NHSDigital · anthony-nhs · Apr 7, 2026 · Mar 28, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "v1.4.2",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     },

diff --git a/.github/workflows/combine-dependabot-prs.yml b/.github/workflows/combine-dependabot-prs.yml
diff --git a/.github/workflows/dependabot-auto-approve-and-merge.yml b/.github/workflows/dependabot-auto-approve-and-merge.yml
@@ -15,7 +15,7 @@ permissions:
 jobs:
     dependabot:
         runs-on: ubuntu-22.04
-        if: ${{ github.actor == 'dependabot[bot]' }}
+        if: (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'eps-create-pull-request[bot]') && github.repository == github.event.pull_request.head.repo.full_name
         steps:
             - name: Get token from Github App
               id: get_app_token

diff --git a/.github/workflows/get-repo-config.yml b/.github/workflows/get-repo-config.yml
@@ -53,6 +53,7 @@ jobs:
               with:
                   ref: ${{ env.BRANCH_NAME }}
                   fetch-depth: 0
+                  persist-credentials: false
 
             - name: Load config value
               id: load-config

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -43,4 +43,3 @@ jobs:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
diff --git a/.github/workflows/quality-checks-devcontainer.yml b/.github/workflows/quality-checks-devcontainer.yml
@@ -46,6 +46,7 @@ jobs:
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
+          persist-credentials: false
 
       - &setup_npmrc
         name: Setting up .npmrc
@@ -121,14 +122,7 @@ jobs:
           fi
       - name: Check licenses
         run: |
-          make trivy-license-check
-
-      - name: Show license scan output
-        if: always()
-        run: |
-          if [ -f license_scan.txt ]; then
-            cat .trivy_out/license_scan.txt
-          fi
+          make grant-scan
       - name: Run code lint
         run: |
           make lint
@@ -140,51 +134,19 @@ jobs:
       - name: Run unit tests
         run: |
           make test
-      - name: make generate sbom
+      - name: Generate sbom
         run: |
-          make trivy-generate-sbom
+          make syft-generate-sbom-dev-dependencies
       - name: Upload sbom
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
-          name: sbom.cdx.json
-          path: .trivy_out/sbom.cdx.json
+          name: sbom.dev.cdx.json
+          path: .sbom/sbom.dev.cdx.json
 
-      - name: Check python vulnerabilities
-        if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }}
-        continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
+      - name: Check vulnerabilities
         run: |
-          make trivy-scan-python
+          make grype-scan-dev-dependencies
 
-      - name: Check node vulnerabilities
-        if: ${{ steps.check_languages.outputs.uses_node == 'true' }}
-        continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-        run: |
-          make trivy-scan-node
-      - name: Check go vulnerabilities
-        if: ${{ steps.check_languages.outputs.uses_go == 'true' }}
-        continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-        run: |
-          make trivy-scan-go
-      - name: Check java vulnerabilities
-        if: ${{ steps.check_languages.outputs.uses_java == 'true' }}
-        continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-        run: |
-          make trivy-scan-java
-      - name: Show vulnerability output
-        if: always()
-        run: |
-          if [ -f .trivy_out/dependency_results_python.txt ]; then
-            cat .trivy_out/dependency_results_python.txt
-          fi
-          if [ -f .trivy_out/dependency_results_node.txt ]; then
-            cat .trivy_out/dependency_results_node.txt
-          fi
-          if [ -f .trivy_out/dependency_results_java.txt ]; then
-            cat .trivy_out/dependency_results_java.txt
-          fi
-          if [ -f .trivy_out/dependency_results_go.txt ]; then
-            cat .trivy_out/dependency_results_go.txt
-          fi
       - name: "check is SONAR_TOKEN exists"
         env:
           super_secret: ${{ secrets.SONAR_TOKEN }}
@@ -310,18 +272,10 @@ jobs:
       - name: Check docker vulnerabilities
         continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
         run: |
-          make trivy-scan-docker
+          make grype-scan-docker-image
         env:
           DOCKER_IMAGE: ${{ matrix.docker_image }}
 
-      - name: Show docker vulnerability output
-        if: always()
-        run: |
-          echo "Scan output for ${{ matrix.docker_image }}"
-          if [ -f .trivy_out/dependency_results_docker.txt ]; then
-            cat .trivy_out/dependency_results_docker.txt
-          fi
-
   IaC-validation:
     runs-on: ubuntu-22.04
     container:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,4 +28,3 @@ jobs:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
diff --git a/.github/workflows/tag-release-devcontainer.yml b/.github/workflows/tag-release-devcontainer.yml
@@ -114,6 +114,7 @@ jobs:
               with:
                   repository: ${{ github.repository }}
                   ref: ${{ github.sha }}
+                  persist-credentials: true # needed for semantic-release to push tags and commits
 
             - name: Checkout semantic-release workflow
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
@@ -127,6 +128,7 @@ jobs:
                       release.config.cjs
                       releaseNotesTemplates/commit.hbs
                       packages/
+                  persist-credentials: false
             - name: Install semantic release dependencies globally
               run: |
                   cd common_workflow_config
@@ -279,6 +281,7 @@ jobs:
                   repository: ${{ github.repository }}
                   ref: gh-pages
                   path: gh-pages
+                  persist-credentials: true # needed for push to gh-pages
 
             - name: Publish release notes to gh-pages
               if: ${{ !inputs.dry_run }}
@@ -319,5 +322,7 @@ jobs:
               shell: bash
               run: |
                   TIMESTAMP=$(date +%s)
-                  VERSION=$(echo ${{ steps.output_version_tag.outputs.VERSION_TAG }} | tr . -)
+                  VERSION=$(echo "${VERSION_TAG}" | tr . -)
                   echo CHANGE_SET_VERSION="$VERSION-$TIMESTAMP" >> "$GITHUB_OUTPUT"
+              env:
+                  VERSION_TAG: ${{ steps.output_version_tag.outputs.VERSION_TAG }}
diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,4 @@ release_notes
 .venv
 .asdf
 .trivy_out
+.sbom
diff --git a/.grype.yaml b/.grype.yaml
@@ -0,0 +1,6 @@
+ignore:
+  # undici
+  - vulnerability: GHSA-v9p9-hfj2-hcw8
+  - vulnerability: GHSA-vrm6-8vpv-qv8q
+  # picomatch
+  - vulnerability: GHSA-c2c7-rcm5-vvqj
diff --git a/combine-prs.js b/combine-prs.js
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,3 +8,4 @@ release_notes @@
     .venv
     .asdf
     .trivy_out
+    .sbom