NHSDigital · nhs-oliverslater · Jun 19, 2026 · Jun 19, 2026 · Jun 19, 2026
@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        check=branch ./scripts/githooks/check-english-usage.sh
+        check=branch mise run githooks-check-english-usage
@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        check=branch ./scripts/githooks/check-file-format.sh
+        check=branch mise run githooks-check-file-format
@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        check=branch ./scripts/githooks/check-markdown-format.sh
+        check=branch mise run githooks-check-markdown-format
@@ -26,7 +26,7 @@ runs:
       shell: bash
       run: |
         export BUILD_DATETIME=${{ inputs.build_datetime }}
-        ./scripts/reports/create-lines-of-code-report.sh
+        mise run reports-create-lines-of-code
     - name: "Compress CLOC report"
       shell: bash
       run: zip lines-of-code-report.json.zip lines-of-code-report.json

@@ -10,7 +10,7 @@ runs:
     - name: "Check Terraform format"
       shell: bash
       run: |
-        check_only=true scripts/githooks/check-terraform-format.sh
+        check_only=true mise run githooks-check-terraform-format
     - name: "Validate Terraform"
       shell: bash
       run: |

@@ -25,4 +25,4 @@ runs:
         export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }}
         export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }}
         export SONAR_TOKEN=${{ inputs.sonar_token }}
-        ./scripts/reports/perform-static-analysis.sh
+        mise run reports-perform-static-analysis
@@ -26,7 +26,7 @@ runs:
       shell: bash
       run: |
         export BUILD_DATETIME=${{ inputs.build_datetime }}
-        ./scripts/reports/create-sbom-report.sh
+        mise run reports-create-sbom
     - name: "Compress SBOM report"
       shell: bash
       run: zip sbom-repository-report.json.zip sbom-repository-report.json
@@ -41,7 +41,7 @@ runs:
       shell: bash
       run: |
         export BUILD_DATETIME=${{ inputs.build_datetime }}
-        ./scripts/reports/scan-vulnerabilities.sh
+        mise run reports-scan-vulnerabilities
     - name: "Compress vulnerabilities report"
       shell: bash
       run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json

@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten.
-        check=whole-history ./scripts/githooks/scan-secrets.sh
+        check=whole-history mise run githooks-scan-secrets
@@ -66,16 +66,10 @@ module "<resource>" {
 When AWS provider versions change or community modules receive updates:
 
 1. Use the upgrade helper to refresh a single module:
-
-   ```bash
-   ./scripts/terraform/upgrade-module.sh infrastructure/modules/vpc
-   ```
+  `mise run terraform-upgrade-module -- infrastructure/modules/vpc`
 
 2. Or refresh all modules at once:
-
-   ```bash
-   ./scripts/terraform/upgrade-module.sh update-all
-   ```
+  `mise run terraform-upgrade-module -- update-all`
 
 The helper automates three steps:
 
@@ -201,16 +195,14 @@ Module READMEs should include:
 ### When Adding or Modifying a Module
 
 1. **Run the upgrade helper** to regenerate module documentation.
-
-   ```bash
-   ./scripts/terraform/upgrade-module.sh infrastructure/modules/<name>
-   ```
+  `mise run terraform-upgrade-module -- infrastructure/modules/<name>`
 
    This automatically updates the module's `README.md` via `terraform-docs`.
 
 1. **Update the root README.md** if you've added a new module, changed Dependabot automation behaviour, or changed module sourcing/upgrade procedures.
 
 1. **Update relevant user guides** in `docs/user-guides/`.
+
 If you've added/changed a pre-commit hook, update `Pre_commit_hooks_reference.md`. If you've changed upgrade procedures or tooling, update the related guides.
 
 1. **Update `infrastructure/AGENTS.md`** if you've introduced a new pattern/tool, changed naming conventions, or changed quality expectations/validation rules.

@@ -11,13 +11,13 @@ Use this prompt when AWS provider versions change, community modules receive upd
 To refresh a single module with the latest provider versions and update its README:
 
 ```bash
-./scripts/terraform/upgrade-module.sh infrastructure/modules/<module-name>
+mise run terraform-upgrade-module -- infrastructure/modules/<module-name>
 ```
 
 **Example:**
 
 ```bash
-./scripts/terraform/upgrade-module.sh infrastructure/modules/s3-bucket
+mise run terraform-upgrade-module -- infrastructure/modules/s3-bucket
 ```
 
 The script will:
@@ -31,7 +31,7 @@ The script will:
 To refresh every module at once:
 
 ```bash
-./scripts/terraform/upgrade-module.sh update-all
+mise run terraform-upgrade-module -- update-all
 ```
 
 The script will warn before starting and then iterate through all modules under `infrastructure/modules/`, updating each in sequence.
@@ -64,5 +64,5 @@ If the script fails:
 
 1. Ensure `terraform`, `terraform-docs`, and `pre-commit` are installed and on PATH
 2. Check that you're in the repository root directory
-3. Verify that `scripts/terraform/upgrade-module.sh` is executable: `chmod +x scripts/terraform/upgrade-module.sh`
-4. Run with `bash -x` for detailed debugging: `bash -x ./scripts/terraform/upgrade-module.sh infrastructure/modules/vpc`
+3. Verify that the mise task exists: `mise tasks ls | grep terraform-upgrade-module`
+4. Run with shell tracing for detailed debugging: `MISE_TASK_OUTPUT=1 mise run terraform-upgrade-module -- infrastructure/modules/vpc`
@@ -244,7 +244,7 @@ terraform -chdir="infrastructure/modules/s3-bucket" providers lock \
 Or use the helper script:
 
 ```bash
-./scripts/terraform/upgrade-module.sh infrastructure/modules/s3-bucket
+mise run terraform-upgrade-module -- infrastructure/modules/s3-bucket
 ```
 
 **Manual run:**

@@ -21,7 +21,7 @@ Module maintenance ensures that Terraform wrapper modules stay current, secure,
 ### Single Module Upgrade
 
 ```bash
-./scripts/terraform/upgrade-module.sh infrastructure/modules/<name>
+mise run terraform-upgrade-module -- infrastructure/modules/<name>
 ```
 
 This executes:
@@ -37,7 +37,7 @@ This executes:
 ### Repository-Wide Upgrade
 
 ```bash
-./scripts/terraform/upgrade-module.sh update-all
+mise run terraform-upgrade-module -- update-all
 ```
 
 Prompts for confirmation, then upgrades all modules under `infrastructure/modules/` in sequence. Useful for bulk provider version bumps (e.g., AWS provider 6.42 → 6.50).
@@ -141,7 +141,7 @@ If `.terraform.lock.hcl` shows provider version conflicts:
 ```bash
 # Delete and regenerate
 rm infrastructure/modules/*/. terraform.lock.hcl
-./scripts/terraform/upgrade-module.sh update-all
+mise run terraform-upgrade-module -- update-all
 ```
 
 ### Documentation Doesn't Regenerate
@@ -169,7 +169,7 @@ The `.terraform.lock.hcl` file ensures Terraform downloads the correct version f
 
 ## Checklist: Completing a Module Upgrade
 
-- [ ] Run `./scripts/terraform/upgrade-module.sh <module>`
+- [ ] Run `mise run terraform-upgrade-module -- <module>`
 - [ ] Review `git diff` for unexpected changes
 - [ ] Check for upstream breaking changes in release notes
 - [ ] Validate security baseline controls are still enforced

@@ -68,10 +68,10 @@ When AWS providers or upstream community modules receive updates, use the upgrad
 
 ```bash
 # Single module
-./scripts/terraform/upgrade-module.sh infrastructure/modules/s3-bucket
+mise run terraform-upgrade-module -- infrastructure/modules/s3-bucket
 
 # All modules
-./scripts/terraform/upgrade-module.sh update-all
+mise run terraform-upgrade-module -- update-all
 ```
 
 The helper:

@@ -42,7 +42,7 @@ jobs:
         shell: bash
         run: |
           level="${UPGRADE_LEVEL:-patch}"
-          bash scripts/mise/update-tool-versions.sh --upgrade-level "$level"
+          mise run update-tool-versions -- --upgrade-level "$level"
 
       - name: "Create pull request"
         uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
@@ -55,6 +55,7 @@ jobs:
             Updated files:
             - .tool-versions
             - mise.toml
+            - README.md
             - mise.lock
 
             Upgrade level: `${{ github.event.inputs.upgrade_level || 'patch' }}`
@@ -67,4 +68,5 @@ jobs:
           add-paths: |
             .tool-versions
             mise.toml
+            README.md
             mise.lock
@@ -31,8 +31,8 @@ repos:
       - id: generate-terraform-providers
         name: generate-terraform-providers
         require_serial: true
-        entry: ./scripts/githooks/generate-terraform-providers.sh
-        language: script
+        entry: mise run githooks-generate-terraform-providers
+        language: system
         files: \.tf(vars)?$
         pass_filenames: false
 
@@ -51,8 +51,8 @@ repos:
       - id: regenerate-dependabot-config
         name: regenerate-dependabot-config
         require_serial: true
-        entry: ./scripts/githooks/check-dependabot-config.sh
-        language: script
+        entry: mise run githooks-check-dependabot-config
+        language: system
         files: infrastructure/modules/.*/versions\.tf$
         pass_filenames: false
 
@@ -139,7 +139,7 @@ repos:
     hooks:
       - id: shellcheck
         name: shellcheck
-        entry: bash -c 'for f in "$@"; do SHELLCHECK_OPTS="--severity=warning" file="$f" bash scripts/shellscript-linter.sh || exit 1; done' --
+        entry: bash -c 'for f in "$@"; do SHELLCHECK_OPTS="--severity=warning" file="$f" mise run shellscript-linter || exit 1; done' --
         language: system
         types: [shell]
         require_serial: true
@@ -155,34 +155,34 @@ repos:
     hooks:
       - id: check-file-format
         name: check-file-format
-        entry: bash -c 'check=all ./scripts/githooks/check-file-format.sh'
+        entry: bash -c 'check=all mise run githooks-check-file-format'
         language: system
         pass_filenames: false
 
       - id: check-markdown-format
         name: check-markdown-format
-        entry: bash -c 'check=all ./scripts/githooks/check-markdown-format.sh'
+        entry: bash -c 'check=all mise run githooks-check-markdown-format'
         language: system
         files: \.md$
         pass_filenames: false
 
       - id: check-english-usage
         name: check-english-usage
-        entry: bash -c 'check=all ./scripts/githooks/check-english-usage.sh'
+        entry: bash -c 'check=all mise run githooks-check-english-usage'
         language: system
         files: \.md$
         pass_filenames: false
 
       - id: check-terraform-format
         name: check-terraform-format
-        entry: bash -c 'check_only=true ./scripts/githooks/check-terraform-format.sh'
+        entry: bash -c 'check_only=true mise run githooks-check-terraform-format'
         language: system
         files: \.tf(vars)?$
         pass_filenames: false
 
       - id: scan-secrets
         name: scan-secrets
-        entry: bash -c 'check=whole-history ./scripts/githooks/scan-secrets.sh'
+        entry: bash -c 'check=whole-history mise run githooks-scan-secrets'
         language: system
         pass_filenames: false
 

@@ -1,20 +1,21 @@
 # This file is for you! Please, updated to the versions agreed by your team.
 
-terraform 1.13.5
-tflint 0.62.1
-terraform-docs 0.24.0
+actionlint 1.7.12
+bats 1.13.0
+gitleaks 8.30.1
 go 1.26.4
 go:github.com/hashicorp/terraform-config-inspect latest
+jq 1.8.1
+make 4.4.1
+nodejs 24.16.0
 pre-commit 4.6.0
 python 3.12
-vale 3.6.0
-gitleaks 8.30.1
 shellcheck 0.11.0
-actionlint 1.7.12
-jq 1.8.1
+terraform 1.13.5
+terraform-docs 0.24.0
+tflint 0.62.1
+vale 3.6.0
 yq 4.53.3
-nodejs 24.16.0
-make 4.4.1
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.