use correct path

anthony-nhs · anthony-nhs · commit e0488279fce2 · 2025-11-21T17:12:47.000Z
diff --git a/.github/actions/get_called_ref/action.yml b/.github/actions/get_called_ref/action.yml
@@ -0,0 +1,27 @@
+name: Get called workflow ref
+
+description: >
+  A workaround to the issue: https://github.com/actions/toolkit/issues/1264.
+  
+  This is needed for the reusable workflow to be able to access its own version (commit hash)
+  that is being called by the caller workflow. This allows for using a proper ref of composite actions
+  inside the reusable workflow.
+inputs:
+  GH_TOKEN_ADMIN:
+    required: true
+    description: 'GitHub token with admin permissions to access workflow run details.'
+
+outputs:
+  caller-ref:
+    description: 'The reference (commit hash or branch) of the called workflow'
+    value: ${{ steps.workflows-ref.outputs.caller-ref }}
+
+runs:
+  using: composite
+  steps:
+    - name: Get workflow reference
+      id: workflows-ref
+      shell: bash
+      run: |
+        ref=$(curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ inputs.GH_TOKEN_ADMIN }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }} | jq -r '.referenced_workflows[0] | .ref')
+        echo "caller-ref=$ref" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -39,6 +39,16 @@ on:
         required: false
         default: "dev_container_build"
 jobs:
+  get-called-ref:
+    name: Get called ref
+    runs-on: ubuntu-latest
+    outputs:
+      ref: ${{ steps.get_called_ref.outputs.caller-ref }}
+    steps:
+      - id: get_called_ref
+        uses: NHSDigital/eps-common-workflows/.github/actions/get_called_ref@dev_container_build
+        with: 
+          GH_TOKEN_ADMIN: ${{ secrets.GITHUB_TOKEN }}
   quality_checks:
     runs-on: ubuntu-22.04
     steps:
@@ -421,6 +431,7 @@ jobs:
           path: cfn_guard_output
 
   build_dev_container_x64:
+    needs: [get-called-ref]
     permissions:
       id-token: write
     runs-on: ubuntu-22.04
@@ -434,7 +445,7 @@ jobs:
         env:
           SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
         run: |
-          curl -L "https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
+          curl -L "https://raw.githubusercontent.com/NHSDigital/eps-common-workflows/${{ needs.get-called-ref.outputs.ref }}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
           chmod +x check_ecr_image_scan_results.sh
       - name: Build dev container
         run: |
@@ -477,6 +488,7 @@ jobs:
           ./check_ecr_image_scan_results.sh
 
   build_dev_container_arm64:
+    needs: [get-called-ref]
     permissions:
       id-token: write
     runs-on: ubuntu-22.04-arm
@@ -490,7 +502,7 @@ jobs:
         env:
           SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
         run: |
-          curl -L "https://raw.githubusercontent.com/NHSDigital/eps-common-workflows/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
+          curl -L "https://raw.githubusercontent.com/NHSDigital/eps-common-workflows/${{ needs.get-called-ref.outputs.ref }}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
           chmod +x check_ecr_image_scan_results.sh
 
       - name: Build dev container
