diff --git a/.gitallowed b/.gitallowed
deleted file mode 100644
index bb5927a..0000000
--- a/.gitallowed
+++ /dev/null
@@ -1,3 +0,0 @@
-id-token: write
-password: \${{secrets\.GITHUB_TOKEN}}
-\.gitallowed
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 990b349..2b0de6b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,7 +6,7 @@ permissions: {}
 
 jobs:
 get_config_values:
- uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 with:
 verify_published_from_main_image: true
 permissions:
@@ -14,7 +14,7 @@ jobs:
 contents: read
 packages: read
 quality_checks:
- uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 needs:
 - get_config_values
 permissions:
@@ -27,7 +27,7 @@ jobs:
 SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
 tag_release:
 needs: [quality_checks, get_config_values]
- uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 9ce6472..0c3c324 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -7,7 +7,7 @@ permissions: {}
 jobs:
 dependabot-auto-approve-and-merge:
 needs: quality_checks
- uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 permissions:
 contents: write
 pull-requests: write
@@ -15,7 +15,7 @@ jobs:
 AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}'
 AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}'
 get_config_values:
- uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 with:
 verify_published_from_main_image: false
 permissions:
@@ -23,7 +23,7 @@ jobs:
 contents: read
 packages: read
 quality_checks:
- uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 needs:
 - get_config_values
 with:
@@ -35,7 +35,7 @@ jobs:
 secrets:
 SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
 pr_title_format_check:
- uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 permissions:
 pull-requests: write
 get_issue_number:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d00ff1a..983f4e8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,7 +7,7 @@ permissions: {}
 
 jobs:
 get_config_values:
- uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 with:
 verify_published_from_main_image: false
 permissions:
@@ -15,7 +15,7 @@ jobs:
 contents: read
 packages: read
 quality_checks:
- uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 needs:
 - get_config_values
 permissions:
@@ -28,7 +28,7 @@ jobs:
 SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
 tag_release:
 needs: [quality_checks, get_config_values]
- uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+ uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8b259f4f2d2b8ff1345fb0d2f9b9f0fbb9d19845
 permissions:
 id-token: write
 contents: write
diff --git a/.grype.yaml b/.grype.yaml
index e5b6aef..4bf5381 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -37,6 +37,7 @@ ignore:
 - vulnerability: CVE-2026-33810
 - vulnerability: CVE-2026-6100
 - vulnerability: CVE-2026-4786
+ - vulnerability: GHSA-pc3f-x583-g7j2
 # node_24 vulnerabilities
 - vulnerability: GHSA-c2c7-rcm5-vvqj
 - vulnerability: GHSA-7r86-cg39-jmmj
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 46f8ca0..67def3f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,6 +23,14 @@ repos:
 
 - repo: local
 hooks:
+ - id: grype-scan-local
+ name: Grype scan local changes
+ entry: make
+ args: ["grype-scan-local"]
+ language: system
+ pass_filenames: false
+ always_run: true
+
 - id: lint-githubactions
 name: Lint github actions
 entry: make
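Review bot: The ignore entry added for GHSA-pc3f-x583-g7j2 in .grype.yaml carries no rationale, whereas the group just below it is at least attributed by the `# node_24 vulnerabilities` comment; an unexplained suppression is hard to revisit and tends to outlive whatever justified it. Suggest a comment on the line above the new entry, e.g. `# GHSA-pc3f-x583-g7j2: <component> - <why the finding does not apply / awaiting upstream fix>, re-check by <date>`. As written the rule is also unscoped, so it silences this advisory for every package in the scan rather than only the one it was added for; if grype's `package:` qualifier fits how this config is maintained, narrowing the rule to that package name keeps the suppression from masking a future occurrence in a different dependency.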
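Review bot: The new `grype-scan-local` hook in .pre-commit-config.yaml runs `make grype-scan-local` on every commit (`always_run: true`, `pass_filenames: false`), and the make target it calls is outside this diff, so nothing here shows how long the scan takes or whether it needs network access to refresh the vulnerability database. A hook that is slow or fails offline is the kind developers start bypassing with `--no-verify`, which would also bypass the secret-scanning hook in this same file, so the cost of this hook affects the others. If the scan is more than a few seconds, consider `stages: [pre-push]` or `stages: [manual]` for it and keep the per-commit path lightweight; a comment above the hook stating where grype is expected to be installed would also help, since `language: system` presumes it is already on the path (the devcontainer, presumably).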
@@ -41,14 +49,15 @@ repos:
 types_or: [sh, shell]
 pass_filenames: false
 
- - id: git-secrets
- name: Git Secrets
- description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+ - id: gitleaks
+ name: Git Leaks
+ description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
 entry: bash
 args:
 - -c
- - 'git-secrets --pre_commit_hook'
+ - "gitleaks git --pre-commit --redact --staged --verbose"
 language: system
+
 - id: check-commit-signing
 name: Check commit signing
 description: Ensures that commits are GPG signed
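Review bot: The new hook's `description` still claims it scans "commits, commit messages, and --no-ff merges", a sentence carried over from the git-secrets entry it replaces, but the command on the `args` line is `gitleaks git --pre-commit --staged`, which scans only the staged changes of the commit being made; suggest `description: gitleaks scans staged changes before each commit to prevent adding secrets into your git repositories.`. The `bash -c` wrapper is also unnecessary for a single command: `entry: gitleaks` with `args: ["git", "--pre-commit", "--redact", "--staged", "--verbose"]` invokes the scanner directly and matches the `args: [...]` style used by the other local hooks. Because `language: system` relies on whatever gitleaks build is present on the developer's machine, nothing in this hunk pins the scanner version or its rule set, so a comment naming where that build comes from would help; `--redact` is the right choice here, as it keeps a detected secret from being echoed into the terminal and shell history.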