NHSDigital · anthony-nhs · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "v1.4.4",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     }

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# restrict access to approving workflow changes
+.github/workflows/ @NHSDigital/eps-admins
diff --git a/.github/workflows/cdk_package_code.yml b/.github/workflows/cdk_package_code.yml
@@ -7,6 +7,8 @@ on:
         type: string
         required: true
 
+permissions: {}
+
 jobs:
   package_code:
     runs-on: ubuntu-22.04
@@ -27,7 +29,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
+          persist-credentials: false
       - name: Setting up .npmrc
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/cdk_release_code.yml b/.github/workflows/cdk_release_code.yml
@@ -38,7 +38,8 @@ on:
         required: false
       DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE:
         required: false
-
+permissions: {}
+
 jobs:
 
   release_code:
@@ -92,22 +93,26 @@ jobs:
 
       - name: Checkout gh-pages
         if: ${{ !startsWith(inputs.STACK_NAME, 'lambda-resources-pr-') }}
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: gh-pages
           path: gh-pages
+          persist-credentials: true
 
       - name: update release tag in github pages
         if: ${{ inputs.TARGET_ENVIRONMENT != 'dev-pr' }}
         run: |
           cd gh-pages
           NOW=$(date +'%Y-%m-%dT%H:%M:%S')
-          echo "tag,release_datetime" > _data/${{ inputs.TARGET_ENVIRONMENT }}_latest.csv
-          echo "${{ inputs.VERSION_NUMBER }},${NOW}" >> _data/${{ inputs.TARGET_ENVIRONMENT }}_latest.csv
-          echo "${{ inputs.VERSION_NUMBER }},${NOW}" >> _data/${{ inputs.TARGET_ENVIRONMENT }}_deployments.csv
+          echo "tag,release_datetime" > "_data/${TARGET_ENVIRONMENT}_latest.csv"
+          echo "${VERSION_NUMBER},${NOW}" >> "_data/${TARGET_ENVIRONMENT}_latest.csv"
+          echo "${VERSION_NUMBER},${NOW}" >> "_data/${TARGET_ENVIRONMENT}_deployments.csv"
           git config user.name github-actions
           git config user.email github-actions@github.com
-          git add _data/${{ inputs.TARGET_ENVIRONMENT }}_latest.csv
-          git add _data/${{ inputs.TARGET_ENVIRONMENT }}_deployments.csv
-          git commit -m 'update releases for ${{ inputs.TARGET_ENVIRONMENT }}'
+          git add "_data/${TARGET_ENVIRONMENT}_latest.csv"
+          git add "_data/${TARGET_ENVIRONMENT}_deployments.csv"
+          git commit -m "update releases for ${TARGET_ENVIRONMENT}"
           parallel --retries 10 --delay 3 ::: "git pull --rebase && git push"
+        env:
+          TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }}
+          VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,17 +4,24 @@ on:
   push:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: true
   quality_checks:
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
@@ -36,22 +43,29 @@ jobs:
     permissions:
       id-token: 'write'
       contents: 'write'
+      packages: write
     with:
       dry_run: true
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
 
   package_code:
     needs: [tag_release, get_config_values]
     uses: ./.github/workflows/cdk_package_code.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 
   release_dev:
     needs: [tag_release, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
@@ -71,6 +85,9 @@ jobs:
   release_qa:
     needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}

diff --git a/.github/workflows/delete_old_cloudformation_stacks.yml b/.github/workflows/delete_old_cloudformation_stacks.yml
@@ -1,27 +1,23 @@
 name: 'Delete old cloudformation stacks'
 
-# Controls when the action will run - in this case triggered manually
 on:
   workflow_dispatch:
   schedule:
     - cron: "0 2,14 * * *"
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions: {}
 jobs:
-  # This workflow contains a single job called "combine-prs"
   delete-old-cloudformation-stacks:
-    # The type of runner that the job will run on
     runs-on: ubuntu-22.04
     permissions:
         id-token: write
         contents: read
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checkout local github scripts
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
+          persist-credentials: false
           sparse-checkout: |
             .github/scripts
 

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -3,38 +3,47 @@ name: deploy_pr
 on:
   pull_request:
     branches: [main]
-  merge_group:
-    branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
 
   dependabot-auto-approve-and-merge:
     uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      contents: write
+      pull-requests: write
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
 
   quality_checks:
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     needs: [get_config_values]
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   pr_title_format_check:
-    if: github.event_name != 'merge_group'
     uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
-
+    permissions:
+      pull-requests: write
   get_issue_number:
     runs-on: ubuntu-22.04
+    needs: quality_checks
     outputs:
       issue_number: ${{steps.get_issue_number.outputs.result}}
 
@@ -43,55 +52,34 @@ jobs:
         name: get issue number
         id: get_issue_number
         with:
-          result-encoding: string
           script: |
-            // 1. Normal pull_request event
-            if (context.eventName === 'pull_request' && context.payload.pull_request) {
-              return context.payload.pull_request.number;
-            }
-
-            // 2. merge_group event
-            if (context.eventName === 'merge_group') {
-              const queueRef = context.ref; // refs/heads/gh-readonly-queue/main/pr-142-abc
-              const match = queueRef.match(/pr-(\d+)/);
-
-              if (match) {
-                return String(match[1]);
-              }
-
-              // Fallback to commit association using the synthetic SHA
-              const sha = context.payload.merge_group.head_sha;
-
-              const { data } =
+            if (context.issue.number) {
+              // Return issue number if present
+              return context.issue.number;
+            } else {
+              // Otherwise return issue number from commit
+              return (
                 await github.rest.repos.listPullRequestsAssociatedWithCommit({
+                  commit_sha: context.sha,
                   owner: context.repo.owner,
                   repo: context.repo.repo,
-                  commit_sha: sha,
-                });
-
-              if (!data.length) {
-                core.setFailed(`No PR associated with commit ${sha}`);
-              }
-
-              // Strict match: PR head SHA must match original PR head
-              const pr = data.find(pr => pr.head.sha === data[0].head.sha);
-
-              return String(pr.number);
+                })
+              ).data[0].number;
             }
+          result-encoding: string
 
   tag_release:
-    if: github.event_name != 'merge_group'
     needs: [get_config_values]
     uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f3d19a678a725917a5c59cae4d76db621bb7c9c7
     permissions:
       id-token: 'write'
       contents: 'write'
+      packages: write
     with:
       dry_run: true
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
 
   get_commit_id:
     runs-on: ubuntu-22.04
@@ -106,6 +94,10 @@ jobs:
   package_code:
     uses: ./.github/workflows/cdk_package_code.yml
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
   release_code:
@@ -118,6 +110,9 @@ jobs:
         get_config_values,
       ]
     uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       STACK_NAME: dashboards-pr-${{needs.get_issue_number.outputs.issue_number}}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# restrict access to approving workflow changes
		.github/workflows/ @NHSDigital/eps-admins