ONS-Innovation · mwirikia · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026 · Jun 10, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,12 +22,14 @@ jobs:
         python-version: ["3.12"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - name: Install Poetry
         run: pipx install poetry==1.7.1
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: poetry

diff --git a/.github/workflows/deploy_mkdocs.yml b/.github/workflows/deploy_mkdocs.yml
@@ -5,22 +5,25 @@ on:
   push:
     branches:
       - main
+      - KEH-2326_zizmor_update
 permissions:
   contents: write
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - name: Configure Git Credentials
         run: |
           git config user.name github-actions[bot]
           git config user.email 41898282+github-actions[bot]@users.noreply.github.com
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: 3.x
       - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           key: mkdocs-material-${{ env.cache_id }}
           path: .cache

diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml
@@ -66,9 +66,10 @@ jobs:
     steps:
       # Git Checkout
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
           # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
           # improve performance
@@ -85,8 +86,8 @@ jobs:
 
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/latest/flavors/
-        # The below commit hash is v8.8.0
-        uses: oxsecurity/megalinter@e08c2b05e3dbc40af4c23f41172ef1e068a7d651
+        # The below commit hash is v9.5.0
+        uses: oxsecurity/megalinter@0e3ce9b9c8c10effb9b269509cc47ca17cae31c7
 
         id: ml
 
@@ -114,7 +115,7 @@ jobs:
 
       # Upload MegaLinter artifacts
       - name: Archive production artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: success() || failure()
         with:
           name: MegaLinter reports
@@ -158,9 +159,12 @@ jobs:
             github.event.pull_request.head.repo.full_name == github.repository
           ) &&
           !contains(github.event.head_commit.message, 'skip fix')
+        env:
+          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
+          PR_URL: ${{ steps.cpr.outputs.pull-request-url }}
         run: |
-          echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
-          echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
+          echo "PR Number - $PR_NUMBER"
+          echo "PR URL - $PR_URL"
 
       # Push new commit if applicable
       # (for now works only on PR from same repository, not from forks)

diff --git a/.mega-linter.yml b/.mega-linter.yml
@@ -9,6 +9,9 @@ APPLY_FIXES: all
 
 FORMATTERS_DISABLE_ERRORS: false
 
+ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
+  - GITHUB_TOKEN
+
 # If you use ENABLE variable, all other languages/formats/tooling-formats will
 # be disabled by default
 # ENABLE:

diff --git a/README.md b/README.md
@@ -97,37 +97,37 @@ To run the Lambda function outside of a container, we need to execute the `handl
 
 2. Sign in with AWS SSO, and export the correct profile for this service:
 
-    ```bash
-    aws sso login
+   ```bash
+   aws sso login
 
-    export AWS_PROFILE=github-copilot-usage-lambda
-    ```
+   export AWS_PROFILE=github-copilot-usage-lambda
+   ```
 
-    This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile.
+   This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile.
 
-    **Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine.
+   **Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine.
 
 3. Export the required environment variables:
 
-    ```bash
-    export AWS_DEFAULT_REGION=eu-west-2
-    export AWS_SECRET_NAME=<aws_secret_name>
-    export AWS_ACCOUNT_NAME=<sdp-dev/sdp-prod>
-    export GITHUB_ORG=ONSDigital
-    export GITHUB_APP_CLIENT_ID=<github_app_client_id>
-    ```
+   ```bash
+   export AWS_DEFAULT_REGION=eu-west-2
+   export AWS_SECRET_NAME=<aws_secret_name>
+   export AWS_ACCOUNT_NAME=<sdp-dev/sdp-prod>
+   export GITHUB_ORG=ONSDigital
+   export GITHUB_APP_CLIENT_ID=<github_app_client_id>
+   ```
 
 4. Run the script.
 
-    ```bash
-    python3 src/main.py
-    ```
+   ```bash
+   python3 src/main.py
+   ```
 
 5. To exit the profile:
 
-    ```bash
-    unset AWS_PROFILE
-    ```
+   ```bash
+   unset AWS_PROFILE
+   ```
 
 ### Running in a container
 

diff --git a/concourse/scripts/terraform_infra.sh b/concourse/scripts/terraform_infra.sh
@@ -22,6 +22,7 @@ github_org=$(echo "$secrets" | jq -r .github_org)
 export AWS_ACCESS_KEY_ID="$aws_access_key_id"
 export AWS_SECRET_ACCESS_KEY="$aws_secret_access_key"
 
+# kingfisher:ignore
 git config --global url."https://x-access-token:$github_access_token@github.com/".insteadOf "https://github.com/"
 
 if [ "${env}" != "prod" ]; then

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -7,7 +7,9 @@ repo_name: GitHub Copilot Usage Lambda
 nav:
   - Home: "index.md"
   - Documentation: "documentation.md"
-  - Team Usage: "team_usage.md"
+  - Technical Documentation:
+    - Overview: "technical_documentation/overview.md"
+    - Configuration: "technical_documentation/configuration.md"
 theme:
   name: material
   language: en

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -28,15 +28,15 @@ urllib3 = "^2.7.0"
 ruff = "^0.6.5"
 pylint = "^3.2.7"
 mypy = "^1.11.2"
-pytest = "^8.4.1"
+pytest = "^9.0.3"
 pytest-cov = "^6.2.1"
 pytest-xdist = "^3.8.0"
 black = "^26.3.1"
 
 [tool.poetry.group.docs.dependencies]
 mkdocs = "^1.6.0"
-mkdocs-material = "^9.5.29"
-mkdocstrings-python = "^1.16.12"
+mkdocs-material = "^9.7.6"
+mkdocstrings-python = "^2.0.4"
 
 [build-system]
 requires = ["poetry-core"]