extra artifact
               if: ${{ inputs.extra_artifact_name != '' }}
-              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
+              uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
               with:
-                artifact-ids: ${{ inputs.extra_artifact_id }}
-                github-token: ${{ secrets.GITHUB_TOKEN }}
-                repository: ${{ inputs.extra_artifact_repository }}
-                run-id: ${{ inputs.extra_artifact_run_id }}
-  
+                  artifact-ids: ${{ inputs.extra_artifact_id }}
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  repository: ${{ inputs.extra_artifact_repository }}
+                  run-id: ${{ inputs.extra_artifact_run_id }}
+
             - name: Set VERSION_TAG based on dry_run flag
               id: output_version_tag
               run: |
@@ -304,6 +310,7 @@ jobs:
                   fi
                   echo "VERSION_TAG=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
                   echo "VERSION_TAG=${VERSION_TAG}" >> "$GITHUB_ENV"
+                  echo "NEXT_VERSION_TAG=${NEW_VERSION_TAG}" >> "$GITHUB_OUTPUT"
               env:
                   GITHUB_TOKEN: ${{ github.token }}
                   BRANCH_NAME: ${{ inputs.branch_name }}
@@ -345,7 +352,7 @@ jobs:
                   body: |
                       ## Info
                       [See code diff](${{ github.event.compare }})
-                      [Release workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
+                      [Release workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) - Workflow ID: ${{ github.run_id }}
 
                       It was initialized by [${{ github.event.sender.login }}](${{ github.event.sender.html_url }})
 
diff --git a/.vscode/eps-common-workflows.code-workspace b/.vscode/eps-common-workflows.code-workspace
diff --git a/package-lock.json b/package-lock.json
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
