Upgrade: [dependabot] - bump NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml from 5.2.9 to 5.2.11 (#277)

dependabot[bot] · anthony-nhs · web-flow · commit ef797c63c90c · 2026-01-09T17:49:39.000Z
Bumps [NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml](https://github.com/nhsdigital/eps-common-workflows) from 5.2.9 to 5.2.11. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nhsdigital/eps-common-workflows/releases">NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml's releases</a>.</em></p> <blockquote> <h2>v5.2.11</h2> <h2><a href="https://github.com/NHSDigital/eps-common-workflows/compare/v5.2.10...v5.2.11">5.2.11</a> (2026-01-08)</h2> <h3>Fix</h3> <ul> <li>[AEA-6060] - use trivy for sbom and licence scan (<a href="https://redirect.github.com/nhsdigital/eps-common-workflows/issues/41">#41</a>) (<a href="https://github.com/NHSDigital/eps-common-workflows/commit/2fe6bc6cd974efb4d55a2a7b665385f7a2d28950">2fe6bc6</a>)</li> </ul> <h2>Info</h2> <p><a href="https://github.com/NHSDigital/eps-common-workflows/compare/343b01abc9a6...2fe6bc6cd974">See code diff</a> <a href="https://github.com/NHSDigital/eps-common-workflows/actions/runs/20815530676">Release workflow run</a> - Workflow ID: 20815530676</p> <p>It was initialized by <a href="https://github.com/MatthewPopat-NHS">MatthewPopat-NHS</a></p> <h2>v5.2.10</h2> <h2><a href="https://github.com/NHSDigital/eps-common-workflows/compare/v5.2.9...v5.2.10">5.2.10</a> (2026-01-07)</h2> <h3>Chore</h3> <ul> <li>[AEA-0000] - update python and node (<a href="https://redirect.github.com/nhsdigital/eps-common-workflows/issues/42">#42</a>) (<a href="https://github.com/NHSDigital/eps-common-workflows/commit/343b01abc9a63bfe9c34d1e72ae358ce421aa805">343b01a</a>)</li> </ul> <h2>Info</h2> <p><a href="https://github.com/NHSDigital/eps-common-workflows/compare/2b3ddfd1e59d...343b01abc9a6">See code diff</a> <a href="https://github.com/NHSDigital/eps-common-workflows/actions/runs/20791091362">Release workflow run</a> - Workflow ID: 20791091362</p> <p>It was initialized by <a href="https://github.com/anthony-nhs">anthony-nhs</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/NHSDigital/eps-common-workflows/commit/2fe6bc6cd974efb4d55a2a7b665385f7a2d28950"><code>2fe6bc6</code></a> Fix: [AEA-6060] - use trivy for sbom and licence scan (<a href="https://redirect.github.com/nhsdigital/eps-common-workflows/issues/41">#41</a>)</li> <li><a href="https://github.com/NHSDigital/eps-common-workflows/commit/343b01abc9a63bfe9c34d1e72ae358ce421aa805"><code>343b01a</code></a> Chore: [AEA-0000] - update python and node (<a href="https://redirect.github.com/nhsdigital/eps-common-workflows/issues/42">#42</a>)</li> <li>See full diff in <a href="https://github.com/nhsdigital/eps-common-workflows/compare/2b3ddfd1e59daf9905522d0140c6cd08e2547432...2fe6bc6cd974efb4d55a2a7b665385f7a2d28950">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml&package-manager=github_actions&previous-version=5.2.9&new-version=5.2.11)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: anthony-nhs <121869075+anthony-nhs@users.noreply.github.com> Co-authored-by: Anthony Brown <anthony.brown8@nhs.net>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,7 +28,7 @@ jobs:
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2fe6bc6cd974efb4d55a2a7b665385f7a2d28950
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -33,7 +33,7 @@ jobs:
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2fe6bc6cd974efb4d55a2a7b665385f7a2d28950
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,7 +27,7 @@ jobs:
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@2fe6bc6cd974efb4d55a2a7b665385f7a2d28950
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
diff --git a/.gitignore b/.gitignore
@@ -34,3 +34,4 @@ cdk.out
 .requirements_syncKnowledgeBaseFunction
 .local_config/
 .dependencies/
+.poetry/
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -0,0 +1,16 @@
+vulnerabilities:
+  - id: CVE-2025-66418
+    paths:
+      - "node_modules/@cdklabs/generative-ai-cdk-constructs/lambda/aws-bedrock-batch-stepfn/uv.lock"
+      - "node_modules/@cdklabs/generative-ai-cdk-constructs/lambda/opensearch-serverless-custom-resources/poetry.lock"
+    statement: downstream dependency just used in build stage
+  - id: CVE-2025-66471
+    paths:
+      - "node_modules/@cdklabs/generative-ai-cdk-constructs/lambda/aws-bedrock-batch-stepfn/uv.lock"
+      - "node_modules/@cdklabs/generative-ai-cdk-constructs/lambda/opensearch-serverless-custom-resources/poetry.lock"
+    statement: downstream dependency just used in build stage
+  - id: CVE-2026-21441
+    paths:
+      - "node_modules/@cdklabs/generative-ai-cdk-constructs/lambda/aws-bedrock-batch-stepfn/uv.lock"
+      - "node_modules/@cdklabs/generative-ai-cdk-constructs/lambda/opensearch-serverless-custom-resources/poetry.lock"
+    statement: downstream dependency just used in build stage
diff --git a/Makefile b/Makefile
@@ -65,6 +65,7 @@ clean:
 
 deep-clean: clean
 	rm -rf .venv
+	rm -rf .poetry
 	find . -name 'node_modules' -type d -prune -exec rm -rf '{}' +
 
 check-licenses: check-licenses-node check-licenses-python
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -47,10 +47,3 @@ aws-lambda-powertools = "^3.23.0"
 
 [tool.black]
 line-length = 120
-
-[build-system]
-requires = ["poetry>=0.12"]
-build-backend = "poetry.masonry.api"
-
-[tool.poetry.requires-plugins]
-poetry-plugin-export = ">=1.8"
diff --git a/scripts/run_sync.sh b/scripts/run_sync.sh
@@ -64,8 +64,8 @@ echo "Generating config for ${EPSAM_CONFIG}"
 
 echo "Installing dependencies locally"
 mkdir -p .dependencies
-poetry export --without-hashes --format=requirements.txt --with slackBotFunction > .dependencies/requirements_slackBotFunction
-poetry export --without-hashes --format=requirements.txt --with syncKnowledgeBaseFunction > .dependencies/requirements_syncKnowledgeBaseFunction
+poetry show --only=slackBotFunction | grep -E "^[a-zA-Z]" | awk '{print $1"=="$2}' > .dependencies/requirements_slackBotFunction
+poetry show --only=syncKnowledgeBaseFunction | grep -E "^[a-zA-Z]" | awk '{print $1"=="$2}' > .dependencies/requirements_syncKnowledgeBaseFunction
 pip3 install -r .dependencies/requirements_slackBotFunction -t .dependencies/slackBotFunction/python
 pip3 install -r .dependencies/requirements_syncKnowledgeBaseFunction -t .dependencies/syncKnowledgeBaseFunction/python
 
diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: ".trivyignore.yaml"
