chore: update CI workflows versions (#79)

mwirikia · web-flow · commit cd032e680ca2 · 2026-06-25T10:05:11.000+01:00
* chore: update action versions in CI workflows for consistency and megalinter to v 9.5.0

* add GITHUB_TOKEN MegaLinter config

* add false persistance

* update files to resolve errors

* linting scan updates

* update dep and lock

* check mkdocs update work

* rm team_usage.md

* Nav update

* remove unnecessary persist-credentials option from checkout step

* update after lint

* permissions update

* update lint

* add yamllint config

* resolve push issues

* rm branch info

* crypograph update to 49 or later

* json config
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,12 +22,14 @@ jobs:
         python-version: ["3.12"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - name: Install Poetry
         run: pipx install poetry==1.7.1
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: poetry
diff --git a/.github/workflows/deploy_mkdocs.yml b/.github/workflows/deploy_mkdocs.yml
@@ -11,16 +11,19 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - name: Configure Git Credentials
         run: |
           git config user.name github-actions[bot]
           git config user.email 41898282+github-actions[bot]@users.noreply.github.com
-      - uses: actions/setup-python@v5
+          git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: 3.x
       - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           key: mkdocs-material-${{ env.cache_id }}
           path: .cache
diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml
@@ -66,9 +66,10 @@ jobs:
     steps:
       # Git Checkout
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
           # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
           # improve performance
@@ -85,8 +86,8 @@ jobs:
 
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/latest/flavors/
-        # The below commit hash is v8.8.0
-        uses: oxsecurity/megalinter@e08c2b05e3dbc40af4c23f41172ef1e068a7d651
+        # The below commit hash is v9.5.0
+        uses: oxsecurity/megalinter@0e3ce9b9c8c10effb9b269509cc47ca17cae31c7
 
         id: ml
 
@@ -114,7 +115,7 @@ jobs:
 
       # Upload MegaLinter artifacts
       - name: Archive production artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: success() || failure()
         with:
           name: MegaLinter reports
@@ -158,9 +159,12 @@ jobs:
             github.event.pull_request.head.repo.full_name == github.repository
           ) &&
           !contains(github.event.head_commit.message, 'skip fix')
+        env:
+          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
+          PR_URL: ${{ steps.cpr.outputs.pull-request-url }}
         run: |
-          echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
-          echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
+          echo "PR Number - $PR_NUMBER"
+          echo "PR URL - $PR_URL"
 
       # Push new commit if applicable
       # (for now works only on PR from same repository, not from forks)
diff --git a/.markdownlint.jsonc b/.markdownlint.jsonc
diff --git a/.mega-linter.yml b/.mega-linter.yml
@@ -9,6 +9,9 @@ APPLY_FIXES: all
 
 FORMATTERS_DISABLE_ERRORS: false
 
+ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
+  - GITHUB_TOKEN
+
 # If you use ENABLE variable, all other languages/formats/tooling-formats will
 # be disabled by default
 # ENABLE:
diff --git a/.yamllint.yml b/.yamllint.yml
@@ -0,0 +1,11 @@
+---
+extends: default
+
+rules:
+  # 80 chars should be enough, but don't fail if a line is longer
+  line-length:
+    max: 80
+    level: warning
+
+  # don't bother me with this rule
+  indentation: enable
diff --git a/README.md b/README.md
@@ -97,37 +97,37 @@ To run the Lambda function outside of a container, we need to execute the `handl
 
 2. Sign in with AWS SSO, and export the correct profile for this service:
 
-    ```bash
-    aws sso login
+   ```bash
+   aws sso login
 
-    export AWS_PROFILE=github-copilot-usage-lambda
-    ```
+   export AWS_PROFILE=github-copilot-usage-lambda
+   ```
 
-    This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile.
+   This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile.
 
-    **Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine.
+   **Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine.
 
 3. Export the required environment variables:
 
-    ```bash
-    export AWS_DEFAULT_REGION=eu-west-2
-    export AWS_SECRET_NAME=<aws_secret_name>
-    export AWS_ACCOUNT_NAME=<sdp-dev/sdp-prod>
-    export GITHUB_ORG=ONSDigital
-    export GITHUB_APP_CLIENT_ID=<github_app_client_id>
-    ```
+   ```bash
+   export AWS_DEFAULT_REGION=eu-west-2
+   export AWS_SECRET_NAME=<aws_secret_name>
+   export AWS_ACCOUNT_NAME=<sdp-dev/sdp-prod>
+   export GITHUB_ORG=ONSDigital
+   export GITHUB_APP_CLIENT_ID=<github_app_client_id>
+   ```
 
 4. Run the script.
 
-    ```bash
-    python3 src/main.py
-    ```
+   ```bash
+   python3 src/main.py
+   ```
 
 5. To exit the profile:
 
-    ```bash
-    unset AWS_PROFILE
-    ```
+   ```bash
+   unset AWS_PROFILE
+   ```
 
 ### Running in a container
 
diff --git a/concourse/scripts/terraform_infra.sh b/concourse/scripts/terraform_infra.sh
@@ -22,6 +22,7 @@ github_org=$(echo "$secrets" | jq -r .github_org)
 export AWS_ACCESS_KEY_ID="$aws_access_key_id"
 export AWS_SECRET_ACCESS_KEY="$aws_secret_access_key"
 
+# kingfisher:ignore
 git config --global url."https://x-access-token:$github_access_token@github.com/".insteadOf "https://github.com/"
 
 if [ "${env}" != "prod" ]; then
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -7,7 +7,9 @@ repo_name: GitHub Copilot Usage Lambda
 nav:
   - Home: "index.md"
   - Documentation: "documentation.md"
-  - Team Usage: "team_usage.md"
+  - Technical Documentation:
+      - Overview: "technical_documentation/overview.md"
+      - Configuration: "technical_documentation/configuration.md"
 theme:
   name: material
   language: en
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
