Merge pull request #1179 from NHSDigital/feature/made14-NRL-1922-use-commit-hashes

mattdean3-nhs · web-flow · commit 2436759a8cf2 · 2026-03-26T14:59:09.000Z
NRL-1922 Use commit hashes for github workflow action versions
diff --git a/.github/workflows/activate-stack.yml b/.github/workflows/activate-stack.yml
@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ github.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ github.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 
@@ -58,7 +58,7 @@ jobs:
           make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${inactive_stack}
 
       - name: Save Build Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-artifacts
           path: |
@@ -67,7 +67,7 @@ jobs:
             !dist/nrlf_permissions.zip
 
       - name: Save NRLF Permissions cache
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
@@ -81,12 +81,12 @@ jobs:
       contents: read
       actions: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 
       - name: Get build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: build-artifacts
           path: dist
diff --git a/.github/workflows/deploy-account-wide-infra.yml b/.github/workflows/deploy-account-wide-infra.yml
@@ -41,7 +41,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.branch_name }}
 
@@ -115,7 +115,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.branch_name }}
 
diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.branch_name }}
 
@@ -59,15 +59,15 @@ jobs:
           make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${inactive_stack}
 
       - name: Save Build Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-artifacts
           path: |
             dist/*.zip
             !dist/nrlf_permissions.zip
 
       - name: Save NRLF Permissions cache
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
@@ -84,7 +84,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.branch_name }}
 
@@ -108,13 +108,13 @@ jobs:
           make truststore-pull-server ENV=${account}
 
       - name: Download build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: build-artifacts
           path: dist
 
       - name: Restore NRLF permissions cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
@@ -161,7 +161,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.branch_name }}
 
@@ -171,13 +171,13 @@ jobs:
           poetry install --no-root
 
       - name: Download build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: build-artifacts
           path: dist
 
       - name: Restore NRLF permissions cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
@@ -241,7 +241,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.branch_name }}
 
@@ -275,7 +275,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.branch_name }}
 
@@ -309,7 +309,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ inputs.branch_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.branch_name }}
 
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ github.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 
@@ -35,7 +35,7 @@ jobs:
         run: make test
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-artifacts
           path: dist
@@ -49,12 +49,12 @@ jobs:
       contents: read
       actions: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 
       - name: Get build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: build-artifacts
           path: dist
diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml
@@ -50,7 +50,7 @@ jobs:
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -80,21 +80,21 @@ jobs:
           make get-s3-perms ENV=dev
 
       - name: Save Build Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-artifacts
           path: |
             dist/*.zip
             !dist/nrlf_permissions.zip
 
       - name: Save NRLF Permissions cache
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
 
       - name: Add Failure Pull Request Comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         if: ${{ failure() }}
         with:
           script: |
@@ -119,7 +119,7 @@ jobs:
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -136,13 +136,13 @@ jobs:
           role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Download Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: build-artifacts
           path: dist
 
       - name: Restore NRLF permissions cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
@@ -172,7 +172,7 @@ jobs:
         run: terraform -chdir=terraform/infrastructure apply tfplan
 
       - name: Add Success Pull Request Comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         if: ${{ success() }}
         with:
           script: |
@@ -184,7 +184,7 @@ jobs:
             })
 
       - name: Add Failure Pull Request Comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         if: ${{ failure() }}
         with:
           script: |
@@ -206,7 +206,7 @@ jobs:
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -247,7 +247,7 @@ jobs:
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -286,7 +286,7 @@ jobs:
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -326,7 +326,7 @@ jobs:
         run: make test-performance-output
 
       - name: Store Performance Test Outputs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: performance-test-outputs
           path: dist/*.png
diff --git a/.github/workflows/pr-env-destroy.yml b/.github/workflows/pr-env-destroy.yml
@@ -51,7 +51,7 @@ jobs:
 
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.merged && github.event.pull_request.base.ref || github.event.pull_request.head.ref }}
 
@@ -94,7 +94,7 @@ jobs:
           terraform -chdir=terraform/infrastructure workspace delete ${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Add Failure Pull Request Comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         if: ${{ failure() }}
         with:
           script: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ github.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 
@@ -70,7 +70,7 @@ jobs:
         run: bash scripts/sbom-create.sh
 
       - name: Upload SBOM artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: sbom-${{ github.sha }}
           path: sbom.spdx.json
diff --git a/.github/workflows/rollback-stack.yml b/.github/workflows/rollback-stack.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Git clone - ${{ github.ref }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
