Chore: [AEA-6242] - move to new quality checks (#997)

## Summary

- Routine Change

### Details

- move to new quality checks

Author: anthony-nhs

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "v1.4.4",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     }

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# restrict access to approving workflow changes
+.github/workflows/ @NHSDigital/eps-admins

.github/workflows/cdk_package_code.yml

@@ -13,6 +13,7 @@ on:
         type: string
         required: true
 
+permissions: {}
 jobs:
   package_code:
     runs-on: ubuntu-22.04
@@ -33,7 +34,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
+          persist-credentials: false
       - name: Setting up .npmrc
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/cdk_release_code.yml

@@ -41,6 +41,8 @@ on:
       CDK_DEPLOY_ROLE:
         required: true
 
+permissions: {}
+
 jobs:
   deploy_cdk_code:
     runs-on: ubuntu-22.04
@@ -217,6 +219,7 @@ jobs:
         with:
           ref: gh-pages
           path: gh-pages
+          persist-credentials: true
 
       - name: Update release tag in github pages
         if: ${{ inputs.DEPLOY_CDK_CODE == true }}

.github/workflows/ci.yml

@@ -4,16 +4,22 @@ on:
   push:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
-
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
     secrets:
@@ -31,20 +37,24 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     permissions:
       id-token: write
       contents: write
+      packages: write
     with:
       dry_run: true
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
 
   package_code:
     needs: [tag_release, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_package_code.yml
+    permissions:
+      contents: write
+      id-token: write
+      packages: read
     with:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
@@ -53,6 +63,9 @@ jobs:
   release_dev:
     needs: [tag_release, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       TARGET_ENVIRONMENT: dev
       VERSION: ${{needs.tag_release.outputs.version_tag}}
@@ -70,6 +83,9 @@ jobs:
   release_qa:
     needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       TARGET_ENVIRONMENT: qa

.github/workflows/pull_request.yml

@@ -4,31 +4,41 @@ on:
   pull_request:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
-
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
   dependabot-auto-approve-and-merge:
     uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      contents: write
+      pull-requests: write
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
 
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   pr_title_format_check:
     uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
-
+    permissions:
+      pull-requests: write
   get_issue_number:
     runs-on: ubuntu-22.04
     outputs:
@@ -57,16 +67,16 @@ jobs:
 
   tag_release:
     needs: [get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     permissions:
       id-token: write
       contents: write
+      packages: write
     with:
       dry_run: true
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
 
   get_commit_id:
     runs-on: ubuntu-22.04
@@ -81,6 +91,10 @@ jobs:
   package_code:
     needs: [quality_checks, get_issue_number, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_package_code.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       VERSION_NUMBER: ${{needs.get_issue_number.outputs.issue_number}}
@@ -89,6 +103,9 @@ jobs:
   show_dev_changes:
     needs: [quality_checks, get_issue_number, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       TARGET_ENVIRONMENT: dev

.github/workflows/release.yml

@@ -3,16 +3,22 @@ name: deploy to environments
 on:
   workflow_dispatch:
 
-env:
-  BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
-
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
     secrets:
@@ -30,10 +36,11 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     permissions:
       id-token: write
       contents: write
+      packages: write
     with:
       dry_run: false
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
@@ -46,6 +53,10 @@ jobs:
   package_code:
     needs: [tag_release, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_package_code.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
@@ -54,6 +65,9 @@ jobs:
   release_dev:
     needs: [tag_release, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       TARGET_ENVIRONMENT: dev
@@ -71,6 +85,9 @@ jobs:
   release_ref:
     needs: [tag_release, package_code, get_commit_id, release_dev, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       TARGET_ENVIRONMENT: ref
@@ -88,6 +105,9 @@ jobs:
   release_qa:
     needs: [tag_release, package_code, get_commit_id, release_dev, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       TARGET_ENVIRONMENT: qa
@@ -113,6 +133,9 @@ jobs:
         get_config_values,
       ]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       TARGET_ENVIRONMENT: int
@@ -130,6 +153,9 @@ jobs:
   release_prod:
     needs: [tag_release, package_code, get_commit_id, release_int, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}"
       TARGET_ENVIRONMENT: prod

.github/workflows/sync_copilot.yml

@@ -4,6 +4,7 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 6 * * 1'
+permissions: {}
 
 jobs:
   sync-copilot-instructions:

.gitignore

@@ -33,3 +33,4 @@ cdk.out/
 .npmrc
 .cfn_guard_out/
 .trivy_out/
+.sbom/

.pre-commit-config.yaml

@@ -23,6 +23,14 @@ repos:
 
   - repo: local
     hooks:
+      - id: grype-scan-local
+        name: Grype scan local changes
+        entry: make
+        args: ["grype-scan-local"]
+        language: system
+        pass_filenames: false
+        always_run: true
+
       - id: check-commit-signing
         name: Check commit signing
         description: Ensures that commits are GPG signed