From 001294a050e7c251660500616c46d227822444e5 Mon Sep 17 00:00:00 2001
From: Sathiyakumar Ganesan
Date: Thu, 7 May 2026 13:51:32 +0100
Subject: [PATCH 1/4] Update publish step to use ODIC token
---
.github/workflows/cd.yml | 30 ++++++++++--------------
.pre-commit-config.yaml | 9 +++++++
scripts/config/pre-commit.yaml | 40 --------------------------------
scripts/githooks/scan-secrets.sh | 0
4 files changed, 21 insertions(+), 58 deletions(-)
create mode 100755 .pre-commit-config.yaml
delete mode 100755 scripts/config/pre-commit.yaml
mode change 100644 => 100755 scripts/githooks/scan-secrets.sh
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index e8a10cd..f5805d6 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -4,30 +4,26 @@ on: branches: - main paths: - - "src/pytest_nhsd_apim/**" - - "pyproject.toml" - - "setup.py" + - 'src/pytest_nhsd_apim/**' + - 'pyproject.toml' + - 'setup.py' + +permissions: + id-token: write + contents: read + jobs: publish: runs-on: ubuntu-latest steps: - name: Checkout current branch - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@v6 - name: Install Python 3.13 - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 + uses: actions/setup-python@v6 with: python-version: 3.13 - - name: install gnome-keyring - run: | - sudo apt-get update - echo "Available versions of gnome-keyring:" - apt-cache policy gnome-keyring - - echo "Installing default candidate version" - sudo apt-get install -y gnome-keyring - - name: install deps run: make install-deps
@@ -40,8 +36,6 @@ jobs: - name: check build run: twine check dist/* - - name: set poetry credentials - run: poetry config pypi-token.pypi ${{ secrets.PYPI_TOKEN }} + - name: Publish to PyPI (OIDC) + uses: pypa/gh-action-pypi-publish@release/v1 - - name: publish - run: poetry publish
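Review bot: `id-token: write` is granted in a workflow-level `permissions:` block, so every job this file later gains inherits the ability to mint a PyPI-acceptable OIDC token, not only `publish`; move the block under the job and drop the top-level one. The trigger is a plain push to `main` with a path filter, so anyone who can land a commit on `main` can release — binding the job to a protected environment and naming that environment on the PyPI trusted-publisher entry makes the OIDC `environment` claim mandatory and adds a reviewer gate in front of every upload. The `push:` key above and the remaining steps of the job are outside this hunk.

```yaml
jobs:
  publish:
    runs-on: ubuntu-latest
    # Name must match the environment set on the PyPI trusted-publisher
    # entry; put required reviewers on it so a push to main alone
    # cannot release.
    environment: pypi
    permissions:
      id-token: write
      contents: read
    # … unchanged: steps …
```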
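Review bot: Dropping the `poetry config pypi-token.pypi ${{ secrets.PYPI_TOKEN }}` step leaves `PYPI_TOKEN` unused by this workflow, but nothing in the patch retires the credential itself; if that secret still exists, revoke the token on PyPI and delete it from the repository, otherwise a long-lived upload credential outlives its only legitimate consumer and the move to trusted publishing buys little. The new publish step passes no `with:` inputs, so the action uploads whatever `dist/` holds using its defaults; that is acceptable only because `twine check dist/*` runs on the same tree immediately above it, and the build step that populates `dist/` is outside this hunk. A one-line comment above the step would spare the next maintainer a hunt for the missing token: `# PyPI trusted publishing (OIDC): needs a publisher registered for this repo + cd.yml; no API token`. The commit subject also spells OIDC as "ODIC".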
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100755
index 0000000..482c3be
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,9 @@
+repos:
+- repo: local
+ hooks:
+ - id: scan-secrets
+ name: Scan secrets
+ entry: ./scripts/githooks/scan-secrets.sh
+ args: ["check=staged-changes"]
+ language: script
+ pass_filenames: false
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
deleted file mode 100755
index de8831c..0000000
--- a/scripts/config/pre-commit.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-repos:
-- repo: local
- hooks:
- - id: scan-secrets
- name: Scan secrets
- entry: ./scripts/githooks/scan-secrets.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-file-format
- name: Check file format
- entry: ./scripts/githooks/check-file-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-markdown-format
- name: Check Markdown format
- entry: ./scripts/githooks/check-markdown-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-english-usage
- name: Check English usage
- entry: ./scripts/githooks/check-english-usage.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: lint-terraform
- name: Lint Terraform
- entry: ./scripts/githooks/check-terraform-format.sh
- language: script
- pass_filenames: false
\ No newline at end of file
diff --git a/scripts/githooks/scan-secrets.sh b/scripts/githooks/scan-secrets.sh
old mode 100644
new mode 100755
From 6e7d2a19771f480f066a0f87a662a4d4e1571c2a Mon Sep 17 00:00:00 2001
From: Sathiyakumar Ganesan
Date: Thu, 7 May 2026 13:54:03 +0100
Subject: [PATCH 2/4] add commit sha for github actions
---
.github/workflows/cd.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
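Review bot: `.pre-commit-config.yaml` is created with mode `100755`, and the same commit flips `scan-secrets.sh` to `100755`; a YAML config has no reason to be executable, so this looks like a bulk chmod that caught the wrong file — clear it with `git update-index --chmod=-x .pre-commit-config.yaml`. The new file carries over only the `scan-secrets` hook from the deleted `scripts/config/pre-commit.yaml`; the `check-file-format`, `check-markdown-format`, `check-english-usage` and `lint-terraform` hooks disappear without a word in the subject or in the file, and their scripts under `scripts/githooks/` (not in this diff) become dead weight if they still exist. If dropping them is intentional, a comment at the top of the new file such as `# Only the secret scan runs as a pre-commit hook; the format/lint hooks were deliberately removed` would save the next reader a bisect.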
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index f5805d6..634d405 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -17,10 +17,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout current branch - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Python 3.13 - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: 3.13
From 09ecef570eab4479de74c2ac8f95858a6d181e7d Mon Sep 17 00:00:00 2001
From: Sathiyakumar Ganesan
Date: Thu, 7 May 2026 14:01:28 +0100
Subject: [PATCH 3/4] use sha for github action
---
.github/workflows/cd.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 634d405..0979ade 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -37,5 +37,5 @@ jobs: run: twine check dist/* - name: Publish to PyPI (OIDC) - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
From f80c975a54699642c253f7732eeae8eff8207f92 Mon Sep 17 00:00:00 2001
From: sathiya-nhs
Date: Thu, 7 May 2026 14:44:45 +0100
Subject: [PATCH 4/4] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
.pre-commit-config.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 482c3be..f988e0c 100755
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,6 +4,7 @@ repos: - id: scan-secrets name: Scan secrets entry: ./scripts/githooks/scan-secrets.sh - args: ["check=staged-changes"] + env: + check: staged-changes language: script pass_filenames: false
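Review bot: `env:` is not a per-hook key in pre-commit's config schema as far as I can tell (local hooks take `entry`, `args`, `language`, `pass_filenames`, `files`, `stages` and so on, but no environment map), so this tool-generated change is likely to make pre-commit reject the whole config, and the secret scan would then stop running at all rather than run in a different mode — please run `pre-commit run scan-secrets --all-files` on this branch before merging. Whether `scan-secrets.sh` reads its mode from `$1` or from a `check` environment variable is not visible in this diff, so I cannot say which of the old `args` form or an environment variable it actually needs. If it is the environment variable, the portable way is to set it on the entry and run the hook as a system command: `entry: env check=staged-changes ./scripts/githooks/scan-secrets.sh` together with `language: system`, with neither `args` nor `env`.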