
[PRM-495] Added dispatch to workflows#256

Merged
oliverbeumkes-nhs merged 2 commits into main from PRM-495-PHFIX
Sep 19, 2025

Conversation

@oliverbeumkes-nhs
Contributor

No description provided.

Comment on lines +28 to +32
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      - name: Hello World
        run: echo "Hello, world!"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix the problem, explicitly specify the minimal necessary workflow permissions using the permissions key. Since the workflow appears only to echo "Hello, world!" and does not interact with the repository or GitHub resources, it is safe to restrict all permissions (permissions: {};), or as GitHub recommends, set contents: read at the top level. The best practice is to add the permissions block at the workflow root (directly under the name field, before on:), which applies it to all jobs in the workflow unless overridden.

  • Edit .github/workflows/e2e.yml
  • Add the following block after name: e2e and before on::
    permissions:
      contents: read
    (alternatively, permissions: {} is an even stricter minimal baseline, but contents: read is more typically recommended)
  • No additional imports or definitions are necessary.

Suggested changeset 1
.github/workflows/e2e.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -1,4 +1,6 @@
 name: e2e
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:
EOF
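Review bot: `contents: read` is wider than this workflow needs; the flagged job's only step is `run: echo "Hello, world!"`, which never touches the repository, so `permissions: {}` (the alternative the autofix text itself mentions) is the tighter baseline, and `contents: read` can be granted later on the job that actually checks out the code. Also confirm there is no job-level `permissions:` block further down e2e.yml, since a job-level block replaces this root default rather than merging with it.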
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +28 to +32
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      - name: Hello World
        run: echo "Hello, world!"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

The best approach is to explicitly define a permissions block that grants only the minimal rights required by this workflow. Since the current workflow only prints a message and does not use the GITHUB_TOKEN for any operations (read or write), the most restrictive and therefore safest configuration is permissions: {} at either the workflow or job level.

Recommended: Add the following at the top level (just after the name: and before or after on:):

permissions: {}

Alternatively, for jobs that do require some permissions (e.g., pushing to the repository), you would set only those specific permissions. But in this case, since no permission is required, {} suffices.

What to change:

  • Add a permissions: {} block after the name: line (line 1), or before the jobs: block (after line 25), or (less optimal) under each job. The most common and clear place is immediately after name: ... so it acts as a workflow-global default.
  • No extra imports or methods are necessary.
Suggested changeset 1
.github/workflows/ehr-repo-build-and-publish.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ehr-repo-build-and-publish.yml b/.github/workflows/ehr-repo-build-and-publish.yml
--- a/.github/workflows/ehr-repo-build-and-publish.yml
+++ b/.github/workflows/ehr-repo-build-and-publish.yml
@@ -1,4 +1,5 @@
 name: ehr-repo-build-and-publish
+permissions: {}
 on:
   workflow_dispatch:
     inputs:
EOF
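Review bot: `permissions: {}` is the right default while the job is a stub, but the file is named build-and-publish, so real steps will need token scopes eventually; grant them with a job-level `permissions:` block on the job that needs them rather than widening this root key. Keep in mind that a job-level block replaces the root default entirely (any scope not listed there becomes none), so the job must list every scope it needs in full.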
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +28 to +32
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      - name: Hello World
        run: echo "Hello, world!"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium test

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix this issue, you should add a permissions block to the workflow. The preferred location is at the root level, just below the workflow name and triggers, which sets the permissions for all jobs unless overridden. Since this workflow does not perform any sensitive repository actions, you should specify the most restrictive permissible setting: contents: read (which allows reading repository content, not writing), or even none if nothing at all is needed. However, for many simple jobs, contents: read is recommended as a safe default. The change should be made at the top of .github/workflows/test-ehr-repo.yml, just below the workflow name (name: test-ehr-repo and before the on: block).

Suggested changeset 1
.github/workflows/test-ehr-repo.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/test-ehr-repo.yml b/.github/workflows/test-ehr-repo.yml
--- a/.github/workflows/test-ehr-repo.yml
+++ b/.github/workflows/test-ehr-repo.yml
@@ -1,4 +1,6 @@
 name: test-ehr-repo
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:
EOF
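Review bot: the three suggested patches in this PR are inconsistent with each other: e2e.yml and test-ehr-repo.yml get `contents: read` while ehr-repo-build-and-publish.yml gets `permissions: {}`, although all three flagged jobs are the same `echo "Hello, world!"` stub. Pick one baseline (`{}`) for all three so that a later widening to `contents: read` shows up as a deliberate change in review. Placing the key above `on:` is fine as YAML; the explanation's "below the workflow name and triggers" wording need not be followed literally.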
Copilot is powered by AI and may make mistakes. Always verify output.
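The three Copilot explanations above all turn on the same rule: a root-level `permissions:` key is the default for every job, a job-level block replaces that default, and a job with neither runs with the repository's default GITHUB_TOKEN permissions, which is what the CodeQL alert flags. The checker below is an added example, not the PR's code nor CodeQL's implementation, that applies that rule to workflow text and reports where each job's permissions come from. It assumes block-style YAML with two-space indentation (as in the workflows in this PR) and uses a deliberately minimal indentation scan so it needs only the standard library; the sample workflows and the job id `hello` are constructed for the example.

```python
# Added example: a stand-alone audit of GITHUB_TOKEN `permissions` coverage in a
# GitHub Actions workflow. Not the PR's own code and not CodeQL's query.
# Assumption: block-style YAML, two-space indentation (matches this PR's workflows).


def _indent(line: str) -> int:
    """Number of leading spaces; YAML nesting is indentation-based."""
    return len(line) - len(line.lstrip(" "))


def audit_workflow(text: str) -> dict[str, str]:
    """Map each job id to where its GITHUB_TOKEN permissions come from.

    'job'      - the job declares its own permissions: block
    'workflow' - inherited from a root-level permissions: key
    'none'     - neither; the job runs with the repository default token
                 permissions, the condition the CodeQL alert reports
    """
    root_has_permissions = False
    job_has_permissions: dict[str, bool] = {}
    in_jobs = False
    current_job = None

    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        depth = _indent(raw)
        if depth == 0:
            # New top-level key: note whether we are under jobs: and whether the
            # root declares permissions: in any form ({}, read-all, or a mapping).
            in_jobs = stripped == "jobs:"
            current_job = None
            if stripped.startswith("permissions:"):
                root_has_permissions = True
            continue
        if not in_jobs:
            continue
        if depth == 2 and stripped.endswith(":"):
            current_job = stripped[:-1]  # job id, e.g. "hello"
            job_has_permissions.setdefault(current_job, False)
        elif depth == 4 and current_job is not None and stripped.startswith("permissions:"):
            job_has_permissions[current_job] = True  # job-level block replaces the root default

    result: dict[str, str] = {}
    for job, own in job_has_permissions.items():
        if own:
            result[job] = "job"
        elif root_has_permissions:
            result[job] = "workflow"
        else:
            result[job] = "none"
    return result


def jobs_without_permissions(text: str) -> list[str]:
    """Job ids that would trigger the 'Workflow does not contain permissions' alert."""
    return [job for job, src in audit_workflow(text).items() if src == "none"]


# Constructed sample shaped after the workflow flagged in this PR; the job id
# "hello" is assumed, the page does not show it.
BEFORE = """\
name: e2e
on:
  workflow_dispatch:
    inputs:
      environment:
        type: string
        required: true
jobs:
  hello:
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      - name: Hello World
        run: echo "Hello, world!"
"""

# The same workflow after the autofix: a root-level key now covers every job.
AFTER = BEFORE.replace("name: e2e\n", "name: e2e\npermissions:\n  contents: read\n", 1)

# Constructed: one job sets its own block, the other still falls back to the
# repository default because there is no root-level key.
MIXED = """\
name: mixed
on: push
jobs:
  locked-down:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo "ok"
  wide-open:
    runs-on: ubuntu-latest
    steps:
      - run: echo "uses the default token"
"""

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, audit_workflow(wf), "flagged:", jobs_without_permissions(wf))
```

Running the block prints `before {'hello': 'none'}`, `after {'hello': 'workflow'}` and `mixed {'locked-down': 'job', 'wide-open': 'none'}`; the `wide-open` case is the one worth remembering, since a single job-level block elsewhere in the file does nothing for its siblings.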
@github-actions

Report for environment: pre-prod

Terraform Format and Style 🖌success

Format Output


Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 4.0"...
- Installing hashicorp/aws v4.67.0...
- Installed hashicorp/aws v4.67.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (0 to add, 1 to change, 0 to destroy)


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_alb.alb-internal will be updated in-place
  ~ resource "aws_alb" "alb-internal" {
        id                                          = "arn:aws:elasticloadbalancing:eu-west-2:108148468272:loadbalancer/app/pre-prod-ehr-repo-alb-int/bd71a8cf0838769b"
        name                                        = "pre-prod-ehr-repo-alb-int"
        tags                                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (23 unchanged attributes hidden)

      ~ access_logs {
          ~ bucket  = (sensitive value)
          - prefix  = "ehr-repository" -> null
            # (1 unchanged attribute hidden)
        }

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

@github-actions

Report for environment: prod

Terraform Format and Style 🖌success

Format Output


Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 4.0"...
- Installing hashicorp/aws v4.67.0...
- Installed hashicorp/aws v4.67.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (1 to add, 8 to change, 1 to destroy)


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_alb.alb-internal will be updated in-place
  ~ resource "aws_alb" "alb-internal" {
        id                                          = "arn:aws:elasticloadbalancing:eu-west-2:535760944720:loadbalancer/app/prod-ehr-repo-alb-int/b96ab86d7636d0e4"
        name                                        = "prod-ehr-repo-alb-int"
        tags                                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (23 unchanged attributes hidden)

      ~ access_logs {
          - prefix  = "ehr-repository" -> null
            # (2 unchanged attributes hidden)
        }

        # (3 unchanged blocks hidden)
    }

  # aws_ecs_service.ecs-service will be updated in-place
  ~ resource "aws_ecs_service" "ecs-service" {
        id                                 = "arn:aws:ecs:eu-west-2:535760944720:service/prod-ehr-repo-ecs-cluster/prod-ehr-repo-service"
        name                               = "prod-ehr-repo-service"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:eu-west-2:535760944720:task-definition/ehr-repo:21" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # aws_ecs_task_definition.task must be replaced
-/+ resource "aws_ecs_task_definition" "task" {
      ~ arn                      = "arn:aws:ecs:eu-west-2:535760944720:task-definition/ehr-repo:21" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:eu-west-2:535760944720:task-definition/ehr-repo" -> (known after apply)
      ~ container_definitions    = (sensitive value) # forces replacement
      ~ id                       = "ehr-repo" -> (known after apply)
      ~ revision                 = 21 -> (known after apply)
        tags                     = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (11 unchanged attributes hidden)
    }

  # aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_developer_to_see_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    # (1 unchanged element hidden)
                    {
                        Action    = [
                            "s3:Get*",
                            "s3:ListBucket",
                        ]
                        Condition = {
                            Bool = {
                                "aws:SecureTransport" = "false"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::535760944720:role/RepoDeveloper"
                        }
                        Resource  = [
                            "arn:aws:s3:::prod-ehr-repo-access-logs",
                            "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ]
                        Sid       = "S3PermitDeveloperAccessLogsPolicy"
                    },
                  + {
                      + Action    = "s3:*"
                      + Condition = {
                          + Bool = {
                              + "aws:SecureTransport" = "false"
                            }
                        }
                      + Effect    = "Deny"
                      + Principal = "*"
                      + Resource  = [
                          + "arn:aws:s3:::prod-ehr-repo-access-logs",
                          + "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ]
                      + Sid       = "S3EnforceHTTPSPolicy"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_security_group.alb_to_ehr_repo_ecs will be updated in-place
  ~ resource "aws_security_group" "alb_to_ehr_repo_ecs" {
        id                     = "sg-091d2c37cedc98276"
        name                   = "prod-alb-to-ehr-repo-ecr"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-alb-to-ehr-repo-ecs"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.ehr_repo_alb will be updated in-place
  ~ resource "aws_security_group" "ehr_repo_alb" {
        id                     = "sg-07e5606b3bcd4649d"
        name                   = "prod-alb-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-alb-ehr-repo"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "gocd_to_ehr_repo" {
        id                     = "sg-03ac6aa886cc858a1"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.service_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "service_to_ehr_repo" {
        id                     = "sg-0843b1d0b553c2023"
        name                   = "prod-service-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-service-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "vpn_to_ehr_repo" {
        id                     = "sg-0b1fbb458ed13a742"
        name                   = "prod-vpn-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

Plan: 1 to add, 8 to change, 1 to destroy.

@github-actions

Report for environment: test

Terraform Format and Style 🖌success

Format Output


Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 4.0"...
- Installing hashicorp/aws v4.67.0...
- Installed hashicorp/aws v4.67.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (0 to add, 1 to change, 0 to destroy)


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_alb.alb-internal will be updated in-place
  ~ resource "aws_alb" "alb-internal" {
        id                                          = "arn:aws:elasticloadbalancing:eu-west-2:005235525306:loadbalancer/app/test-ehr-repo-alb-int/44d32f86b879ef3f"
        name                                        = "test-ehr-repo-alb-int"
        tags                                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (23 unchanged attributes hidden)

      ~ access_logs {
          ~ bucket  = (sensitive value)
          - prefix  = "ehr-repository" -> null
            # (1 unchanged attribute hidden)
        }

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

@github-actions

Report for environment: dev

Terraform Format and Style 🖌success

Format Output


Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 4.0"...
- Installing hashicorp/aws v4.67.0...
- Installed hashicorp/aws v4.67.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (no changes)


No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

@oliverbeumkes-nhs oliverbeumkes-nhs merged commit e212795 into main Sep 19, 2025
9 checks passed
@oliverbeumkes-nhs oliverbeumkes-nhs deleted the PRM-495-PHFIX branch September 19, 2025 13:59