NHSDigital
diff --git a/‎.github/dependabot.yml‎
Lines changed: 46 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/security.yml‎
Lines changed: 105 additions & 0 deletions b/‎.github/workflows/security.yml‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎.github/workflows/spc-exports-snapshot.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/spc-exports-snapshot.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/spc-parity.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/spc-parity.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/spc-publish.yml‎
Lines changed: 0 additions & 50 deletions b/‎.github/workflows/spc-publish.yml‎
Lines changed: 0 additions & 50 deletions
diff --git a/‎.github/workflows/spc-validate.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/spc-validate.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/visual-testing.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/visual-testing.yml‎
Lines changed: 4 additions & 4 deletions
@@ -0,0 +1,46 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    # Limit number of open PRs to avoid overwhelming maintainers
+    open-pull-requests-limit: 10
+    # Add labels for easy filtering
+    labels:
+      - "dependencies"
+      - "automated"
+    # Group minor and patch updates together to reduce PR noise
+    groups:
+      development-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+      production-dependencies:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+    # Assign PRs to maintainer
+    assignees:
+      - "fergusbisset"
+    # Increase pull request limit for security updates
+    # Security updates are always created separately
+    versioning-strategy: increase
+    # Allow Dependabot to rebase PRs
+    rebase-strategy: "auto"
+
+  # Monitor GitHub Actions for updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    assignees:
+      - "fergusbisset"
@@ -26,10 +26,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 20
           registry-url: https://npm.pkg.github.com
 
@@ -0,0 +1,105 @@
+name: Security Scanning
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+  schedule:
+    # Run security scan every Monday at 9am UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch:
+
+jobs:
+  npm-audit:
+    name: NPM Security Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run npm audit
+        run: |
+          echo "## NPM Security Audit Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Run audit and capture output
+          if npm audit --audit-level=moderate 2>&1 | tee audit.txt; then
+            echo "✅ No vulnerabilities found!" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "⚠️ Vulnerabilities detected - see details below" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+            cat audit.txt >> $GITHUB_STEP_SUMMARY
+            echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: Check for outdated dependencies
+        run: |
+          echo "## Outdated Dependencies" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          npm outdated >> $GITHUB_STEP_SUMMARY || true
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+        continue-on-error: true
+
+  codeql:
+    name: CodeQL Security Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          # Optional: Add custom queries
+          # queries: security-extended,security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{matrix.language}}"
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    # Only run on pull requests
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          # Fail the build if vulnerabilities are found
+          fail-on-severity: moderate
+          # Add comment to PR with results
+          comment-summary-in-pr: always
@@ -14,9 +14,9 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'
 
@@ -21,9 +21,9 @@ jobs:
     timeout-minutes: 10
     continue-on-error: true # Allow-fail initially; tighten later
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'
 
@@ -20,9 +20,9 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
             node-version: 22
             cache: 'npm'
 
@@ -16,12 +16,12 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '24'
         cache: 'npm'
@@ -44,7 +44,7 @@ jobs:
       run: npm run test:ssr-components
 
     - name: Publish to Chromatic
-      uses: chromaui/action@v1
+      uses: chromaui/action@v13
       with:
         projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
         buildScriptName: build-storybook
@@ -54,7 +54,7 @@ jobs:
 
     - name: Upload multi-render logs and reports (always)
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: multi-render-artifacts
         if-no-files-found: ignore