Chore: [AEA-0000] - Publish release notes to gh pages (#57)

anthony-nhs · web-flow · commit 0cfdf9b1bf17 · 2026-02-06T08:39:09.000Z
## Summary

- Routine Change

### Details

- publish release notes to gh-pages
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -352,11 +352,52 @@ jobs:
                   id: ${{ steps.get_release.outputs.id }}
                   body: |
                       ## Info
-                      [See code diff](${{ github.event.compare }})
                       [Release workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) - Workflow ID: ${{ github.run_id }}
 
                       It was initialized by [${{ github.event.sender.login }}](${{ github.event.sender.html_url }})
 
+            - name: Checkout gh-pages branch
+              if: ${{ !inputs.dry_run }}
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+              with:
+                  repository: ${{ github.repository }}
+                  ref: gh-pages
+                  path: gh-pages
+
+            - name: Publish release notes to gh-pages
+              if: ${{ !inputs.dry_run }}
+              working-directory: gh-pages
+              env:
+                  RELEASE_ID: ${{ steps.get_release.outputs.id }}
+                  VERSION_TAG: ${{ steps.output_version_tag.outputs.VERSION_TAG }}
+                  GH_REPO: ${{ github.repository }}
+                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              run: |
+                  set -euo pipefail
+                  notes_dir="release_notes"
+                  mkdir -p "$notes_dir"
+                  note_file="$notes_dir/${VERSION_TAG}.md"
+
+                  gh api "/repos/${GH_REPO}/releases/${RELEASE_ID}" | jq -r '.body // ""' > "$note_file"
+
+                  if [ ! -s "$note_file" ]; then
+                      echo "Release notes are empty; skipping gh-pages update."
+                      exit 0
+                  fi
+
+                  git config user.name "github-actions[bot]"
+                  git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+                  git add -f "$note_file"
+                  if git diff --cached --quiet; then
+                      echo "No changes detected in release notes; skipping commit."
+                      exit 0
+                  fi
+
+                  git commit -m "docs: add release notes for ${VERSION_TAG}"
+                  parallel --retries 10 --delay 3 ::: "git pull --rebase && git push"
+
             - name: Output Change Set Version
               id: output_change_set_version
               shell: bash
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -7,3 +7,9 @@ vulnerabilities:
   - id: CVE-2026-25128
     statement: fast-xml-parser vulnerability accepted as risk - dependency of aws-sdk/client-dynamodb
     expired_at: 2026-03-01
+  - id: CVE-2026-25547
+    statement: isaacs/brace-expansion vulnerability accepted as risk - dependency of semantic-release
+    expired_at: 2026-03-01
+  - id: CVE-2026-0775 
+    statement: npm vulnerability accepted as risk - dependency of semantic-release
+    expired_at: 2026-03-01
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -17,10 +17,12 @@ repository = "https://github.com/NHSDigital/eps-common-workflows"
 
 [tool.poetry.dependencies]
 python = "^3.14"
-pre-commit = "^4.5.1"
 requests = "^2.32.5"
 
-[tool.poetry.group.dev.dependencies]
-pip-licenses = "^5.0.0"
-
 [tool.poetry.scripts]
+
+
+[dependency-groups]
+dev = [
+    "pre-commit (>=4.5.1,<5.0.0)"
+]
