NHSDigital · alexhawdon · Jun 2, 2026 · May 15, 2026 · May 15, 2026 · May 19, 2026
diff --git a/.gitallowed b/.gitallowed
@@ -11,4 +11,6 @@
 
 String token = _validateToken
 token = token
-token = find.byKey\(const Key\('token'\)\)
+token = find.byKey\(const Key\('token'\)\)
+
+\.github/workflows/dependabot-auto-merge\.yaml:[0-9]+:[[:space:]]+github-token:[[:space:]]+\$\{\{ secrets\.GITHUB_TOKEN \}\}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+version: 2
+updates:
+  - package-ecosystem: "pub"
+    directory: "/"
+    commit-message:
+      prefix: "MESH-2092 "
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+    groups:
+      dependencies:
+        patterns:
+          - "*"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    commit-message:
+      prefix: "MESH-2092 "
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+    groups:
+      dependencies:
+        patterns:
+          - "*"
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
@@ -0,0 +1,46 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+      - labeled
+
+jobs:
+  enable-automerge:
+    # Only run on Dependabot PRs
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Generate token from GitHub App
+        id: generate-token
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        with:
+          client-id: ${{ secrets.SHARED_MERGE_AND_WRITEBACK_APP_ID }}
+          private-key: ${{ secrets.SHARED_MERGE_AND_WRITEBACK_APP_PRIVATE_KEY }}
+
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-approve Dependabot PR
+        if: steps.metadata.outcome == 'success' && contains(fromJSON('["version-update:semver-minor", "version-update:semver-patch"]'), steps.metadata.outputs.update-type)
+        uses: hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7 # v4
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: steps.metadata.outcome == 'success' && contains(fromJSON('["version-update:semver-minor", "version-update:semver-patch"]'), steps.metadata.outputs.update-type)
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -10,11 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'NHSDigital/mesh_validate_auth_header'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
-      - uses: subosito/flutter-action@v2
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
           channel: 'stable'
 
@@ -24,10 +24,42 @@ jobs:
 
       - run: make check-secrets
       - run: flutter analyze
-      - run: flutter test -r expanded
+      - run: flutter test --coverage -r expanded
 
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarcloud-github-action@master
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8.1.0
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  slack-notification:
+    runs-on: ubuntu-latest
+    needs:
+      - check
+    if: ${{ always() && github.actor == 'dependabot[bot]' && contains(needs.*.result, 'failure') }}
+    steps:
+      - name: Slack Notification
+        uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
+        with:
+          webhook: ${{ secrets.DEPENDABOT_SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "header",
+                  "text": {
+                    "type": "plain_text",
+                    "text": ":alarm: DEPENDABOT PR FAILED :alarm:",
+                    "emoji": true
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "Checks failed for ${{ github.repository }}:${{ github.ref }} in <https://github.com/${{ github.repository }}/pull/${{ github.event.number }}|PR #${{ github.event.number }}>"
+                  }
+                }
+              ]
+            }
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,9 +12,9 @@ jobs:
       RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION }}
       RELEASE_URL: ${{ steps.upload_url.outputs.RELEASE_URL }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - run: echo RELEASE_VERSION="$(grep 'version:' pubspec.yaml | sed -En 's/^version:\s(.*)\+.*$/\1/p')+${{github.run_number}}" >> $GITHUB_ENV
-      - uses: actions/create-release@v1
+      - uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         id: create_release
         continue-on-error: false
         env:
@@ -32,10 +32,10 @@ jobs:
     if: github.repository == 'NHSDigital/mesh_validate_auth_header'
     needs: create_release
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - uses: subosito/flutter-action@v2
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
           channel: 'stable'
 
@@ -51,16 +51,15 @@ jobs:
           zip -r "${{ env.ZIP_NAME }}" .
 
       - name: upload bundle
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{needs.create_release.outputs.RELEASE_URL}}
           asset_name: ${{ env.ZIP_NAME }}
           asset_path: build/linux/x64/release/bundle/${{ env.ZIP_NAME }}
           asset_content_type: application/zip
-
-      - uses: fregante/setup-git-user@v1
+      - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2
       - run: git checkout github-pages
       - run: git merge develop
       - run: rm -rf ./docs
@@ -70,15 +69,38 @@ jobs:
       - run: git commit -m "publish-web"
       - run: git push
 
+  sonar-scan:
+    runs-on: ubuntu-latest
+    if: github.repository == 'NHSDigital/mesh_validate_auth_header'
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
+        with:
+          channel: 'stable'
+
+      - run: |
+          sudo apt-get update -y
+          sudo apt-get install -y ninja-build libgtk-3-dev
+
+      - run: flutter test --coverage -r expanded
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8.1.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   windows-build:
     runs-on: windows-latest
     if: github.repository == 'NHSDigital/mesh_validate_auth_header'
     needs: create_release
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: subosito/flutter-action@v2
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
           channel: 'stable'
 
@@ -87,14 +109,14 @@ jobs:
       - run: echo ZIP_NAME="mesh-validate-auth-windows-${{needs.create_release.outputs.RELEASE_VERSION}}.zip" >> $GITHUB_ENV
         shell: bash
 
-      - uses: thedoctor0/zip-release@main
+      - uses: thedoctor0/zip-release@b57d897cb5d60cb78b51a507f63fa184cfe35554 # 0.7.6
         with:
           directory: 'build/windows/runner/Release'
           type: 'zip'
           filename: ${{ env.ZIP_NAME }}
 
       - name: upload bundle
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

diff --git a/.github/workflows/scheduled-combine-dependabot-prs.yaml b/.github/workflows/scheduled-combine-dependabot-prs.yaml
@@ -25,7 +25,7 @@ jobs:
     steps:
       - name: combine-prs
         id: combine-prs
-        uses: github/combine-prs@v5.0.0
+        uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
         with:
           ci_required: ${{ inputs.ci_required == 'YES' }}
           labels: dependencies

diff --git a/.gitignore b/.gitignore
@@ -38,6 +38,9 @@ app.*.symbols
 # Obfuscation related
 app.*.map.json
 
+# Coverage reports
+coverage/
+
 # Android Studio will place build artifacts here
 /android/app/debug
 /android/app/profile