OpenReferralUK · jeffcumpsty-tpx · Feb 26, 2026 · Feb 13, 2026 · Feb 16, 2026 · Feb 16, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -90,7 +90,7 @@ jobs:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.32.2
+        uses: github/codeql-action/init@v4.32.4
         with:
           languages: ${{ matrix.language }}
           build-mode: manual
@@ -101,7 +101,7 @@ jobs:
           dotnet build OpenReferralApi.sln --configuration Release --no-restore --verbosity normal
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.32.2
+        uses: github/codeql-action/analyze@v4.32.4
 
   security-scan-fs:
     name: Trivy Filesystem Scan
@@ -113,7 +113,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Run Trivy (filesystem)
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.1
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -122,7 +122,7 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM,UNKNOWN'
 
       - name: Upload Trivy FS SARIF
-        uses: github/codeql-action/upload-sarif@v4.32.2
+        uses: github/codeql-action/upload-sarif@v4.32.4
         if: always()
         with:
           sarif_file: trivy-fs-results.sarif
@@ -199,7 +199,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run Trivy on built image
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.1
         continue-on-error: true
         with:
           image-ref: ${{ needs.docker-build.outputs.image_ref }}
@@ -246,7 +246,7 @@ jobs:
           fi
 
       - name: Upload Trivy Image SARIF
-        uses: github/codeql-action/upload-sarif@v4.32.2
+        uses: github/codeql-action/upload-sarif@v4.32.4
         if: steps.trivy_sarif.outputs.present == 'true'
         with:
           sarif_file: trivy-image-results.sarif

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
 
     # 2. Initialize CodeQL
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4.32.2
+      uses: github/codeql-action/init@v4.32.4
       with:
         languages: csharp
         queries: security-and-quality
@@ -41,4 +41,4 @@ jobs:
 
     # 4. Perform Analysis
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4.32.2
+      uses: github/codeql-action/analyze@v4.32.4
diff --git a/.github/workflows/staging-to-main.yml b/.github/workflows/staging-to-main.yml
@@ -12,13 +12,15 @@ permissions:
 
 jobs:
   check-source-branch:
+    name: staging-to-main-only
     runs-on: ubuntu-latest
     steps:
       - name: Fail if PR is not from staging
-        if: github.head_ref != 'staging'
+        if: github.head_ref != 'staging' && github.actor != 'dependabot[bot]'
         run: |
           echo "Error: Merges into 'main' are only allowed from the 'staging' branch."
           echo "Current source branch: ${{ github.head_ref }}"
+          echo "Current actor: ${{ github.actor }}"
           exit 1
 
       - name: Success status (from staging)
@@ -62,4 +64,4 @@ jobs:
                 '',
                 'Current source branch: **${{ github.head_ref }}**'
               ].join('\n')
-            });
+            });
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -19,7 +19,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Run Trivy vulnerability scanner (Config & Dependency)
-        uses: aquasecurity/trivy-action@0.33.1 # Use the latest version
+        uses: aquasecurity/trivy-action@0.34.1 # Use the latest version
         with:
           scan-type: 'fs' # Scans the file system
           scan-ref: '.'
@@ -29,7 +29,7 @@ jobs:
           # Trivy will ignore these checks if you have a .trivyignore file
 
       - name: Upload Trivy scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4.32.2
+        uses: github/codeql-action/upload-sarif@v4.32.4
         if: always() # Upload results even if vulnerabilities are found
         with:
           sarif_file: 'trivy-results.sarif'
diff --git a/.gitignore b/.gitignore
@@ -65,4 +65,5 @@ OpenReferralApi.sln.DotSettings.user
 results*.json
 
 # AI-generated documentation
-docs/
+docs/
+logs/
diff --git a/OpenReferralApi.Core/Services/SchemaResolverService.cs b/OpenReferralApi.Core/Services/SchemaResolverService.cs
@@ -661,7 +661,7 @@ public async Task<JSchema> CreateSchemaFromJsonAsync(string schemaJson, string?
       // Set base URI for any remaining reference resolution if provided
       if (!string.IsNullOrEmpty(documentUri))
       {
-        _logger.LogDebug("Loading schema with base URI: {DocumentUri}", documentUri);
+        _logger.LogDebug("Loading schema with base URI: {DocumentUri}", SanitizeUrlForLogging(documentUri));
         settings.BaseUri = new Uri(documentUri);
       }
 
@@ -673,7 +673,7 @@ public async Task<JSchema> CreateSchemaFromJsonAsync(string schemaJson, string?
     }
     catch (Exception ex)
     {
-      _logger.LogError(ex, "Failed to create JSON schema from JSON with resolver. DocumentUri: {DocumentUri}", documentUri ?? "none");
+      _logger.LogError(ex, "Failed to create JSON schema from JSON with resolver. DocumentUri: {DocumentUri}", documentUri != null ? SanitizeUrlForLogging(documentUri) : "none");
       throw;
     }
   }

diff --git a/OpenReferralApi.Tests/OpenReferralApi.Tests.csproj b/OpenReferralApi.Tests/OpenReferralApi.Tests.csproj
@@ -10,8 +10,8 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="coverlet.collector" Version="6.0.4" />
-        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.0.1" />
+        <PackageReference Include="coverlet.collector" Version="8.0.0" />
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.3.0" />
         <PackageReference Include="Moq" Version="4.20.72" />
         <PackageReference Include="NUnit" Version="4.4.0" />
         <PackageReference Include="NUnit.Analyzers" Version="4.11.2" />

diff --git a/OpenReferralApi/OpenReferralApi.csproj b/OpenReferralApi/OpenReferralApi.csproj
@@ -18,7 +18,7 @@
         <PackageReference Include="AspNetCore.HealthChecks.Uris" Version="9.0.0" />
         <PackageReference Include="FluentResults" Version="4.0.0" />
         <PackageReference Include="GitHubJwt" Version="0.0.6" />
-        <PackageReference Include="JsonSchema.Net" Version="9.1.0" />
+        <PackageReference Include="JsonSchema.Net" Version="9.1.1" />
         <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.3" />
         <PackageReference Include="MongoDB.Driver" Version="3.6.0" />
         <PackageReference Include="Newtonsoft.Json.Schema" Version="4.0.1" />
@@ -28,10 +28,10 @@
         <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.15.0" />
         <PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.0" />
         <PackageReference Include="OpenTelemetry.Instrumentation.Http" Version="1.15.0" />
-        <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
-        <PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
-        <PackageReference Include="Swashbuckle.AspNetCore" Version="10.1.2" />
-        <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.15.0" />
+        <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.16.0" />
+        <PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
+        <PackageReference Include="Serilog.Sinks.File" Version="7.0.0" />
+        <PackageReference Include="Swashbuckle.AspNetCore" Version="10.1.4" />
     </ItemGroup>
 
     <ItemGroup>
-Original file line number
+Diff line change
@@ Expand Up / @@ -65,4 +65,5 @@ OpenReferralApi.sln.DotSettings.user @@
     results*.json
     # AI-generated documentation
-    docs/
+    docs/
+    logs/