From fdba99a9e160179b95decaa9bea4876704f0e795 Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Wed, 15 Apr 2026 16:45:17 +0100 Subject: [PATCH] APM-7202-Github-bestpractices --- .github/workflows/apigee-release-pipeline.yml | 12 ++++---- .../continous-integration-workflow.yaml | 12 ++++---- .github/workflows/pr-lint.yaml | 28 +++++++++---------- .github/workflows/sbom.yml | 17 +++++------ .github/workflows/spec-release-pipeline.yml | 7 ++--- 5 files changed, 35 insertions(+), 41 deletions(-) diff --git a/.github/workflows/apigee-release-pipeline.yml b/.github/workflows/apigee-release-pipeline.yml index 9ae2473d..53988ee7 100644 --- a/.github/workflows/apigee-release-pipeline.yml +++ b/.github/workflows/apigee-release-pipeline.yml @@ -2,8 +2,7 @@ name: apigee-release-pipeline defaults: run: shell: bash # Explicitly sets pipeline to fail if any subprocess fails -on: - push +on: push permissions: contents: read @@ -17,7 +16,7 @@ jobs: PROXYGEN_API_NAME: hello-world steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -36,7 +35,7 @@ jobs: echo PR number - $pr_number echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV fi - + - name: Set Instance as Temporary if: github.ref != 'refs/heads/master' run: | @@ -63,7 +62,6 @@ jobs: fi echo "TITLE=Hello World API" >> $GITHUB_ENV - - name: Update apt repositories run: sudo apt update @@ -91,7 +89,7 @@ jobs: echo "APIGEE_ACCESS_TOKEN=$token" >> $GITHUB_ENV - name: Install Python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.10" @@ -102,7 +100,7 @@ jobs: run: pip install poetry - name: Cache poetry packages - uses: actions/cache@v5 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: ~/.cache/pypoetry key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }} 
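Review bot: The "Cache poetry packages" step in apigee-release-pipeline.yml (hunk @@ -102) replaces `actions/cache@v5` with a commit annotated `# v4.2.0`, so this is a major-version downgrade rather than a pin of the release that was actually in use; the two cache steps in continous-integration-workflow.yaml make the same change. If the downgrade is unintended, pin to the commit of the v5 release instead, e.g. `uses: actions/cache@<v5 release commit SHA> # v5.x.y`, and keep the trailing comment equal to the real tag, since Dependabot/Renovate read that comment to track and bump SHA pins. I cannot verify from the diff that any of the new SHAs correspond to the tags named in their comments, so each SHA is worth checking against the upstream release before merge. The jobs these steps belong to start outside the hunks.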
diff --git a/.github/workflows/continous-integration-workflow.yaml b/.github/workflows/continous-integration-workflow.yaml index f92d5027..4185340e 100644 --- a/.github/workflows/continous-integration-workflow.yaml +++ b/.github/workflows/continous-integration-workflow.yaml @@ -10,12 +10,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function + fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function - name: Install Python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.10" @@ -32,13 +32,13 @@ jobs: run: pip install poetry - name: Cache poetry packages - uses: actions/cache@v5 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: ~/.cache/pypoetry key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }} - name: Cache node modules - uses: actions/cache@v5 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: ~/.npm key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} @@ -55,7 +55,7 @@ jobs: - name: Create release (master only) id: create-release if: github.ref == 'refs/heads/master' - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 continue-on-error: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml index 4e94686e..522257b9 100644 --- a/.github/workflows/pr-lint.yaml +++ b/.github/workflows/pr-lint.yaml 
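Review bot: Pinning `actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4` in the "Create release (master only)" step (hunk @@ -55) locks in a dependency that, as far as I know, is archived upstream and no longer receives fixes; combined with `continue-on-error: true` and the `GITHUB_TOKEN` it is given, a future breakage or compromise of that ref would not fail the job. A pin is still better than the floating `@v1`, but this step should be flagged for replacement with a maintained equivalent such as `gh release create` (the `gh` CLI is preinstalled on ubuntu-latest runners) rather than considered done. The enclosing job starts outside the hunk.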
@@ -11,7 +11,7 @@ jobs:
 # 1) Validate the branch name without using shell (no user input in `run`)
 - name: Check ticket name conforms to requirements
 id: validate-branch
- uses: actions/github-script@v7
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 with:
 script: |
 const ref = context.payload.pull_request?.head?.ref || '';
@@ -24,10 +24,10 @@ jobs:
 - name: Grab ticket name
 id: ticket
 if: contains(github.event.pull_request.head.ref, 'apm-') ||
- contains(github.event.pull_request.head.ref, 'APM-') ||
- contains(github.event.pull_request.head.ref, 'amb-') ||
- contains(github.event.pull_request.head.ref, 'AMB-')
- uses: actions/github-script@v7
+ contains(github.event.pull_request.head.ref, 'APM-') ||
+ contains(github.event.pull_request.head.ref, 'amb-') ||
+ contains(github.event.pull_request.head.ref, 'AMB-')
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 with:
 result-encoding: string
 script: |
@@ -38,10 +38,10 @@ jobs:
 # 3) Comment with link to JIRA ticket, using the safe output (no env mutation)
 - name: Comment on PR with link to JIRA ticket
 if: (contains(github.event.pull_request.head.ref, 'apm-') ||
- contains(github.event.pull_request.head.ref, 'APM-') ||
- contains(github.event.pull_request.head.ref, 'amb-') ||
- contains(github.event.pull_request.head.ref, 'AMB-')) &&
- steps.ticket.outputs.result != ''
+ contains(github.event.pull_request.head.ref, 'APM-') ||
+ contains(github.event.pull_request.head.ref, 'amb-') ||
+ contains(github.event.pull_request.head.ref, 'AMB-')) &&
+ steps.ticket.outputs.result != ''
 uses: unsplash/comment-on-pr@master
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
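Review bot: Both "Comment on PR" steps in pr-lint.yaml still use `uses: unsplash/comment-on-pr@master` (context line at the end of hunk @@ -38, and again in hunk @@ -53 on the next line) — a mutable branch ref of a third-party action that also receives `GITHUB_TOKEN` — while the `actions/github-script` steps in the same file are now pinned to commit SHAs. A branch ref can change between runs without any change to this repository, so it is the one action in this file that most needs the same treatment: `uses: unsplash/comment-on-pr@<release commit SHA> # vX.Y.Z`. The re-indentation of the `if:` continuation lines only changes whitespace inside the multi-line plain scalar, so the expressions themselves are unaffected; writing them as a `>-` folded scalar would make that intent explicit.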
@@ -53,11 +53,11 @@ jobs: # 4) Comment with link to Spec (pure expression usage is fine) - name: Comment on PR with link to Spec if: contains(github.event.pull_request.head.ref, 'apm-') || - contains(github.event.pull_request.head.ref, 'APM-') || - contains(github.event.pull_request.head.ref, 'apmspii-') || - contains(github.event.pull_request.head.ref, 'APMSPII-') || - contains(github.event.pull_request.head.ref, 'adz-') || - contains(github.event.pull_request.head.ref, 'ADZ-') + contains(github.event.pull_request.head.ref, 'APM-') || + contains(github.event.pull_request.head.ref, 'apmspii-') || + contains(github.event.pull_request.head.ref, 'APMSPII-') || + contains(github.event.pull_request.head.ref, 'adz-') || + contains(github.event.pull_request.head.ref, 'ADZ-') uses: unsplash/comment-on-pr@master env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index e580d284..44fa1dbc 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -24,10 +24,10 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python 3.13 - uses: actions/setup-python@v5 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.13" @@ -56,7 +56,7 @@ jobs: chmod +x syft # Add to PATH for subsequent steps - echo "$(pwd)" >> $GITHUB_PATH + echo "$(pwd)" >> $GITHUB_PATH - name: Create SBOM run: bash scripts/create-sbom.sh terraform python tflint @@ -69,7 +69,7 @@ jobs: python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv - name: Upload SBOM CSV as artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-csv path: SBOM_${{ github.event.repository.name }}.csv 
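Review bot: The sbom.yml hunk @@ -24 moves "Checkout" from `actions/checkout@v5` to a commit annotated v6.0.2 and "Setup Python 3.13" from `actions/setup-python@v5` to one annotated v6.0.0, so it bundles two major-version upgrades into a commit presented as a pinning change; the other workflows were already on v6, making this the only file whose action versions actually change. If the upgrade is intended it should be stated in the commit description, otherwise pin to the v5 release commits. Separately, this job has `contents: write` and the checkout step keeps the default of persisting the token into the workspace's git config; unless a later step (outside the hunk) pushes with it, `with: persist-credentials: false` on that step would keep the write-capable token out of reach of the tools run on the checkout. The enclosing job starts outside the hunk.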
@@ -81,8 +81,6 @@ jobs: - name: Scan SBOM for Vulnerabilities (JSON) run: | grype sbom:sbom.json -o json > grype-report.json - - - name: Convert Grype JSON to CSV run: | @@ -90,9 +88,8 @@ jobs: REPO_NAME=$(basename $GITHUB_REPOSITORY) python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv - - name: Upload Vulnerability Report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: grype-report path: grype-report-${{ github.event.repository.name }}.csv @@ -104,7 +101,7 @@ jobs: python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME - name: Upload Package Inventory CSV - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-packages - path: sbom-packages-${{ github.event.repository.name }}.csv \ No newline at end of file + path: sbom-packages-${{ github.event.repository.name }}.csv diff --git a/.github/workflows/spec-release-pipeline.yml b/.github/workflows/spec-release-pipeline.yml index 4ef5907f..532371fd 100644 --- a/.github/workflows/spec-release-pipeline.yml +++ b/.github/workflows/spec-release-pipeline.yml @@ -2,8 +2,7 @@ name: spec-release-pipeline defaults: run: shell: bash # Explicitly sets pipeline to fail if any subprocess fails -on: - push +on: push permissions: contents: read @@ -17,7 +16,7 @@ jobs: PROXYGEN_API_NAME: hello-world steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -40,7 +39,7 @@ jobs: fi - name: Install Python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.10"
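Review bot: With the spec-release-pipeline.yml "Checkout" and "Install Python 3.10" steps (hunks @@ -17 and @@ -40) now pinned to commit SHAs like the other four files, the pins will silently go stale unless something bumps them, and I cannot see from the diff whether a `.github/dependabot.yml` with a `github-actions` ecosystem entry (or a Renovate config) exists. If it does not, adding one belongs with this change, since the `# vX.Y.Z` comments placed after each SHA are the form such tooling uses to recognise and update the pinned version. The `on: push` rewrite is equivalent to the old two-line form and still triggers on every branch and tag push, which is pre-existing behaviour but worth keeping in mind given the job names a temporary instance on non-master refs; the sbom.yml hunks on this line are whitespace and trailing-newline fixes only.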