Merge branch 'main' into dependabot/maven/fhir.version-8.6.1

Author: anthony-nhs

.gitallowed

@@ -34,3 +34,4 @@ CidrIp: 0\.0\.0\.0/0
 .*\.venv.*
 .*node_modules.*
 pom\.xml
+poetry\.lock

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@9791a77de7b005056b4ddfb9789306f5179f53da
     needs: [get_asdf_version]
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -46,7 +46,7 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@9791a77de7b005056b4ddfb9789306f5179f53da
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/pull_request.yml

@@ -10,7 +10,7 @@ env:
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
-    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@9791a77de7b005056b4ddfb9789306f5179f53da
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
@@ -32,7 +32,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@9791a77de7b005056b4ddfb9789306f5179f53da
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
@@ -41,7 +41,7 @@ jobs:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   pr_title_format_check:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@9791a77de7b005056b4ddfb9789306f5179f53da
 
   get_issue_number:
     runs-on: ubuntu-22.04
@@ -72,7 +72,7 @@ jobs:
 
   tag_release:
     needs: [get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@9791a77de7b005056b4ddfb9789306f5179f53da
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/release.yml

@@ -25,7 +25,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@9791a77de7b005056b4ddfb9789306f5179f53da
     needs: [get_asdf_version]
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@9791a77de7b005056b4ddfb9789306f5179f53da
     with:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.tool-versions

@@ -1,8 +1,7 @@
 maven 3.9.0
 java corretto-21.0.2.14.1
-python 3.12.7
-poetry 1.8.2
+python 3.12.12
+poetry 2.2.1
 shellcheck 0.9.0
 direnv 2.32.2
 actionlint 1.6.26
-nodejs 20.19.0

.trivyignore

@@ -0,0 +1,20 @@
+# various vulnerabilities due to running an old version of hapi-fhir
+CVE-2023-24057
+CVE-2023-28465
+CVE-2024-51132
+CVE-2024-55887
+CVE-2022-42889
+CVE-2024-45294
+CVE-2024-52007
+CVE-2024-45294
+CVE-2024-52007
+CVE-2024-45294
+CVE-2024-52007
+CVE-2024-45294
+CVE-2024-52007
+CVE-2024-45294
+CVE-2024-52007
+CVE-2021-35515
+CVE-2021-35516
+CVE-2021-35517
+CVE-2021-36090

Makefile

@@ -5,14 +5,11 @@ guard-%:
 	fi
 
 # install targets
-install: install-python install-hooks install-node
+install: install-python install-hooks
 
 install-python:
 	poetry install
 
-install-node:
-	npm ci
-
 install-hooks: install-python
 	poetry run pre-commit install --install-hooks --overwrite
 
@@ -36,13 +33,9 @@ lint-githubaction-scripts:
 test: download-dependencies
 	mvn test
 
-check-licenses: check-licenses-python check-licenses-java
-
-check-licenses-python:
-	scripts/check_python_licenses.sh
-
-check-licenses-java:
-	mvn validate
+check-licenses: 
+	echo "not implemented from console"
+	exit 1
 
 show-unused-dependencies:
 	mvn dependency:analyze

SAMtemplates/lambda_resources.yaml

@@ -15,7 +15,6 @@ Parameters:
   SplunkSubscriptionFilterRole:
     Type: String
     Description: Subscription filter role for sending logs to splunk
-    Default: none
   SplunkDeliveryStream:
     Type: String
     Description: Splunk delivery stream