Chore: [AEA-0000] - use new quality checks#95

Merged: anthony-nhs merged 3 commits into main from new_qc, Apr 14, 2026

Conversation

anthony-nhs (Collaborator)

Summary

  • Routine Change

Details

  • use new quality checks

Copilot AI review requested due to automatic review settings, April 14, 2026 16:15

Copilot AI left a comment


Pull request overview

This PR updates repository quality/security tooling to align with the newer EPS common workflow “quality checks” approach and related local developer checks, while tightening GitHub Actions permissions.

Changes:

  • Switch PR/release workflows to the newer eps-common-workflows quality-checks reusable workflow revision and add explicit minimal job permissions.
  • Harden GitHub Actions (default permissions: {}, targeted job permissions, and actions/checkout credential persistence tweaks).
  • Add/adjust local and repo hygiene tooling (Grype pre-commit hook, Zizmor config, ignore generated security artefact directories, CODEOWNERS for workflows, git-secrets allowlist updates, devcontainer image bump).

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Summary per file:

  • zizmor.yml: adds Zizmor rule ignores for known workflow findings.
  • .pre-commit-config.yaml: adds a local Grype scan hook.
  • .gitignore: ignores the .secrets/ and .sbom/ artefact directories.
  • .github/workflows/update_repo_status_data.yml: tightens permissions and checkout credential handling while preserving gh-pages publishing.
  • .github/workflows/sync_copilot.yml: sets workflow default permissions to none and scopes job permissions.
  • .github/workflows/release.yml: moves to the newer reusable quality checks and adds explicit permissions per job.
  • .github/workflows/pull_request.yml: moves to the newer reusable quality checks and adds explicit permissions per job.
  • .github/CODEOWNERS: restricts approval of workflow changes to EPS administrators.
  • .gitallowed: extends the git-secrets allowlist patterns for token-related strings.
  • .devcontainer/devcontainer.json: updates the devcontainer image version.
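The Actions hardening pattern the overview describes (a workflow-level `permissions: {}`, explicit job-level grants, and `persist-credentials: false` on `actions/checkout`), shown here as an added illustration rather than this PR's own workflow code. The workflow and job names, the build step, the reusable-workflow path and its pinned ref are placeholders I have assumed, not values taken from the repository or from eps-common-workflows:

```yaml
# Added example, not the PR's own workflow. The workflow/job names, the
# reusable-workflow path and the pinned ref are placeholders (assumed).
name: pull_request

on:
  pull_request:

# Weak default: leaving this block out gives every job the repository's
# default GITHUB_TOKEN scope, which can be read/write on older repositories.
# Hardened default: grant nothing at the workflow level; each job opts in.
permissions: {}

jobs:
  quality_checks:
    # Call the shared checks as a reusable workflow. Pin to a full commit SHA,
    # not a mutable tag, so a compromised upstream tag cannot change what runs.
    uses: example-org/example-common-workflows/.github/workflows/quality_checks.yml@0000000000000000000000000000000000000000
    permissions:
      contents: read   # the called workflow inherits only what is granted here

  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # clone only; no write scopes for a build job
    steps:
      - uses: actions/checkout@v4
        with:
          # Weak: the default persist-credentials: true writes GITHUB_TOKEN into
          # .git/config, where any later step, script or dependency can read it.
          # Hardened: do not persist it; later steps that need git auth must
          # supply their own, narrowly scoped, token.
          persist-credentials: false
      - run: ./scripts/build.sh   # placeholder build step (assumed)
```

A job that calls a reusable workflow receives at most the permissions listed on that job, so any scope the called checks need (for example `security-events: write` to upload scan results) has to be added there explicitly and deliberately. Running `zizmor` over the workflow directory is a quick way to confirm that no job has fallen back to the default token scope and that every checkout step has credential persistence disabled.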

Comment thread .gitallowed
Comment on lines +45 to +46
token = cli\._get_or_create_gh_auth_token\(\)
assert token ==
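Review bot: the second added line, `assert token ==`, is an unanchored regex fragment; .gitallowed entries are matched by git-secrets as regular expressions against the whole line, so this entry suppresses any line that merely contains that substring, including a line that compares against a real token literal. Tighten it to the exact placeholder the test compares against (for example `assert token == "test-token"`) or anchor it with a terminating literal, and keep every allowlist entry as literal as the first added line, which correctly escapes its `.` and `()` metacharacters.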

Copilot AI Apr 14, 2026


The new allowlist entries include a duplicate regex (the _get_or_create_gh_auth_token() line is repeated) and an apparently truncated/broad pattern (assert token == ) that could unintentionally suppress secret-detection matches. Please dedupe and tighten/remove the assert token == entry (e.g., only allow a specific non-secret placeholder) so the allowlist remains as narrow as possible.

Suggested change (replace the two added lines with a single, narrow entry):
token = cli\._get_or_create_gh_auth_token\(\)
assert token ==
becomes
assert token == "test-token"

anthony-nhs merged commit 1cb6aa3 into main, Apr 14, 2026
17 of 18 checks passed
anthony-nhs deleted the new_qc branch, April 14, 2026 16:29