NHSDigital · Valswyn-NHS · Apr 17, 2026 · Apr 17, 2026
diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml
@@ -5,44 +5,43 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - name: Set TICKET_NAME environment variable if branch name references a Jira ticket
-      env:
-        REF: ${{ github.event.pull_request.head.ref }}
-      run: |
-        OUTPUT=$(echo "$REF" | { grep -i -E -q "(apm-[0-9]+)|(apmspii-[0-9]+)|(adz-[0-9]+)|(amb-[0-9]+)|(amp-[0-9]+)|(dependabot\/)" || test $? = 1; })
-        if [ ! -z "$OUTPUT" -a "$OUTPUT" != " " ]; then
-          TICKET_NAME=$(echo $OUTPUT | tr '[:lower:]' '[:upper:]')
-          echo "TICKET_NAME=$TICKET_NAME" >> "$GITHUB_ENV"
-        fi
+      - name: Set TICKET_NAME environment variable if branch name references a Jira ticket
+        env:
+          REF: ${{ github.event.pull_request.head.ref }}
+        run: |
+          OUTPUT=$(echo "$REF" | { grep -i -E -q "(apm-[0-9]+)|(apmspii-[0-9]+)|(adz-[0-9]+)|(amb-[0-9]+)|(amp-[0-9]+)|(dependabot\/)" || test $? = 1; })
+          if [ ! -z "$OUTPUT" -a "$OUTPUT" != " " ]; then
+            TICKET_NAME=$(echo $OUTPUT | tr '[:lower:]' '[:upper:]')
+            echo "TICKET_NAME=$TICKET_NAME" >> "$GITHUB_ENV"
+          fi
 
-    - name: Comment on PR with link to JIRA ticket
-      uses: thollander/actions-comment-pull-request@v2
-      if: ${{ env.TICKET_NAME }}
-      with:
-        message: |
-          This branch is work on a ticket in the NHS England's API Management JIRA Project:
-          # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME}})
-        comment_tag: jira-ticket
+      - name: Comment on PR with link to JIRA ticket
+        uses: thollander/actions-comment-pull-request@v2
+        if: ${{ env.TICKET_NAME }}
+        with:
+          message: |
+            This branch is work on a ticket in the NHS England's API Management JIRA Project:
+            # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME}})
+          comment_tag: jira-ticket
 
-    - name: Add UAT Portal Deployment Instructions to PR
-      uses: thollander/actions-comment-pull-request@v2
-      with:
-        message: |
-          Manually run the [Publish Spec to Bloomreach UAT Portal](https://github.com/NHSDigital/proxygen-api-specification/actions/workflows/publish-uat.yml) to preview specification on the [UAT Portal](https://uat2.nhsd.io/developer/api-catalogue/proxy-generator) (requires VPN).
-        comment_tag: uat-deploy
-
-    - name: Checkout
-      uses: actions/checkout@v3
+      - name: Add UAT Portal Deployment Instructions to PR
+        uses: thollander/actions-comment-pull-request@v2
+        with:
+          message: |
+            Manually run the [Publish Spec to Bloomreach UAT Portal](https://github.com/NHSDigital/proxygen-api-specification/actions/workflows/publish-uat.yml) to preview specification on the [UAT Portal](https://uat2.nhsd.io/developer/api-catalogue/proxy-generator) (requires VPN).
+          comment_tag: uat-deploy
 
-    - name: Cache node modules
-      uses: actions/cache@v4
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
-
-    - name: Install repo
-      run: make install
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-    - name: Vacuum OpenAPI Spec linter
-      run: make lint
+      - name: Cache node modules
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
 
+      - name: Install repo
+        run: make install
+
+      - name: Vacuum OpenAPI Spec linter
+        run: make lint
diff --git a/.github/workflows/publish-uat.yml b/.github/workflows/publish-uat.yml
@@ -6,44 +6,44 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v3
-
-    - name: Set OAS info.version to ${{ github.ref_name}}-${{github.sha}}
-      run: sed -i 's/__VERSION__/${{ github.ref_name}}-${{github.sha}}/g' specification/proxygen.yaml
-
-    - name: Cache node modules
-      uses: actions/cache@v4
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
-
-    - name: Install repo
-      run: make install
-
-    - name: Vacuum OpenAPI Spec linter
-      run: make lint
-
-    - name: Setup proxygen-cli
-      env:
-        PROXYGEN_PRIVATE_KEY: ${{ secrets.ENCODED_PROXYGEN_PRIVATE_KEY }}
-        PROXYGEN_KID: ${{ secrets.PROXYGEN_KID }}
-        PROXYGEN_CLIENT_ID: ${{ secrets.PROXYGEN_CLIENT_ID }}
-      run: |
-        pipx install proxygen-cli
-        pipx upgrade proxygen-cli
-
-        # Setup proxygen auth and settings
-        mkdir -p ${HOME}/.proxygen
-        echo "$PROXYGEN_PRIVATE_KEY" | base64 --decode > ${HOME}/.proxygen/key
-        envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml
-        envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
-        proxygen status
-
-    - name: Publish spec
-      run: proxygen spec publish specification/proxygen.yaml --uat --no-confirm
-
-    - name: Instructions for viewing UAT Specification
-      run: |
-        echo "View uat spec changes at https://uat2.nhsd.io/developer/api-catalogue/proxy-generator"
-        echo "Remember Bloomreach pulls UAT changes every 5-10 minutes so changes may not appear right away. You must be connected to the VPN."
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set OAS info.version to ${{ github.ref_name}}-${{github.sha}}
+        run: sed -i 's/__VERSION__/${{ github.ref_name}}-${{github.sha}}/g' specification/proxygen.yaml
+
+      - name: Cache node modules
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
+
+      - name: Install repo
+        run: make install
+
+      - name: Vacuum OpenAPI Spec linter
+        run: make lint
+
+      - name: Setup proxygen-cli
+        env:
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.ENCODED_PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_KID: ${{ secrets.PROXYGEN_KID }}
+          PROXYGEN_CLIENT_ID: ${{ secrets.PROXYGEN_CLIENT_ID }}
+        run: |
+          pipx install proxygen-cli
+          pipx upgrade proxygen-cli
+
+          # Setup proxygen auth and settings
+          mkdir -p ${HOME}/.proxygen
+          echo "$PROXYGEN_PRIVATE_KEY" | base64 --decode > ${HOME}/.proxygen/key
+          envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml
+          envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
+          proxygen status
+
+      - name: Publish spec
+        run: proxygen spec publish specification/proxygen.yaml --uat --no-confirm
+
+      - name: Instructions for viewing UAT Specification
+        run: |
+          echo "View uat spec changes at https://uat2.nhsd.io/developer/api-catalogue/proxy-generator"
+          echo "Remember Bloomreach pulls UAT changes every 5-10 minutes so changes may not appear right away. You must be connected to the VPN."
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,54 +9,54 @@ jobs:
   release_and_publish:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v3
-      with:
-        fetch-depth: 0  # Required for calculate_version.py script
-
-    - name: Setup Python environment and dependencies
-      run: |
-        pipx install poetry
-        poetry install
-
-    - name: Calculate version
-      run: echo "SPEC_VERSION=$(poetry run python scripts/calculate_version.py)" >> "$GITHUB_ENV"
-
-    - name: Set OAS info.version to ${{ env.SPEC_VERSION }}
-      run: sed -i 's/__VERSION__/${{ env.SPEC_VERSION }}/g' specification/proxygen.yaml
-
-    - name: Cache node modules
-      uses: actions/cache@v4
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
-
-    - name: Install repo
-      run: make install
-
-    - name: Vacuum OpenAPI Spec linter
-      run: make lint
-
-    - name: Create Release ${{ env.SPEC_VERSION }}
-      uses: softprops/action-gh-release@v1
-      with:
-        tag_name: ${{ env.SPEC_VERSION }}
-
-    - name: Setup proxygen-cli
-      env:
-        PROXYGEN_PRIVATE_KEY: ${{ secrets.ENCODED_PROXYGEN_PRIVATE_KEY }}
-        PROXYGEN_KID: ${{ secrets.PROXYGEN_KID }}
-        PROXYGEN_CLIENT_ID: ${{ secrets.PROXYGEN_CLIENT_ID }}
-      run: |
-        pipx install proxygen-cli
-        pipx upgrade proxygen-cli
-
-        # Setup proxygen auth and settings
-        mkdir -p ${HOME}/.proxygen
-        echo "$PROXYGEN_PRIVATE_KEY" | base64 --decode > ${HOME}/.proxygen/key
-        envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml
-        envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
-        proxygen status
-
-    - name: Publish spec
-      run: proxygen spec publish specification/proxygen.yaml --no-confirm
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0 # Required for calculate_version.py script
+
+      - name: Setup Python environment and dependencies
+        run: |
+          pipx install poetry
+          poetry install
+
+      - name: Calculate version
+        run: echo "SPEC_VERSION=$(poetry run python scripts/calculate_version.py)" >> "$GITHUB_ENV"
+
+      - name: Set OAS info.version to ${{ env.SPEC_VERSION }}
+        run: sed -i 's/__VERSION__/${{ env.SPEC_VERSION }}/g' specification/proxygen.yaml
+
+      - name: Cache node modules
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
+
+      - name: Install repo
+        run: make install
+
+      - name: Vacuum OpenAPI Spec linter
+        run: make lint
+
+      - name: Create Release ${{ env.SPEC_VERSION }}
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ env.SPEC_VERSION }}
+
+      - name: Setup proxygen-cli
+        env:
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.ENCODED_PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_KID: ${{ secrets.PROXYGEN_KID }}
+          PROXYGEN_CLIENT_ID: ${{ secrets.PROXYGEN_CLIENT_ID }}
+        run: |
+          pipx install proxygen-cli
+          pipx upgrade proxygen-cli
+
+          # Setup proxygen auth and settings
+          mkdir -p ${HOME}/.proxygen
+          echo "$PROXYGEN_PRIVATE_KEY" | base64 --decode > ${HOME}/.proxygen/key
+          envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml
+          envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
+          proxygen status
+
+      - name: Publish spec
+        run: proxygen spec publish specification/proxygen.yaml --no-confirm
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -24,10 +24,10 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v5        
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Python 3.13
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.13"
 
@@ -56,7 +56,7 @@ jobs:
           chmod +x syft
 
           # Add to PATH for subsequent steps
-          echo "$(pwd)" >> $GITHUB_PATH       
+          echo "$(pwd)" >> $GITHUB_PATH
 
       - name: Create SBOM
         run: bash scripts/create-sbom.sh terraform python tflint
@@ -69,7 +69,7 @@ jobs:
           python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
 
       - name: Upload SBOM CSV as artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sbom-csv
           path: SBOM_${{ github.event.repository.name }}.csv
@@ -81,18 +81,15 @@ jobs:
       - name: Scan SBOM for Vulnerabilities (JSON)
         run: |
           grype sbom:sbom.json -o json > grype-report.json
-
-
 
       - name: Convert Grype JSON to CSV
         run: |
           pip install --upgrade pip
           REPO_NAME=$(basename $GITHUB_REPOSITORY)
           python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
 
-
       - name: Upload Vulnerability Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: grype-report
           path: grype-report-${{ github.event.repository.name }}.csv
@@ -104,7 +101,7 @@ jobs:
           python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
 
       - name: Upload Package Inventory CSV
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sbom-packages
-          path: sbom-packages-${{ github.event.repository.name }}.csv
+          path: sbom-packages-${{ github.event.repository.name }}.csv