From c29e43ae79d9a9538ed64ef819e66d97b3b995b6 Mon Sep 17 00:00:00 2001 From: mindaugas-nhsdos Date: Fri, 3 Jul 2026 12:12:42 +0100 Subject: [PATCH 1/3] NHSO-71566: Pinned actions to commit sha --- .github/workflows/continuous-integration.yml | 10 +++---- .github/workflows/devsecops_security_scan.yml | 2 +- .../workflows/gitleaks_defenderforcloud.yml | 30 ------------------- .github/workflows/pr-lint.yaml | 2 +- 4 files changed, 7 insertions(+), 37 deletions(-) delete mode 100644 .github/workflows/gitleaks_defenderforcloud.yml diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index c57a46d..5e08ab1 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -8,12 +8,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function - name: Install Python 3.13 - uses: actions/setup-python@v1 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.13 @@ -36,13 +36,13 @@ jobs: run: pip install "poetry<2.0.0" - name: Cache poetry packages - uses: actions/cache@v3 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ~/.cache/pypoetry key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }} - name: Cache node modules - uses: actions/cache@v3 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ~/.npm key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} @@ -58,7 +58,7 @@ jobs: - name: Create release (master only) id: create-release if: github.ref == 'refs/heads/master' - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # V1.1.4 continue-on-error: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/devsecops_security_scan.yml b/.github/workflows/devsecops_security_scan.yml index 9c7e239..05e3a5a 100644 --- a/.github/workflows/devsecops_security_scan.yml +++ b/.github/workflows/devsecops_security_scan.yml @@ -13,4 +13,4 @@ permissions: security-events: write jobs: scan: - uses: NHSDigital/nhsapp-devsecops/.github/workflows/devsecops_security_scan_template.yml@develop + uses: NHSDigital/nhsapp-devsecops/.github/workflows/devsecops_security_scan_template.yml@b8dc1471a8a9e4e86bec06322c43668762c6b5b9 diff --git a/.github/workflows/gitleaks_defenderforcloud.yml b/.github/workflows/gitleaks_defenderforcloud.yml deleted file mode 100644 index d5badf0..0000000 --- a/.github/workflows/gitleaks_defenderforcloud.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -name: Gitleaks_DefenderforCloud -on: # yamllint disable-line rule:truthy - - workflow_dispatch: - schedule: - - cron: "0 22 * * *" # every day 22:00 UTC -permissions: - actions: read - contents: read - security-events: write - pull-requests: read - -concurrency: - group: gitleaks-${{ github.ref }} - cancel-in-progress: true - -jobs: - scan: - uses: NHSDigital/nhsapp-github-migration-tools/.github/workflows/gitleaks_secret_scan.yml@main - secrets: - NHSAPP_GITLEAKS_LICENSE: ${{ secrets.NHSAPP_GITLEAKS_LICENSE }} - scan2: - needs: scan - if: always() - uses: NHSDigital/nhsapp-github-migration-tools/.github/workflows/gitleaks_defenderforcloud.yml@main - with: - artifact_name: gitleaks-results.sarif - # yamllint disable-line rule:new-line-at-end-of-file - sarif_path: results.sarif \ No newline at end of file diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml index 204bc2e..cd43ead 100644 --- a/.github/workflows/pr-lint.yaml +++ b/.github/workflows/pr-lint.yaml @@ -15,7 +15,7 @@ jobs: - name: Comment on PR if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'nhso-') || contains(github.event.pull_request.head.ref, 'NHSO-') - uses: unsplash/comment-on-pr@master + uses: unsplash/comment-on-pr@b5610c6125a7197eaec80072ea35ef53e1fc6035 # v1.3.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From 453329596d974f502e866de62580e90a788e406d Mon Sep 17 00:00:00 2001 From: Mindaugas Petrauskas Date: Fri, 3 Jul 2026 12:35:14 +0100 Subject: [PATCH 2/3] NHSO-71566: Checking if reverting to master fixes workflow --- .github/workflows/pr-lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml index cd43ead..204bc2e 100644 --- a/.github/workflows/pr-lint.yaml +++ b/.github/workflows/pr-lint.yaml @@ -15,7 +15,7 @@ jobs: - name: Comment on PR if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'nhso-') || contains(github.event.pull_request.head.ref, 'NHSO-') - uses: unsplash/comment-on-pr@b5610c6125a7197eaec80072ea35ef53e1fc6035 # v1.3.1 + uses: unsplash/comment-on-pr@master env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From e58356a0e9b1de8158ed9a10a0f57ad49566695f Mon Sep 17 00:00:00 2001 From: Mindaugas Petrauskas Date: Fri, 3 Jul 2026 12:37:55 +0100 Subject: [PATCH 3/3] NHSO-71566: Pinning to master sha --- .github/workflows/pr-lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml index 204bc2e..d633e54 100644 --- a/.github/workflows/pr-lint.yaml +++ b/.github/workflows/pr-lint.yaml @@ -15,7 +15,7 @@ jobs: - name: Comment on PR if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'nhso-') || contains(github.event.pull_request.head.ref, 'NHSO-') - uses: unsplash/comment-on-pr@master + uses: unsplash/comment-on-pr@a9bf050e744c8282dee4bb0dbcf063186d8316c4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: