NHSDigital · bshand · Apr 13, 2026 · Apr 13, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -20,3 +20,9 @@ updates:
     exclude-paths:
       - "*"
     open-pull-requests-limit: 0 # Disable version updates for npm dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7 # Wait 7 days after publication
diff --git a/.github/workflows/future_proof.yml b/.github/workflows/future_proof.yml
@@ -53,11 +53,11 @@ jobs:
       BUNDLE_WITHOUT: rdc:oracle
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6
       - name: Remove Gemfile.lock so we get the latest gems
         run: rm Gemfile.lock
       - name: Set up Ruby + Bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby-version }}

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -9,11 +9,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6
       with:
         fetch-depth: 0 # fetch everything
     - name: Set up Ruby + Bundle
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1
       with:
         bundler-cache: true
     - name: Run RuboCop against BASE..HEAD changes

diff --git a/.github/workflows/static_code_analysis.yml b/.github/workflows/static_code_analysis.yml
@@ -8,9 +8,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6
       - name: Set up Ruby + Bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1
         with:
           bundler-cache: true
       - name: Run Brakeman analysis
@@ -20,9 +20,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6
       - name: Set up Ruby + Bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1
         with:
           bundler-cache: true
       - name: Audit the bundle
@@ -34,9 +34,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6
       - name: Set up Ruby + Bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1
         with:
           bundler-cache: true
       - name: Audit the yarn npm packages

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -52,13 +52,13 @@ jobs:
       RAILS_ENV: test
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6
       - name: Set timezone to Europe/London
         run: sudo timedatectl set-timezone Europe/London
       - name: Use bundled npm files
         run: printf 'disable-self-update-check true\nyarn-offline-mirror "./vendor/npm-packages-offline-cache"\nyarn-offline-mirror-pruning false\n' > .yarnrc
       - name: Set up Ruby + Bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby-version }}
@@ -127,13 +127,13 @@ jobs:
       RAILS_ENV: test
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6
       - name: Set timezone to Europe/London
         run: sudo timedatectl set-timezone Europe/London
       - name: Use bundled npm files
         run: printf 'disable-self-update-check true\nyarn-offline-mirror "./vendor/npm-packages-offline-cache"\nyarn-offline-mirror-pruning false\n' > .yarnrc
       - name: Set up Ruby + Bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby-version }}

diff --git a/.github/workflows/upload-artifacts.yml b/.github/workflows/upload-artifacts.yml
@@ -15,7 +15,7 @@ jobs:
       AWS_DEFAULT_REGION: eu-west-2
     steps:
       - name: Git checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6
 
       - name: Confirm AWS destinations for deployments
         run: echo AWS_GITHUB_ACTIONS_DEPLOY_ROLE="${{ secrets.AWS_GITHUB_ACTIONS_DEPLOY_ROLE }}", AWS_GITHUB_ACTIONS_S3_BUCKET="${{ secrets.AWS_GITHUB_ACTIONS_S3_BUCKET }}"
@@ -26,7 +26,7 @@ jobs:
           AWS_GITHUB_ACTIONS_DEPLOY_ROLE: ${{secrets.AWS_GITHUB_ACTIONS_DEPLOY_ROLE}}
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # aws-actions/configure-aws-credentials@v1 see https://github.com/aws-actions/configure-aws-credentials/releases/tag/v1
         with:
           # role-to-assume: arn:aws:iam::[aws-account-id]:role/dms-github-actions-deploy-role
           # To find the role name, login to AWS Openstack Dev IAM and search for
@@ -36,7 +36,7 @@ jobs:
           aws-region: ${{env.AWS_DEFAULT_REGION}}
 
       - name: Zip artifacts
-        uses: thedoctor0/zip-release@master
+        uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # thedoctor0/zip-release@master see https://github.com/TheDoctor0/zip-release/tree/master
         with:
           type: "zip"
           filename: "mbis_app.zip"