Chore: [AEA-6242] - use new quality checks #1071
Merged
anthony-nhs merged 3 commits into main from Apr 13, 2026
Pull request overview
Updates repository security/quality tooling configuration to align with newer checks, tightening GitHub Actions token permissions and switching vulnerability scanning/ignores to newer mechanisms.
Changes:
- Introduces Zizmor config and Grype config; removes legacy Trivy config/ignore files.
- Hardens multiple GitHub Actions workflows by setting default `permissions: {}` and adding explicit job permissions.
- Updates devcontainer image version and adds CODEOWNERS protection for workflow changes.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| zizmor.yml | Adds Zizmor rule ignores for specific workflow findings. |
| trivy.yaml | Removes legacy Trivy config reference. |
| .trivyignore.yaml | Removes legacy Trivy ignore list. |
| .pre-commit-config.yaml | Adds a local Grype scanning hook. |
| .grype.yaml | Adds Grype ignore configuration. |
| .github/workflows/sync_copilot.yml | Sets default workflow token permissions to none; keeps explicit job permission. |
| .github/workflows/release.yml | Adds explicit permissions per job and updates to newer quality checks workflow ref. |
| .github/workflows/pull_request.yml | Adds explicit permissions per job; removes merge_group trigger. |
| .github/workflows/delete_old_cloudformation_stacks.yml | Adds default permissions: {}; hardens checkout credentials persistence. |
| .github/workflows/ci.yml | Adds explicit permissions per job and updates to newer quality checks workflow ref. |
| .github/workflows/cdk_release_code.yml | Adds default permissions: {} and updates checkout pinning / env usage. |
| .github/workflows/cdk_package_code.yml | Adds default permissions: {} and hardens checkout credentials persistence. |
| .github/CODEOWNERS | Restricts approvals for workflow changes to admins. |
| .devcontainer/devcontainer.json | Bumps devcontainer image version. |
Comments suppressed due to low confidence (1)

.github/workflows/cdk_package_code.yml:25

- This reusable workflow uploads an artifact via `actions/upload-artifact`. With top-level `permissions: {}`, the `package_code` job likely needs explicit `actions: write` permission for artifact upload; otherwise the upload step may be denied.

```yaml
permissions: {}
jobs:
  package_code:
    runs-on: ubuntu-22.04
    container:
      image: ${{ inputs.pinned_image }}
      options: --user 1001:1001 --group-add 128
    defaults:
      run:
        shell: bash
    permissions:
      id-token: write
      contents: read
      packages: read
    steps:
```
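Review bot: The `actions: write` suggestion for `package_code` should be confirmed against a real run rather than granted pre-emptively: the job-level block shown (`id-token: write`, `contents: read`, `packages: read`) is already a tight least-privilege set, and `actions: write` would also let the job's token cancel, re-run and delete artifacts for workflows in this repository, which is wider than an upload needs. Run the workflow with the current block once; add `actions: write` only if the `upload-artifact` step is actually denied, and note the reason in a comment next to the permission so it is not removed again on the next tightening pass.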
Comment on lines +41 to 45

```yaml
permissions: {}

jobs:
  release_code:
```
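Review bot: With top-level `permissions: {}` the `GITHUB_TOKEN` has no scopes at all by default, and the visible lines start `release_code:` without a job-level `permissions:` block; if that block is not just outside the shown range, any checkout or OIDC token request inside `release_code` will fail. Add a job-level block that matches what the callers in `release.yml` and `ci.yml` pass down (they grant `contents: write` and `id-token: write`), since a reusable workflow cannot use scopes the calling job does not grant.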
Comment on lines 56 to 63

```yaml
package_code:
  needs: [tag_release, get_config_values]
  uses: ./.github/workflows/cdk_package_code.yml
  permissions:
    contents: read
    id-token: write
    packages: read
  with:
```
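Review bot: The caller's grant here (`contents: read`, `id-token: write`, `packages: read`) exactly matches the job-level block inside `cdk_package_code.yml`, which is what makes the call work: the called workflow's job can only use scopes the calling job passes down. That coupling is easy to break silently on a future edit, so a one-line comment beside each block pointing at the other (or a Zizmor/CI check that the two stay in sync) is worth adding now.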
Comment on lines 66 to 72

```yaml
release_dev:
  needs: [tag_release, package_code, get_commit_id, get_config_values]
  uses: ./.github/workflows/cdk_release_code.yml
  permissions:
    contents: write
    id-token: write
  with:
```
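Review bot: `release_dev` is granted `contents: write` while `package_code` just above gets only `contents: read`; check whether `cdk_release_code.yml` actually writes to the repository (tags, release notes, commits). If the deploy only checks out and then assumes a cloud role via OIDC (`id-token: write`), `contents: read` is enough, and granting write here gives a deploy job the ability to push to the repository, which is exactly what the new `permissions: {}` default is meant to rule out.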
Comment on lines 3 to 8

```yaml
on:
  pull_request:
    branches: [main]
  merge_group:
    branches: [main]

env:
  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
permissions: {}
```
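Review bot: Placing `github.event.pull_request.head.ref` into `env.BRANCH_NAME` instead of interpolating it inline is the right pattern, because a contributor chooses their branch name and it reaches this workflow as untrusted text; make sure every step consumes it as a quoted shell variable (`"$BRANCH_NAME"`) and never via `${{ env.BRANCH_NAME }}` inside a `run:` script, which would reintroduce the template injection the env var is meant to avoid. Separately, the overview says `merge_group` is being removed from `on:`: if a merge queue is enabled on `main`, this workflow's required checks would no longer run for queued merges, so confirm that is intended or that the checks are covered elsewhere.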
Comment on lines 115 to 123

```yaml
package_code:
  uses: ./.github/workflows/cdk_package_code.yml
  needs: [get_config_values]
  permissions:
    contents: read
    id-token: write
    packages: read
  with:
    pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
```
Comment on lines 85 to 91

```yaml
release_qa:
  needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values]
  uses: ./.github/workflows/cdk_release_code.yml
  permissions:
    contents: write
    id-token: write
  with:
```
Comment on lines 88 to 94

```yaml
release_ref:
  needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values]
  uses: ./.github/workflows/cdk_release_code.yml
  permissions:
    contents: write
    id-token: write
  with:
```
Comment on lines 105 to 111

```yaml
release_qa:
  needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values]
  uses: ./.github/workflows/cdk_release_code.yml
  permissions:
    contents: write
    id-token: write
  with:
```
Comment on lines 123 to 129

```yaml
release_int:
  needs: [tag_release, release_qa, package_code, get_commit_id, get_config_values]
  uses: ./.github/workflows/cdk_release_code.yml
  permissions:
    contents: write
    id-token: write
  with:
```
Comment on lines 145 to 151

```yaml
release_prod:
  needs: [tag_release, release_int, package_code, get_commit_id, get_config_values]
  uses: ./.github/workflows/cdk_release_code.yml
  permissions:
    contents: write
    id-token: write
  with:
```
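Review bot: All five `release_*` jobs (`release_dev`, `release_qa`, `release_ref`, `release_int`, `release_prod`) call `cdk_release_code.yml` with an identical `permissions:` block of `contents: write` and `id-token: write`, so whichever `contents` scope the called workflow genuinely needs should be settled once and applied to every caller, rather than tightened on one and forgotten on the rest. For `release_prod` specifically, the `needs:` chain is the only thing ordering it after the lower environments; if the OIDC role it assumes is the production one, pairing the job with a protected environment (required reviewers, branch restriction) keeps that role from being reachable by a job that skipped the chain.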