Merge remote-tracking branch 'origin/main' into dependabot/npm_and_yarn/devcontainers/cli-0.86.0

Author: anthony-nhs

.github/workflows/ci.yml

@@ -6,15 +6,15 @@ permissions: {}
 
 jobs:
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     with:
       verify_published_from_main_image: true
     permissions:
       attestations: read
       contents: read
       packages: read
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     needs:
       - get_config_values
     permissions:
@@ -27,7 +27,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     permissions:
       id-token: write
       contents: write

.github/workflows/pull_request.yml

@@ -6,15 +6,15 @@ name: pull_request
 permissions: {}
 jobs:
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     with:
       verify_published_from_main_image: false
     permissions:
       attestations: read
       contents: read
       packages: read
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     needs:
       - get_config_values
     with:
@@ -26,7 +26,7 @@ jobs:
     secrets:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   pr_title_format_check:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     permissions:
       pull-requests: write
   get_issue_number:

.github/workflows/release.yml

@@ -7,15 +7,15 @@ permissions: {}
 
 jobs:
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     with:
       verify_published_from_main_image: false
     permissions:
       attestations: read
       contents: read
       packages: read
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     needs:
       - get_config_values
     permissions:
@@ -28,7 +28,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c4efd04c5ff1c7e92e7fe5932b29d0de1a301cdf
     permissions:
       id-token: write
       contents: write

.github/workflows/sync_copilot.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Sync shared instructions
-        uses: NHSDigital/eps-copilot-instructions@8b4d7f546fe9825a149cb8cc8cfdb31df58c3730
+        uses: NHSDigital/eps-copilot-instructions@f8e24afb5384bdd51b0daff4b1ebe57916995345
         with:
           copilot_instructions_ref: main
           calling_repo_base_branch: main

.grype.yaml

@@ -38,6 +38,15 @@ ignore:
   - vulnerability: CVE-2026-6100
   - vulnerability: CVE-2026-4786
   - vulnerability: GHSA-pc3f-x583-g7j2
+  - vulnerability: CVE-2026-3298
+  - vulnerability: GHSA-q339-8rmv-2mhv
+    package:
+      name: erb
+      version: 4.0.3
+  - vulnerability: GHSA-mh2q-q3fh-2475
+    package:
+      name: go.opentelemetry.io/otel
+      version: v1.40.0
 # node_24 vulnerabilities
   - vulnerability: GHSA-c2c7-rcm5-vvqj
   - vulnerability: GHSA-7r86-cg39-jmmj
@@ -53,8 +62,24 @@ ignore:
   - vulnerability: GHSA-2599-h6xx-hpxp
 # eps-storage-terraform vulnerabilities
   - vulnerability: CVE-2025-68119
+  - vulnerability: GHSA-mh2q-q3fh-2475
+    package:
+      name: go.opentelemetry.io/otel
+      version: v1.38.0
+  - vulnerability: GHSA-mh2q-q3fh-2475
+    package:
+      name: go.opentelemetry.io/otel
+      version: v1.39.0
 # eps-data-extract vulnerabilities
   - vulnerability: GHSA-6fmv-xxpf-w3cw
+  - vulnerability: CVE-2026-34282
+    package:
+      name: openjdk
+      version: 17.0.18+8
+  - vulnerability: CVE-2026-22016
+    package:
+      name: openjdk
+      version: 17.0.18+8
 # fhir-facade vulnerabilities
   - vulnerability: CVE-2022-26485
   - vulnerability: CVE-2022-26486
@@ -70,6 +95,21 @@ ignore:
   - vulnerability: CVE-2025-53066
   - vulnerability: CVE-2026-21945
   - vulnerability: CVE-2026-21932
+    package:
+      name: openjdk
+      version: 20.0.2+9-78
+  - vulnerability: CVE-2026-22016
+    package:
+      name: openjdk
+      version: 20.0.2+9-78
+  - vulnerability: CVE-2026-34282
+    package:
+      name: jdk
+      version: 20.0.2+9-78
+  - vulnerability: CVE-2026-22016
+    package:
+      name: jdk
+      version: 20.0.2+9-78
 # node-24_python_3_14_java_24 vulnerabilities
   - vulnerability: GHSA-6fmv-xxpf-w3cw
   - vulnerability: CVE-2025-53066
@@ -78,4 +118,11 @@ ignore:
   - vulnerability: CVE-2026-27143
   - vulnerability: CVE-2026-27144
   - vulnerability: CVE-2026-3298
-  
+  - vulnerability: CVE-2026-34282
+    package:
+      name: openjdk
+      version: 24.0.2+12
+  - vulnerability: CVE-2026-22016
+    package:
+      name: openjdk
+      version: 24.0.2+12

poetry.lock

@@ -21,4 +21,4 @@ python = "^3.12"
 [tool.poetry.scripts]
 
 [tool.poetry.group.dev.dependencies]
-pre-commit = "^4.5.1"
+pre-commit = "^4.6.0"