NHSDigital · anthony-nhs · Feb 24, 2026 · Feb 24, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,63 +27,43 @@ jobs:
           echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
           echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
   get_config_values:
-    runs-on: ubuntu-22.04
-    outputs:
-      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
-      devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
-      devcontainer_image: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
-      - name: Load config value
-        id: load-config
-        run: |
-          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
-          DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
-          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
-          {
-            echo "TAG_FORMAT=$TAG_FORMAT" 
-            echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
-            echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
-          } >> "$GITHUB_OUTPUT"
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    with:
+      verify_published_from_main_image: true
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
     needs: [get_config_values, get_commit_id]
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       run_docker_scan: true
       docker_images: "eps-cdk-utils"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
     with:
       dry_run: true
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
       publish_packages: packages/cdkConstructs,packages/deploymentUtils
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-      verify_published_from_main_image: true
     secrets: inherit
 
   package_code:
     needs: [tag_release, quality_checks, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_build.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       VERSION_NUMBER: pre-release-${{ needs.get_commit_id.outputs.sha_short }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 
   release_dev:
     needs: [tag_release, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       AWS_ENVIRONMENT: dev
       VERSION_NUMBER: pre-release-${{ needs.get_commit_id.outputs.sha_short }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -97,8 +77,7 @@ jobs:
       [tag_release, release_dev, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       AWS_ENVIRONMENT: qa
       VERSION_NUMBER: pre-release-${{ needs.get_commit_id.outputs.sha_short }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -112,8 +91,7 @@ jobs:
       [tag_release, release_dev, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       AWS_ENVIRONMENT: ref
       VERSION_NUMBER: pre-release-${{ needs.get_commit_id.outputs.sha_short }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -126,5 +104,4 @@ jobs:
     needs: [quality_checks, get_commit_id, get_config_values]
     uses: ./.github/workflows/package_npm_code.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.github/workflows/docker_image_build.yml b/.github/workflows/docker_image_build.yml
@@ -9,24 +9,15 @@ on:
       COMMIT_ID:
         required: true
         type: string
-      runtime_docker_image:
+      pinned_image:
         type: string
         required: true
-      verify_published_from_main_image:
-        type: boolean
-        required: true
 
 jobs:
-  verify_attestation:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
-    with:
-      runtime_docker_image: "${{ inputs.runtime_docker_image }}"
-      verify_published_from_main_image: ${{ inputs.verify_published_from_main_image }}
   docker_image_build:
     runs-on: ubuntu-22.04
-    needs: verify_attestation
     container:
-      image: ${{ needs.verify_attestation.outputs.pinned_image }}
+      image: ${{ inputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
     defaults:
       run:

diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml
@@ -18,27 +18,18 @@ on:
       DOCKER_IMAGE_TAG:
         required: true
         type: string
-      runtime_docker_image:
+      pinned_image:
         type: string
         required: true
-      verify_published_from_main_image:
-        type: boolean
-        required: true
     secrets:
       CDK_PUSH_IMAGE_ROLE:
         required: true
 
 jobs:
-  verify_attestation:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
-    with:
-      runtime_docker_image: "${{ inputs.runtime_docker_image }}"
-      verify_published_from_main_image: ${{ inputs.verify_published_from_main_image }}
   upload_docker_image:
-    needs: verify_attestation
     runs-on: ubuntu-22.04
     container:
-      image: ${{ needs.verify_attestation.outputs.pinned_image }}
+      image: ${{ inputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
     defaults:
       run:

diff --git a/.github/workflows/package_npm_code.yml b/.github/workflows/package_npm_code.yml
@@ -3,24 +3,15 @@ name: docker image build
 on:
     workflow_call:
         inputs:
-            runtime_docker_image:
+            pinned_image:
                 type: string
                 required: true
-            verify_published_from_main_image:
-                type: boolean
-                required: true
 
 jobs:
-    verify_attestation:
-        uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
-        with:
-            runtime_docker_image: "${{ inputs.runtime_docker_image }}"
-            verify_published_from_main_image: ${{ inputs.verify_published_from_main_image }}
     package_npm_code:
         runs-on: ubuntu-22.04
-        needs: [verify_attestation]
         container:
-            image: ${{ needs.verify_attestation.outputs.pinned_image }}
+            image: ${{ inputs.pinned_image }}
             options: --user 1001:1001 --group-add 128
         defaults:
             run:

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -9,26 +9,9 @@ env:
 
 jobs:
   get_config_values:
-    runs-on: ubuntu-22.04
-    outputs:
-      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
-      devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
-      devcontainer_image: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
-      - name: Load config value
-        id: load-config
-        run: |
-          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
-          DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
-          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
-          {
-            echo "TAG_FORMAT=$TAG_FORMAT" 
-            echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
-            echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
-          } >> "$GITHUB_OUTPUT"
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    with:
+      verify_published_from_main_image: false
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@d215f841eb18b803e339e4ed597ed1f30e086e17
@@ -38,10 +21,10 @@ jobs:
   pr_title_format_check:
     uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@d215f841eb18b803e339e4ed597ed1f30e086e17
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
     needs: [get_config_values, get_commit_id]
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       run_docker_scan: true
       docker_images: "eps-cdk-utils"
 
@@ -97,15 +80,13 @@ jobs:
     with:
       VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: false
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 
   package_npm_code:
     needs: [quality_checks, get_commit_id, get_config_values]
     uses: ./.github/workflows/package_npm_code.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: false
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 
   release_docker_image:
     needs:
@@ -117,18 +98,16 @@ jobs:
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
       TAG_LATEST: false
       DOCKER_IMAGE_TAG: PR-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: false
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
       CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}
 
   tag_release:
     needs: [get_commit_id, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
     with:
       dry_run: true
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: false
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
       publish_packages: packages/cdkConstructs,packages/deploymentUtils
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,26 +10,9 @@ env:
 
 jobs:
   get_config_values:
-    runs-on: ubuntu-22.04
-    outputs:
-      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
-      devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
-      devcontainer_image: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
-      - name: Load config value
-        id: load-config
-        run: |
-          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
-          DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
-          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
-          {
-            echo "TAG_FORMAT=$TAG_FORMAT" 
-            echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
-            echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
-          } >> "$GITHUB_OUTPUT"
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    with:
+      verify_published_from_main_image: true
   get_commit_id:
     runs-on: ubuntu-22.04
     outputs:
@@ -49,25 +32,24 @@ jobs:
           echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
           echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
     needs: [get_config_values, get_commit_id]
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       run_docker_scan: true
       docker_images: "eps-cdk-utils"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
     with:
       dry_run: false
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
       publish_packages: packages/cdkConstructs,packages/deploymentUtils
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-      verify_published_from_main_image: true
     secrets: inherit
 
   package_code:
@@ -76,15 +58,13 @@ jobs:
     with:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 
   release_dev:
     needs: [tag_release, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       AWS_ENVIRONMENT: dev
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -98,8 +78,7 @@ jobs:
       [tag_release, release_dev, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       AWS_ENVIRONMENT: qa
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -113,8 +92,7 @@ jobs:
       [tag_release, release_dev, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       AWS_ENVIRONMENT: ref
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -128,8 +106,7 @@ jobs:
       [tag_release, release_qa, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       AWS_ENVIRONMENT: int
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -143,8 +120,7 @@ jobs:
       [tag_release, release_int, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
-      verify_published_from_main_image: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       AWS_ENVIRONMENT: prod
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}