Chore: [AEA-0000] - move to new quality checks

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_10",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "v1.4.7",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     }

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# restrict access to approving workflow changes
+.github/workflows/ @NHSDigital/eps-administrators

.github/workflows/ci.yaml

@@ -4,17 +4,26 @@ on:
   push:
     branches:
       - main
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: true
 
   quality_checks:
     name: Quality Checks
     needs: get_config_values
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:

.github/workflows/pull_request.yaml

@@ -6,6 +6,7 @@ on:
       - main
   workflow_dispatch:
 
+permissions: {}
 jobs:
   pr_title_format_check:
     name: PR Title Format Check
@@ -14,6 +15,10 @@ jobs:
       pull-requests: write
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
 
@@ -23,11 +28,14 @@ jobs:
     runs-on: ubuntu-22.04
     permissions:
       id-token: write
+      contents: read
     outputs:
       pypi_token: ${{ steps.get_pypi_token.outputs.pypi_token }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         name: Checkout source code
+        with:
+          persist-credentials: false
 
       - name: Get PyPI token
         id: get_pypi_token
@@ -36,7 +44,11 @@ jobs:
   quality_checks:
     name: Quality Checks
     needs: get_config_values
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
@@ -45,7 +57,7 @@ jobs:
   tag_release:
     name: Tag Release (Dry Run)
     needs: [get_config_values, get_pypi_token]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
@@ -56,6 +68,7 @@ jobs:
     permissions:
       id-token: write
       contents: write
+      packages: write
 
   dependabot_auto_approve_and_merge:
     name: Dependabot Auto Approve and Merge

.github/workflows/release.yaml

@@ -2,39 +2,55 @@ name: Release
 
 on:
   workflow_dispatch:
+permissions: {}
 
 jobs:
   get_pypi_token:
     name: Get PyPI Token for Trusted Publishing
     runs-on: ubuntu-22.04
     permissions:
       id-token: write
+      contents: read
     outputs:
       pypi_token: ${{ steps.get_pypi_token.outputs.pypi_token }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         name: Checkout source code
+        with:
+          persist-credentials: false
 
       - name: Get PyPI token
         id: get_pypi_token
         uses: ./.github/actions/get_pypi_token
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
   quality_checks:
     name: Quality Checks
     needs: get_config_values
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   get_next_version:
     name: Get Next Version Number for Poetry
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [get_config_values, quality_checks]
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
@@ -43,6 +59,8 @@ jobs:
   build:
     name: Build Package and Upload as Artifact
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     container:
       image: ${{ needs.get_config_values.outputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
@@ -57,7 +75,9 @@ jobs:
         run: |
           cp /home/vscode/.tool-versions "$HOME/.tool-versions"
       - name: Git checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: make install
         run: |
           make install
@@ -80,7 +100,7 @@ jobs:
 
   tag_release:
     name: Tag Release
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [build, get_config_values, get_pypi_token]
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
@@ -94,6 +114,6 @@ jobs:
     secrets:
       PYPI_TOKEN: ${{ needs.get_pypi_token.outputs.pypi_token }}
     permissions:
-      actions: write
-      contents: write
       id-token: write
+      contents: write
+      packages: write

.github/workflows/sync_copilot.yml

@@ -4,6 +4,7 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 6 * * 1'
+permissions: {}
 
 jobs:
   sync-copilot-instructions:

.gitignore

@@ -26,3 +26,4 @@ __pycache__/
 
 # Temp
 agents.md
+.sbom/

.grype.yaml

@@ -0,0 +1,5 @@
+ignore:
+  # urllib3 - fixed to older version to match spine
+  - vulnerability: GHSA-gm62-xv2j-4w53
+  - vulnerability: GHSA-2xpw-w6gg-jr37
+  - vulnerability: GHSA-38jv-5279-wg99

.pre-commit-config.yaml

@@ -18,6 +18,14 @@ repos:
 
   - repo: local
     hooks:
+      - id: grype-scan-local
+        name: Grype scan local changes
+        entry: make
+        args: ["grype-scan-local"]
+        language: system
+        pass_filenames: false
+        always_run: true
+
       - id: check-commit-signing
         name: Check commit signing
         description: Ensures that commits are GPG signed

zizmor.yml

@@ -0,0 +1,5 @@
+rules:
+  unpinned-images:
+    # these workflows use unpinned images because they are using a full image passed in that contains the tag
+    ignore:
+      - release.yaml:65:7