From b4a0900cc861fb2841a83b3c97cecd5789ffdc65 Mon Sep 17 00:00:00 2001
From: Valswyn-NHS
Date: Mon, 20 Apr 2026 11:51:34 +0100
Subject: [PATCH 1/3] APM-7202-Github-bestpractices

---
 .github/workflows/cd.yml | 12 ++++++------
 .github/workflows/pr.yml | 28 ++++++++++++++--------------
 .github/workflows/sbom.yml | 15 ++++++---------
 3 files changed, 26 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index bbbc247..e8a10cd 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -4,21 +4,21 @@ on:
 branches:
 - main
 paths:
- - 'src/pytest_nhsd_apim/**'
- - 'pyproject.toml'
- - 'setup.py'
+ - "src/pytest_nhsd_apim/**"
+ - "pyproject.toml"
+ - "setup.py"
 jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout current branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install Python 3.13
- uses: actions/setup-python@v6
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: 3.13
-
+
 - name: install gnome-keyring
 run: |
 sudo apt-get update
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index bbfc02f..7f8222e 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -1,14 +1,13 @@
 name: PR validation
-on:
- pull_request
+on: pull_request
 jobs:
 check_changes:
 runs-on: ubuntu-latest
- outputs:
+ outputs:
 src_changed: ${{ steps.filter.outputs.src }}
 steps:
 - name: Checkout current branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Check the Src folder for changes
 uses: dorny/paths-filter@v3
@@ -20,7 +19,6 @@ jobs:
 - 'pyproject.toml'
 - 'setup.py'
-
 integration-tests:
 needs: check_changes
 if: needs.check_changes.outputs.src_changed == 'true'
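Review bot: The `publish` job in the cd.yml hunk still runs with the default `GITHUB_TOKEN` permissions: `publish:` is immediately followed by `runs-on:` with no job-level `permissions:` block, and the hunk header `@@ -4,21 +4,21 @@ on:` leaves room above it only for `name:`/`on:`/`push:`, so a top-level block is unlikely too (I cannot see those three lines). A job that publishes a package is the one place the token should be pinned to the minimum, so add `permissions:` / `contents: read` under `publish:`, widening only for what the later steps actually need (`id-token: write` if trusted publishing/OIDC is used, which nothing in this hunk shows). The rest of the job, from the gnome-keyring install onwards, continues outside the hunk.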
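Review bot: `uses: dorny/paths-filter@v3` on the last line of the pr.yml hunk is left on a mutable tag while both first-party actions in the same hunk are pinned to commit SHAs, and a third-party action is the one that most needs the pin, since whoever can move the `v3` tag can run arbitrary code in this workflow. Pin it the same way, e.g. `uses: dorny/paths-filter@<full-commit-sha> # v3.x.y`, using the SHA of the release the job currently resolves to. The repo's Dependabot `github-actions` entry (patch 2 on this page) should then keep the SHA and its version comment current, as it will for the other pins.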
@@ -32,12 +30,12 @@ jobs:
 steps:
 - name: Checkout current branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Install Python 3.13
- uses: actions/setup-python@v6
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: 3.13
@@ -52,7 +50,8 @@ jobs:
 - name: get otp
 id: otp
- run: echo ::set-output name=key::$(poetry run python scripts/otp.py ${APIGEE_USERNAME} ${APIGEE_OTP_KEY})
+ run: echo ::set-output name=key::$(poetry run python scripts/otp.py
+ ${APIGEE_USERNAME} ${APIGEE_OTP_KEY})
 - name: Install get_token
 run: |
@@ -64,9 +63,9 @@ jobs:
 run: |
 echo ::add-mask $(SSO_LOGIN_URL=https://login.apigee.com ./get_token -u ${APIGEE_USERNAME}:${APIGEE_PASSWORD} -m ${{ steps.otp.outputs.key }})
 echo ::set-output name=token::$(SSO_LOGIN_URL=https://login.apigee.com ./get_token -u ${APIGEE_USERNAME}:${APIGEE_PASSWORD} -m ${{ steps.otp.outputs.key }})
-
+
 - name: Install Poetry
- run: |
+ run: |+
 make install-deps
 make build-install
 echo "export PATH=$HOME/.local/bin:$PATH" >> $GITHUB_ENV
@@ -81,12 +80,12 @@ jobs:
 steps:
 - name: Checkout current branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: pr
 - name: Checkout main
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: refs/heads/main
 path: main
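Review bot: The rewritten `run:` of the `get otp` step (hunk `@@ -52,7 +50,8 @@`) is now a plain scalar continued on a second line; YAML folds the break to one space so the command is unchanged, but a plain multi-line scalar is fragile (a `: ` or ` #` introduced on the continuation later changes the parse) and `>-` or `|` says the intent explicitly. Since the line is being touched anyway, it is also the moment to retire `::set-output`, which GitHub has deprecated in favour of `$GITHUB_OUTPUT`: `run: echo "key=$(poetry run python scripts/otp.py "$APIGEE_USERNAME" "$APIGEE_OTP_KEY")" >> "$GITHUB_OUTPUT"`. Passing the OTP seed as a command-line argument also exposes it to anything on the runner that can list processes; if `scripts/otp.py` can read it from the environment instead that would be preferable, though the script is not visible here.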
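Review bot: `echo ::add-mask $(...)` on the second context line of hunk `@@ -64,9 +63,9 @@` is not the workflow-command syntax (`::add-mask::<value>`), so the runner most likely does not treat it as a command and the line, Apigee token included, is printed to the step log as ordinary output; the following `::set-output name=token::` line then emits the same token a second time, unmasked. Capture once, mask, then output: `TOKEN=$(SSO_LOGIN_URL=https://login.apigee.com ./get_token -u "${APIGEE_USERNAME}:${APIGEE_PASSWORD}" -m "${{ steps.otp.outputs.key }}")`, `echo "::add-mask::$TOKEN"`, `echo "token=$TOKEN" >> "$GITHUB_OUTPUT"`. That also stops `get_token`, and with it the one-time code, being used twice per run. The new `run: |+` on the Install Poetry step only keeps trailing newlines in the script and reads like a formatter artefact; plain `|`, as used on the other `run:` blocks in this file, is what was meant.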
@@ -98,9 +97,10 @@ jobs:
 echo ::set-output name=candidate::$(grep version pr/pyproject.toml | awk -F\" '{print $2}')
 - name: Install Python 3.13
- uses: actions/setup-python@v6
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: 3.13
 - name: Compare versions
- run: python pr/scripts/compare_version.py ${{ steps.versions.outputs.current }} ${{ steps.versions.outputs.candidate }}
\ No newline at end of file
+ run: python pr/scripts/compare_version.py ${{ steps.versions.outputs.current }}
+ ${{ steps.versions.outputs.candidate }}
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index afdab6e..750097b 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -24,10 +24,10 @@ jobs:
 contents: write
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup Python 3.13
- uses: actions/setup-python@v6
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: "3.13"
@@ -69,7 +69,7 @@ jobs:
 python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
 - name: Upload SBOM CSV as artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: sbom-csv
 path: SBOM_${{ github.event.repository.name }}.csv
@@ -81,8 +81,6 @@ jobs:
 - name: Scan SBOM for Vulnerabilities (JSON)
 run: |
 grype sbom:sbom.json -o json > grype-report.json
-
-
 - name: Convert Grype JSON to CSV
 run: |
@@ -90,9 +88,8 @@ jobs:
 REPO_NAME=$(basename $GITHUB_REPOSITORY)
 python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
-
 - name: Upload Vulnerability Report
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: grype-report
 path: grype-report-${{ github.event.repository.name }}.csv
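Review bot: The rewritten `Compare versions` command (pr.yml hunk `@@ -98,9 +97,10 @@`) still splices `${{ steps.versions.outputs.candidate }}` straight into the shell line, and the hunk's first context line shows that value is whatever `grep version pr/pyproject.toml | awk` extracts from the PR branch's `pyproject.toml`. The workflow runs `on: pull_request`, so a contributor controls that file and any shell metacharacters in its `version` field land in the command unquoted — the expression-injection shape, only mitigated (read-only token, no secrets for fork PRs), not removed. Breaking the plain scalar over two lines just folds back to a single space and does not change this; pass both outputs through `env:` and quote them in the script. The `current` value comes from the `main` checkout and is lower risk, but the same treatment costs nothing.
```yaml
      - name: Compare versions
        env:
          CURRENT: ${{ steps.versions.outputs.current }}
          CANDIDATE: ${{ steps.versions.outputs.candidate }}
        run: python pr/scripts/compare_version.py "$CURRENT" "$CANDIDATE"
```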
@@ -104,7 +101,7 @@ jobs:
 python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
 - name: Upload Package Inventory CSV
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: sbom-packages
- path: sbom-packages-${{ github.event.repository.name }}.csv
\ No newline at end of file
+ path: sbom-packages-${{ github.event.repository.name }}.csv

From 641d2cd75723c11e2b871ff14f2a54e3436dc4ec Mon Sep 17 00:00:00 2001
From: Valswyn-NHS
Date: Tue, 21 Apr 2026 15:25:51 +0100
Subject: [PATCH 2/3] Added interval, cooldown for dependabot and scan secrets

---
 .github/dependabot.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3a01d87..78c1d8d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,13 +7,13 @@ updates:
 - package-ecosystem: "pip"
 directory: "/"
 schedule:
- interval: "daily"
+ interval: "weekly"
 target-branch: "main"
- labels: ["dependencies", "python", "poetry"]
+ labels: [ "dependencies", "python", "poetry" ]
 open-pull-requests-limit: 10
 ignore:
 - dependency-name: "*"
- update-types: ["version-update:semver-major"]
+ update-types: [ "version-update:semver-major" ]
 # ---------------------------
 # GitHub Actions
@@ -21,6 +21,8 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "daily"
+ interval: "weekly"
 target-branch: "main"
- labels: ["dependencies", "github-actions"]
\ No newline at end of file
+ labels: [ "dependencies", "github-actions" ]
+ cooldown:
+ default-days: 7

From 69ab14179260ccffd51090f98bec17f0b2dd347c Mon Sep 17 00:00:00 2001
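Review bot: The `pip` entry in dependabot.yml hunk `@@ -7,13 +7,13 @@` gets the weekly interval but not the `cooldown:` block that the following hunk adds only to `github-actions`. A publication cooldown matters at least as much for PyPI, where a just-pushed malicious or hijacked release is exactly what an immediate Dependabot PR would pull in; add the same `cooldown:` / `default-days: 7` under the pip entry so both ecosystems wait the same period. Separately, the `ignore` rule on `version-update:semver-major` in this hunk also applies to Dependabot security updates per the Dependabot docs, so a fix shipped only in a new major would be skipped without notice — worth confirming that trade-off is intended for this repo.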
From: Valswyn-NHS
Date: Wed, 22 Apr 2026 16:15:59 +0100
Subject: [PATCH 3/3] Config for precommit and gitleaks

---
 scripts/config/gitleaks.toml | 0
 scripts/config/pre-commit.yaml | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 scripts/config/gitleaks.toml
 mode change 100644 => 100755 scripts/config/pre-commit.yaml

diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
old mode 100644
new mode 100755
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
old mode 100644
new mode 100755
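Review bot: The only change in this patch is flipping `scripts/config/gitleaks.toml` and `scripts/config/pre-commit.yaml` from `100644` to `100755`, but these are configuration files read by gitleaks and pre-commit, not scripts, so the executable bit has no function and is the kind of stray mode change that executable-bit lint hooks reject. Revert it with `chmod -x scripts/config/gitleaks.toml scripts/config/pre-commit.yaml` (or `git update-index --chmod=-x` on both). The subject says this commit adds the gitleaks and pre-commit config, yet the diffstat shows 0 insertions, so the actual configuration content is either missing from the series or was committed earlier — worth confirming the files are not empty and that the gitleaks hook is actually wired into the pre-commit config.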