Update alphagov references to govuk-forms #1110

Merged
cadmiumcat merged 1 commit into main from trasfer-forms-deploy-repo
Apr 14, 2026

@cadmiumcat
Contributor

What problem does this pull request solve?

We have transferred all repos to govuk-forms

Trello card:

Things to consider when reviewing

  • Does it work when run on your machine?
  • Is it clear what the code is doing?
  • Do the commit messages explain why the changes were made?
  • Are there all the unit tests needed?
  • Do the end to end tests need updating before these changes will pass?
  • Has all relevant documentation been updated?

jobs:
build-image:
uses: alphagov/forms-deploy/.github/workflows/reusable-build-image.yml@main
uses: govuk-forms/forms-deploy/.github/workflows/reusable-build-image.yml@main
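
Review bot: the replacement `uses:` line still resolves the reusable workflow at `@main`, a mutable ref, so any later commit to that branch of govuk-forms/forms-deploy runs in this job without a change being reviewed here. Pin the reference to a full commit SHA, or record that same-organisation reusable workflows are a deliberate exception to the SHA pinning check.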

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 20 days ago

In general, the fix is to add an explicit permissions block to the workflow (either at the root level or within the specific job) that grants only the minimal permissions required. For a typical build-only workflow that just checks out code and builds a Docker image, read-only access to repository contents (contents: read) is usually sufficient. If the reusable workflow needs more (e.g., to push images or create releases), those scopes can be added there; but given the information available, the minimal safe baseline is to set contents: read at the job level.

The best change with minimal impact is to add a permissions block under the build-image job in .github/workflows/docker_build.yml. That way, we constrain the GITHUB_TOKEN used for this job (and therefore for the called reusable workflow) without altering the triggering conditions or job structure. Concretely, in .github/workflows/docker_build.yml, under jobs:, inside build-image:, we will insert:

permissions:
  contents: read

with proper indentation, just before the existing uses: line. No additional methods, imports, or definitions are needed, as this is pure workflow configuration.

Suggested changeset 1
.github/workflows/docker_build.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
--- a/.github/workflows/docker_build.yml
+++ b/.github/workflows/docker_build.yml
@@ -8,4 +8,6 @@
     types: [checks_requested]
 jobs:
   build-image:
+    permissions:
+      contents: read
     uses: govuk-forms/forms-deploy/.github/workflows/reusable-build-image.yml@main
EOF
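
Review bot: `contents: read` on `build-image` is the ceiling for every job inside `reusable-build-image.yml`, because a called workflow can only keep or reduce the caller's token permissions, and nothing in this hunk shows what that workflow needs. Before applying, read the called workflow's own `permissions` and list any extra scopes it relies on alongside `contents: read`; otherwise the first step that needs more will fail.
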
jobs:
lint-workflows:
uses: alphagov/forms-deploy/.github/workflows/reusable-lint-workflows.yml@main
uses: govuk-forms/forms-deploy/.github/workflows/reusable-lint-workflows.yml@main

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 20 days ago

In general, the fix is to add an explicit permissions block that grants only the minimal required scopes for GITHUB_TOKEN. For a workflow that just lints workflow files (no pushing, no status writes beyond what GitHub itself does, no issue manipulation), contents: read is typically sufficient at the workflow level.

For this specific file (.github/workflows/lint-workflows.yml), the best, non-functional change is to add a root-level permissions block applying to all jobs. It should go between the on: block and the jobs: block to follow common style and avoid altering the job definition. The block will be:

permissions:
  contents: read

No additional imports or dependencies are needed; this is purely a configuration change in the workflow YAML. Only the shown snippet needs editing: insert the permissions section after line 9 and before line 10.

Suggested changeset 1
.github/workflows/lint-workflows.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml
--- a/.github/workflows/lint-workflows.yml
+++ b/.github/workflows/lint-workflows.yml
@@ -7,6 +7,9 @@
       - '.github/workflows/*.yml'
       - '.github/workflows/*.yaml'
 
+permissions:
+  contents: read
+
 jobs:
   lint-workflows:
     uses: govuk-forms/forms-deploy/.github/workflows/reusable-lint-workflows.yml@main
EOF
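
Review bot: this patch scopes the token at workflow level while the docker_build.yml patch does it on the job, so the two files end up with different conventions for the same fix. Prefer the workflow-level block in both, since it also covers jobs added later, and confirm `reusable-lint-workflows.yml` needs nothing beyond `contents: read`, as the caller's block caps the called workflow.
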
cadmiumcat force-pushed the trasfer-forms-deploy-repo branch from 84e4258 to e7942e2, April 14, 2026 11:11
cadmiumcat marked this pull request as ready for review, April 14, 2026 11:16
@stephencdaly
Contributor

I think the SHA pinning check is failing because you missed updating alphagov -> govuk-forms in .github/workflows/review_apps_on_pr_close.yml
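
A local audit for the three things this thread turns on (leftover `alphagov` references, refs not pinned to a SHA, jobs without a `permissions` block), as an added example that is not part of the PR or the repository's own SHA pinning check. The policy that `govuk-forms` workflows may track a branch, the 2-space indentation and the `example-org` action are assumptions.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")  # job- or step-level
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, old_org="alphagov", own_orgs=("govuk-forms",)):
    """Return sorted (line_no, message) findings; line-based, 2-space indent assumed.
    Assumed policy: own_orgs may track a branch, any other owner needs a full SHA."""
    findings, top_perms, in_jobs, job, jobs = [], False, False, None, {}
    for no, line in enumerate(text.splitlines(), 1):
        key = line.strip()
        if not key or key.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                       # top-level key
            in_jobs, job = key.startswith("jobs:"), None
            top_perms = top_perms or key.startswith("permissions:")
        elif in_jobs and indent == 2 and key.endswith(":"):
            job = key[:-1]                    # a job id under jobs:
            jobs[job] = [no, False]
        elif job and indent == 4 and key.startswith("permissions:"):
            jobs[job][1] = True               # job-level permissions block
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue                          # local and container refs are out of scope
        target, _, ref = m.group(1).partition("@")
        owner = target.split("/", 1)[0]
        if owner == old_org:
            findings.append((no, f"stale org: {m.group(1)}"))
        elif owner not in own_orgs and not FULL_SHA.match(ref):
            findings.append((no, f"not pinned to a full SHA: {m.group(1)}"))
    if not top_perms:                         # a workflow-level block covers every job
        findings += [(n, f"job '{j}' has no permissions block")
                     for j, (n, ok) in jobs.items() if not ok]
    return sorted(findings)

# Constructed sample; example-org/example-action is a placeholder, not a real action.
SAMPLE = """\
jobs:
  build-image:
    permissions:
      contents: read
    uses: govuk-forms/forms-deploy/.github/workflows/reusable-build-image.yml@main
  build-image-old:
    uses: alphagov/forms-deploy/.github/workflows/reusable-build-image.yml@main
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@v1
"""
```

Run `audit_workflow` over each file in `.github/workflows/` and fail the check on a non-empty result.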

cadmiumcat requested a review from a team, April 14, 2026 12:04
We have transferred all repos to govuk-forms
cadmiumcat force-pushed the trasfer-forms-deploy-repo branch from e7942e2 to 9bcb8cf, April 14, 2026 12:17
@github-actions

🎉 A review copy of this PR has been deployed! You can reach it at: https://pr-1110.www.review.forms.service.gov.uk/

It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready
after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account
to debug, or otherwise ask an infrastructure person.

For the sign in details and more information, see the review apps wiki page.

cadmiumcat enabled auto-merge, April 14, 2026 12:24
cadmiumcat added this pull request to the merge queue, Apr 14, 2026
Merged via the queue into main with commit 1cc3f3c, Apr 14, 2026
10 of 11 checks passed
cadmiumcat deleted the trasfer-forms-deploy-repo branch, April 14, 2026 13:00