Merge pull request #1044 from NHSDigital/feature/axkr1-NRL-1594-sonarcloudorama

axelkrastek1-nhs · web-flow · commit 332110584e08 · 2025-09-26T14:59:07.000+01:00
NRL-1594 sonarcloudorama
diff --git a/.github/workflows/activate-stack.yml b/.github/workflows/activate-stack.yml
@@ -38,7 +38,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
@@ -42,7 +42,7 @@ jobs:
         run: make build
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml
@@ -45,7 +45,7 @@ jobs:
         run: make build
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -89,7 +89,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -121,11 +121,13 @@ jobs:
             terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}
 
       - name: Terraform Plan
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         run: |
           inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
           terraform -chdir=terraform/infrastructure plan \
             --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
-            --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+            --var assume_role_arn=${DEPLOY_ROLE_ARN} \
             --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \
             -out tfplan
 
@@ -166,7 +168,7 @@ jobs:
           fail-on-cache-miss: true
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -219,7 +221,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -248,7 +250,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -277,7 +279,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml
@@ -67,7 +67,7 @@ jobs:
         run: make build
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -121,7 +121,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -150,10 +150,12 @@ jobs:
           terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Terraform Plan
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         run: |
           terraform -chdir=terraform/infrastructure plan \
           --var-file=etc/dev.tfvars \
-          --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+          --var assume_role_arn=${DEPLOY_ROLE_ARN} \
           --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ needs.set-environment-id.outputs.environment_id }}) \
           -out tfplan
 
@@ -203,7 +205,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -213,7 +215,7 @@ jobs:
         run: make truststore-pull-client ENV=dev
 
       - name: Configure Dev Account Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-chaining: true
@@ -240,7 +242,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -275,7 +277,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -285,7 +287,9 @@ jobs:
         run: make truststore-pull-client ENV=dev
 
       - name: Configure Dev Account Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         with:
           aws-region: eu-west-2
           role-chaining: true
diff --git a/.github/workflows/pr-env-destroy.yml b/.github/workflows/pr-env-destroy.yml
@@ -61,7 +61,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.CI_ROLE_NAME }}
@@ -80,10 +80,12 @@ jobs:
         run: make build get-s3-perms
 
       - name: Terraform Destroy
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         run: |
           terraform -chdir=terraform/infrastructure destroy \
             --var-file=etc/dev.tfvars \
-            --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+            --var assume_role_arn=${DEPLOY_ROLE_ARN} \
             -auto-approve
 
       - name: Cleanup Terraform Workspace
diff --git a/.github/workflows/rollback-stack.yml b/.github/workflows/rollback-stack.yml
@@ -33,7 +33,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
@@ -43,7 +43,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -91,7 +91,7 @@ jobs:
           poetry install --no-root
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -122,14 +122,14 @@ jobs:
           ref: ${{ github.ref }}
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
           role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
 
       - name: Configure Account Role
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-chaining: true
@@ -180,7 +180,7 @@ jobs:
           fail-on-cache-miss: true
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -193,10 +193,12 @@ jobs:
               terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
 
       - name: Terraform Plan
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         run: |
           terraform -chdir=terraform/infrastructure plan \
               --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
-              --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+              --var assume_role_arn=${DEPLOY_ROLE_ARN} \
               --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
               --out tfplan
 
@@ -239,7 +241,7 @@ jobs:
           fail-on-cache-miss: true
 
       - name: Configure Management Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
