CCM-14499: Pin GitHub Actions to SHAs #136
Merged
damientobin1 merged 9 commits into main, Apr 2, 2026
Conversation
aidenvaines-cgi approved these changes, Apr 2, 2026
m-houston pushed a commit that referenced this pull request, Apr 14, 2026
* CCM-14499: Pinning all GitHub Actions to SHAs
* CCM-14499: Pinning all GitHub Actions to SHAs
* CCM-14499: Pinning all GitHub Actions to SHAs
* CCM-14499: Pinning all GitHub Actions to SHAs
* CCM-14499: Pinning all GitHub Actions to SHAs
* CCM-14499: Pinning all GitHub Actions to SHAs
* CCM-14499: Correct configure-aws-credentials v4 SHA
* CCM-14499: Correct annotated tag SHA pins
* CCM-14499: Pin remaining GitHub Actions refs to SHAs
m-houston added a commit that referenced this pull request, Apr 14, 2026
* Bump handlebars from 4.7.8 to 4.7.9
  Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.8 to 4.7.9.
  - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
  - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
  - [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)
  ---
  updated-dependencies:
  - dependency-name: handlebars
    dependency-version: 4.7.9
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Bump activesupport from 7.1.3.4 to 7.2.3.1 in /docs
  Bumps [activesupport](https://github.com/rails/rails) from 7.1.3.4 to 7.2.3.1.
  - [Release notes](https://github.com/rails/rails/releases)
  - [Changelog](https://github.com/rails/rails/blob/v8.1.2.1/activesupport/CHANGELOG.md)
  - [Commits](rails/rails@v7.1.3.4...v7.2.3.1)
  ---
  updated-dependencies:
  - dependency-name: activesupport
    dependency-version: 7.2.3.1
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Bump minimatch and eslint-plugin-sonarjs
  Bumps [minimatch](https://github.com/isaacs/minimatch) to 3.1.5 and updates ancestor dependencies [minimatch](https://github.com/isaacs/minimatch) and [eslint-plugin-sonarjs](https://github.com/SonarSource/SonarJS). These dependencies need to be updated together.
  Updates `minimatch` from 3.1.2 to 3.1.5
  - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
  - [Commits](isaacs/minimatch@v3.1.2...v3.1.5)
  Updates `minimatch` from 9.0.5 to 9.0.9
  - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
  - [Commits](isaacs/minimatch@v3.1.2...v3.1.5)
  Updates `eslint-plugin-sonarjs` from 3.0.5 to 3.0.7
  - [Release notes](https://github.com/SonarSource/SonarJS/releases)
  - [Commits](https://github.com/SonarSource/SonarJS/commits)
  ---
  updated-dependencies:
  - dependency-name: minimatch
    dependency-version: 3.1.5
    dependency-type: indirect
  - dependency-name: minimatch
    dependency-version: 9.0.9
    dependency-type: indirect
  - dependency-name: eslint-plugin-sonarjs
    dependency-version: 3.0.7
    dependency-type: direct:development
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Bump next from 15.5.7 to 15.5.14
  Bumps [next](https://github.com/vercel/next.js) from 15.5.7 to 15.5.14.
  - [Release notes](https://github.com/vercel/next.js/releases)
  - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
  - [Commits](vercel/next.js@v15.5.7...v15.5.14)
  ---
  updated-dependencies:
  - dependency-name: next
    dependency-version: 15.5.14
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Bump @types/node from 20.19.17 to 24.9.1
  Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.19.17 to 24.9.1.
  - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
  - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
  ---
  updated-dependencies:
  - dependency-name: "@types/node"
    dependency-version: 24.9.1
    dependency-type: direct:development
    update-type: version-update:semver-major
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Bump flatted from 3.3.3 to 3.4.2
  Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2.
  - [Commits](WebReflection/flatted@v3.3.3...v3.4.2)
  ---
  updated-dependencies:
  - dependency-name: flatted
    dependency-version: 3.4.2
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Bump glob from 10.4.5 to 10.5.0
  Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0.
  - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
  - [Commits](isaacs/node-glob@v10.4.5...v10.5.0)
  ---
  updated-dependencies:
  - dependency-name: glob
    dependency-version: 10.5.0
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Bump lodash from 4.17.21 to 4.17.23
  Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
  - [Release notes](https://github.com/lodash/lodash/releases)
  - [Commits](lodash/lodash@4.17.21...4.17.23)
  ---
  updated-dependencies:
  - dependency-name: lodash
    dependency-version: 4.17.23
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Bump picomatch from 2.3.1 to 2.3.2
  Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.
  - [Release notes](https://github.com/micromatch/picomatch/releases)
  - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
  - [Commits](micromatch/picomatch@2.3.1...2.3.2)
  ---
  updated-dependencies:
  - dependency-name: picomatch
    dependency-version: 2.3.2
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* CCM-14499: Pin GitHub Actions to SHAs (#136)
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Correct configure-aws-credentials v4 SHA
  * CCM-14499: Correct annotated tag SHA pins
  * CCM-14499: Pin remaining GitHub Actions refs to SHAs

* CCM-15257: Bumping Node 20 Actions to Node 24 versions (#138)
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Pinning all GitHub Actions to SHAs
  * CCM-14499: Correct configure-aws-credentials v4 SHA
  * CCM-14499: Correct annotated tag SHA pins
  * CCM-14499: Pin remaining GitHub Actions refs to SHAs

* Bump addressable 2.8.6→2.9.0, nokogiri 1.18.9→1.19.1, public_suffix 5.0.5→7.0.5 in /docs
* Bump pip dependencies: PyJWT 2.8.0→2.12.0, requests 2.32.4→2.33.0, Flask 2.3.3→3.1.3, pip 25.2→26.0, Werkzeug 3.0.6→3.1.6, wheel 0.41.1→0.46.2
* Sync upstream repo template changes
* Fix package-lock conflict markers after signed-history rebase
* Fix package-lock.json conflicts
* Fix audit findings
  Updated npm dependencies across root and workspaces to remediate audit findings, including upgrading eslint-plugin-sonarjs, AWS SDK packages, and @stoplight/spectral-cli, plus adding root overrides for fast-xml-parser and js-yaml. Removed pm2 (no-fix advisory path) from frontend and replaced app:start/app:stop with PID-based shell scripts. Regenerated package-lock.json. Validation completed with npm audit (0 vulnerabilities), pre-commit hooks, and root lint, typecheck, and test:unit runs. AI assistance was used to prepare these changes.

---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Damien Tobin <damien.tobin1@nhs.net>
Description
Following the recent barrage of supply chain threats, and especially https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup, it's now recommended that all 3rd-party actions be referenced using a SHA rather than a tag, as tags are not immutable but commits are.
Type of changes
The following actions were pinned by SHA
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personally Identifiable Information) / PID (Personally Identifiable Data) or any other sensitive data in this PR (Pull Request) or the codebase changes. We will remove any PR that does contain sensitive information. We really appreciate your cooperation in this matter.
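As an added example (not code from this PR or the repository), the following Python check does what a reviewer of a change like this would want to automate: it scans workflow text for `uses:` references to third-party actions and flags any whose ref is not a full 40-hex commit SHA, since a tag or branch ref can be moved after the fact while a commit cannot. The sample workflow, the `example-org/*` action names and the SHA values in it are constructed for illustration; `actions/checkout` and `aws-actions/configure-aws-credentials` are only named as the kind of real action the check would see.

```python
import re

# A `uses:` line has the form  [- ]uses: owner/repo[/path]@ref [# comment]
# (optionally quoted). The trailing "# vX.Y.Z" comment is the convention used
# to record which release a SHA pin corresponds to.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\']+)["\']?\s*(#.*)?$')

# Only a full 40-character hex commit id is treated as immutable; abbreviated
# SHAs, tags ("v4") and branches ("main") are all rejected.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def is_third_party(action):
    """Local actions (./path) and docker:// images are not GitHub refs to pin by commit."""
    return not (action.startswith('./') or action.startswith('docker://'))


def find_unpinned(workflow_text):
    """Return [(line_no, action, ref)] for third-party `uses:` refs that are not full SHAs."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, _comment = m.groups()
        if not is_third_party(action):
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


# Constructed sample workflow: a tag pin, a SHA pin (placeholder SHA), a local
# action, a branch pin, and an abbreviated SHA that must not pass.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-thing@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: ./.github/actions/local-thing
      - name: Configure creds
        uses: aws-actions/configure-aws-credentials@main
      - uses: example-org/other-action@deadbeef
"""


if __name__ == '__main__':
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {action}@{ref} is not pinned to a full commit SHA')
```

Run over every file under `.github/workflows/`, a non-empty result is a review blocker. The regex deliberately ignores the version comment when deciding pass/fail: a `# v4` annotation beside a tag ref proves nothing, only the 40-hex ref itself does.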