From eaf404b4865e4dd0562fb83863f611aa2e175040 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 18 Mar 2026 09:55:29 +0000 Subject: [PATCH 1/2] use new workflow --- .github/workflows/cdk_release_code.yml | 53 -------------------------- .github/workflows/ci.yml | 4 +- .github/workflows/pull_request.yml | 2 +- .github/workflows/release.yml | 10 ++--- 4 files changed, 5 insertions(+), 64 deletions(-) diff --git a/.github/workflows/cdk_release_code.yml b/.github/workflows/cdk_release_code.yml index c42319a1..ca29ae2d 100644 --- a/.github/workflows/cdk_release_code.yml +++ b/.github/workflows/cdk_release_code.yml @@ -21,18 +21,6 @@ on: COMMIT_ID: required: true type: string - CREATE_INT_RELEASE_NOTES: - type: boolean - default: false - CREATE_INT_RC_RELEASE_NOTES: - type: boolean - default: false - CREATE_PROD_RELEASE_NOTES: - type: boolean - default: false - MARK_JIRA_RELEASED: - type: boolean - default: false pinned_image: type: string required: true @@ -83,18 +71,6 @@ jobs: mkdir -p .build tar -xf artifact.tar - - name: create_int_rc_release_notes - uses: ./.github/actions/update_confluence_jira - if: ${{ inputs.CREATE_INT_RC_RELEASE_NOTES == true }} - with: - TARGET_ENVIRONMENT: int - RELEASE_TAG: ${{ inputs.VERSION_NUMBER }} - CONFLUENCE_PAGE_ID: "913232854" - CREATE_RC_RELEASE_NOTES: true - DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} - TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }} - DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} - - name: Configure AWS Credentials id: connect-aws uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 
@@ -116,35 +92,6 @@ jobs: CDK_CONFIG_isPullRequest: ${{ inputs.IS_PULL_REQUEST }} CDK_CONFIG_environment: ${{ inputs.TARGET_ENVIRONMENT }} - - name: create_int_release_notes - uses: ./.github/actions/update_confluence_jira - if: ${{ inputs.CREATE_INT_RELEASE_NOTES == true && always() && !failure() && !cancelled() }} - with: - TARGET_ENVIRONMENT: int - CONFLUENCE_PAGE_ID: "913232855" - CREATE_RC_RELEASE_NOTES: false - DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} - TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }} - DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} - - - name: create_prod_release_notes - uses: ./.github/actions/update_confluence_jira - if: ${{ inputs.CREATE_PROD_RELEASE_NOTES == true && always() && !failure() && !cancelled() }} - with: - TARGET_ENVIRONMENT: prod - CONFLUENCE_PAGE_ID: "913232856" - CREATE_RC_RELEASE_NOTES: false - DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} - TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }} - DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} - - - name: mark_released_in_jira - uses: ./.github/actions/mark_jira_released - if: ${{ inputs.MARK_JIRA_RELEASED == true && always() && !failure() && !cancelled() }} - with: - RELEASE_TAG: ${{ inputs.VERSION_NUMBER }} - DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} - - name: Checkout gh-pages if: ${{ !startsWith(inputs.STACK_NAME, 'lambda-resources-pr-') }} uses: actions/checkout@v6.0.2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61092158..be1e78cc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -32,7 +32,7 @@ jobs: tag_release: needs: [quality_checks, get_commit_id, get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@383f3f9eaf3cb553ebcd74897bfed4d5e387629e + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@update_jira with: dry_run: true pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} @@ -57,8 +57,6 @@ jobs: BUILD_ARTIFACT: packaged_code VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}} COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}} - CREATE_INT_RELEASE_NOTES: true - CREATE_PROD_RELEASE_NOTES: true IS_PULL_REQUEST: false secrets: CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index b346ea3b..dfe2e7ee 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -82,7 +82,7 @@ jobs: tag_release: if: github.event_name != 'merge_group' needs: [get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@383f3f9eaf3cb553ebcd74897bfed4d5e387629e + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@update_jira with: dry_run: true pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b41f6c37..1ad3b65e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
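Review bot: The `uses:` line for `tag_release` in ci.yml now points at `tag-release-devcontainer.yml@update_jira`, a branch name, where it was previously pinned to the full commit SHA `383f3f9eaf3cb553ebcd74897bfed4d5e387629e`. A branch ref is mutable, so anything later pushed to that branch runs in this repository's pipelines without a reviewable change here. The same replacement is made in the pull_request.yml hunk and in the first release.yml hunk, where the call runs with `dry_run: false` and `secrets: inherit`, so every repository secret is exposed to whatever that branch contains. Before this reaches main, pin all three call sites back to a full commit SHA of the shared workflow, e.g. `uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@<full-commit-sha>`.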
@@ -31,12 +31,14 @@ jobs: tag_release: needs: [quality_checks, get_commit_id, get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@383f3f9eaf3cb553ebcd74897bfed4d5e387629e + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@update_jira with: dry_run: false pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} branch_name: main tag_format: ${{ needs.get_config_values.outputs.tag_format }} + update_jira: true + jira_release_prefix: "aws-dashboards" secrets: inherit package_code: @@ -56,8 +58,6 @@ jobs: BUILD_ARTIFACT: packaged_code VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}} COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}} - CREATE_INT_RELEASE_NOTES: true - CREATE_PROD_RELEASE_NOTES: true IS_PULL_REQUEST: false secrets: CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }} @@ -110,8 +110,6 @@ jobs: BUILD_ARTIFACT: packaged_code VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}} COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}} - CREATE_INT_RELEASE_NOTES: true - CREATE_INT_RC_RELEASE_NOTES: true IS_PULL_REQUEST: false secrets: CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.INT_CLOUD_FORMATION_DEPLOY_ROLE }} @@ -132,8 +130,6 @@ jobs: BUILD_ARTIFACT: packaged_code VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}} COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}} - MARK_JIRA_RELEASED: true - CREATE_PROD_RELEASE_NOTES: true IS_PULL_REQUEST: false secrets: CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_DEPLOY_ROLE }} From 60461b60fc7f45133909898791f41f5d09af3c14 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 18 Mar 2026 10:03:28 +0000 Subject: [PATCH 2/2] fix trivy --- .gitignore | 1 + .trivyignore.yaml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/.gitignore b/.gitignore index f694af97..c132d930 100644 --- a/.gitignore +++ b/.gitignore 
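Review bot: `update_jira: true` is passed to `tag_release` in release.yml, which only `needs` quality_checks, get_commit_id and get_config_values, so the Jira update presumably happens before any deployment. The removed `mark_released_in_jira` step ran inside the prod deploy and was gated on `!failure() && !cancelled()`. What `update_jira` actually does lives in the shared workflow and is not visible here, so please confirm that a failed int or prod deployment cannot leave the Jira release marked as released. The Confluence release-notes steps deleted from cdk_release_code.yml have no visible replacement in this patch; a comment above the new inputs such as `# Jira release handling now lives in the shared tag-release workflow` would record the intent.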
@@ -33,3 +33,4 @@ amplify_outputs.json .asdf cdk.out/ .npmrc +.trivy_out/ diff --git a/.trivyignore.yaml b/.trivyignore.yaml index 3c59b33a..c0308ffd 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -8,3 +8,10 @@ vulnerabilities: - id: CVE-2026-27904 statement: minimatch vulnerability accepted as risk - dependency of various packages expired_at: 2026-04-01 + - id: CVE-2026-33036 + statement: fast-xml-parser - dependency of @aws-sdk + expired_at: 2026-06-01 + - id: CVE-2026-32141 + statement: flatted vulnerability accepted + expired_at: 2026-06-01 +
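Review bot: The two entries added to .trivyignore.yaml suppress CVE-2026-33036 and CVE-2026-32141 by id alone, so the finding is hidden for every package and path in which the scanner reports it. The second `statement` (`flatted vulnerability accepted`) records neither which dependency pulls the package in nor why the risk is acceptable. Scope each entry to the affected package with `purls`, for example `purls: ["pkg:npm/flatted@<affected-version>"]` (placeholder version), and expand the statement to name the parent dependency and the upgrade that will clear it. The `expired_at: 2026-06-01` dates are worth keeping; the hunk also appears to add a blank line at end of file, which can be dropped.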