
Chore: [AEA-0000] - make action more secure#8

Merged
anthony-nhs merged 1 commit into main from update_devContainer
Mar 31, 2026

Conversation

@anthony-nhs
Collaborator

Summary

  • Routine Change

Details

  • small changes to make the action more secure

Copilot AI review requested due to automatic review settings March 31, 2026 09:06
@github-actions
Contributor

This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket:

AEA-0000

@anthony-nhs anthony-nhs merged commit 304ab2f into main Mar 31, 2026
4 checks passed

Copilot AI left a comment


Pull request overview

This PR hardens the repository’s GitHub Action and workflows by reducing credential persistence and limiting secret propagation between reusable workflows.

Changes:

  • Disable credential persistence for actions/checkout in the composite action (persist-credentials: false).
  • Stop inheriting all caller secrets into the tag_release reusable workflow jobs.
  • Update the devcontainer base image version and remove the postAttachCommand that configured git-secrets.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • action.yml: Prevents checkout from persisting credentials in the workspace.
  • .github/workflows/release.yml: Removes secrets: inherit from the reusable workflow invocation.
  • .github/workflows/pull_request.yml: Removes secrets: inherit from the reusable workflow invocation.
  • .github/workflows/ci.yml: Removes secrets: inherit from the reusable workflow invocation.
  • .devcontainer/devcontainer.json: Bumps the devcontainer image version and removes git-secrets registration on attach.

"USER_GID": "${localEnv:GROUP_ID:}"
},
"updateRemoteUserUID": false
},
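Review bot: `"USER_GID": "${localEnv:GROUP_ID:}"` resolves to an empty string when GROUP_ID is not exported in the host environment, because the text after the second colon is the default value and it is empty here. With `"updateRemoteUserUID": false` nothing else reconciles the container user's ids with the host, so an empty build argument would reach the image build. Consider a numeric fallback such as `"${localEnv:GROUP_ID:1000}"`, or document that GROUP_ID must be set before the container is built.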

Copilot AI Mar 31, 2026


The postAttachCommand that registers git-secrets has been removed, and there doesn’t appear to be any other git-secrets setup in the repo. If the intention is still to have local secret scanning in the devcontainer, please add an equivalent hook elsewhere (e.g., postCreateCommand) or document that this is now handled in the base image; otherwise this change effectively drops that safeguard.

Suggested change
},
},
"postCreateCommand": "if command -v git-secrets >/dev/null 2>&1; then git secrets --install -f && git secrets --register-aws; else echo 'WARNING: git-secrets is not installed in this devcontainer image; local secret scanning hooks were not configured.'; fi",

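As an added example, not the repository's own action or workflow files, the two hardening patterns the review overview describes, each with the weak setting beside its replacement. The action name, the called workflow file, the job and step names and the RELEASE_TOKEN secret are assumed for illustration; only the tag_release workflow name comes from the review.

```yaml
# action.yml (composite action) -- names assumed for illustration
name: example-action
description: Checks out the repository without leaving a token behind
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
      with:
        # Default is true: the job's GITHUB_TOKEN is written to .git/config
        # as an http.<url>.extraheader, readable by every later step and by
        # any tool or dependency those steps run. Disable it unless a later
        # step must push with that token.
        persist-credentials: false
    - name: Verify no credential header survived checkout
      shell: bash
      run: |
        if git config --get-all http.https://github.com/.extraheader >/dev/null; then
          echo "token still present in .git/config" >&2
          exit 1
        fi
---
# .github/workflows/tag_release.yml (called workflow, assumed file name)
# Declares exactly which secrets it accepts; the caller cannot pass others.
name: tag_release
on:
  workflow_call:
    secrets:
      RELEASE_TOKEN:
        required: true
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # same setting as the composite action
      - name: Create the release with an explicitly scoped token
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: gh release create "$GITHUB_REF_NAME" --generate-notes
---
# .github/workflows/release.yml (caller)
name: release
on:
  push:
    tags: ['v*']
jobs:
  tag_release:
    uses: ./.github/workflows/tag_release.yml
    # Weak: forwards every secret the caller can see, whether needed or not.
    # secrets: inherit
    # Hardened: pass only what tag_release.yml declares under workflow_call.
    secrets:
      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
```

Two caveats when applying this: a step that later needs to push (tagging, changelog commits) no longer finds a token in .git/config and must be given one explicitly, for example through the `token` input of a second checkout or an environment variable as above; and once `secrets: inherit` is gone, every secret the called workflow uses must be declared under `workflow_call.secrets`, otherwise the run fails at validation with an undeclared-secret error rather than at the step that reads it.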