From 641fc9bd0dda9ec79d1fe5957cb24575c602302f Mon Sep 17 00:00:00 2001 From: Phil Gee Date: Wed, 4 Mar 2026 16:29:46 +0000 Subject: [PATCH 1/8] AEA-5986 Conditionally add pypi plugin. --- release.config.cjs | 186 +++++++++++++++++++++++---------------------- 1 file changed, 96 insertions(+), 90 deletions(-) diff --git a/release.config.cjs b/release.config.cjs index 8a64634..590bfe5 100644 --- a/release.config.cjs +++ b/release.config.cjs 
@@ -8,100 +8,106 @@ const mainBranch = process.env.MAIN_BRANCH || "main" const pypiPublish = process.env.PYPI_PUBLISH?.toLowerCase() === 'true' || false const pypiToken = process.env.PYPI_TOKEN -module.exports = { - branches: [ +const pypiPlugin = [ + "semantic-release-pypi", + { + repoToken: pypiToken + } +] + +const plugins = [ + [ + "@semantic-release/commit-analyzer", { - name: mainBranch + preset: "eslint", + releaseRules: [ + { + tag: "Fix", + release: "patch" + }, + { + tag: "Update", + release: "patch" + }, + { + tag: "New", + release: "minor" + }, + { + tag: "Breaking", + release: "major" + }, + { + tag: "Docs", + release: "patch" + }, + { + tag: "Build", + release: false + }, + { + tag: "Upgrade", + release: "patch" + }, + { + tag: "Chore", + release: "patch" + } + ] } ], - plugins: [ - [ - "@semantic-release/commit-analyzer", - { - preset: "eslint", - releaseRules: [ - { - tag: "Fix", - release: "patch" - }, - { - tag: "Update", - release: "patch" - }, - { - tag: "New", - release: "minor" - }, - { - tag: "Breaking", - release: "major" - }, - { - tag: "Docs", - release: "patch" - }, - { - tag: "Build", - release: false - }, - { - tag: "Upgrade", - release: "patch" - }, - { - tag: "Chore", - release: "patch" - } - ] - } - ], - [ - "@semantic-release/release-notes-generator", - { - preset: "eslint", - writerOpts: { - commitPartial: commitTemplate - } - } - ], - [ - "@semantic-release/changelog", - { - changelogFile: "CHANGELOG.md" - } - ], - ...publish_packages.map(subpackage => [ - "@semantic-release/npm", - { - pkgRoot: subpackage - } - ]), - [ - "semantic-release-pypi", - { - pypiPublish: pypiPublish, - repoToken: pypiToken + [ + "@semantic-release/release-notes-generator", + { + preset: "eslint", + writerOpts: { + commitPartial: commitTemplate } - ], - [ - "@semantic-release/github", - { - assets: [ + } + ], + [ + "@semantic-release/changelog", + { + changelogFile: "CHANGELOG.md" + } + ], + ...publish_packages.map(subpackage => [ + 
"@semantic-release/npm", + { + pkgRoot: subpackage + } + ]), + [ + "@semantic-release/github", + { + assets: [ + { + path: "CHANGELOG.md", + label: "CHANGELOG.md" + }, + ...(process.env.EXTRA_ASSET ? [ { - path: "CHANGELOG.md", - label: "CHANGELOG.md" - }, - ...(process.env.EXTRA_ASSET ? [ - { - path: process.env.EXTRA_ASSET, - label: process.env.EXTRA_ASSET - } - ] : []) - ], - successComment: false, - failComment: false, - failTitle: false - } - ] + path: process.env.EXTRA_ASSET, + label: process.env.EXTRA_ASSET + } + ] : []) + ], + successComment: false, + failComment: false, + failTitle: false + } ] +] + +if (pypiPublish) { + plugins.push(pypiPlugin) +} + +module.exports = { + branches: [ + { + name: mainBranch + } + ], + plugins: plugins } From f217aaa9077a7a3575d160ec10887e73eeabf95d Mon Sep 17 00:00:00 2001 From: Phil Gee Date: Wed, 4 Mar 2026 16:50:33 +0000 Subject: [PATCH 2/8] AEA-5986 Use spread operator for elegance. --- release.config.cjs | 185 ++++++++++++++++++++++----------------------- 1 file changed, 90 insertions(+), 95 deletions(-) diff --git a/release.config.cjs b/release.config.cjs index 590bfe5..5d6fc50 100644 --- a/release.config.cjs +++ b/release.config.cjs 
@@ -8,106 +8,101 @@ const mainBranch = process.env.MAIN_BRANCH || "main" const pypiPublish = process.env.PYPI_PUBLISH?.toLowerCase() === 'true' || false const pypiToken = process.env.PYPI_TOKEN -const pypiPlugin = [ - "semantic-release-pypi", - { - repoToken: pypiToken - } -] - -const plugins = [ - [ - "@semantic-release/commit-analyzer", +module.exports = { + branches: [ { - preset: "eslint", - releaseRules: [ - { - tag: "Fix", - release: "patch" - }, - { - tag: "Update", - release: "patch" - }, - { - tag: "New", - release: "minor" - }, - { - tag: "Breaking", - release: "major" - }, - { - tag: "Docs", - release: "patch" - }, - { - tag: "Build", - release: false - }, - { - tag: "Upgrade", - release: "patch" - }, - { - tag: "Chore", - release: "patch" - } - ] + name: mainBranch } ], - [ - "@semantic-release/release-notes-generator", - { - preset: "eslint", - writerOpts: { - commitPartial: commitTemplate + plugins: [ + [ + "@semantic-release/commit-analyzer", + { + preset: "eslint", + releaseRules: [ + { + tag: "Fix", + release: "patch" + }, + { + tag: "Update", + release: "patch" + }, + { + tag: "New", + release: "minor" + }, + { + tag: "Breaking", + release: "major" + }, + { + tag: "Docs", + release: "patch" + }, + { + tag: "Build", + release: false + }, + { + tag: "Upgrade", + release: "patch" + }, + { + tag: "Chore", + release: "patch" + } + ] } - } - ], - [ - "@semantic-release/changelog", - { - changelogFile: "CHANGELOG.md" - } - ], - ...publish_packages.map(subpackage => [ - "@semantic-release/npm", - { - pkgRoot: subpackage - } - ]), - [ - "@semantic-release/github", - { - assets: [ + ], + [ + "@semantic-release/release-notes-generator", + { + preset: "eslint", + writerOpts: { + commitPartial: commitTemplate + } + } + ], + [ + "@semantic-release/changelog", + { + changelogFile: "CHANGELOG.md" + } + ], + ...publish_packages.map(subpackage => [ + "@semantic-release/npm", + { + pkgRoot: subpackage + } + ]), + ...(pypiPublish ? 
[ + [ + "semantic-release-pypi", { - path: "CHANGELOG.md", - label: "CHANGELOG.md" - }, - ...(process.env.EXTRA_ASSET ? [ + repoToken: pypiToken + } + ] + ] : []), + [ + "@semantic-release/github", + { + assets: [ { - path: process.env.EXTRA_ASSET, - label: process.env.EXTRA_ASSET - } - ] : []) - ], - successComment: false, - failComment: false, - failTitle: false - } + path: "CHANGELOG.md", + label: "CHANGELOG.md" + }, + ...(process.env.EXTRA_ASSET ? [ + { + path: process.env.EXTRA_ASSET, + label: process.env.EXTRA_ASSET + } + ] : []) + ], + successComment: false, + failComment: false, + failTitle: false + } + ] ] -] - -if (pypiPublish) { - plugins.push(pypiPlugin) -} - -module.exports = { - branches: [ - { - name: mainBranch - } - ], - plugins: plugins } From 8b033e493ed8e1c559110e04987628c59fcfdb64 Mon Sep 17 00:00:00 2001 From: Phil Gee Date: Thu, 5 Mar 2026 09:42:49 +0000 Subject: [PATCH 3/8] AEA-5986 Remove plugin from config to test. --- release.config.cjs | 8 -------- 1 file changed, 8 deletions(-) diff --git a/release.config.cjs b/release.config.cjs index 5d6fc50..d378796 100644 --- a/release.config.cjs +++ b/release.config.cjs @@ -76,14 +76,6 @@ module.exports = { pkgRoot: subpackage } ]), - ...(pypiPublish ? [ - [ - "semantic-release-pypi", - { - repoToken: pypiToken - } - ] - ] : []), [ "@semantic-release/github", { From d142f726d7a5330f597c719416c526f51e16917c Mon Sep 17 00:00:00 2001 From: Phil Gee Date: Thu, 5 Mar 2026 09:47:45 +0000 Subject: [PATCH 4/8] AEA-5986 Re-add plugin to config. --- release.config.cjs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/release.config.cjs b/release.config.cjs index d378796..5d6fc50 100644 --- a/release.config.cjs +++ b/release.config.cjs @@ -76,6 +76,14 @@ module.exports = { pkgRoot: subpackage } ]), + ...(pypiPublish ? [ + [ + "semantic-release-pypi", + { + repoToken: pypiToken + } + ] + ] : []), [ "@semantic-release/github", { From 49a9a3ab7a8422b612517bbb382bd7e9cc1c9b50 Mon Sep 17 00:00:00 2001 
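Review bot: In the release.config.cjs hunk of patch 2/8, the `semantic-release-pypi` entry is spread into `plugins` whenever `PYPI_PUBLISH` is `true`, but nothing checks that `PYPI_TOKEN` is set, so a misconfigured job hands the plugin `repoToken: undefined`. How the plugin reacts to that is not visible here, so a guard above `module.exports`, such as `if (pypiPublish && !pypiToken) throw new Error("PYPI_PUBLISH is true but PYPI_TOKEN is not set")`, would stop the run at config load with a message that names the variable and never prints its value. The same gap is in the `plugins.push(pypiPlugin)` form of patch 1/8 and in the lines re-added by patch 4/8.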
From: Phil Gee
Date: Thu, 5 Mar 2026 09:54:38 +0000
Subject: [PATCH 5/8] AEA-5986 Re-add ref to config checkout step.
---
 .github/workflows/tag-release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
index 1b3e7cd..4f205cd 100644
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -79,6 +79,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: NHSDigital/eps-common-workflows
+ ref: aea-5986-fix-publish-fame-library
 sparse-checkout-cone-mode: false
 sparse-checkout: |
 package.json
From 858b5c7d3a11409d09a973d2a488af1bc9ef1b08 Mon Sep 17 00:00:00 2001
From: Phil Gee
Date: Thu, 5 Mar 2026 10:16:00 +0000
Subject: [PATCH 6/8] AEA-5986 Remove ref from config checkout step.
---
 .github/workflows/tag-release.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
index 4f205cd..1b3e7cd 100644
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -79,7 +79,6 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: NHSDigital/eps-common-workflows
- ref: aea-5986-fix-publish-fame-library
 sparse-checkout-cone-mode: false
 sparse-checkout: |
 package.json
From 7d55ea8bcc045b85fb1337482b9f2ddd1fd4857d Mon Sep 17 00:00:00 2001
From: Phil Gee
Date: Thu, 5 Mar 2026 10:21:59 +0000
Subject: [PATCH 7/8] AEA-5986 Add tar to trivy ignore.
---
 .trivyignore.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index e51078a..7dcbd71 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -25,3 +25,6 @@ vulnerabilities:
 - id: CVE-2026-26960
 statement: tar vulnerability accepted as risk
 expired_at: 2026-06-01
+ - id: GHSA-qffp-2rhf-9h96
+ statement: tar vulnerability accepted as risk - dependency of npm (multiple)
+ expired_at: 2026-06-01
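Review bot: The `ref: aea-5986-fix-publish-fame-library` added to the checkout step in patch 5/8 points the release job at a feature branch of NHSDigital/eps-common-workflows, which is a mutable ref: whatever is pushed to that branch is what the release run reads, and the step breaks once the branch is deleted. The action on the `uses:` line is pinned to a full commit SHA, so the checked-out config becomes the weaker link in the same step. Patch 6/8 removes the line again, which falls back to that repository's default branch; if a ref is kept for testing, a commit SHA or tag (`ref: <commit-sha>`) would be the safer form. The step starts above the hunk, so its name and the rest of the sparse-checkout list are not visible here.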
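Review bot: The new `GHSA-qffp-2rhf-9h96` entry in .trivyignore.yaml (patch 7/8) carries no scope, so it suppresses the finding wherever tar is detected, not only in the copy bundled with npm that the statement refers to. The context lines of patch 8/8 show an earlier entry that appears to carry a path list (`- "package-lock.json"`); giving this entry a matching `paths:` list would keep the suppression from hiding the same advisory in a direct dependency. The statement also records no ticket or reasoning for accepting the risk, which will make the review at `expired_at: 2026-06-01` harder.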
From 658fec4ca1329dfc4b9d9f2614d3b9aab113c114 Mon Sep 17 00:00:00 2001
From: Phil Gee
Date: Thu, 5 Mar 2026 10:29:55 +0000
Subject: [PATCH 8/8] AEA-5986 Remove old entries from trivy ignore.
---
 .trivyignore.yaml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index 7dcbd71..eb821d1 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -4,15 +4,6 @@ vulnerabilities:
 - "package-lock.json"
 statement: downstream dependency for tar - waiting for new npm release
 expired_at: 2026-06-01
- - id: CVE-2026-25128
- statement: fast-xml-parser vulnerability accepted as risk - dependency of aws-sdk/client-dynamodb
- expired_at: 2026-03-01
- - id: CVE-2026-25547
- statement: isaacs/brace-expansion vulnerability accepted as risk - dependency of semantic-release
- expired_at: 2026-03-01
- - id: CVE-2026-0775
- statement: npm vulnerability accepted as risk - dependency of semantic-release
- expired_at: 2026-03-01
 - id: CVE-2026-26996
 statement: minimatch vulnerability accepted as risk
 expired_at: 2026-06-01