Chore: [AEA-6424] - use new common workflows #510

Open
anthony-nhs wants to merge 6 commits into main from new_qc

Conversation

@anthony-nhs
Contributor

Summary

  • Routine Change

Details

  • move to latest qc
  • remove all trivy files
  • add CODEOWNERS to restrict updates to workflows
  • use least permissions on all workflows
  • add --ignore-scripts true to npm install

Copilot AI review requested due to automatic review settings April 8, 2026 13:56

Copilot AI left a comment


Pull request overview

Updates the repository to align with the latest EPS common workflow patterns and security posture (least-privilege workflows, pinned actions), while adjusting local tooling and housekeeping files.

Changes:

  • Migrates CI/release workflows to newer eps-common-workflows revisions and adds workflow-level permissions: {} with job-scoped permissions.
  • Removes Trivy ignore configuration, adds Zizmor config, and introduces a local Grype pre-commit hook.
  • Hardens supply-chain defaults (e.g., npm ci --ignore-scripts, pinned GitHub Actions, CODEOWNERS for workflows, devcontainer image bump).

Reviewed changes

Copilot reviewed 16 out of 17 changed files in this pull request and generated 6 comments.

Summary per file

File | Description
zizmor.yml | Adds Zizmor rule ignores for known findings.
Makefile | Uses npm ci --ignore-scripts to reduce install-time risk.
.trivyignore.yaml | Removes Trivy ignore list (note: Trivy config still exists elsewhere).
.pre-commit-config.yaml | Adds a local Grype scan hook.
.gitignore | Ignores generated .sbom/ output.
.github/workflows/sync_copilot.yml | Applies workflow-level empty permissions.
.github/workflows/run_regression_tests.yml | Applies workflow-level empty permissions and checkout hardening.
.github/workflows/release.yml | Updates common workflow refs and scopes job permissions.
.github/workflows/release_all_stacks.yml | Adds workflow-level empty permissions, checkout hardening, and safer env handling for gh-pages update.
.github/workflows/pull_request.yml | Updates common workflow refs, adds workflow-level empty permissions, and checkout hardening.
.github/workflows/delete_old_cloudformation_stacks.yml | Adds workflow-level empty permissions and checkout hardening.
.github/workflows/create_release_notes.yml | Removes unused workflow file.
.github/workflows/ci.yml | Updates common workflow refs and scopes job permissions.
.github/workflows/cdk_package_code.yml | Adds workflow-level empty permissions, checkout hardening, and pins upload-artifact.
.github/CODEOWNERS | Requires @NHSDigital/eps-admins review for workflow changes.
.github/actions/sync_documents/action.yml | Uses env variables for safer shell interpolation/quoting.
.devcontainer/devcontainer.json | Bumps devcontainer image version.

Comments suppressed due to low confidence (1)

.github/workflows/pull_request.yml:149

  • get_issue_number uses actions/github-script without providing a token input, so it relies on GITHUB_TOKEN. With workflow-level permissions: {} this job has no scopes and the API calls will fail. Add a job-level permissions: block (at least pull-requests: read, and likely contents: read) and/or explicitly pass github-token.
  get_issue_number:
    runs-on: ubuntu-22.04
    outputs:
      issue_number: ${{steps.get_issue_number.outputs.result}}

    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        name: get issue number
        id: get_issue_number
        with:
          script: |
            if (context.issue.number) {
              // Return issue number if present
              return context.issue.number;
            } else {
              // Otherwise return issue number from commit
              return (
                await github.rest.repos.listPullRequestsAssociatedWithCommit({
                  commit_sha: context.sha,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                })
              ).data[0].number;
            }
          result-encoding: string
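The "use least permissions on all workflows" item in the description, the pinned-action changes in the per-file summary, and the get_issue_number finding above all reduce to two checks that can be run over a workflow file before it is merged. The following is an added example, not code from this PR or from the eps-common-workflows repository: a small Python audit that reports action refs not pinned to a full commit SHA and jobs that call the GitHub API via actions/github-script while the workflow-level `permissions: {}` leaves them with no token scopes. The two workflow snippets are constructed for the example (the SHA in the fixed one is the github-script ref this PR already uses); the line-based reader assumes the conventional two-space YAML layout and is a teaching aid, not a replacement for the Zizmor scan the PR adds.

```python
import re

# A full 40-hex commit SHA is the only action ref that cannot be moved later.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Actions that call the GitHub API with GITHUB_TOKEN and therefore need scopes.
API_ACTIONS = ("actions/github-script",)

# Constructed sample: workflow-level `permissions: {}`, but the job that calls
# the API sets no scopes of its own, and the action is pinned only to a tag.
BEFORE = """\
name: pull_request
on:
  pull_request:
    branches: [main]
permissions: {}
jobs:
  get_issue_number:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/github-script@v7
        with:
          script: return context.issue.number
"""

# Constructed sample after the fix: job-level read scopes and a full-SHA pin
# (the SHA is the github-script ref used in this PR).
AFTER = """\
name: pull_request
on:
  pull_request:
    branches: [main]
permissions: {}
jobs:
  get_issue_number:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        with:
          script: return context.issue.number
"""


def parse_workflow(text):
    """Minimal indentation-based reader for what the audit needs: the
    workflow-level `permissions`, each job under `jobs:`, that job's own
    `permissions`, and every `uses:` reference. It assumes the conventional
    two-space layout and is not a general YAML parser."""
    wf = {"permissions": None, "jobs": {}}
    in_jobs, job = False, None
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            m = re.match(r"^permissions:\s*(.*)$", line)
            if m:
                # "{}" for an explicit empty grant, "block" when scopes follow
                wf["permissions"] = m.group(1).strip() or "block"
            else:
                in_jobs, job = line.startswith("jobs:"), None
            continue
        if in_jobs and indent == 2 and re.match(r"^[\w-]+:$", stripped):
            job = stripped[:-1]
            wf["jobs"][job] = {"permissions": None, "uses": []}
            continue
        if job is None:
            continue
        m = re.match(r"^permissions:\s*(.*)$", stripped)
        if m and indent == 4:
            wf["jobs"][job]["permissions"] = m.group(1).strip() or "block"
            continue
        m = re.match(r"^-?\s*uses:\s*(\S+)", stripped)
        if m:
            wf["jobs"][job]["uses"].append(m.group(1))
    return wf


def audit(text):
    """Return (job, finding) pairs; an empty list means the workflow is clean."""
    wf = parse_workflow(text)
    top = wf["permissions"]
    findings = []
    if top is None:
        findings.append(("<workflow>", "no workflow-level permissions: jobs inherit "
                         "the repository's default GITHUB_TOKEN scopes"))
    for name, job in wf["jobs"].items():
        for ref in job["uses"]:
            action = ref.rsplit("@", 1)  # local actions (./...) have no ref part
            if len(action) == 2 and not SHA40.match(action[1]):
                findings.append((name, f"unpinned action {ref}: pin to a full commit SHA"))
            if action[0].startswith(API_ACTIONS) and top == "{}" and job["permissions"] is None:
                findings.append((name, f"{action[0]} runs with no token scopes: workflow "
                                       "permissions are {} and the job sets none"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "clean")
```

Run against BEFORE it reports both problems on get_issue_number; against AFTER it reports nothing. Note the second rule fires only when the workflow-level grant is `{}`: a job with no `permissions:` under a workflow that sets none at all is the opposite failure (it inherits whatever the repository default token allows), which is why the audit also flags a missing workflow-level block.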

@anthony-nhs anthony-nhs enabled auto-merge (squash) April 8, 2026 14:57
@sonarqubecloud