From 4fcfac53e3dd7e90f6e5dbdfb4aa1d17a832de59 Mon Sep 17 00:00:00 2001
From: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
Date: Mon, 16 Feb 2026 18:03:41 +0000
Subject: [PATCH 1/2] chore: migrate curl to gh for optised and robust download

---
 Makefile | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 5253232cd..d4b3f1d6b 100644
--- a/Makefile
+++ b/Makefile
@@ -118,9 +118,16 @@ compile: compile-node compile-specification
 compile-specification:
 	npm run compile --workspace packages/specification
 
-download-get-secrets-layer:
+gh-auth:
+	@gh auth status > /dev/null 2>&1 || gh auth login --scopes "read:packages"
+
+download-get-secrets-layer: gh-auth
 	mkdir -p packages/getSecretLayer/lib
-	curl -LJ https://github.com/NHSDigital/electronic-prescription-service-get-secrets/releases/download/$$(curl -s "https://api.github.com/repos/NHSDigital/electronic-prescription-service-get-secrets/releases/latest" | jq -r .tag_name)/get-secrets-layer.zip -o packages/getSecretLayer/lib/get-secrets-layer.zip
+	gh release download \
+		--repo NHSDigital/electronic-prescription-service-get-secrets \
+		--pattern 'get-secrets-layer.zip' \
+		--dir packages/getSecretLayer/lib \
+		--skip-existing
 
 lint-node: compile-node
 	npm run lint --workspace packages/capabilityStatement
@@ -201,7 +208,6 @@ aws-login:
 cfn-guard:
 	./scripts/run_cfn_guard.sh
 
-create-npmrc:
-	gh auth login --scopes "read:packages"; \
+create-npmrc: gh-auth
 	echo "//npm.pkg.github.com/:_authToken=$$(gh auth token)" > .npmrc
 	echo "@nhsdigital:registry=https://npm.pkg.github.com" >> .npmrc

From 1d4f22d4802de731fa18205753ce29d432d0ca53 Mon Sep 17 00:00:00 2001
From: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
Date: Tue, 17 Feb 2026 11:10:01 +0000
Subject: [PATCH 2/2] chore: conditionalise gh auth

---
 Makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Makefile b/Makefile
index d4b3f1d6b..e1c71604b 100644
--- a/Makefile
+++ b/Makefile
@@ -121,6 +121,11 @@ compile-specification:
 gh-auth:
 	@gh auth status > /dev/null 2>&1 || gh auth login --scopes "read:packages"
 
+gh-auth-ci:
+	@if [ -z "$$GITHUB_TOKEN" ]; then \
+		gh auth status > /dev/null 2>&1 || { echo "Error: Not authenticated and GITHUB_TOKEN not set"; exit 1; }; \
+	fi
+
 download-get-secrets-layer: gh-auth
 	mkdir -p packages/getSecretLayer/lib
 	gh release download \