NHSDigital · sathiya-nhs · Apr 22, 2026 · Apr 20, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,20 +7,22 @@ updates:
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
     target-branch: "main"
-    labels: ["dependencies", "python", "poetry"]
+    labels: [ "dependencies", "python", "poetry" ]
     open-pull-requests-limit: 10
     ignore:
       - dependency-name: "*"
-        update-types: ["version-update:semver-major"]
+        update-types: [ "version-update:semver-major" ]
 
   # ---------------------------
   # GitHub Actions
   # ---------------------------
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
     target-branch: "main"
-    labels: ["dependencies", "github-actions"]
+    labels: [ "dependencies", "github-actions" ]
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -4,21 +4,21 @@ on:
     branches:
       - main
     paths:
-      - 'src/pytest_nhsd_apim/**'
-      - 'pyproject.toml'
-      - 'setup.py'
+      - "src/pytest_nhsd_apim/**"
+      - "pyproject.toml"
+      - "setup.py"
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout current branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Python 3.13
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: 3.13
-      
+
       - name: install gnome-keyring
         run: |
           sudo apt-get update

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -1,14 +1,13 @@
 name: PR validation
-on: 
-  pull_request
+on: pull_request
 jobs:
   check_changes:
     runs-on: ubuntu-latest
-    outputs: 
+    outputs:
       src_changed: ${{ steps.filter.outputs.src }}
     steps:
       - name: Checkout current branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check the Src folder for changes
         uses: dorny/paths-filter@v3
@@ -20,7 +19,6 @@ jobs:
               - 'pyproject.toml'
               - 'setup.py'
 
-
   integration-tests:
     needs: check_changes
     if: needs.check_changes.outputs.src_changed == 'true'
@@ -32,12 +30,12 @@ jobs:
     steps:
 
       - name: Checkout current branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Install Python 3.13
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: 3.13
 
@@ -52,7 +50,8 @@ jobs:
 
       - name: get otp
         id: otp
-        run: echo ::set-output name=key::$(poetry run python scripts/otp.py ${APIGEE_USERNAME} ${APIGEE_OTP_KEY})
+        run: echo ::set-output name=key::$(poetry run python scripts/otp.py
+          ${APIGEE_USERNAME} ${APIGEE_OTP_KEY})
 
       - name: Install get_token
         run: |
@@ -64,9 +63,9 @@ jobs:
         run: |
           echo ::add-mask $(SSO_LOGIN_URL=https://login.apigee.com ./get_token -u ${APIGEE_USERNAME}:${APIGEE_PASSWORD} -m ${{ steps.otp.outputs.key }})
           echo ::set-output name=token::$(SSO_LOGIN_URL=https://login.apigee.com ./get_token -u ${APIGEE_USERNAME}:${APIGEE_PASSWORD} -m ${{ steps.otp.outputs.key }})
-      
+
       - name: Install Poetry
-        run: |
+        run: |+
           make install-deps
           make build-install
           echo "export PATH=$HOME/.local/bin:$PATH" >> $GITHUB_ENV
@@ -81,12 +80,12 @@ jobs:
     steps:
 
       - name: Checkout current branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: pr
 
       - name: Checkout main
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: refs/heads/main
           path: main
@@ -98,9 +97,10 @@ jobs:
           echo ::set-output name=candidate::$(grep version pr/pyproject.toml | awk -F\" '{print $2}')
 
       - name: Install Python 3.13
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: 3.13
 
       - name: Compare versions
-        run: python pr/scripts/compare_version.py ${{ steps.versions.outputs.current }} ${{ steps.versions.outputs.candidate }}
+        run: python pr/scripts/compare_version.py ${{ steps.versions.outputs.current }}
+          ${{ steps.versions.outputs.candidate }}
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -24,10 +24,10 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v6        
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2        
 
       - name: Setup Python 3.13
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.13"
 
@@ -69,7 +69,7 @@ jobs:
           python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
 
       - name: Upload SBOM CSV as artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sbom-csv
           path: SBOM_${{ github.event.repository.name }}.csv
@@ -81,18 +81,15 @@ jobs:
       - name: Scan SBOM for Vulnerabilities (JSON)
         run: |
           grype sbom:sbom.json -o json > grype-report.json
-
-
 
       - name: Convert Grype JSON to CSV
         run: |
           pip install --upgrade pip
           REPO_NAME=$(basename $GITHUB_REPOSITORY)
           python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
 
-
       - name: Upload Vulnerability Report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: grype-report
           path: grype-report-${{ github.event.repository.name }}.csv
@@ -104,7 +101,7 @@ jobs:
           python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
 
       - name: Upload Package Inventory CSV
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sbom-packages
-          path: sbom-packages-${{ github.event.repository.name }}.csv
+          path: sbom-packages-${{ github.event.repository.name }}.csv
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml