From 9e36ebc32ddc8e730d1f8448b77065c28d992b4a Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Wed, 15 Apr 2026 09:16:39 +0100 Subject: [PATCH] APM-7202-Github-bestpractices --- .github/workflows/continuous-integration.yml | 94 ++++++++++---------- .github/workflows/sbom.yml | 17 ++-- 2 files changed, 54 insertions(+), 57 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 85ed636..252c8a5 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml 
@@ -3,50 +3,50 @@ name: Build on: push jobs: - build: - name: build - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function - - - name: Install Python 3.10 - uses: actions/setup-python@v5 - with: - python-version: "3.10" - - - name: Update apt repositories - run: sudo apt update - - - name: Upgrade python packaging tools - run: python -m pip install --upgrade pip setuptools wheel - - - name: Install poetry - run: pip install poetry - - - name: Cache poetry packages - uses: actions/cache@v4 - with: - path: ~/.cache/pypoetry - key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }} - - - name: Install python packages - run: poetry install - - - name: Set SPEC_VERSION env var - run: echo ::set-env name=SPEC_VERSION::$(poetry run python scripts/calculate_version.py) - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: true - - - name: Create release (master only) - id: create-release - if: github.ref == 'refs/heads/master' - uses: actions/create-release@v1 - continue-on-error: true - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ env.SPEC_VERSION }} - release_name: ${{ env.SPEC_VERSION }} + build: + name: build + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function + + - name: Install Python 3.10 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 + with: + python-version: "3.10" + + - name: Update apt repositories + run: sudo apt update + + - name: Upgrade python packaging tools + run: python -m pip install --upgrade pip setuptools wheel + + - name: Install poetry + run: pip install poetry + + - name: Cache poetry packages + uses: 
actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + with: + path: ~/.cache/pypoetry + key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }} + + - name: Install python packages + run: poetry install + + - name: Set SPEC_VERSION env var + run: echo ::set-env name=SPEC_VERSION::$(poetry run python scripts/calculate_version.py) + env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + + - name: Create release (master only) + id: create-release + if: github.ref == 'refs/heads/master' + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 + continue-on-error: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ env.SPEC_VERSION }} + release_name: ${{ env.SPEC_VERSION }} diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 7b57a5d..341a437 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -24,10 +24,10 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python 3.13 - uses: actions/setup-python@v5 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.13" @@ -56,7 +56,7 @@ jobs: chmod +x syft # Add to PATH for subsequent steps - echo "$(pwd)" >> $GITHUB_PATH + echo "$(pwd)" >> $GITHUB_PATH - name: Create SBOM run: bash scripts/create-sbom.sh terraform python tflint @@ -69,7 +69,7 @@ jobs: python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv - name: Upload SBOM CSV as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-csv path: SBOM_${{ github.event.repository.name }}.csv @@ -81,8 +81,6 @@ jobs: - name: Scan SBOM for Vulnerabilities (JSON) run: | grype sbom:sbom.json -o json > grype-report.json - - - name: Convert Grype JSON to CSV run: | 
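Review bot: The "Set SPEC_VERSION env var" step on the new side still uses the deprecated `::set-env` workflow command and re-enables it with `ACTIONS_ALLOW_UNSECURE_COMMANDS: true`; set-env was disabled because anything a step writes to the log can rewrite the job environment, and a commit whose purpose is hardening should drop that opt-out rather than carry it forward. Replace the step body with `run: echo "SPEC_VERSION=$(poetry run python scripts/calculate_version.py)" >> "$GITHUB_ENV"` and remove the `env:` block beneath it. The `build` job declares no `permissions:` while `sbom.yml` scopes its job to `contents: write`; adding `permissions:` / `contents: write` under `build:` keeps the token least-privilege for the create-release step. `pip install poetry` is still unpinned, which undercuts the SHA pinning of the actions — `pip install "poetry==<pinned-version>"` (placeholder) would close that gap. `actions/create-release` is archived upstream, so pinning it freezes an unmaintained action; `gh release create` on the runner is the usual replacement.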
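Review bot: The `# v6.0.2` and `# v6.0.0` comments beside the new SHA pins are not checked by GitHub, so each pin is only as trustworthy as the reviewer's confirmation that the SHA is the commit the tag resolves to; please verify them against the upstream tags before merging. Both `actions/checkout` and `actions/setup-python` cross a major version here (v5 → v6), which may carry runner-side requirements such as a newer Node runtime — confirm the runners used by this job satisfy them. Without an automated updater the pins will rot; a `.github/dependabot.yml` entry for the `github-actions` ecosystem keeps the SHAs and their version comments in step. The same applies to the three `upload-artifact` pins in the later hunks of this file.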
@@ -90,9 +88,8 @@ jobs: REPO_NAME=$(basename $GITHUB_REPOSITORY) python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv - - name: Upload Vulnerability Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: grype-report path: grype-report-${{ github.event.repository.name }}.csv @@ -104,7 +101,7 @@ jobs: python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME - name: Upload Package Inventory CSV - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-packages - path: sbom-packages-${{ github.event.repository.name }}.csv \ No newline at end of file + path: sbom-packages-${{ github.event.repository.name }}.csv