diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index c57a46d..5e08ab1 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -8,12 +8,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function - name: Install Python 3.13 - uses: actions/setup-python@v1 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.13 @@ -36,13 +36,13 @@ jobs: run: pip install "poetry<2.0.0" - name: Cache poetry packages - uses: actions/cache@v3 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ~/.cache/pypoetry key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }} - name: Cache node modules - uses: actions/cache@v3 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ~/.npm key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} @@ -58,7 +58,7 @@ jobs: - name: Create release (master only) id: create-release if: github.ref == 'refs/heads/master' - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # V1.1.4 continue-on-error: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/devsecops_security_scan.yml b/.github/workflows/devsecops_security_scan.yml index 9c7e239..05e3a5a 100644 --- a/.github/workflows/devsecops_security_scan.yml +++ b/.github/workflows/devsecops_security_scan.yml @@ -13,4 +13,4 @@ permissions: security-events: write jobs: scan: - uses: NHSDigital/nhsapp-devsecops/.github/workflows/devsecops_security_scan_template.yml@develop + uses: NHSDigital/nhsapp-devsecops/.github/workflows/devsecops_security_scan_template.yml@b8dc1471a8a9e4e86bec06322c43668762c6b5b9 diff --git a/.github/workflows/gitleaks_defenderforcloud.yml b/.github/workflows/gitleaks_defenderforcloud.yml deleted file mode 100644 index d5badf0..0000000 --- a/.github/workflows/gitleaks_defenderforcloud.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -name: Gitleaks_DefenderforCloud -on: # yamllint disable-line rule:truthy - - workflow_dispatch: - schedule: - - cron: "0 22 * * *" # every day 22:00 UTC -permissions: - actions: read - contents: read - security-events: write - pull-requests: read - -concurrency: - group: gitleaks-${{ github.ref }} - cancel-in-progress: true - -jobs: - scan: - uses: NHSDigital/nhsapp-github-migration-tools/.github/workflows/gitleaks_secret_scan.yml@main - secrets: - NHSAPP_GITLEAKS_LICENSE: ${{ secrets.NHSAPP_GITLEAKS_LICENSE }} - scan2: - needs: scan - if: always() - uses: NHSDigital/nhsapp-github-migration-tools/.github/workflows/gitleaks_defenderforcloud.yml@main - with: - artifact_name: gitleaks-results.sarif - # yamllint disable-line rule:new-line-at-end-of-file - sarif_path: results.sarif \ No newline at end of file diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml index 204bc2e..d633e54 100644 --- a/.github/workflows/pr-lint.yaml +++ b/.github/workflows/pr-lint.yaml @@ -15,7 +15,7 @@ jobs: - name: Comment on PR if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'nhso-') || contains(github.event.pull_request.head.ref, 'NHSO-') - uses: unsplash/comment-on-pr@master + uses: unsplash/comment-on-pr@a9bf050e744c8282dee4bb0dbcf063186d8316c4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: