
Chore: [AEA-0000] - move to new qc #653

Merged
MatthewPopat-NHS merged 7 commits into main from use_new_qc
Apr 8, 2026

Conversation

@anthony-nhs (Contributor) commented Apr 7, 2026

Summary

  • Routine Change

Details

  • move to latest qc
  • remove all trivy files
  • add CODEOWNERS to restrict updates to workflows
  • use least permissions on all workflows
  • add --ignore-scripts true to npm install
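Added illustration of the workflow hardening listed above (least-privilege token permissions, checkout credentials not persisted, lifecycle scripts skipped on install). This is example configuration written for this review, not one of the repository's own workflow files; the workflow and job names, the `.nvmrc` file and the all-zero placeholder SHAs are assumptions.

```yaml
name: pull_request

on:
  pull_request:

# Deny every scope at the top level so no job inherits write access by default.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    # Grant only what this job needs: reading repository contents.
    permissions:
      contents: read
    steps:
      # Placeholder SHAs: pin third-party actions to a full commit SHA, not a tag.
      - uses: actions/checkout@0000000000000000000000000000000000000000
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions/setup-node@0000000000000000000000000000000000000000
        with:
          node-version-file: .nvmrc     # assumption: the repo pins Node here
      # --ignore-scripts is a boolean flag; "npm ci --ignore-scripts true"
      # would hand "true" to npm ci as a stray positional argument.
      - run: npm ci --ignore-scripts
      # Skipping lifecycle scripts also skips the project's own prepare/postinstall
      # hooks, so any build step they used to run must now be invoked explicitly.
      - run: npm run build --if-present

  comment:
    needs: build
    runs-on: ubuntu-latest
    # The only write scope in the workflow, confined to the one job that needs it.
    permissions:
      pull-requests: write
    steps:
      # Pass event data through env rather than interpolating it into the script,
      # which is the template-injection pattern zizmor flags.
      - run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "Build passed"
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
```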

Copilot AI review requested due to automatic review settings April 7, 2026 11:20
Copilot AI left a comment


Pull request overview

Routine QC/tooling migration PR that updates the repo’s security/quality tooling configuration and aligns GitHub Actions workflows/devcontainer with the new baseline.

Changes:

  • Replace Trivy ignore/config with Grype + add local pre-commit scanning support.
  • Update GitHub Actions workflows to newer eps-common-workflows SHAs, add CODEOWNERS protection for workflow changes, and adjust workflow security settings.
  • Bump devcontainer image version and add supporting config (zizmor + gitignore).

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 5 comments.

File Description
zizmor.yml Adds zizmor rule ignore configuration.
.pre-commit-config.yaml Adds a local grype-scan-local pre-commit hook.
.grype.yaml Adds Grype vulnerability ignore configuration.
.gitignore Ignores generated SBOM directory.
.github/workflows/sync_copilot.yml Updates workflow default permissions configuration.
.github/workflows/ci.yml Updates reusable workflow SHAs and sets workflow permissions.
.github/workflows/release.yml Updates reusable workflow SHAs and sets workflow permissions.
.github/workflows/pull_request.yml Updates reusable workflow SHAs and sets workflow permissions.
.github/workflows/package_npm_code.yml Sets workflow permissions and adjusts checkout behavior.
.github/CODEOWNERS Requires EPS admins to review workflow changes.
.devcontainer/devcontainer.json Bumps devcontainer image version.
trivy.yaml Removed as part of the move away from Trivy config.
.trivyignore.yaml Removed Trivy vulnerability ignore list.

Copilot AI left a comment


Pull request overview

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

@@ -56,7 +67,6 @@ jobs:
}

Copilot AI Apr 7, 2026


This fallback assumes listPullRequestsAssociatedWithCommit(...).data[0] always exists; if no PR is associated with the commit, this will throw. Since this workflow only runs on pull_request, context.issue.number should already be present—consider removing the fallback branch entirely (or guard against an empty .data result if you intend this script to be reusable for other events).

Copilot AI left a comment


Pull request overview

Copilot reviewed 13 out of 14 changed files in this pull request and generated no new comments.

Copilot AI left a comment


Pull request overview

Copilot reviewed 13 out of 14 changed files in this pull request and generated 2 comments.
install-node:
npm ci
npm ci --ignore-scripts true
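Review bot: in the `install-node` target, `npm ci --ignore-scripts true` hands `true` to `npm ci` as a stray positional argument rather than as the flag's value; write it as `npm ci --ignore-scripts` (or `--ignore-scripts=true`). Note also that once lifecycle scripts are skipped, the project's own `prepare`/`postinstall` hooks no longer run either, so any build step that relied on them needs an explicit `npm run` in the target.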

Copilot AI Apr 7, 2026


npm ci --ignore-scripts true passes an extra positional argument (true) to npm ci, which can cause the command to fail or behave unexpectedly. Use the boolean flag form (npm ci --ignore-scripts) or the explicit assignment form (--ignore-scripts=true) so the install reliably runs with scripts disabled.

Suggested change
npm ci --ignore-scripts true
npm ci --ignore-scripts

sonarqubecloud bot commented Apr 8, 2026

@MatthewPopat-NHS MatthewPopat-NHS merged commit 88e26b2 into main Apr 8, 2026
12 checks passed
@MatthewPopat-NHS MatthewPopat-NHS deleted the use_new_qc branch April 8, 2026 14:08