Chore: [AEA-6242] - move to new quality checks#997
Merged
anthony-nhs merged 6 commits intomainfrom Apr 13, 2026
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
Moves the repository onto the updated “quality checks” approach by updating GitHub Actions workflows and related tooling/config to align with the new shared workflow revisions and security posture.
Changes:
- Update CI/PR/release workflows to use newer
eps-common-workflowsrevisions and adopt explicitpermissionsblocks. - Add Zizmor configuration and a local Grype pre-commit scan; remove Trivy config/ignore files.
- Bump devcontainer base image version and ignore generated SBOM output.
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
zizmor.yml |
Adds Zizmor rule config and ignores for specific unpinned-image findings. |
trivy.yaml |
Removes Trivy ignorefile configuration. |
.trivyignore.yaml |
Removes Trivy vulnerability ignore list. |
.pre-commit-config.yaml |
Adds a local grype-scan-local hook. |
.gitignore |
Ignores .sbom/ artifacts. |
.github/workflows/sync_copilot.yml |
Locks down default permissions. |
.github/workflows/release.yml |
Updates shared workflow refs + introduces explicit permissions model. |
.github/workflows/pull_request.yml |
Updates shared workflow refs + introduces explicit permissions model. |
.github/workflows/ci.yml |
Updates shared workflow refs + introduces explicit permissions model. |
.github/workflows/cdk_release_code.yml |
Locks down default permissions and adjusts checkout credential persistence for pushes. |
.github/workflows/cdk_package_code.yml |
Locks down default permissions and adjusts checkout behavior. |
.github/CODEOWNERS |
Adds CODEOWNERS restriction for workflow changes. |
.devcontainer/devcontainer.json |
Updates devcontainer image version. |
|
|
||
| env: | ||
| BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} | ||
| permissions: {} |
|
|
||
| env: | ||
| BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} | ||
| permissions: {} |
|
|
||
| env: | ||
| BRANCH_NAME: ${{ github.event.pull_request.head.ref }} | ||
| permissions: {} |
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Details