Merge pull request #6677 from NHSDigital/next

Version 8.1.0

Author: thomasleese

.github/workflows/build-and-push-image.yml

@@ -41,7 +41,7 @@ jobs:
         steps.check-prod-image.outputs.ops-build-needed }}
     steps:
       - name: Configure AWS Dev Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: arn:aws:iam::393416225559:role/GithubDeployECSService
           aws-region: eu-west-2
@@ -57,7 +57,7 @@ jobs:
           fi
       - name: Configure AWS Production credentials
         if: env.PUSH_IMAGE_TO_PRODUCTION == 'true'
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: arn:aws:iam::820242920762:role/GithubDeployECSService
           aws-region: eu-west-2
@@ -102,25 +102,25 @@ jobs:
         aws-role: ${{ fromJSON(needs.define-matrix.outputs.aws-roles) }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ env.git_ref }}
       - name: Write build SHA
         run: git rev-parse HEAD > public/sha
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: ${{ matrix.aws-role }}
           aws-region: eu-west-2
       - name: Login to ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@376925c9d111252e87ae59691e5a442dd100ef6a # v2.1.3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         # yamllint disable rule:line-length
       - name: Build and push webapp image
         if: needs.check-image-presence.outputs.webapp-build-needed == 'true'
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           push: true
@@ -132,7 +132,7 @@ jobs:
             }}/mavis/webapp:buildcache,mode=max,image-manifest=true,oci-mediatypes=true
       - name: Build and push ops image
         if: needs.check-image-presence.outputs.ops-build-needed == 'true'
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           file: ops.Dockerfile

.github/workflows/call-end-to-end-tests.yml

@@ -3,7 +3,10 @@ name: Call end-to-end tests
 on:
   workflow_call:
     inputs:
-      cross_service_tests:
+      fhir_api_tests:
+        required: true
+        type: boolean
+      reporting_tests:
         required: true
         type: boolean
       endpoint:
@@ -31,7 +34,8 @@ jobs:
     # yamllint disable-line rule:line-length
     uses: NHSDigital/manage-vaccinations-in-schools-testing/.github/workflows/end-to-end-tests.yaml@main
     with:
-      cross_service_tests: ${{ inputs.cross_service_tests }}
+      fhir_api_tests: ${{ inputs.fhir_api_tests }}
+      reporting_tests: ${{ inputs.reporting_tests }}
       github_ref: ${{ inputs.github_ref }}
       endpoint: ${{ inputs.endpoint }}
     secrets:

.github/workflows/continuous-deployment.yml

@@ -28,7 +28,8 @@ jobs:
     uses: ./.github/workflows/call-end-to-end-tests.yml
     secrets: inherit
     with:
-      cross_service_tests: true
+      fhir_api_tests: true
+      reporting_tests: true
       endpoint: https://qa.mavistesting.com
       github_ref: main
   slack-notification:

.github/workflows/create_dockerized_db.yml

@@ -29,11 +29,11 @@ jobs:
       RAILS_MASTER_KEY: intentionally-insecure-dev-key00
       SKIP_TEST_DATABASE: true
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.github_ref || github.ref_name == 'next' && 'next' || github.ref_name }}
           repository: nhsuk/manage-vaccinations-in-schools
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version-file: .tool-versions
           cache: yarn
@@ -56,7 +56,7 @@ jobs:
               sleep 2
             done
                 '
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@60ecfba8750476ff216b59eee3b88218bb5111cc # v1.303.0
         with:
           bundler-cache: true
       - name: Populate database for testing
@@ -65,13 +65,13 @@ jobs:
           bin/rails feature_flags:enable_for_development
           bin/mavis gias import --input-file=spec/fixtures/dfe-schools.zip
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: arn:aws:iam::393416225559:role/GitHubAssuranceTestRole
           aws-region: eu-west-2
       - name: Login to ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@376925c9d111252e87ae59691e5a442dd100ef6a # v2.1.3
       # yamllint disable rule:line-length
       - name: get github ref short
         id: github-ref

.github/workflows/data-replication-pipeline.yml

@@ -70,7 +70,7 @@ jobs:
       git-sha: ${{ steps.get-git-sha.outputs.git-sha }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ env.git_ref_to_deploy }}
       - name: Get git sha
@@ -93,11 +93,11 @@ jobs:
       id-token: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ env.git_ref_to_deploy }}
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
@@ -125,7 +125,7 @@ jobs:
           } >> "$GITHUB_OUTPUT"
       - name: Populate web task definition
         id: create-task-definition
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        uses: aws-actions/amazon-ecs-render-task-definition@77954e213ba1f9f9cb016b86a1d4f6fcdea0d57e # v1.8.4
         with:
           task-definition-family:
             mavis-data-replication-task-definition-${{ inputs.environment }}-template
@@ -140,7 +140,7 @@ jobs:
           mv ${{ steps.create-task-definition.outputs.task-definition }} ${{ runner.temp
           }}/data-replication-task-definition.json
       - name: Upload artifact for data-replication task definition
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ${{ inputs.environment }}-data-replication-task-definition
           path: ${{ runner.temp }}/data-replication-task-definition.json
@@ -189,12 +189,12 @@ jobs:
       id-token: write
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
       - name: Download data-replication task definition artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: ${{ runner.temp }}
           name: ${{ inputs.environment }}-data-replication-task-definition
@@ -205,7 +205,7 @@ jobs:
           jq --arg f "$family_name" '.family = $f' "$file_path" > tmpfile && mv tmpfile "$file_path"
       - name: Deploy data-replication service
         id: ecs-deploy
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@fc8fc60f3a60ffd500fcb13b209c59d221ac8c8c # v2.6.1
         with:
           task-definition: ${{ runner.temp }}/data-replication-task-definition.json
           cluster: mavis-${{ inputs.environment }}-data-replication

.github/workflows/deploy-documentation.yml

@@ -18,16 +18,16 @@ jobs:
       cancel-in-progress: true
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ruby/setup-ruby@60ecfba8750476ff216b59eee3b88218bb5111cc # v1.303.0
         with:
           bundler-cache: true
 
       - name: Generate Documentation
         run: bundle exec rake rdoc:generate
 
       - name: Deploy to GitHub Pages
-        uses: JamesIves/github-pages-deploy-action@v4
+        uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
         with:
           branch: gh-pages
           folder: docs/rdoc

.github/workflows/deploy.yml

@@ -80,7 +80,7 @@ jobs:
             fi
           fi
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.git_ref_to_deploy || github.sha }}
       - name: Get git sha
@@ -109,12 +109,12 @@ jobs:
       repository_name: ${{ matrix.service == 'ops' && 'mavis/ops' || 'mavis/webapp' }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         id: checkout-code
         with:
           ref: ${{ needs.validate-and-resolve-sha.outputs.git-sha }}
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: arn:aws:iam::${{ env.aws_account_id }}:role/GithubDeployECSService
           aws-region: eu-west-2
@@ -131,7 +131,7 @@ jobs:
           echo "digest=$digest" >> "$GITHUB_OUTPUT"
       - name: Populate task definition
         id: create-task-definition
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        uses: aws-actions/amazon-ecs-render-task-definition@77954e213ba1f9f9cb016b86a1d4f6fcdea0d57e # v1.8.4
         with:
           task-definition-family:
             mavis-${{ matrix.service }}-task-definition-${{ inputs.environment }}-template
@@ -147,7 +147,7 @@ jobs:
           mv ${{ steps.create-task-definition.outputs.task-definition }} ${{ runner.temp }}/${{
           matrix.service }}-task-definition.json
       - name: Upload artifact for ${{ matrix.service }} task definition
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ${{ inputs.environment }}-${{ matrix.service }}-task-definition
           path: ${{ runner.temp }}/${{ matrix.service }}-task-definition.json
@@ -196,14 +196,14 @@ jobs:
       id-token: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: arn:aws:iam::${{ env.aws_account_id }}:role/GithubDeployECSService
           aws-region: eu-west-2
       - name: Download ops task definition artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: ${{ runner.temp }}
           name: ${{ inputs.environment }}-ops-task-definition
@@ -332,12 +332,12 @@ jobs:
           fromJSON(format('["{0}"]', inputs.server_types)) }}
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: arn:aws:iam::${{ env.aws_account_id }}:role/GithubDeployECSService
           aws-region: eu-west-2
       - name: Download ${{ matrix.service }} task definition artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: ${{ runner.temp }}
           name: ${{ inputs.environment }}-${{ matrix.service }}-task-definition
@@ -348,7 +348,7 @@ jobs:
           jq --arg f "$family_name" '.family = $f' "$file_path" > tmpfile && mv tmpfile "$file_path"
       - name: Deploy ${{ matrix.service }} service
         id: ecs-deploy
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@fc8fc60f3a60ffd500fcb13b209c59d221ac8c8c # v2.6.1
         with:
           task-definition: ${{ runner.temp }}/${{ matrix.service }}-task-definition.json
           cluster: ${{ env.cluster_name }}
@@ -376,14 +376,14 @@ jobs:
       id-token: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: arn:aws:iam::${{ env.aws_account_id }}:role/GithubDeployECSService
           aws-region: eu-west-2
       - name: Download ops task definition artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: ${{ runner.temp }}
           name: ${{ inputs.environment }}-ops-task-definition

.github/workflows/draft-new-release.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - name: Generate release notes