NHSDigital · anthony-nhs · Apr 13, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "v1.4.4",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     }

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# restrict access to approving workflow changes
+.github/workflows/ @NHSDigital/eps-admins
diff --git a/.github/actions/sync_documents/action.yml b/.github/actions/sync_documents/action.yml
@@ -64,8 +64,8 @@ runs:
       shell: bash
       run: |
         printf "\n"
-        echo "Comparing local files with s3://${{ steps.find-destination-bucket.outputs.BUCKET_NAME }}..."
-        DIFFS=$(aws s3 sync ./s3-content s3://${{ steps.find-destination-bucket.outputs.BUCKET_NAME }} --dryrun)
+        echo "Comparing local files with s3://${BUCKET_NAME}..."
+        DIFFS=$(aws s3 sync ./s3-content "s3://${BUCKET_NAME}" --dryrun)
 
         if [ -z "$DIFFS" ]; then
           echo -e "\033[0;32m✔ NO DISCREPANCIES FOUND.\033[0m"
@@ -76,9 +76,12 @@ runs:
           echo "--------------------------------------------------\033[0m"
 
           CLEAN_DIFFS="${DIFFS//$'\n'/'%0A'}"
-          echo "::warning title=Discrepancy Found in ${{ inputs.TARGET_ENVIRONMENT }}::$CLEAN_DIFFS"
+          echo "::warning title=Discrepancy Found in ${TARGET_ENVIRONMENT}::$CLEAN_DIFFS"
         fi
         printf "\n"
+      env:
+        TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }}
+        BUCKET_NAME: ${{ steps.find-destination-bucket.outputs.BUCKET_NAME }}
 
     - name: Clear Target Environment
       shell: bash

diff --git a/.github/workflows/cdk_package_code.yml b/.github/workflows/cdk_package_code.yml
@@ -15,7 +15,7 @@ on:
       pinned_image:
         type: string
         required: true
-
+permissions: {}
 jobs:
   package_code:
     runs-on: ubuntu-22.04
@@ -36,7 +36,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
+          persist-credentials: false
 
       - name: Setting up .npmrc
         env:
@@ -102,7 +102,7 @@ jobs:
             cdk.json \
             .dependencies
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         name: upload build artifact
         with:
           name: build_artifact

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,18 +4,25 @@ on:
   push:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: true
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
@@ -27,6 +34,7 @@ jobs:
     permissions:
       id-token: write
       contents: write
+      packages: write
     with:
       dry_run: true
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
@@ -36,6 +44,10 @@ jobs:
   package_code:
     needs: [tag_release, get_config_values]
     uses: ./.github/workflows/cdk_package_code.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       STACK_NAME: epsam
       VERSION_NUMBER: ${{ needs.tag_release.outputs.version_tag }}
@@ -45,6 +57,9 @@ jobs:
   release_dev:
     needs: [tag_release, package_code, get_config_values]
     uses: ./.github/workflows/release_all_stacks.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       STACK_NAME: epsam
@@ -72,6 +87,9 @@ jobs:
   release_qa:
     needs: [tag_release, package_code, release_dev, get_config_values]
     uses: ./.github/workflows/release_all_stacks.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       STACK_NAME: epsam

diff --git a/.github/workflows/create_release_notes.yml b/.github/workflows/create_release_notes.yml
diff --git a/.github/workflows/delete_old_cloudformation_stacks.yml b/.github/workflows/delete_old_cloudformation_stacks.yml
@@ -1,29 +1,25 @@
 name: 'Delete old cloudformation stacks'
 
-# Controls when the action will run - in this case triggered manually
 on:
   workflow_dispatch:
   schedule:
     - cron: "0 2,14 * * *"
   push:
     branches: [main]
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions: {}
 jobs:
-  # This workflow contains a single job called "combine-prs"
   delete-old-cloudformation-stacks:
-    # The type of runner that the job will run on
     runs-on: ubuntu-22.04
     permissions:
         id-token: write
         contents: read
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checkout local github scripts
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
+          persist-credentials: false
           sparse-checkout: |
             .github/scripts
 

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -4,12 +4,15 @@ on:
   pull_request:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
 
@@ -21,16 +24,20 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
-          ref: ${{ env.BRANCH_NAME }}
+          persist-credentials: false
           fetch-depth: 0
       - name: Get Commit message
         id: commit_message
         run: |
           echo "commit_message=$(git show -s --format=%s)" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
     needs: [get_config_values, get_commit_message]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     if: ${{ ! contains(needs.get_commit_message.outputs.commit_message, '#skip-qc') }}
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
@@ -103,12 +110,17 @@ jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_gate
     uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      contents: write
+      pull-requests: write
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
 
   pr_title_format_check:
     uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      pull-requests: write
 
   get_issue_number:
     runs-on: ubuntu-22.04
@@ -143,6 +155,10 @@ jobs:
       ! contains(needs.*.result, 'failure') &&
       ! contains(needs.*.result, 'cancelled')
     uses: ./.github/workflows/cdk_package_code.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       STACK_NAME: epsam-pr-${{needs.get_issue_number.outputs.issue_number}}
       VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
@@ -156,6 +172,9 @@ jobs:
       ! contains(needs.*.result, 'failure') &&
       ! contains(needs.*.result, 'cancelled')
     uses: ./.github/workflows/release_all_stacks.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       STACK_NAME: epsam-pr-${{needs.get_issue_number.outputs.issue_number}}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# restrict access to approving workflow changes
		.github/workflows/ @NHSDigital/eps-admins