Chore: [AEA-0000] - move to new quality checks#130

Merged
anthony-nhs merged 8 commits into main from new_qc on Apr 16, 2026
Conversation

@anthony-nhs
Contributor

Summary

  • Routine Change

Details

  • move to new quality checks

Copilot AI review requested due to automatic review settings April 15, 2026 13:00

Copilot AI left a comment

Pull request overview

This PR updates the repository’s security/quality tooling configuration to align with the newer “quality checks” approach (moving away from Trivy ignores and introducing Grype/Zizmor configuration), and tightens GitHub Actions permissions.

Changes:

  • Add Zizmor and Grype configuration, remove legacy Trivy ignore configuration.
  • Add a local pre-commit hook to run a Grype scan on local changes and ignore generated SBOM output.
  • Update GitHub Actions workflows to use permissions: {} by default and bump referenced shared workflow revisions / devcontainer image version.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 6 comments.

Summary per file:

  • zizmor.yml: Adds an ignore entry for Zizmor’s unpinned-images rule.
  • trivy.yaml: Removes Trivy ignorefile configuration.
  • .trivyignore.yaml: Removes legacy Trivy vulnerability ignore list.
  • .pre-commit-config.yaml: Adds a local Grype scan hook.
  • .grype.yaml: Adds Grype vulnerability ignore configuration.
  • .gitignore: Ignores generated .sbom/ directory.
  • .github/workflows/sync_copilot.yml: Sets default workflow token permissions to none ({}) and specifies minimal job permissions.
  • .github/workflows/release.yaml: Updates shared workflow refs, pins checkout action, disables persisted credentials, and applies permission hardening.
  • .github/workflows/pull_request.yaml: Updates shared workflow refs, disables persisted credentials, and applies permission hardening.
  • .github/workflows/ci.yaml: Updates shared workflow refs and applies permission hardening.
  • .github/CODEOWNERS: Adds CODEOWNERS rule for workflow changes.
  • .devcontainer/devcontainer.json: Bumps devcontainer image version.

Comment threads:

  • .github/workflows/release.yaml
  • .github/workflows/release.yaml
  • .github/workflows/release.yaml
  • .github/workflows/pull_request.yaml
  • zizmor.yml (Outdated)
  • .grype.yaml
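The permission hardening the review summary describes (a workflow-level `permissions: {}`, minimal job-level permissions, a checkout pinned to a commit and run with persisted credentials disabled), written out as an added illustrative workflow that is not part of this PR or repository; the workflow name, build step and the commit SHA are placeholders.

```yaml
# Constructed example: not a workflow from this repository.
name: hardened-ci-example

on:
  pull_request:

# Without a top-level permissions key the GITHUB_TOKEN gets the
# repository's default scopes. An empty map grants nothing by default,
# so each job must ask for exactly the scopes it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout only needs to read the repo
    steps:
      # Pin to a full commit SHA instead of a mutable tag so the action
      # cannot change underneath the workflow, and stop checkout from
      # writing the token into .git/config for later steps to read.
      # PLACEHOLDER SHA: replace with the real pinned revision.
      - uses: actions/checkout@0000000000000000000000000000000000000000
        with:
          persist-credentials: false

      - name: Build
        run: ./scripts/build.sh   # hypothetical build step
```

A job that must write (for example, publishing a release) requests that scope on its own `permissions` block rather than widening the workflow-level default.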

Copilot AI left a comment

Pull request overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated 1 comment.

Comment threads:

  • .pre-commit-config.yaml

@anthony-nhs anthony-nhs merged commit 5f688ad into main Apr 16, 2026
12 checks passed
@anthony-nhs anthony-nhs deleted the new_qc branch April 16, 2026 09:04