From 3a04b3b27f499aba54586c1246dfa35bdba058dd Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 13:52:38 +0100 Subject: [PATCH 1/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/acceptance-tests/action.yaml | 3 +- .github/actions/build-docs/action.yml | 15 +++---- .github/actions/build-schemas/action.yml | 6 +-- .../create-lines-of-code-report/action.yaml | 6 +-- .github/actions/node-install/action.yaml | 3 +- .github/actions/scan-dependencies/action.yaml | 9 ++--- .github/workflows/cicd-1-pull-request.yaml | 5 +-- .github/workflows/cicd-3-deploy.yaml | 8 ++-- .../manual-combine-dependabot-prs.yaml | 3 +- .../scheduled-repository-template-sync.yaml | 3 +- .github/workflows/scorecard.yml | 3 +- .github/workflows/stage-1-commit.yaml | 31 ++++++--------- .github/workflows/stage-2-test.yaml | 39 +++++++------------ .github/workflows/stage-3-build.yaml | 6 +-- .github/workflows/stage-4-acceptance.yaml | 20 ++++------ .github/workflows/stage-5-publish.yaml | 6 +-- 16 files changed, 57 insertions(+), 109 deletions(-) diff --git a/.github/actions/acceptance-tests/action.yaml b/.github/actions/acceptance-tests/action.yaml index 698ddba1..64e47ecb 100644 --- a/.github/actions/acceptance-tests/action.yaml +++ b/.github/actions/acceptance-tests/action.yaml @@ -60,7 +60,6 @@ runs: ENVIRONMENT: ${{ inputs.targetEnvironment }} - name: Archive integration test results if: ${{ inputs.testType == 'integration' }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: Integration test report path: "tests/playwright/playwright-report" diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index abdd78ff..ffcdb123 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml 
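Review bot: The added line `uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with:` leaves `with:` inside the trailing `#` comment, so the `name:`/`path:` lines beneath it no longer hang off a `with` mapping and the action file should fail to parse; the same fold recurs throughout 1/8 (`# v5 - name: ...`, `# v3 with:`, `# v5 - uses: ./.github/actions/node-install`). 2/8 re-splits these lines, so squashing 1/8 and 2/8 avoids landing a commit on which no workflow in the repository can run; the index lines for node-install/action.yaml (`a30fec39` → `07d8d661` → `a30fec39`) show the pair is a pure no-op for that file. The pin is also bundled with a major bump (v4 → v6 here, and for `actions/checkout` and `aws-actions/configure-aws-credentials` elsewhere in the series); a major version can change defaults and inputs, so it is easier to review and revert as its own commit.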
@@ -14,8 +14,7 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - uses: ./.github/actions/node-install + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - uses: ./.github/actions/node-install with: node-version: ${{ inputs.node-version }} GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }} @@ -24,16 +23,14 @@ runs: run: npm ci shell: bash - name: Setup Ruby - uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0 - with: + uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0 with: ruby-version: "3.4.7" # Not needed with a .ruby-version file bundler-cache: true # Enable automatic gem caching cache-version: 0 # Increment this number if you need to re-download cached gems working-directory: "./docs" - name: Setup Pages id: pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - - name: Build with Jekyll + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll working-directory: ./docs # Outputs to the './_site' directory by default shell: bash @@ -45,8 +42,7 @@ runs: VERSION: ${{ inputs.version }} - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 - with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: "docs/_site/" name: jekyll-docs-${{ inputs.version }} @@ -55,7 +51,6 @@ runs: shell: bash - name: Upload artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "artifact.tar" name: schemas-${{ inputs.version }} diff --git a/.github/actions/build-schemas/action.yml b/.github/actions/build-schemas/action.yml index 76f22fc4..fb9adea7 100644 
--- a/.github/actions/build-schemas/action.yml +++ b/.github/actions/build-schemas/action.yml @@ -8,8 +8,7 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: actions/setup-node@v4 with: node-version: 18 @@ -28,7 +27,6 @@ runs: shell: bash - name: Upload artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: "artifact.tar" name: schemas-${{ inputs.version }} diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index fce03124..01e14bd3 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -33,8 +33,7 @@ runs: run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: lines-of-code-report.json.zip path: ./lines-of-code-report.json.zip retention-days: 21 
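Review bot: `- uses: actions/setup-node@v4` replaces a SHA-pinned reference with a mutable tag, the opposite of what the subject line describes; keep `- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4` (or a newer verified SHA with the version in the comment). The same regression appears in cicd-1-pull-request.yaml (`actions/checkout@v5.0.0`, in a job that has `id-token: write` and reads `secrets.APP_PEM_FILE`), cicd-3-deploy.yaml (`actions/upload-artifact@v4`), stage-4-acceptance.yaml (`actions/checkout@v5.0.0`) and the two commented-out `actions/checkout@v4` lines in stage-1-commit.yaml. A tag can be moved to a different commit upstream at any time, which is exactly the exposure SHA pinning removes, and it matters most in the job holding an OIDC token and a private key in its environment. 2/8 does not restore these pins; if a later patch in the series does, fine, otherwise the repository's scorecard.yml workflow (which looks like the OpenSSF Scorecard template) will report them under Pinned-Dependencies.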
@@ -45,8 +44,7 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 - with: + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the CLOC report to the central location" diff --git a/.github/actions/node-install/action.yaml b/.github/actions/node-install/action.yaml index a30fec39..07d8d661 100644 --- a/.github/actions/node-install/action.yaml +++ b/.github/actions/node-install/action.yaml @@ -13,8 +13,7 @@ runs: using: 'composite' steps: - name: 'Use Node.js' - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 - with: + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: '${{ inputs.node-version }}' cache: 'npm' cache-dependency-path: '**/package-lock.json' diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 2418823d..2bf5369a 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml @@ -33,8 +33,7 @@ runs: run: zip sbom-repository-report.json.zip sbom-repository-report.json - name: "Upload SBOM report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: sbom-repository-report.json.zip path: ./sbom-repository-report.json.zip retention-days: 21 
@@ -49,8 +48,7 @@ runs: run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - name: "Upload vulnerabilities report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: vulnerabilities-repository-report.json.zip path: ./vulnerabilities-repository-report.json.zip retention-days: 21 @@ -60,8 +58,7 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 - with: + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the SBOM and vulnerabilities reports to the central location" diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index 94747291..f57f4eba 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml @@ -40,8 +40,7 @@ jobs: # skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }} steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Set CI/CD variables" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') 
@@ -163,7 +162,7 @@ jobs: id-token: write if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened')) steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@v5.0.0 - name: Trigger dynamic environment creation env: APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 6895ce9f..32b8f30c 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -52,8 +52,7 @@ jobs: # tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Set CI/CD variables" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') @@ -135,13 +134,12 @@ jobs: run: | gh release download ${{steps.get-asset-version.outputs.release_version}} -p jekyll-docs-*.tar --output artifact.tar - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + - uses: actions/upload-artifact@v4 with: name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} path: artifact.tar - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 - with: + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with: artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index 3e311ac5..6c8e02a9 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml 
@@ -15,8 +15,7 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0 - with: + uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 with: ci_required: false labels: dependencies pr_title: Combined Dependabot PRs diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index ec169ab4..4d0aee19 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml @@ -18,8 +18,7 @@ jobs: - name: Check out the repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Check out external repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: repository: NHSDigital/nhs-notify-repository-template path: nhs-notify-repository-template token: ${{ github.token }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5732c057..a22f3719 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,8 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: SARIF file path: results.sarif retention-days: 5 diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 6f46e768..d616520e 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml 
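Review bot: The `github/combine-prs` pin changes from `2909f404763c3177a456e052bdb7f2e85d3a7cb3` to `e6d37110da1b512313419ba6992492dad622139f` while the comment stays `# v5.2.0` on both; a tag resolves to a single commit, so at most one of these comments is accurate unless the upstream tag was moved, which would itself be worth knowing before adopting the new SHA. Resolve the tag upstream and make the comment match what the SHA actually is, e.g. `uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # <verified version>`, since the comment is all a reader has for checking the pin and tooling such as Dependabot updates pinned actions from it. The step keeps `ci_required: false`, so combined PRs can be raised from updates whose checks have not passed; that predates this change, but is worth a look while the file is open.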
@@ -44,8 +44,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" uses: ./.github/actions/scan-secrets @@ -55,8 +54,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Check file format" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check file format" uses: ./.github/actions/check-file-format check-markdown-format: name: "Check Markdown format" @@ -64,8 +62,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Check Markdown format" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check Markdown format" uses: ./.github/actions/check-markdown-format terraform-docs: name: "Run terraform-docs" @@ -76,8 +73,7 @@ jobs: contents: write steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check to see if Terraform Docs are up-to-date" run: | @@ -97,8 +93,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Check English usage" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check English usage" uses: ./.github/actions/check-english-usage check-todo-usage: name: "Check TODO usage" 
@@ -106,8 +101,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Check TODO usage" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check TODO usage" uses: ./.github/actions/check-todo-usage detect-terraform-changes: name: "Detect Terraform Changes" @@ -139,8 +133,7 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Setup ASDF" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Setup ASDF" uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4 - name: "Lint Terraform" uses: ./.github/actions/lint-terraform @@ -158,7 +151,7 @@ jobs: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # steps: # - name: "Checkout code" - # uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + # uses: actions/checkout@v4 # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4 # - name: "Trivy IaC Scan" @@ -175,7 +168,7 @@ jobs: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # steps: # - name: "Checkout code" - # uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + # uses: actions/checkout@v4 # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # - name: "Trivy Package Scan" @@ -189,8 +182,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Count lines of code" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Count lines of code" uses: ./.github/actions/create-lines-of-code-report with: build_datetime: "${{ inputs.build_datetime }}" 
@@ -208,8 +200,7 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Scan dependencies" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Scan dependencies" uses: ./.github/actions/scan-dependencies with: build_datetime: "${{ inputs.build_datetime }}" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index e2adb145..2b47cf25 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -52,8 +52,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check for schema changes" - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - id: filter + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: filter with: filters: | schemas: @@ -73,8 +72,7 @@ jobs: packages: read steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - uses: ./.github/actions/node-install + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - uses: ./.github/actions/node-install with: node-version: ${{ inputs.nodejs_version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -94,14 +92,12 @@ jobs: packages: read steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - uses: ./.github/actions/node-install + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - uses: ./.github/actions/node-install with: node-version: ${{ inputs.nodejs_version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: "Setup Python" - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 - with: + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ inputs.python_version }} cache: 'pip' cache-dependency-path: '**/requirements*.txt' 
@@ -109,20 +105,17 @@ jobs: run: | make test-unit - name: "Save the result of fast test suite" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: unit-tests path: "**/.reports/unit" include-hidden-files: true if: always() - name: "Save the result of code coverage" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: code-coverage-report path: ".reports/lcov.info" - name: "Save Python coverage reports" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: python-coverage-reports path: | src/**/coverage.xml @@ -137,10 +130,8 @@ jobs: packages: read steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Setup Python" - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 - with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Setup Python" + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ inputs.python_version }} cache: 'pip' cache-dependency-path: '**/requirements*.txt' @@ -162,8 +153,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - uses: ./.github/actions/node-install + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - uses: ./.github/actions/node-install with: node-version: ${{ inputs.nodejs_version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -180,16 +170,13 @@ jobs: timeout-minutes: 4 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Download coverage report for SONAR" - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 - with: + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: code-coverage-report - name: "Download Python coverage reports" - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 - with: + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: python-coverage-reports path: . - name: "Perform static analysis" diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index dc197c7b..81e72fc9 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -46,8 +46,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check for relevant changes" - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - id: filter + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: filter with: filters: | docs: @@ -73,8 +72,7 @@ jobs: contents: read steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Build docs" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Build docs" uses: ./.github/actions/build-docs with: version: "${{ inputs.version }}" diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index 42fecc70..889207ae 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml 
@@ -28,8 +28,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Run contract test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run contract test" run: | make test-contract - name: "Save result" @@ -41,8 +40,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Run security test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run security test" run: | make test-security - name: "Save result" @@ -54,8 +52,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Run UI test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run UI test" run: | make test-ui - name: "Save result" @@ -67,8 +64,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Run UI performance test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run UI performance test" run: | make test-ui-performance - name: "Save result" @@ -78,7 +74,7 @@ jobs: name: "Integration test" runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@v5.0.0 # Calls out to the nhs-notify-internal repo. # The nhs-notify-internal repo will run the tests # setup in ./.github/actions/acceptance-tests/action.yaml @@ -104,8 +100,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Run accessibility test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run accessibility test" run: | make test-accessibility - name: "Save result" 
@@ -117,8 +112,7 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: "Run load tests" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run load tests" run: | make test-load - name: "Save result" diff --git a/.github/workflows/stage-5-publish.yaml b/.github/workflows/stage-5-publish.yaml index 4f82d871..2892cb6f 100644 --- a/.github/workflows/stage-5-publish.yaml +++ b/.github/workflows/stage-5-publish.yaml @@ -45,14 +45,12 @@ jobs: - name: "Checkout code" uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Get artifacts: jekyll docs" - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 - with: + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: path: ./artifacts/jekyll-docs-${{ inputs.version }} name: jekyll-docs-${{ inputs.version }} - name: "Get artifacts: schema" - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 - with: + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: path: ./artifacts/schemas-${{ inputs.version }} name: schemas-${{ inputs.version }} From 54bd48bce67260ea7ab4fcb15394d23ac0d53481 Mon Sep 17 00:00:00 2001 
From: damientobin1 Date: Tue, 31 Mar 2026 14:52:30 +0100 Subject: [PATCH 2/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/acceptance-tests/action.yaml | 3 ++- .github/actions/build-docs/action.yml | 9 ++++--- .github/actions/build-schemas/action.yml | 3 ++- .../create-lines-of-code-report/action.yaml | 6 +++-- .github/actions/node-install/action.yaml | 3 ++- .github/actions/scan-dependencies/action.yaml | 9 ++++--- .github/workflows/cicd-1-pull-request.yaml | 3 ++- .github/workflows/cicd-3-deploy.yaml | 6 +++-- .../scheduled-repository-template-sync.yaml | 3 ++- .github/workflows/scorecard.yml | 3 ++- .github/workflows/stage-1-commit.yaml | 27 ++++++++++++------- .github/workflows/stage-2-test.yaml | 27 ++++++++++++------- .github/workflows/stage-3-build.yaml | 3 ++- .github/workflows/stage-4-acceptance.yaml | 18 ++++++++----- .github/workflows/stage-5-publish.yaml | 6 +++-- 15 files changed, 86 insertions(+), 43 deletions(-) diff --git a/.github/actions/acceptance-tests/action.yaml b/.github/actions/acceptance-tests/action.yaml index 64e47ecb..3b76f9bb 100644 --- a/.github/actions/acceptance-tests/action.yaml +++ b/.github/actions/acceptance-tests/action.yaml @@ -60,6 +60,7 @@ runs: ENVIRONMENT: ${{ inputs.targetEnvironment }} - name: Archive integration test results if: ${{ inputs.testType == 'integration' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: name: Integration test report path: "tests/playwright/playwright-report" diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index ffcdb123..7fee4bd1 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml 
@@ -30,7 +30,8 @@ runs: working-directory: "./docs" - name: Setup Pages id: pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll working-directory: ./docs # Outputs to the './_site' directory by default shell: bash @@ -42,7 +43,8 @@ runs: VERSION: ${{ inputs.version }} - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + with: path: "docs/_site/" name: jekyll-docs-${{ inputs.version }} @@ -51,6 +53,7 @@ runs: shell: bash - name: Upload artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: path: "artifact.tar" name: schemas-${{ inputs.version }} diff --git a/.github/actions/build-schemas/action.yml b/.github/actions/build-schemas/action.yml index fb9adea7..77f996fb 100644 --- a/.github/actions/build-schemas/action.yml +++ b/.github/actions/build-schemas/action.yml @@ -27,6 +27,7 @@ runs: shell: bash - name: Upload artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: path: "artifact.tar" name: schemas-${{ inputs.version }} diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index 01e14bd3..5e3a18b0 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml 
@@ -33,7 +33,8 @@ runs: run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: name: lines-of-code-report.json.zip path: ./lines-of-code-report.json.zip retention-days: 21 @@ -44,7 +45,8 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 with: + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 + with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the CLOC report to the central location" diff --git a/.github/actions/node-install/action.yaml b/.github/actions/node-install/action.yaml index 07d8d661..a30fec39 100644 --- a/.github/actions/node-install/action.yaml +++ b/.github/actions/node-install/action.yaml @@ -13,7 +13,8 @@ runs: using: 'composite' steps: - name: 'Use Node.js' - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + with: node-version: '${{ inputs.node-version }}' cache: 'npm' cache-dependency-path: '**/package-lock.json' diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index 2bf5369a..cc03f414 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml 
@@ -33,7 +33,8 @@ runs: run: zip sbom-repository-report.json.zip sbom-repository-report.json - name: "Upload SBOM report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: name: sbom-repository-report.json.zip path: ./sbom-repository-report.json.zip retention-days: 21 @@ -48,7 +49,8 @@ runs: run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json - name: "Upload vulnerabilities report as an artefact" if: ${{ !env.ACT }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: name: vulnerabilities-repository-report.json.zip path: ./vulnerabilities-repository-report.json.zip retention-days: 21 @@ -58,7 +60,8 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 with: + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 + with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} - name: "Send the SBOM and vulnerabilities reports to the central location" diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index f57f4eba..051cdafc 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml 
@@ -40,7 +40,8 @@ jobs: # skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }} steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Set CI/CD variables" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 32b8f30c..e3067d8d 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -52,7 +52,8 @@ jobs: # tag: ${{ steps.variables.outputs.tag }} steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Set CI/CD variables" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Set CI/CD variables" id: variables run: | datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') @@ -141,5 +142,6 @@ jobs: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with: + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} diff --git a/.github/workflows/scheduled-repository-template-sync.yaml b/.github/workflows/scheduled-repository-template-sync.yaml index 4d0aee19..ec169ab4 100644 --- a/.github/workflows/scheduled-repository-template-sync.yaml +++ b/.github/workflows/scheduled-repository-template-sync.yaml 
@@ -18,7 +18,8 @@ jobs: - name: Check out the repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Check out external repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: repository: NHSDigital/nhs-notify-repository-template path: nhs-notify-repository-template token: ${{ github.token }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a22f3719..dde6e394 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,7 +59,8 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: name: SARIF file path: results.sarif retention-days: 5 diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index d616520e..ee633705 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -44,7 +44,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: fetch-depth: 0 # Full history is needed to scan all commits - name: "Scan secrets" uses: ./.github/actions/scan-secrets @@ -54,7 +55,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check file format" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Check file format" uses: ./.github/actions/check-file-format check-markdown-format: name: "Check Markdown format" 
@@ -62,7 +64,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check Markdown format" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Check Markdown format" uses: ./.github/actions/check-markdown-format terraform-docs: name: "Run terraform-docs" @@ -73,7 +76,8 @@ jobs: contents: write steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: fetch-depth: 0 # Full history is needed to compare branches - name: "Check to see if Terraform Docs are up-to-date" run: | @@ -93,7 +97,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check English usage" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Check English usage" uses: ./.github/actions/check-english-usage check-todo-usage: name: "Check TODO usage" @@ -101,7 +106,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check TODO usage" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Check TODO usage" uses: ./.github/actions/check-todo-usage detect-terraform-changes: name: "Detect Terraform Changes" @@ -133,7 +139,8 @@ jobs: if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Setup ASDF" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Setup ASDF" uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4 - name: "Lint Terraform" uses: ./.github/actions/lint-terraform 
@@ -182,7 +189,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Count lines of code" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Count lines of code" uses: ./.github/actions/create-lines-of-code-report with: build_datetime: "${{ inputs.build_datetime }}" @@ -200,7 +208,8 @@ jobs: timeout-minutes: 5 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Scan dependencies" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Scan dependencies" uses: ./.github/actions/scan-dependencies with: build_datetime: "${{ inputs.build_datetime }}" diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index 2b47cf25..712744cf 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -97,7 +97,8 @@ jobs: node-version: ${{ inputs.nodejs_version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: "Setup Python" - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + with: python-version: ${{ inputs.python_version }} cache: 'pip' cache-dependency-path: '**/requirements*.txt' 
@@ -105,17 +106,20 @@ jobs: run: | make test-unit - name: "Save the result of fast test suite" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: name: unit-tests path: "**/.reports/unit" include-hidden-files: true if: always() - name: "Save the result of code coverage" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: name: code-coverage-report path: ".reports/lcov.info" - name: "Save Python coverage reports" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: name: python-coverage-reports path: | src/**/coverage.xml @@ -130,8 +134,10 @@ jobs: packages: read steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Setup Python" - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Setup Python" + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + with: python-version: ${{ inputs.python_version }} cache: 'pip' cache-dependency-path: '**/requirements*.txt' 
@@ -170,13 +176,16 @@ jobs: timeout-minutes: 4 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: fetch-depth: 0 # Full history is needed to improving relevancy of reporting - name: "Download coverage report for SONAR" - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 + with: name: code-coverage-report - name: "Download Python coverage reports" - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 + with: name: python-coverage-reports path: . - name: "Perform static analysis" diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index 81e72fc9..754ca1f2 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -72,7 +72,8 @@ jobs: contents: read steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Build docs" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Build docs" uses: ./.github/actions/build-docs with: version: "${{ inputs.version }}" diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index 889207ae..f44a90e2 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -28,7 +28,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run contract test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Run contract test" run: | make test-contract - name: "Save result" 
@@ -40,7 +41,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run security test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Run security test" run: | make test-security - name: "Save result" @@ -52,7 +54,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run UI test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Run UI test" run: | make test-ui - name: "Save result" @@ -64,7 +67,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run UI performance test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Run UI performance test" run: | make test-ui-performance - name: "Save result" @@ -100,7 +104,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run accessibility test" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Run accessibility test" run: | make test-accessibility - name: "Save result" @@ -112,7 +117,8 @@ jobs: timeout-minutes: 10 steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Run load tests" + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: "Run load tests" run: | make test-load - name: "Save result" diff --git a/.github/workflows/stage-5-publish.yaml b/.github/workflows/stage-5-publish.yaml index 2892cb6f..4f82d871 100644 --- a/.github/workflows/stage-5-publish.yaml +++ b/.github/workflows/stage-5-publish.yaml 
@@ -45,12 +45,14 @@ jobs: - name: "Checkout code" uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Get artifacts: jekyll docs" - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 + with: path: ./artifacts/jekyll-docs-${{ inputs.version }} name: jekyll-docs-${{ inputs.version }} - name: "Get artifacts: schema" - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 + with: path: ./artifacts/schemas-${{ inputs.version }} name: schemas-${{ inputs.version }} From 5c5fe16b7e4fc3c44bcd8b08521f478f799bdc0a Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 15:08:01 +0100 Subject: [PATCH 3/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/build-docs/action.yml | 3 ++- .github/actions/build-schemas/action.yml | 3 ++- .github/workflows/stage-2-test.yaml | 12 ++++++++---- .github/workflows/stage-3-build.yaml | 3 ++- 4 files changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index 7fee4bd1..512fda41 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -14,7 +14,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - uses: ./.github/actions/node-install + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: ./.github/actions/node-install with: node-version: ${{ inputs.node-version }} GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }} diff --git a/.github/actions/build-schemas/action.yml b/.github/actions/build-schemas/action.yml index 77f996fb..742883fb 100644 --- a/.github/actions/build-schemas/action.yml +++ b/.github/actions/build-schemas/action.yml 
@@ -8,7 +8,8 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: actions/setup-node@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/setup-node@v4 with: node-version: 18 diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml index 712744cf..66886510 100644 --- a/.github/workflows/stage-2-test.yaml +++ b/.github/workflows/stage-2-test.yaml @@ -52,7 +52,8 @@ jobs: - name: "Checkout code" uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check for schema changes" - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: filter + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 + id: filter with: filters: | schemas: @@ -72,7 +73,8 @@ jobs: packages: read steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - uses: ./.github/actions/node-install + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: ./.github/actions/node-install with: node-version: ${{ inputs.nodejs_version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -92,7 +94,8 @@ jobs: packages: read steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - uses: ./.github/actions/node-install + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: ./.github/actions/node-install with: node-version: ${{ inputs.nodejs_version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -159,7 +162,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: "Checkout code" - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - uses: ./.github/actions/node-install + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: ./.github/actions/node-install with: node-version: ${{ inputs.nodejs_version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml index 754ca1f2..dc197c7b 100644 --- a/.github/workflows/stage-3-build.yaml +++ b/.github/workflows/stage-3-build.yaml @@ -46,7 +46,8 @@ jobs: - name: "Checkout code" uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: "Check for relevant changes" - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: filter + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 + id: filter with: filters: | docs: From 58eff96b351b214e01ed1eda47907abeebe4d662 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 17:48:55 +0100 Subject: [PATCH 4/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/create-lines-of-code-report/action.yaml | 2 +- .github/actions/scan-dependencies/action.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index 5e3a18b0..88ac9f39 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml 
@@ -45,7 +45,7 @@ runs:
 echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the report"
 if: steps.check.outputs.secrets_exist == 'true'
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
+ uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
index cc03f414..3f16e117 100644
--- a/.github/actions/scan-dependencies/action.yaml
+++ b/.github/actions/scan-dependencies/action.yaml
@@ -60,7 +60,7 @@ runs:
 run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the reports"
 if: steps.check.outputs.secrets_exist == 'true'
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
+ uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
From 5246fd19f72fd95300938baac45a4d86afcc18fc Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Tue, 31 Mar 2026 18:18:39 +0100 Subject: [PATCH 5/8] CCM-14499: Correct configure-aws-credentials v4 SHA --- .github/actions/create-lines-of-code-report/action.yaml | 2 +- .github/actions/scan-dependencies/action.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
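Review bot: Both hunks here move `configure-aws-credentials` from the v6 SHA to `ff717079…` labelled `# v4`, and the next patch in the series is titled "Correct configure-aws-credentials v4 SHA" and replaces that SHA again, after which patch 7 restores the v6 pin; the final tree is right, but the intermediate commits carry a SHA that does not resolve to the tag its comment claims. A pin whose trailing comment disagrees with the commit it resolves to misleads every later reader, and Dependabot's `github-actions` updater appears to treat that comment as the version, so a mislabelled pin can silently survive updates. Recommend squashing patches 4, 5 and 7 before merge, and adding a check that fails CI when a `uses:` SHA does not match the tag in its comment — a pin-verification tool such as pinact, or a `git ls-remote --tags` comparison against `<tag>^{}` so annotated tags resolve to their commit. The same check would have caught the annotated-tag object SHA that patch 6 corrects for `github/combine-prs`.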
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml
index 88ac9f39..d1f8132c 100644
--- a/.github/actions/create-lines-of-code-report/action.yaml
+++ b/.github/actions/create-lines-of-code-report/action.yaml
@@ -45,7 +45,7 @@ runs:
 echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the report"
 if: steps.check.outputs.secrets_exist == 'true'
- uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
index 3f16e117..fa57130d 100644
--- a/.github/actions/scan-dependencies/action.yaml
+++ b/.github/actions/scan-dependencies/action.yaml
@@ -60,7 +60,7 @@ runs:
 run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the reports"
 if: steps.check.outputs.secrets_exist == 'true'
- uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
From 6d8e39261faa4271be04eb50004a1e39affde47f Mon Sep 17 00:00:00 2001
From: damientobin1 Date: Tue, 31 Mar 2026 18:40:57 +0100 Subject: [PATCH 6/8] CCM-14499: Correct annotated tag SHA pins --- .github/workflows/manual-combine-dependabot-prs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index 6c8e02a9..f3a7dc3e 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml @@ -15,7 +15,7 @@ jobs: steps: - name: combine-prs id: combine-prs - uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 with: + uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0 with: ci_required: false labels: dependencies pr_title: Combined Dependabot PRs From c8309e18a85d31c7ffaf7b2b0a6074222e65c802 Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Wed, 1 Apr 2026 12:39:40 +0100 Subject: [PATCH 7/8] CCM-14499: Pin remaining GitHub Actions refs to SHAs --- .github/actions/build-schemas/action.yml | 2 +- .github/actions/create-lines-of-code-report/action.yaml | 2 +- .github/actions/scan-dependencies/action.yaml | 2 +- .github/workflows/cicd-1-pull-request.yaml | 2 +- .github/workflows/cicd-3-deploy.yaml | 2 +- .github/workflows/stage-1-commit.yaml | 4 ++-- .github/workflows/stage-4-acceptance.yaml | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/actions/build-schemas/action.yml b/.github/actions/build-schemas/action.yml index 742883fb..5dbfa42d 100644 --- a/.github/actions/build-schemas/action.yml +++ b/.github/actions/build-schemas/action.yml @@ -9,7 +9,7 @@ runs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 18 
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml index d1f8132c..5e3a18b0 100644 --- a/.github/actions/create-lines-of-code-report/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -45,7 +45,7 @@ runs: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the report" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index fa57130d..cc03f414 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml @@ -60,7 +60,7 @@ runs: run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT - name: "Authenticate to send the reports" if: steps.check.outputs.secrets_exist == 'true' - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 with: role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }} aws-region: ${{ inputs.idp_aws_report_upload_region }} diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index 051cdafc..94747291 100644 --- a/.github/workflows/cicd-1-pull-request.yaml 
+++ b/.github/workflows/cicd-1-pull-request.yaml @@ -163,7 +163,7 @@ jobs: id-token: write if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened')) steps: - - uses: actions/checkout@v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Trigger dynamic environment creation env: APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }} diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index e3067d8d..f5c90294 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -135,7 +135,7 @@ jobs: run: | gh release download ${{steps.get-asset-version.outputs.release_version}} -p jekyll-docs-*.tar --output artifact.tar - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}} path: artifact.tar diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index ee633705..121add73 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -158,7 +158,7 @@ jobs: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # steps: # - name: "Checkout code" - # uses: actions/checkout@v4 + # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4 # - name: "Trivy IaC Scan" @@ -175,7 +175,7 @@ jobs: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # steps: # - name: "Checkout code" - # uses: actions/checkout@v4 + # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # - name: "Setup ASDF" # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # - name: "Trivy Package Scan" 
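Review bot: The cicd-3-deploy hunk turns `actions/upload-artifact@v4` into the `b7c566a7…` SHA labelled `# v6`, a two-major-version upgrade hidden inside a commit described as a pinning change; the commit message should say so, and the consumers of that artifact — `actions/deploy-pages@d6db9016… # v4` in the same file and the `download-artifact` v5 pins in stage-2 and stage-5 — should be confirmed to accept artifacts produced by upload-artifact v6 before this merges. Separately, the cicd-1-pull-request hunk pins checkout to `08c6903c… # v5.0.0` while the rest of the repository uses `93cb6efe… # v5` and the commented-out block in stage-1-commit now carries `de0fac2e… # v6`, so three different checkout commits are in play; converging on one SHA gives Dependabot a single line to update per file and makes drift visible in review. The stage-4-acceptance hunk that follows has the same `08c6903c…` divergence.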
diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml index f44a90e2..42fecc70 100644 --- a/.github/workflows/stage-4-acceptance.yaml +++ b/.github/workflows/stage-4-acceptance.yaml @@ -78,7 +78,7 @@ jobs: name: "Integration test" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # Calls out to the nhs-notify-internal repo. # The nhs-notify-internal repo will run the tests # setup in ./.github/actions/acceptance-tests/action.yaml From 87584678ad11911bfb633b3d5aa8b7dee1fabd5a Mon Sep 17 00:00:00 2001 From: damientobin1 Date: Thu, 2 Apr 2026 11:02:38 +0100 Subject: [PATCH 8/8] CCM-14499: Pinning all GitHub Actions to SHAs --- .github/actions/build-docs/action.yml | 3 ++- .github/workflows/manual-combine-dependabot-prs.yaml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml index 512fda41..df5217cd 100644 --- a/.github/actions/build-docs/action.yml +++ b/.github/actions/build-docs/action.yml @@ -24,7 +24,8 @@ runs: run: npm ci shell: bash - name: Setup Ruby - uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0 with: + uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0 + with: ruby-version: "3.4.7" # Not needed with a .ruby-version file bundler-cache: true # Enable automatic gem caching cache-version: 0 # Increment this number if you need to re-download cached gems diff --git a/.github/workflows/manual-combine-dependabot-prs.yaml b/.github/workflows/manual-combine-dependabot-prs.yaml index f3a7dc3e..3e311ac5 100644 --- a/.github/workflows/manual-combine-dependabot-prs.yaml +++ b/.github/workflows/manual-combine-dependabot-prs.yaml 
@@ -15,7 +15,8 @@ jobs:
 steps:
 - name: combine-prs
 id: combine-prs
- uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0 with:
+ uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
+ with:
 ci_required: false
 labels: dependencies
 pr_title: Combined Dependabot PRs