Chore: [AEA-6424] - New quality checks#1990
Conversation
Pull request overview
Adds configuration and workflow adjustments to support new automated quality/security checks (zizmor + grype), and tightens GitHub Actions defaults (permissions/credential persistence) across CI/CD workflows.
Changes:
- Introduces zizmor and grype configuration (with ignore lists) and ignores generated SBOM output.
- Updates multiple GitHub Actions workflows to set explicit `permissions: {}` defaults, reduce credential persistence, and normalize env var usage.
- Updates the devcontainer image version and removes the legacy PR-comment “link dev website” workflow.
Reviewed changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| zizmor.yml | Adds zizmor rules with targeted ignore coordinates for existing findings. |
| .grype.yaml | Adds grype ignore list for specific GHSA IDs. |
| .gitignore | Ignores `.sbom/` output directory. |
| .github/workflows/update_dev_container_version.yml | Minor formatting-only change. |
| .github/workflows/sync_copilot.yml | Adds workflow-level `permissions: {}` (job keeps explicit permissions). |
| .github/workflows/run_regression_tests.yml | Adds `permissions: {}` default; normalizes `GITHUB_TOKEN` usage and quoting. |
| .github/workflows/release.yml | Adds `permissions: {}` and removes reusable-workflow secret inheritance. |
| .github/workflows/release_all_stacks.yml | Adds `permissions: {}` default; refactors bash interpolation to env variables; adjusts checkout credential persistence; adds env blocks for some steps. |
| .github/workflows/pull_request.yml | Adds `permissions: {}` default; changes checkout behavior; removes reusable-workflow secret inheritance; changes deployed URL reporting. |
| .github/workflows/link_dev_website.yml | Removes workflow that commented deployed URL on PR open. |
| .github/workflows/delete_old_cloudformation_stacks.yml | Adds workflow-level `permissions: {}` default; reduces checkout credential persistence; removes comments/ref usage. |
| .github/workflows/ci.yml | Adds `permissions: {}` default and removes reusable-workflow secret inheritance. |
| .github/workflows/cdk_package_code.yml | Adds `permissions: {}` default; reduces checkout credential persistence. |
| .devcontainer/devcontainer.json | Updates devcontainer image version. |
Comments suppressed due to low confidence (5)
.github/workflows/pull_request.yml:29
- In a `pull_request` workflow, omitting `ref` in `actions/checkout` will check out the PR merge ref by default. That means `git show -s --format=%s` may read the merge commit message instead of the PR head commit, breaking the `#skip-qc` logic. Set `ref` to the PR head SHA/ref (e.g. `${{ github.event.pull_request.head.sha }}`) when checking out for commit-message inspection.
AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
get_commit_message:
runs-on: ubuntu-22.04
outputs:
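As an added example (not code from this PR or from the repository's own workflows), the following shows a `get_commit_message` job that checks out the PR head commit rather than the merge ref, so the `#skip-qc` subject check described above reads the right commit. The `actions/checkout` SHA placeholder, the step and output ids, and the downstream `quality_checks` job are assumptions, not taken from the repository:

```yaml
# Added example, not the repository's workflow: check out the PR head commit
# (not the pull_request merge ref) before inspecting the commit subject.
name: pull_request

on:
  pull_request:

permissions: {}   # workflow-level default; each job grants only what it needs

jobs:
  get_commit_message:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    outputs:
      commit_message: ${{ steps.read_subject.outputs.commit_message }}
    steps:
      - name: Checkout PR head commit
        # <FULL_40_CHAR_COMMIT_SHA> is a placeholder: pin to the immutable SHA of the
        # actions/checkout release you use, with its version in a trailing comment.
        uses: actions/checkout@<FULL_40_CHAR_COMMIT_SHA> # vX.Y.Z (placeholder)
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # head commit, not refs/pull/N/merge
          fetch-depth: 1
          persist-credentials: false   # leave no GITHUB_TOKEN behind in .git/config

      - name: Read commit subject
        id: read_subject
        # No ${{ }} expression inside `run`: the subject is read with git, so a
        # commit message chosen by the PR author is never expanded into the shell.
        run: |
          subject="$(git show -s --format=%s HEAD)"
          printf 'commit_message=%s\n' "$subject" >> "$GITHUB_OUTPUT"

  quality_checks:
    needs: get_commit_message
    # Skip only when the head commit subject carries #skip-qc (assumed policy)
    if: "${{ !contains(needs.get_commit_message.outputs.commit_message, '#skip-qc') }}"
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - run: echo "running quality checks"
```

Checking out `head.sha` only reads metadata here; nothing from the PR branch is executed in this job, which is why `contents: read` and `persist-credentials: false` are sufficient.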
.github/workflows/pull_request.yml:212
- This reusable-workflow call to `release_all_stacks.yml` no longer passes any secrets. The called workflow references secrets such as `CLOUD_FORMATION_DEPLOY_ROLE`, APIGEE credentials, OIDC client IDs, and `JWT_PRIVATE_KEY`; without an explicit `secrets:` mapping (or `secrets: inherit`), those values will be unset and deployments/regression tests will fail. Pass an explicit allow-list of required secrets (preferred) or restore `secrets: inherit`.
mockOidcIssuer: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev"
mockOidcAuthorizeEndpoint: "https://internal-dev.api.service.nhs.uk/oauth2-mock/authorize"
mockOidcTokenEndpoint: "https://internal-dev.api.service.nhs.uk/oauth2-mock/token"
mockOidcUserInfoEndpoint: "https://internal-dev.api.service.nhs.uk/oauth2-mock/userinfo"
.github/workflows/ci.yml:89
- This reusable-workflow invocation of `release_all_stacks.yml` no longer passes secrets. Since the called workflow consumes repository secrets (AWS role to assume, APIGEE credentials, OIDC client IDs, JWT private key, etc.), it will fail unless the caller provides them via `secrets:` (preferred allow-list) or `secrets: inherit`.
mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
allowLocalhostAccess: true
useCustomCognitoDomain: true
APIGEE_CIS2_TOKEN_ENDPOINT: "https://internal-dev.api.service.nhs.uk/oauth2/token"
.github/workflows/release.yml:91
- These `release_*` jobs call `release_all_stacks.yml` as a reusable workflow but no longer pass secrets. The reusable workflow references secrets like `CLOUD_FORMATION_DEPLOY_ROLE`, APIGEE credentials, OIDC client IDs, and `JWT_PRIVATE_KEY`, so deployments will fail unless the caller passes them via an explicit `secrets:` allow-list (preferred) or restores `secrets: inherit`.
mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
allowLocalhostAccess: true
useCustomCognitoDomain: true
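The three comments above (pull_request.yml, ci.yml and release.yml) all ask for the same fix. As an added example, not code from this PR, here is the explicit `secrets:` allow-list on the caller side together with the matching `workflow_call` declaration on the callee side. The two secret names are the ones the comments mention; the job names, the `deploy` step and the `RUN_REGRESSION_TESTS` input's type are assumptions:

```yaml
# Added example, not the repository's code.
# Caller side (e.g. release.yml): pass only the secrets the reusable workflow
# declares, instead of `secrets: inherit`, which forwards every repository secret.
permissions: {}

jobs:
  release_dev:
    # A same-repository path is always the checked-out revision; a cross-repository
    # `owner/repo/.github/workflows/x.yml@<sha>` reference must be pinned to a SHA.
    uses: ./.github/workflows/release_all_stacks.yml
    with:
      RUN_REGRESSION_TESTS: true
    secrets:
      CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
      JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
      # add each further secret the callee declares; anything not listed here
      # is simply unset inside the called workflow

---
# Callee side (release_all_stacks.yml): declare what the caller must supply, so a
# missing secret is rejected when the call is validated, not discovered as an
# empty string during deployment.
on:
  workflow_call:
    inputs:
      RUN_REGRESSION_TESTS:
        type: boolean
        required: false
        default: false
    secrets:
      CLOUD_FORMATION_DEPLOY_ROLE:
        required: true
      JWT_PRIVATE_KEY:
        required: true

permissions: {}

jobs:
  deploy:
    runs-on: ubuntu-22.04
    permissions:
      id-token: write   # needed to obtain the OIDC token for role assumption
      contents: read
    steps:
      - name: Use the secret via env, never interpolated into the script body
        env:
          DEPLOY_ROLE: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
        run: |
          if [ -z "$DEPLOY_ROLE" ]; then
            echo "CLOUD_FORMATION_DEPLOY_ROLE was not provided by the caller" >&2
            exit 1
          fi
          echo "assuming deploy role via OIDC (placeholder step)"
```

The `---` separates the two files; each block is a complete workflow fragment on its own. With `required: true` on the callee, a caller that drops the mapping fails at the call site rather than midway through a stack deployment.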
.github/workflows/pull_request.yml:224
- PR description says this is only “new quality checks”, but this workflow change now reports the deployed URL only in the Actions step summary. Given the removal of the `link_dev_website` workflow, the deployed URL may no longer be posted back to the PR as a comment; please confirm this behavior change is intended and update the PR description if so.
APIGEE_PDS_ENDPOINT: "https://internal-dev.api.service.nhs.uk/personal-demographics/FHIR/R4/"
APIGEE_DOHS_ENDPOINT: "https://int.api.service.nhs.uk/service-search-api/"
JWT_KID: "eps-cpt-ui-dev"
ROLE_ID: "555254242106"
LOG_LEVEL: "DEBUG"
RUN_REGRESSION_TESTS: true
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
zizmor.yml
Outdated
| - delete_old_cloudformation_stacks.yml:18:9 | ||
| - run_regression_tests.yml:51:28 | ||
| unpinned-uses: | ||
| disable: true |
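Review bot: `disable: true` on `unpinned-uses` also silences the finding for the `@test_zizmor` branch references this same PR introduces in pull_request.yml, so the newly added scanner would report a clean run while five reusable workflows point at a mutable ref. Keep the rule enabled and, if a branch reference is genuinely needed while testing, suppress that one line with a targeted `ignore:` coordinate in the same `file:line:col` form as the `delete_old_cloudformation_stacks.yml:18:9` entry above, with a comment naming the finding being suppressed, since line/column coordinates go stale as those files are edited.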
unpinned-uses is globally disabled here. This removes a key supply-chain check (detecting uses: owner/repo@branch instead of a pinned SHA/tag) and can allow unsafe workflow updates to slip in unnoticed. Consider re-enabling unpinned-uses and using targeted ignore: entries only where a non-pinned reference is explicitly required.
| disable: true |
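To make the comment above concrete, here is an added example (not the repository's own `zizmor.yml`) of the weak setting next to the corrected one: the rule stays on, and only a single reviewed branch reference is ignored by exact coordinate. The `<LINE>` and `<COL>` values are placeholders, not taken from the page:

```yaml
# Added example, not the repository's zizmor.yml.
# Weak: the whole rule is off, so `uses: owner/repo@branch` anywhere passes.
rules:
  unpinned-uses:
    disable: true

---
# Corrected: rule enabled; suppress one known, reviewed finding by coordinate.
rules:
  unpinned-uses:
    ignore:
      # file:line:column of the single `uses: ...@test_zizmor` line that must stay
      # on the branch until the change lands upstream. <LINE> and <COL> are
      # placeholders. Coordinates go stale when the file is edited, so record the
      # reason here and remove the entry once the reference is re-pinned to a SHA.
      - pull_request.yml:<LINE>:<COL>
```

The `---` separates the before and after configurations; only the second block is meant to be committed. Every other `uses:` reference in the repository keeps being checked, which is the point of the change.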
.github/workflows/pull_request.yml
Outdated
| jobs: | ||
| get_config_values: | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711 | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@test_zizmor |
This reusable workflow reference uses @test_zizmor (a branch or non-immutable ref). For supply-chain safety and reproducibility, pin reusable workflows to an immutable commit SHA (or a trusted version tag) instead of a moving branch name.
.github/workflows/pull_request.yml
Outdated
| dependabot-auto-approve-and-merge: | ||
| needs: quality_checks | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ac2707dd9cd60ad127275179495b9c890d74711 | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@test_zizmor |
This reusable workflow reference uses @test_zizmor (a branch or non-immutable ref). For supply-chain safety and reproducibility, pin reusable workflows to an immutable commit SHA (or a trusted version tag) instead of a moving branch name.
.github/workflows/pull_request.yml
Outdated
| # always run, but only block in the non-skip case | ||
| needs: [get_commit_message, get_config_values] | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@test_zizmor |
This reusable workflow reference uses @test_zizmor (a branch or non-immutable ref). For supply-chain safety and reproducibility, pin reusable workflows to an immutable commit SHA (or a trusted version tag) instead of a moving branch name.
.github/workflows/pull_request.yml
Outdated
| pr_title_format_check: | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ac2707dd9cd60ad127275179495b9c890d74711 | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@test_zizmor |
This reusable workflow reference uses @test_zizmor (a branch or non-immutable ref). For supply-chain safety and reproducibility, pin reusable workflows to an immutable commit SHA (or a trusted version tag) instead of a moving branch name.
| uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@test_zizmor | |
| uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@<FULL_40_CHAR_COMMIT_SHA> |
.github/workflows/pull_request.yml
Outdated
| tag_release: | ||
| needs: [get_config_values] | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@test_zizmor |
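Review bot: all five reusable-workflow references in this file (get-repo-config, dependabot-auto-approve-and-merge, quality-checks-devcontainer, pr_title_check, tag-release-devcontainer) move from the pinned SHA `5ac2707dd9cd60ad127275179495b9c890d74711` to the branch `test_zizmor` together, so they should be re-pinned together, in one commit, to the single eps-common-workflows commit that carries the test_zizmor changes once it is merged there; applying the `<FULL_40_CHAR_COMMIT_SHA>` suggestion to pr_title_check.yml alone leaves the other four on a mutable ref.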
This reusable workflow reference uses @test_zizmor (a branch or non-immutable ref). For supply-chain safety and reproducibility, pin reusable workflows to an immutable commit SHA (or a trusted version tag) instead of a moving branch name.