Chore: [AEA-6424] - new quality checks (#722)

## Summary

- Routine Change

### Details

- move to new quality checks

Author: anthony-nhs

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "regression_tests",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "v1.4.6",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     }

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# restrict access to approving workflow changes
+.github/workflows/ @NHSDigital/eps-administrators

.github/workflows/pull_request.yml

@@ -4,23 +4,32 @@ on:
   pull_request:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
-
+permissions: {}
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      contents: write
+      pull-requests: write
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
 
   quality_checks:
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     needs: [get_config_values]
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
@@ -29,9 +38,15 @@ jobs:
 
   pr_title_format_check:
     uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
-
+    permissions:
+      pull-requests: write
   run_basic_regression_test:
     uses: ./.github/workflows/regression_tests.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
+      attestations: read
     with:
       tags: "@ping"
       environment: INTERNAL-DEV
@@ -43,9 +58,9 @@ jobs:
     permissions:
       id-token: write
       contents: write
+      packages: write
     with:
       dry_run: true
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit

.github/workflows/regression_tests.yml

@@ -78,6 +78,7 @@ on:
         description: "Generate a report for successful test runs"
         default: false
 
+permissions: {}
 jobs:
   regression_tests:
     runs-on: ubuntu-22.04
@@ -121,6 +122,10 @@ jobs:
   get_config_values:
     needs: regression_tests
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
 
@@ -158,9 +163,10 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ inputs.github_tag }}
+          persist-credentials: false
 
       - name: Cache Virtualenv
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae
         id: cache-venv
         with:
           path: .venv
@@ -321,6 +327,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
+          persist-credentials: false
           ref: ${{ inputs.github_tag }}
       - name: Cache Virtualenv
         uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb

.github/workflows/release.yml

@@ -4,18 +4,25 @@ on:
   push:
     branches: [main]
 
-env:
-  BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: true
 
   quality_checks:
     needs: [get_config_values]
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
@@ -36,15 +43,17 @@ jobs:
     permissions:
       id-token: write
       contents: write
+      packages: write
     with:
       dry_run: false
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
   generate_behave_steps_catalog:
     needs: [quality_checks, get_config_values]
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     container:
       image: ${{ needs.get_config_values.outputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
@@ -58,7 +67,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Cache Virtualenv
@@ -71,11 +80,15 @@ jobs:
       - name: Install python packages
         if: steps.cache-venv.outputs.cache-hit != 'true'
         run: make install
-
+      - name: Checkout gh-pages
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: gh-pages
+          path: gh-pages
+          persist-credentials: true
       - name: Generate Behave steps catalog as HTML
         run: |
           set +H  # Disable history expansion to prevent !DOCTYPE error
-          mkdir -p docs
           {
           echo "<!DOCTYPE html>"
           echo "<html lang='en'>"
@@ -99,11 +112,13 @@ jobs:
           echo "  </pre>"
           echo "</body>"
           echo "</html>"
-          } > docs/index.html
+          } > gh-pages/index.html
 
-      - name: Deploy to GitHub Pages
-        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: ./docs
-          publish_branch: gh-pages # Change if using another branch
+      - name: Update docs in github pages
+        run: |
+          cd gh-pages
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add "index.html"
+          git commit -m "update behave catalogue"
+          parallel --retries 10 --delay 3 ::: "git pull --rebase && git push"

.github/workflows/sync_copilot.yml

@@ -4,6 +4,7 @@ on:
   workflow_dispatch:
   schedule:
     - cron: "0 6 * * 1"
+permissions: {}
 
 jobs:
   sync-copilot-instructions: