NHSDigital · originalphil · Mar 4, 2026 · Feb 27, 2026 · Mar 2, 2026 · Mar 2, 2026
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -46,6 +46,11 @@ on:
                 description: "An repository for the extra artifact"
                 required: false
                 type: string
+            pypi_publish:
+                description: "Whether to publish to PyPI"
+                required: false
+                type: boolean
+                default: false
         outputs:
             version_tag:
                 value: ${{ jobs.tag_release.outputs.version_tag }}
@@ -59,6 +64,9 @@ on:
             NPM_TOKEN:
                 required: false
                 description: "NPM token to publish packages"
+            PYPI_TOKEN:
+                required: false
+                description: "PyPI token to publish packages"
 jobs:
     install_semantic_release:
         # Install asdf
@@ -231,7 +239,7 @@ jobs:
                   name: config_artifact
 
             - name: Cache asdf
-              if: inputs.publish_packages != ''
+              if: ${{ inputs.publish_packages != '' || inputs.pypi_publish }}
               uses: actions/cache@v5
               with:
                   path: |
@@ -241,15 +249,15 @@ jobs:
                       ${{ runner.os }}-asdf-
 
             - name: Install asdf dependencies in .tool-versions
-              if: inputs.publish_packages != ''
+              if: ${{ inputs.publish_packages != '' || inputs.pypi_publish }}
               uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
               with:
                   asdf_version: ${{ inputs.asdfVersion }}
               env:
                   PYTHON_CONFIGURE_OPTS: --enable-shared
 
             - name: Install Dependencies and Build Package
-              if: inputs.publish_packages != ''
+              if: ${{ inputs.publish_packages != '' || inputs.pypi_publish }}
               run: |
                   make install
                   make build
@@ -320,6 +328,8 @@ jobs:
                   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
                   MAIN_BRANCH: ${{ inputs.main_branch }}
                   EXTRA_ASSET: ${{ inputs.extra_artifact_name }}
+                  PYPI_PUBLISH: ${{ inputs.pypi_publish }}
+                  PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
             - name: Create semantic release tag
               if: ${{ !inputs.dry_run }}
@@ -330,6 +340,8 @@ jobs:
                   TAG_FORMAT: ${{ inputs.tag_format }}
                   MAIN_BRANCH: ${{ inputs.main_branch }}
                   EXTRA_ASSET: ${{ inputs.extra_artifact_name }}
+                  PYPI_PUBLISH: ${{ inputs.pypi_publish }}
+                  PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
               run: |
                   npx semantic-release --tag-format "${TAG_FORMAT}"
 

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -16,6 +16,12 @@ vulnerabilities:
   - id: CVE-2026-26996
     statement: minimatch vulnerability accepted as risk
     expired_at: 2026-06-01
+  - id: CVE-2026-27903
+    statement: minimatch vulnerability accepted as risk - dependency of npm (multiple)
+    expired_at: 2026-06-01
+  - id: CVE-2026-27904
+    statement: minimatch vulnerability accepted as risk - dependency of npm (multiple)
+    expired_at: 2026-06-01
   - id: CVE-2026-26960
     statement: tar vulnerability accepted as risk
     expired_at: 2026-06-01