Chore: [AEA-0000] - add pre-commit hooks, update docs, tighten security on workflows #9
anthony-nhs merged 3 commits into main from
Conversation
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
Pull request overview
This PR introduces local development tooling (Poetry + pre-commit) and tightens GitHub Actions permissions to follow a least-privilege posture, alongside a small README workflow example update.
Changes:
- Add Poetry configuration/lockfile and wire `make install` to install pre-commit hooks.
- Add a pre-commit configuration for basic repo hygiene checks plus local lint/security hooks.
- Restrict GitHub Actions default token permissions via `permissions: {}` and explicit per-job permissions.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| README.md | Updates the example workflow YAML to use an explicit permissions: {} default. |
| pyproject.toml | Adds Poetry project configuration and pre-commit as a dev dependency. |
| poetry.toml | Configures Poetry virtualenv behavior (in-project, prefer active Python). |
| poetry.lock | Locks the dev dependency set (pre-commit and transitive deps). |
| Makefile | Updates install flow to run poetry install and install pre-commit hooks. |
| .pre-commit-config.yaml | Adds pre-commit hooks (pre-commit-hooks, flake8, local system hooks). |
| .github/workflows/release.yml | Adds restrictive default permissions and job-level permissions. |
| .github/workflows/pull_request.yml | Adds restrictive default permissions and job-level permissions. |
| .github/workflows/ci.yml | Adds restrictive default permissions and job-level permissions. |
| .gitallowed | Adds an allowlist file intended for secret-scanning tooling. |
| [project] | ||
| python = "^3.14" | ||
| name = "eps-copilot-instructions" | ||
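Review bot: The value on the python line, "^3.14", is a Poetry caret constraint rather than a PEP 440 version specifier, so moving the key to requires-python without rewriting the value still leaves the [project] table invalid. Either write requires-python = ">=3.14,<4" (the PEP 440 equivalent of ^3.14) or drop the [project] table altogether and let [tool.poetry.dependencies].python carry the constraint.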
In PEP 621 metadata, [project] does not support a python key. If you intend to publish/validate metadata, this should be requires-python (e.g. requires-python = ">=3.14") or the entire [project] table should be removed so Poetry’s [tool.poetry.dependencies].python remains the single source of truth.
| [project] | |
| python = "^3.14" | |
| name = "eps-copilot-instructions" |
| @@ -1,8 +1,11 @@ | |||
| .PHONY: install install-node compile lint test | |||
.PHONY doesn’t include the newly added install-python and install-hooks targets. If files/directories with those names ever exist, make may treat them as up-to-date and skip running the recipes; add them to .PHONY to keep behavior consistent.
| .PHONY: install install-node compile lint test | |
| .PHONY: install install-node install-python install-hooks compile lint test |
| - id: check-yaml | ||
| name: Check pipelines configuration | ||
| files: ^(.github) | ||
|
|
||
| - repo: https://github.com/pycqa/flake8 | ||
| rev: "7ef0350a439c93166bc8ba89fcc3de6a9a664e6c" | ||
| hooks: | ||
| - id: flake8 | ||
|
|
||
| - repo: local | ||
| hooks: | ||
| - id: zizmor-action | ||
| name: Check action.yml | ||
| entry: zizmor | ||
| args: ["action.yml"] | ||
| language: system | ||
| files: action.yml | ||
| pass_filenames: false | ||
|
|
||
| - id: lint-githubactions | ||
| name: Lint github actions | ||
| entry: make | ||
| args: ["actionlint"] | ||
| language: system | ||
| files: ^.github | ||
| types_or: [yaml] | ||
| pass_filenames: false | ||
|
|
||
| - id: lint-githubaction-scripts | ||
| name: Lint github action scripts | ||
| entry: make | ||
| args: ["shellcheck"] | ||
| language: system | ||
| files: ^.github/scripts | ||
| types_or: [sh, shell] | ||
| pass_filenames: false |
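Review bot: The zizmor-action hook (entry: zizmor, args: ["action.yml"], files: action.yml) audits only action.yml, while the workflows this PR hardens live under .github/workflows and are exactly the files zizmor exists to check. Widen the scope, for example args: ["."] together with files: ^(\.github/workflows/|action\.yml), so a permissions regression in release.yml, pull_request.yml or ci.yml is caught at commit time and not just by whatever runs later.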
The files: regexes for .github paths use an unescaped . (e.g. ^.github), which matches any character. Escaping the dot and anchoring to a slash (e.g. ^\.github/) will avoid unintended matches outside the .github/ directory.
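The regex pitfall in the comment above, worked through as an added example (this is not code from the PR or the project). pre-commit applies a hook's `files` and `exclude` patterns with Python's `re.search`, so an unanchored or unescaped pattern selects more paths than its author intended. The script runs the three `files` patterns from the diff, and anchored, dot-escaped replacements, over a constructed list of repository paths; the sample paths are made up for the demonstration, and `select_files` and `overmatch_report` are helper names chosen here.

```python
import re

# Constructed repository paths for the demonstration (not from the PR). The
# odd-looking ones exist to show what the loose patterns accidentally select.
SAMPLE_PATHS = [
    ".github/workflows/ci.yml",
    ".github/workflows/release.yml",
    ".github/scripts/release.sh",
    "action.yml",
    "xgithub/notes.yml",          # '^.github': the unescaped '.' matches 'x'
    ".github_backup/old_ci.yml",  # '^.github': no trailing '/' is required
    "tools/action.yml",           # 'action.yml': no '^' anchor
    "myaction.yml",               # 'action.yml': no '^' anchor
    "transaction_yml.md",         # 'action.yml': the '.' matches '_'
]

# `files` patterns exactly as they appear in the .pre-commit-config.yaml diff...
HOOKS_AS_COMMITTED = {
    "zizmor-action": r"action.yml",
    "lint-githubactions": r"^.github",
    "lint-githubaction-scripts": r"^.github/scripts",
}

# ...and anchored, dot-escaped replacements.
HOOKS_TIGHTENED = {
    "zizmor-action": r"^action\.yml$",
    "lint-githubactions": r"^\.github/",
    "lint-githubaction-scripts": r"^\.github/scripts/",
}


def select_files(files_regex, paths, exclude_regex=r"^$"):
    """Return the paths a hook would be considered for.

    Mirrors pre-commit's filtering: both `files` and `exclude` are applied
    with re.search (not fullmatch), which is why '^', '$' and escaping matter.
    The default exclude of '^$' matches nothing. `types`/`types_or` filtering
    is a separate step in pre-commit and is not modelled here.
    """
    include = re.compile(files_regex)
    exclude = re.compile(exclude_regex)
    return [p for p in paths if include.search(p) and not exclude.search(p)]


def overmatch_report(loose, tight, paths):
    """For each hook, list the paths the loose pattern selects that the tight one does not."""
    report = {}
    for hook, loose_re in loose.items():
        tight_hits = set(select_files(tight[hook], paths))
        report[hook] = [p for p in select_files(loose_re, paths) if p not in tight_hits]
    return report


if __name__ == "__main__":
    for hook, extra in overmatch_report(HOOKS_AS_COMMITTED, HOOKS_TIGHTENED, SAMPLE_PATHS).items():
        print(f"{hook}: {len(extra)} unintended path(s) {extra}")
```

A hook with `pass_filenames: false` still fires only when at least one staged file matches `files`, so an over-broad pattern means `make actionlint` runs (and can fail) on commits that touch nothing under .github/, while a too-narrow one silently skips the check; running the pattern against real paths like this before committing the config catches both directions.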
| - repo: local | ||
| hooks: | ||
| - id: zizmor-action | ||
| name: Check action.yml | ||
| entry: zizmor | ||
| args: ["action.yml"] | ||
| language: system | ||
| files: action.yml | ||
| pass_filenames: false | ||
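Review bot: With language: system and entry: zizmor, this hook runs whatever zizmor binary happens to be on the developer's PATH, with no version pinned anywhere in the repository, unlike the flake8 hook elsewhere in this file that is pinned to a commit SHA; findings will differ between machines as zizmor adds or changes rules. If it stays a system hook, record the expected version and have the install target check for it; otherwise switch to a pre-commit-managed hook with a pinned rev so the version lives in the config.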
The local hooks zizmor and git-secrets use language: system, but neither tool is installed via poetry install (they’re not in pyproject.toml/poetry.lock) and the Makefile install flow doesn’t install them either. This will make pre-commit fail on fresh setups unless the tools are preinstalled; consider adding installation steps (or switching to pre-commit-managed hooks / documenting the required system dependencies).