Chore: [AEA-0000] - use new quality checks

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "v1.4.4",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     }

.gitallowed

@@ -38,3 +38,9 @@ token = get_bot_token\(\)
 def from_token
 token = os\.getenv
 password: \${{secrets\.DEPENDABOT_TOKEN}}
+token = result\.stdout\.strip\(\)
+token = cli\.resolve_gh_auth_token\('explicit-token'\)
+token = cli\.resolve_gh_auth_token\("explicit-token"\)
+token = cli\._get_or_create_gh_auth_token\(\)
+token = cli\._get_or_create_gh_auth_token\(\)
+assert token == 

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# restrict access to approving workflow changes
+.github/workflows/ @NHSDigital/eps-administrators

.github/workflows/pull_request.yml

@@ -4,9 +4,7 @@ on:
   pull_request:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
-
+permissions: {}
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
@@ -20,12 +18,20 @@ jobs:
 
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
@@ -39,9 +45,12 @@ jobs:
   tag_release:
     needs: [get_config_values]
     uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
     with:
       dry_run: true
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit

.github/workflows/release.yml

@@ -4,29 +4,36 @@ on:
   push:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   tag_release:
     needs: [quality_checks, get_config_values]
     uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
     with:
       dry_run: false
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
-    permissions:
-      id-token: write
-      contents: write

.github/workflows/sync_copilot.yml

@@ -4,6 +4,7 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 6 * * 1'
+permissions: {}
 
 jobs:
   sync-copilot-instructions:

.github/workflows/update_repo_status_data.yml

@@ -4,9 +4,15 @@ on:
   workflow_dispatch:
   schedule:
     - cron: "0 * * * *"
+permissions: {}
+
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
 
   update_repo_status:
     runs-on: ubuntu-22.04
@@ -26,6 +32,8 @@ jobs:
           cp /home/vscode/.tool-versions "$HOME/.tool-versions"
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: make install
         run: |
@@ -49,6 +57,7 @@ jobs:
       - name: Checkout gh-pages
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
+          persist-credentials: true
           ref: gh-pages
           path: gh-pages
 

.gitignore

@@ -9,3 +9,5 @@ coverage.xml
 Gemfile.lock
 coverage/
 .trivy_out/
+.secrets/
+.sbom/

.pre-commit-config.yaml

@@ -30,6 +30,13 @@ repos:
 
   - repo: local
     hooks:
+      - id: grype-scan-local
+        name: Grype scan local changes
+        entry: make
+        args: ["grype-scan-local"]
+        language: system
+        pass_filenames: false
+        always_run: true
       - id: check-commit-signing
         name: Check commit signing
         description: Ensures that commits are GPG signed

zizmor.yml

@@ -0,0 +1,9 @@
+rules:
+  unpinned-images:
+    # these workflows use unpinned images because they are using a full image passed in that contains the tag
+    ignore:
+      - update_repo_status_data.yml:21:7
+  secrets-outside-env:
+    # these are ignored because they are using known secrets
+    ignore:
+      - update_repo_status_data.yml:46:28