From 06caf3308f5df051fcd05c84213ab17a2304c6ba Mon Sep 17 00:00:00 2001
From: NinaTombs <160591290+NinaTombs@users.noreply.github.com>
Date: Wed, 7 Jan 2026 12:44:04 +0000
Subject: [PATCH 1/2] Update summary-care-record.yaml
https://nhsd-jira.digital.nhs.uk/browse/FLAGSAPI-1203
Updated to show that AAL2 is now supported in addition to AAL3.
---
 specification/summary-care-record.yaml | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/specification/summary-care-record.yaml b/specification/summary-care-record.yaml
index 25c887da..2c6b1062 100644
--- a/specification/summary-care-record.yaml
+++ b/specification/summary-care-record.yaml
@@ -81,15 +81,15 @@ info: This API has two authorisation methods. The first is [user-restricted](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#user-restricted-apis), meaning an end user must be present and authenticated to use it. The end user must be: - - a health or care staff providing direct care to patients - - strongly authenticated, using either an [NHS smartcard or a modern alternative](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/nhs-smartcards-for-developers) available via [NHS Care Identity Service 2 (NHS CIS2)](https://digital.nhs.uk/services/nhs-identity) + - a health or care worker providing direct care to patients + - strongly authenticated, using either an [NHS smartcard or a modern alternative](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/nhs-smartcards-for-developers) available via [CIS2 Authentication](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication) + - authenticated to assurance level AAL2 or AAL3 - The API uses OAuth 2.0 to authorise the calling system. It only supports CIS2 combined authentication and authorisation (see link below). Do not use separate authentication and authorisation: - - [user-restricted RESTful API - using NHS CIS2 - combined authentication and authorisation](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-nhs-cis2-combined-authentication-and-authorisation) - - For more details, see [user-restricted APIs](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#user-restricted-apis). 
- - The second authorisation method is [application-restricted](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#application-restricted-apis) (signed JWT authentication), meaning a few specific API calls can be authorised by the application making the requests. This is typically provided so that GPs can perform batch updates of multiple Summary Care Records without having to log in as a specific user. + The API uses OAuth 2.0 to authorise the calling system. It supports the following security patterns: + - [user-restricted RESTful API - CIS2 - combined authentication and authorisation](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-nhs-cis2-combined-authentication-and-authorisation) + - [user-restricted RESTful API - CIS2 - seperate authentication and authorisation](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation) + + The second authorisation method is [application-restricted](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#application-restricted-apis), meaning a few specific API calls can be authorised by the application making the requests. This is typically provided so that GPs can perform batch updates of multiple Summary Care Records without having to log in as a specific user. The following specific endpoint and method combinations can be used with application-restricted authentication, in addition to user-restricted authentication: 
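Review bot: The link text on the second added bullet misspells "separate" as `seperate`, while the URL slug it points to is spelled `separate`; change the bullet to `- [user-restricted RESTful API - CIS2 - separate authentication and authorisation](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation)`. Since this text is what integrators read to decide which CIS2 pattern to implement, the wording should match the guide it links to exactly. The enclosing `info.description` block scalar starts and ends outside this hunk.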
@@ -97,8 +97,7 @@ info: - GET Bundle - POST Bundle - For more details, see: - - [application-restricted APIs](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#application-restricted-apis) and + For more details, see the following security pattern: - [application-restricted RESTful APIs - signed with JWT authentication](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication) ## Environments and testing From 516906d4c16adf65cc19fd3b2aded8553d24e0e5 Mon Sep 17 00:00:00 2001 From: Sophie Somerville <12125546+gps035@users.noreply.github.com> Date: Fri, 9 Jan 2026 09:45:05 +0000 Subject: [PATCH 2/2] Remove branch name check on PRs in favour of a check on the title IMO there is no value in requiring branch names to be in a certain format, and just causes people to have to redo work, like would be done here if not for this change --- .github/workflows/pr-lint.yaml | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml index c6bc45a7..be95d449 100644 --- a/.github/workflows/pr-lint.yaml +++ b/.github/workflows/pr-lint.yaml 
@@ -1,24 +1,14 @@
 name: PR Quality Check
-on: pull_request
+on:
+ pull_request:
+ types: [opened, synchronize, edited, reopened]
 jobs:
 link-ticket:
 runs-on: ubuntu-latest
 steps:
- - name: Check ticket name conforms to requirements
- run: echo ${{ github.event.pull_request.head.ref }} | grep -i -E -q "((apm|niad|amb|flagsapi)-[0-9]+)|(dependabot\/)"
-
- - name: Grab ticket name
- if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'niad-') || contains(github.event.pull_request.head.ref, 'NIAD-') || contains(github.event.pull_request.head.ref, 'amb-') || contains(github.event.pull_request.head.ref, 'AMB-')
- run: echo ::set-env name=TICKET_NAME::$(echo ${{ github.event.pull_request.head.ref }} | tr '[:lower:]' '[:upper:]' | grep -i -o '^\(APM\|NIAD\|AMB\)-[0-9]\+')
+ - name: Check PR title starts with Jira reference
 env:
- ACTIONS_ALLOW_UNSECURE_COMMANDS: true
-
- - name: Comment on PR
- if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'niad-') || contains(github.event.pull_request.head.ref, 'NIAD-') || contains(github.event.pull_request.head.ref, 'amb-') || contains(github.event.pull_request.head.ref, 'AMB-')
- uses: unsplash/comment-on-pr@master
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- msg: |
- This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:
- # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME}})
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ run: |
+ JIRA_REGEX="^(APM|NIAD|AMB|FLAGSAPI)-([[:digit:]]+)"
+ [[ "$PR_TITLE" =~ $JIRA_REGEX ]] && exit 0 || exit 1
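Review bot: The rewritten job only reads `github.event.pull_request.title` from the event payload, yet the workflow sets no `permissions:` block, so every pull_request run still receives the repository's default `GITHUB_TOKEN` scopes; adding `permissions: {}` at the top level of the workflow drops it to the nothing the step actually needs. Passing the title through `env:` instead of interpolating it into `run:` is the right shape, but the final line fails silently: with the default bash `-e` shell the trailing `&& exit 0 || exit 1` is redundant, and `[[ "$PR_TITLE" =~ $JIRA_REGEX ]] || { echo "::error::PR title must start with a Jira reference, e.g. FLAGSAPI-1203"; exit 1; }` tells the author why the check failed without echoing the untrusted title into a workflow command. The removed branch check used `grep -i`, whereas the new `=~` match is case-sensitive, so a title beginning `apm-123` now fails; if that is not intended, `shopt -s nocasematch` before the test restores the old behaviour. The job id `link-ticket` no longer links anything and could be renamed to describe the title check.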