Merge branch 'main' into aea-0000-add-cdk-tips

Author: tstephen-nhs

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.4.2",
+      "IMAGE_VERSION": "v1.4.8",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     },

.gitallowed

@@ -0,0 +1,21 @@
+name: Auto-approve dependency updates
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '*/30 * * * *'
+
+permissions: {}
+jobs:
+  auto-approve-dependabot:
+    runs-on: ubuntu-22.04
+    environment: create_pull_request
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Auto approve and enable auto-merge
+        uses: NHSDigital/eps-dependabot-approve@da0503449b218ccd99bc547e242007d5514e4d2f
+        with:
+          AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
+          AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}

.github/workflows/auto_approve_dependabot.yml

@@ -2,12 +2,12 @@ name: ci
 
 on:
     push:
-        branches: [main]
+        branches: [ main ]
 
 permissions: {}
 jobs:
     get_config_values:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             attestations: "read"
             contents: "read"
@@ -16,21 +16,24 @@ jobs:
             verify_published_from_main_image: false
 
     quality_checks:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        needs: [get_config_values]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+        needs: [ get_config_values ]
         permissions:
             contents: "read"
+            packages: "read"
+            id-token: "write"
         with:
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
         secrets:
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
     tag_release:
-        needs: [get_config_values]
-        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        needs: [ get_config_values ]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             id-token: "write"
             contents: "write"
+            packages: "write"
         with:
             dry_run: true
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

.github/workflows/ci.yml

@@ -1,52 +1,41 @@
 name: pull_request
-
 on:
-    pull_request:
-        branches: [main]
-
+  pull_request:
+    branches: [main]
 permissions: {}
-
 jobs:
-    get_config_values:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        permissions:
-            attestations: "read"
-            contents: "read"
-            packages: "read"
-        with:
-            verify_published_from_main_image: false
-
-    dependabot-auto-approve-and-merge:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        permissions:
-            contents: "write"
-            pull-requests: "write"
-        secrets:
-            AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
-            AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
-
-    quality_checks:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        permissions:
-            contents: "read"
-        needs: [get_config_values]
-        with:
-            pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
-        secrets:
-            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
-    pr_title_format_check:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        permissions:
-            pull-requests: "write"
-    tag_release:
-        needs: [get_config_values]
-        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        permissions:
-            id-token: "write"
-            contents: "write"
-        with:
-            dry_run: true
-            pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
-            branch_name: ${{ github.event.pull_request.head.ref }}
-            tag_format: ${{ needs.get_config_values.outputs.tag_format }}
+  get_config_values:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    permissions:
+      attestations: "read"
+      contents: "read"
+      packages: "read"
+    with:
+      verify_published_from_main_image: false
+  quality_checks:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    permissions:
+      contents: "read"
+      packages: "read"
+      id-token: "write"
+    needs: [get_config_values]
+    with:
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  pr_title_format_check:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    permissions:
+      pull-requests: "write"
+  tag_release:
+    needs: [get_config_values]
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    permissions:
+      id-token: "write"
+      contents: "write"
+      packages: "write"
+    with:
+      dry_run: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+      branch_name: ${{ github.event.pull_request.head.ref }}
+      tag_format: ${{ needs.get_config_values.outputs.tag_format }}

.github/workflows/pull_request.yml

@@ -9,7 +9,7 @@ permissions: {}
 
 jobs:
     get_config_values:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             attestations: "read"
             contents: "read"
@@ -18,21 +18,24 @@ jobs:
             verify_published_from_main_image: false
 
     quality_checks:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
-        needs: [get_config_values]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+        needs: [ get_config_values ]
         permissions:
             contents: "read"
+            packages: "read"
+            id-token: "write"
         with:
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
         secrets:
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
     tag_release:
-        needs: [get_config_values]
-        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+        needs: [ get_config_values ]
+        uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
         permissions:
             id-token: "write"
             contents: "write"
+            packages: "write"
         with:
             dry_run: false
             pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

.github/workflows/release.yml

@@ -26,27 +26,27 @@ repos:
       - id: zizmor-action
         name: Check action.yml
         entry: zizmor
-        args: ["action.yml"]
+        args: [ "action.yml" ]
         language: system
         files: action.yml
         pass_filenames: false
 
       - id: lint-githubactions
         name: Lint github actions
         entry: make
-        args: ["actionlint"]
+        args: [ "actionlint" ]
         language: system
         files: ^.github
-        types_or: [yaml]
+        types_or: [ yaml ]
         pass_filenames: false
 
       - id: lint-githubaction-scripts
         name: Lint github action scripts
         entry: make
-        args: ["shellcheck"]
+        args: [ "shellcheck" ]
         language: system
         files: ^.github/scripts
-        types_or: [sh, shell]
+        types_or: [ sh, shell ]
         pass_filenames: false
 
       - id: check-commit-signing
@@ -78,14 +78,15 @@ repos:
         pass_filenames: false
         always_run: true
 
-      - id: git-secrets
-        name: Git Secrets
-        description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+      - id: gitleaks
+        name: Git Leaks
+        description: gitleaks scans commits, commit messages, and --no-ff merges to
+          prevent adding secrets into your git repositories.
         entry: bash
         args:
           - -c
-          - "git-secrets --pre_commit_hook"
+          - "gitleaks git --pre-commit --redact --staged --verbose"
         language: system
 
 fail_fast: true
-default_stages: [pre-commit]
+default_stages: [ pre-commit ]

.pre-commit-config.yaml

@@ -61,7 +61,7 @@ runs:
         private-key: "${{ inputs.CREATE_PULL_REQUEST_PEM }}"
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1
       with:
         token: "${{ steps.generate-token.outputs.token }}"
         commit-message: "Upgrade: [dependabot] - sync Copilot instructions"