From 733ec9ea73ed663b987c60d04d8b9a108435cfed Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 16:24:14 +0000 Subject: [PATCH 01/31] use published dev container --- .devcontainer/Dockerfile | 55 ++------------ .devcontainer/devcontainer.json | 13 +--- .github/workflows/pull_request.yml | 1 + .github/workflows/quality-checks.yml | 105 +++------------------------ .github/workflows/release.yml | 1 + .tool-versions | 6 +- 6 files changed, 27 insertions(+), 154 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index f519b68..db31d46 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
@@ -1,53 +1,14 @@ -FROM mcr.microsoft.com/devcontainers/base:ubuntu - -# provide DOCKER_GID via build args if you need to force group id to match host -ARG DOCKER_GID +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0 +USER root # specify DOCKER_GID to force container docker group id to match host RUN if [ -n "${DOCKER_GID}" ]; then \ - if ! getent group docker; then \ - groupadd -g ${DOCKER_GID} docker; \ - else \ - groupmod -g ${DOCKER_GID} docker; \ - fi && \ - usermod -aG docker vscode; \ + if ! getent group docker; then \ + groupadd -g ${DOCKER_GID} docker; \ + else \ + groupmod -g ${DOCKER_GID} docker; \ + fi && \ + usermod -aG docker vscode; \ fi -# Anticipate and resolve potential permission issues with apt -RUN mkdir -p /tmp && chmod 1777 /tmp - -RUN apt-get update \ - && export DEBIAN_FRONTEND=noninteractive \ - && apt-get -y dist-upgrade \ - && apt-get -y install --no-install-recommends htop vim curl git build-essential \ - libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \ - zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \ - jq apt-transport-https ca-certificates gnupg-agent \ - software-properties-common bash-completion python3-pip make libbz2-dev \ - libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \ - xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev - USER vscode - -# Install ASDF -RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.11.3 && \ - echo '. $HOME/.asdf/asdf.sh' >> ~/.bashrc && \ - echo '. 
$HOME/.asdf/completions/asdf.bash' >> ~/.bashrc - -ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-prescription-tracker-ui/node_modules/.bin:/workspaces/eps-common-workflows/.venv/bin" - -# Install ASDF plugins# -RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git && \ - asdf plugin add actionlint && \ - asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git && \ - asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git && \ - asdf plugin add python - -WORKDIR /workspaces/eps-common-workflows - -ADD .tool-versions /workspaces/eps-common-workflows/.tool-versions -ADD .tool-versions /home/vscode/.tool-versions - -RUN asdf install python && \ - asdf install && \ - asdf reshim nodejs diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index fe626eb..b18823e 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
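Review bot: The `-ARG DOCKER_GID` line is dropped but the retained `RUN if [ -n "${DOCKER_GID}" ]` block still reads it, and a build arg is only visible after `FROM` when it is redeclared there, so `${DOCKER_GID}` is now always empty and the docker-group fix silently never runs (`docker build` only warns that the arg was not consumed). Add `ARG DOCKER_GID` directly under the new `FROM` line. Since this one image now supplies every toolchain the devcontainer uses, consider pinning it by digest too, `FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0@sha256:<digest>`, as the GHCR tag is mutable.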
@@ -14,21 +14,14 @@ "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gitconfig,target=/home/vscode/.gitconfig,type=bind" ], "containerUser": "vscode", "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, - "postAttachCommand": "docker build -f /workspaces/eps-common-workflows/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && pre-commit install --install-hooks -f", - "features": { - "ghcr.io/devcontainers/features/github-cli:1": {}, - "ghcr.io/devcontainers/features/docker-outside-of-docker:1": { - "version": "latest", - "moby": "true", - "installDockerBuildx": "true" - } - }, + "features": {}, "customizations": { "vscode": { "extensions": [ diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index f606e1f..aa97d2b 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,6 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index faef2de..dc2f259 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
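Review bot: The new `.gitconfig` bind mount is read-write, like the `.ssh`/`.gnupg`/`.aws` mounts above it, so anything running in a container built from a third-party registry image can rewrite the host's credential-helper or `url.insteadOf` settings. If only identity and signing config are needed, append `,readonly` to that mount entry. Dropping `postAttachCommand` also removes the `pre-commit install --install-hooks` call, so no commit-time secret scan is installed in the devcontainer unless the base image takes care of that.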
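Review bot: `runtime_docker_image` is pinned to the mutable tag `v1.0.0`, so whoever can push that tag to `ghcr.io/nhsdigital/eps-devcontainers` can change the environment that runs secret scanning and the quality gates for every PR. Pin by digest as well, `runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0@sha256:<digest>"`, and keep release.yml on the identical string so the two pipelines cannot drift.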
@@ -33,10 +33,15 @@ on: description: comma separated list of docker image references to scan when docker scanning is enabled. default: "" required: false + runtime_docker_image: + type: string + required: true jobs: quality_checks: runs-on: ubuntu-22.04 + container: + image: ${{ inputs.runtime_docker_image }} steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 if: ${{ inputs.install_java }} 
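Review bot: The new `runtime_docker_image` input has no `description`, unlike the inputs above it, yet it is consumed verbatim as `container.image` for the jobs of this shared reusable workflow. Add `description: "Full reference (registry/name:tag, ideally with @sha256 digest) of the eps-devcontainers image all jobs run inside; it must provide the toolchain previously installed from .tool-versions via asdf"`. Note that with `container:` set and no `options:`, steps run as whatever user the image declares, which callers of this workflow cannot see.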
@@ -50,70 +55,10 @@ jobs: with: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - - # Must be done before anything installs, or it will check dependencies for secrets too. - - name: Ensure .gitallowed exists, for secret scanning - run: | - if [ ! -f ".gitallowed" ]; then - echo "Creating empty .gitallowed file" - touch .gitallowed - fi - echo "./nhsd-rules-deny.txt:10" >> .gitallowed - echo "Allowing the following regex patterns:" - cat .gitallowed - - - name: Install git-secrets - run: | - sudo apt-get update - sudo apt-get install -y git curl - git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets - cd /tmp/git-secrets - sudo make install - - - name: Download regex patterns - run: | - curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o nhsd-rules-deny.txt - - - name: Configure git-secrets - run: | - git-secrets --register-aws - git-secrets --add-provider -- cat nhsd-rules-deny.txt - - name: Run secrets scan run: | git-secrets --scan-history . 
- # using git commit sha for version of action to ensure we have stable version - - &install_asdf - name: Install asdf - uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - - - &cache_asdf - name: Cache asdf - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb - with: - path: ~/.asdf - key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} - - - &install_asdf_deps - name: Install asdf dependencies in .tool-versions - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - env: - PYTHON_CONFIGURE_OPTS: --enable-shared - - - &reinstall_poetry - name: Reinstall poetry - if: ${{ inputs.reinstall_poetry }} - run: | - poetry_tool_version=$(cat .tool-versions | grep poetry) - poetry_version=${poetry_tool_version//"poetry "} - asdf uninstall poetry "$poetry_version" - asdf install poetry - - &setup_npmrc name: Setting up .npmrc env: @@ -356,6 +301,8 @@ jobs: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} runs-on: ubuntu-22.04 + container: + image: ${{ inputs.runtime_docker_image }} steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -420,6 +367,8 @@ jobs: docker_vulnerability_scan: runs-on: ubuntu-22.04 + container: + image: ghcr.io/nhsdigital/eps-devcontainers/fhir_facade_api:v1.0.0 needs: get_docker_images_to_scan if: ${{ inputs.run_docker_scan == true }} strategy: 
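Review bot: `git-secrets --scan-history .` is kept, but every step that registered patterns (`--register-aws`, `--add-provider -- cat nhsd-rules-deny.txt`) and prepared `.gitallowed` is deleted; git-secrets keeps its patterns in the repository's git config, which a fresh checkout does not have, so with nothing registered the scan has nothing to match and reports success, making this gate a no-op unless the image pre-populates the config. Restore the registration in the same step before the scan, e.g. `git-secrets --register-aws && git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt` (the path the image ships the deny list at, per the later devcontainer change), or fail fast with `test -n "$(git config --get-all secrets.patterns)"`. The `.gitallowed` bootstrap is also gone, so repos that relied on CI creating that file lose it.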
@@ -431,36 +380,6 @@ jobs: with: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - # using git commit sha for version of action to ensure we have stable version - - name: Install asdf - uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - - - name: Cache asdf - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb - with: - path: | - ~/.asdf - key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} - restore-keys: | - ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} - - - name: Install asdf dependencies in .tool-versions - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - env: - PYTHON_CONFIGURE_OPTS: --enable-shared - - - name: Reinstall poetry - if: ${{ inputs.reinstall_poetry }} - run: | - poetry_tool_version=$(cat .tool-versions | grep poetry) - poetry_version=${poetry_tool_version//"poetry "} - asdf uninstall poetry "$poetry_version" - asdf install poetry - - name: Setting up .npmrc env: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -508,12 +427,10 @@ jobs: IaC-validation: runs-on: ubuntu-22.04 + container: + image: ${{ inputs.runtime_docker_image }} steps: - *checkout - - *install_asdf - - *cache_asdf - - *install_asdf_deps - - *reinstall_poetry - name: Check for SAM templates id: check_sam_templates diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c4cc00a..d7884fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,6 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.tool-versions b/.tool-versions index 8605e6e..d3c826a 100644 
--- a/.tool-versions +++ b/.tool-versions @@ -1,5 +1,5 @@ -nodejs 24.12.0 +nodejs 24.13.0 actionlint 1.7.10 shellcheck 0.11.0 -python 3.14.2 -poetry 2.2.1 +python 3.14.3 +poetry 2.3.2 From 704eedb885629868e6901194998c5cdeaf611d71 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 16:48:45 +0000 Subject: [PATCH 02/31] use new image --- .devcontainer/Dockerfile | 2 +- .github/workflows/pull_request.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index db31d46..a07ebbc 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0 +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25 USER root # specify DOCKER_GID to force container docker group id to match host diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index aa97d2b..d994c2c 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,7 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d7884fa..6147569 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -30,7 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From 08472c0e31768ba7d0b5cbf63c72d9df4a7c35c2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 17:26:27 +0000 Subject: [PATCH 03/31] use old image --- .github/workflows/pull_request.yml | 2 +- .github/workflows/quality-checks.yml | 3 +++ .github/workflows/release.yml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index d994c2c..aa97d2b 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,7 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index dc2f259..b79dbe2 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -42,6 +42,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} + options: --user 0 steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 if: ${{ inputs.install_java }} @@ -303,6 +304,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} + options: --user 0 steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd 
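Review bot: `options: --user 0` runs every step of this job as root inside the container, including `make install` and the npm/poetry installs for PR-submitted dependency trees, and a job container on GitHub-hosted runners has the Docker socket mounted, so root inside is effectively root on the runner VM. Prefer the image's non-root user with an explicit numeric id that matches the runner's workspace owner, `options: --user 1001:1001`, and fix any ownership problems in the image rather than escalating here; the same applies to the two other jobs this commit changes.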
@@ -429,6 +431,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} + options: --user 0 steps: - *checkout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6147569..d7884fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,7 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From 54d444af81b7e47d29e8c1a67d5841b42daccf43 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 18:28:55 +0000 Subject: [PATCH 04/31] fix it --- .devcontainer/Dockerfile | 3 +- .devcontainer/devcontainer.json | 67 ++++++++++++++-------------- .github/workflows/pull_request.yml | 2 +- .github/workflows/quality-checks.yml | 2 +- .github/workflows/release.yml | 2 +- 5 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index a07ebbc..6f9e404 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,4 +1,5 @@ -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25 +ARG IMAGE_VERSION=latest +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${IMAGE_VERSION} USER root # specify DOCKER_GID to force container docker group id to match host diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index b18823e..7ec5ffa 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
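Review bot: `ARG IMAGE_VERSION=latest` makes a plain `docker build` of this Dockerfile float to `:latest` (hadolint DL3007) whenever the devcontainer's `IMAGE_VERSION` build arg is not passed. Declare it without a default, `ARG IMAGE_VERSION`, so a missing argument yields an invalid `FROM` reference and fails loudly instead of silently picking an unpinned image. `ARG DOCKER_GID` is still not declared after `FROM`, so the group-fixing `RUN` beneath it continues to see an empty value.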
@@ -7,40 +7,39 @@ "dockerfile": "Dockerfile", "context": "..", "args": { - "DOCKER_GID": "${env:DOCKER_GID:}" - } - }, - "mounts": [ - "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.gitconfig,target=/home/vscode/.gitconfig,type=bind" - ], - "containerUser": "vscode", - "remoteEnv": { - "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" - }, - "features": {}, - "customizations": { - "vscode": { - "extensions": [ - "AmazonWebServices.aws-toolkit-vscode", - "redhat.vscode-yaml", - "eamodio.gitlens", - "github.vscode-pull-request-github", - "streetsidesoftware.code-spell-checker", - "timonwong.shellcheck", - "github.vscode-github-actions" - ], - "settings": { - "cSpell.words": [ - "fhir", - "Formik", - "pino", - "serialisation" - ] + "DOCKER_GID": "${env:DOCKER_GID:}", + "IMAGE_VERSION": "pr-15-c27cba7" // This arg is used in the Dockerfile to specify the base image version } + }, + "mounts": [ + "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + ], + "containerUser": "vscode", + "remoteEnv": { + "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" + }, + "features": {}, + "customizations": { + "vscode": { + "extensions": [ + "AmazonWebServices.aws-toolkit-vscode", + "redhat.vscode-yaml", + "eamodio.gitlens", + "github.vscode-pull-request-github", + "streetsidesoftware.code-spell-checker", + "timonwong.shellcheck", + "github.vscode-github-actions" + ], + "settings": { 
+ "cSpell.words": [ + "fhir", + "Formik", + "pino", + "serialisation" + ] + } } } } -} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index aa97d2b..0ee0ae8 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,7 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-c27cba7" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index b79dbe2..d3a2940 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -431,7 +431,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 0 + options: --user 1001:1001 steps: - *checkout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d7884fa..e6aeed8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,7 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-c27cba7" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From 577d8e775071b3391e723728226920c2d3b3af09 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 18:32:46 +0000 Subject: [PATCH 05/31] fix user --- .github/workflows/quality-checks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index d3a2940..a8b984e 100644 
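Review bot: As displayed, the `}` that closes `args` now sits after the `//` comment on the `"IMAGE_VERSION"` line, so it is commented out; the following `},` then closes `args` instead of `build`, every key from `"mounts"` down becomes a child of `build`, and the trailing `-}` removal leaves the root object unclosed, so the devcontainer no longer parses. Put the comment on its own line above the key and restore the brace: `// IMAGE_VERSION selects the base image tag used by the Dockerfile`, then `"IMAGE_VERSION": "pr-15-c27cba7"`, then `}` on the next line, and keep the original final `}`. Also note this now points the devcontainer at a PR build of the base image rather than a release tag.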
--- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -301,6 +301,7 @@ jobs: get_docker_images_to_scan: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} + options: --user 1001:1001 runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} @@ -370,7 +371,7 @@ jobs: docker_vulnerability_scan: runs-on: ubuntu-22.04 container: - image: ghcr.io/nhsdigital/eps-devcontainers/fhir_facade_api:v1.0.0 + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} needs: get_docker_images_to_scan if: ${{ inputs.run_docker_scan == true }} strategy: From 556712a87d442249a6c41da6a5cdd475c6855576 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 18:34:31 +0000 Subject: [PATCH 06/31] debug --- .github/workflows/quality-checks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index a8b984e..293c6ce 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 0 + options: --user 1001:1001 steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 if: ${{ inputs.install_java }} @@ -77,6 +77,7 @@ jobs: - name: make install run: | + id make install - name: Check language tools used and setup trivy config From 415a828b6bad32b3ab0136f64f50435cd013c45e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 19:34:15 +0000 Subject: [PATCH 07/31] use new tag --- .devcontainer/devcontainer.json | 2 +- .github/workflows/pull_request.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 7ec5ffa..000cb65 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
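Review bot: `options: --user 1001:1001` is added at job level, between `outputs:` and `runs-on:`, but `options` is only valid under `container:`; actionlint (pinned in .tool-versions) will flag it and GitHub will refuse to run the workflow. Move it under `container:` next to `image:`, as the other jobs in this file do.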
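Review bot: `inputs.runtime_docker_image` already carries the full `ghcr.io/nhsdigital/eps-devcontainers/...` reference (see the callers in pull_request.yml and release.yml), so the new expression produces `ghcr.io/nhsdigital/eps-devcontainers/ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:<tag>`, which will not resolve and the scan job will fail at image pull. Use `image: ${{ inputs.runtime_docker_image }}` as the other three jobs do. This job also still has no `options: --user`, so it runs as whatever user the image defaults to.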
@@ -8,7 +8,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-15-c27cba7" // This arg is used in the Dockerfile to specify the base image version } + "IMAGE_VERSION": "v1.0.1" // This arg is used in the Dockerfile to specify the base image version } }, "mounts": [ "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 0ee0ae8..cba36b7 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,7 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-c27cba7" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e6aeed8..fa70885 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,7 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-c27cba7" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From 97767c6807acceeec76df72f8d4bb91ae3924906 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 19:36:35 +0000 Subject: [PATCH 08/31] try different user --- .github/workflows/quality-checks.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 293c6ce..00e840f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1001:1001 + options: --user 1000:1000 steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 if: ${{ inputs.install_java }} @@ -302,11 +302,10 @@ jobs: get_docker_images_to_scan: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} - options: --user 1001:1001 runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 0 + options: --user 1000:1000 steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -433,7 +432,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1001:1001 + options: --user 1000:1000 steps: - *checkout From a8d306bebd71642594f1814833690ec933f822a4 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:22:19 +0000 Subject: [PATCH 09/31] new one --- .devcontainer/Dockerfile | 9 ++++++++- .devcontainer/devcontainer.json | 8 ++++---- .github/workflows/pull_request.yml | 16 +++++++++------- .github/workflows/quality-checks.yml | 18 ------------------ .github/workflows/release.yml | 16 +++++++++------- 5 files changed, 30 insertions(+), 37 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 6f9e404..f258f70 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,5 +1,6 @@ ARG IMAGE_VERSION=latest -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${IMAGE_VERSION} +ARG IMAGE=node_24_python_3_14 +FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} USER root # specify DOCKER_GID to force container docker group id to match host 
@@ -12,4 +13,10 @@ RUN if [ -n "${DOCKER_GID}" ]; then \ usermod -aG docker vscode; \ fi +# fix vscode user back to 1000 +RUN usermod -u 1000 vscode; \ + groupmod -g 1000 vscode; \ + chown -R vscode:vscode /home/vscode + +RUN rm -rf /home/vscode/.ssh USER vscode diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 000cb65..6414ab0 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,15 +1,14 @@ -// For format details, see https://aka.ms/devcontainer.json. For config options, see the -// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { "name": "Ubuntu", - // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "Dockerfile", "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "v1.0.1" // This arg is used in the Dockerfile to specify the base image version } + "IMAGE_VERSION": "pr-16-69b4bfb", + "IMAGE": "node_24_python_3_14" }, + "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", "mounts": [ "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", @@ -43,3 +42,4 @@ } } } +} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index cba36b7..1090984 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
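Review bot: The new `usermod -u 1000 vscode; groupmod -g 1000 vscode; chown -R vscode:vscode /home/vscode` chain uses `;`, so if `usermod` or `groupmod` fails (for example because uid/gid 1000 is already taken in the base image) the layer still succeeds and the container ends up with a half-remapped user. Join the commands with `&&`, `RUN usermod -u 1000 vscode && groupmod -g 1000 vscode && chown -R vscode:vscode /home/vscode`, so the build stops at the first failure. `chown -R` only covers `/home/vscode`; anything the base image installed elsewhere under the old uid keeps its previous owner, which the comment could say.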
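Review bot: The added closing `}` balances the braces again, but as far as the hunk shows the `},` after `"IMAGE"` still closes `args` rather than `build`, so `postAttachCommand`, `mounts`, `containerUser`, `remoteEnv`, `features` and `customizations` all end up nested inside `build`, where the devcontainer tooling ignores them; the `args` object needs its own `}` before that `},`. The new `postAttachCommand` registers git-secrets patterns but, unlike the removed `pre-commit install --install-hooks`, installs no hook, so commits are not scanned locally unless the image already does this; append `&& git secrets --install -f` or reinstate the pre-commit call.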
@@ -16,11 +16,12 @@ jobs: AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} pr_title_format_check: uses: ./.github/workflows/pr_title_check.yml - get_asdf_version: + get_config_values: runs-on: ubuntu-22.04 outputs: asdf_version: ${{ steps.asdf-version.outputs.version }} tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }} steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -32,21 +33,22 @@ jobs: id: load-config run: | TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT" quality_checks: uses: ./.github/workflows/quality-checks.yml - needs: [get_asdf_version] + needs: [get_config_values] with: - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: - needs: [quality_checks, get_asdf_version] + needs: [quality_checks, get_config_values] uses: ./.github/workflows/tag-release.yml with: dry_run: true - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + asdfVersion: ${{ needs.get_config_values.outputs.asdf_version }} branch_name: ${{ github.event.pull_request.head.ref }} - tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} + tag_format: ${{ needs.get_config_values.outputs.tag_format }} secrets: inherit diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 00e840f..dbb8136 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
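Review bot: `jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json` only works because this commit strips every `//` comment from devcontainer.json; jq rejects JSONC, so the next comment added to that file breaks this workflow and release.yml with an opaque parse error, and a missing key yields the literal `null` and an image tag of `:null`. Record the constraint in the file (`"//": "keep strict JSON: CI reads this with jq"`) and guard the value, `test -n "$DEVCONTAINER_VERSION" && test "$DEVCONTAINER_VERSION" != null`. The image name is still hard-coded as `node_24_python_3_14` in `runtime_docker_image` while devcontainer.json now also declares `IMAGE`; read `.build.args.IMAGE` the same way so the devcontainer and CI cannot drift.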
@@ -6,23 +6,11 @@ on: SONAR_TOKEN: required: false inputs: - install_java: - type: boolean - description: "If true, the action will install java into the runner, separately from ASDF." - default: false - required: false run_sonar: type: boolean description: Toggle to run sonar code analyis on this repository. default: true required: false - asdfVersion: - type: string - required: true - reinstall_poetry: - type: boolean - description: Toggle to reinstall poetry on top of python version installed by asdf. - default: false run_docker_scan: type: boolean description: Toggle to run docker vulnerability scan on this repository. @@ -44,12 +32,6 @@ jobs: image: ${{ inputs.runtime_docker_image }} options: --user 1000:1000 steps: - - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 - if: ${{ inputs.install_java }} - with: - java-version: "21" - distribution: "corretto" - - &checkout name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fa70885..dce12be 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,11 +8,12 @@ env: BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} jobs: - get_asdf_version: + get_config_values: runs-on: ubuntu-22.04 outputs: asdf_version: ${{ steps.asdf-version.outputs.version }} tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }} steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd 
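Review bot: Removing the `install_java`, `asdfVersion` and `reinstall_poetry` inputs is a breaking change for a `workflow_call` workflow: any caller in another repository still passing one of them fails at workflow resolution with an "invalid input" error rather than degrading gracefully. If other repositories consume this file, keep the inputs as deprecated no-ops with `description: "Deprecated: toolchain now comes from runtime_docker_image"` for one release, and say in the PR description which caller repos need updating.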
@@ -24,21 +25,22 @@ jobs: id: load-config run: | TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT" quality_checks: - needs: [get_asdf_version] + needs: [get_config_values] uses: ./.github/workflows/quality-checks.yml with: - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: - needs: [quality_checks, get_asdf_version] + needs: [quality_checks, get_config_values] uses: ./.github/workflows/tag-release.yml with: dry_run: false - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + asdfVersion: ${{ needs.get_config_values.outputs.asdf_version }} branch_name: main - tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} + tag_format: ${{ needs.get_config_values.outputs.tag_format }} secrets: inherit From 2e2d45656d97e6539c662dc83be48dd03785721e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:23:40 +0000 Subject: [PATCH 10/31] new user --- .github/workflows/quality-checks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index dbb8136..4a244e4 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1000:1000 + options: --user 1001:1001 steps: - &checkout name: Checkout code 
@@ -287,7 +287,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1000:1000 + options: --user 1001:1001 steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -414,7 +414,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1000:1000 + options: --user 1001:1001 steps: - *checkout From c6a3dc956c047caf2a1f520e0f66ee5c1b28a012 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:26:00 +0000 Subject: [PATCH 11/31] add asdf install --- .github/workflows/quality-checks.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 4a244e4..414ebe9 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -60,6 +60,7 @@ jobs: - name: make install run: | id + asdf install make install - name: Check language tools used and setup trivy config From 967dab764016e76fc1e46a366bf927d48f82af1d Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:28:22 +0000 Subject: [PATCH 12/31] debug --- .github/workflows/quality-checks.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 414ebe9..35278da 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -60,7 +60,9 @@ jobs: - name: make install run: | id - asdf install + echo "running asdf plugin list" + asdf plugin list + echo "running make install" make install - name: Check language tools used and setup trivy config From ec7e2a907a6961dbb8084097c01c0c9338b99ec0 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:32:28 +0000 Subject: [PATCH 13/31] more debug --- .github/workflows/quality-checks.yml | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 35278da..efc5590 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -59,7 +59,11 @@ jobs: - name: make install run: | + echo "Running id" id + echo "Running pwd" + pwd + echo "home is $HOME" echo "running asdf plugin list" asdf plugin list echo "running make install" From 9c8a2a0b3a9e799b22d81c3015c192020bd42d71 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:34:30 +0000 Subject: [PATCH 14/31] set home --- .github/workflows/quality-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index efc5590..33e2608 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -30,6 +30,8 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} + env: + HOME: /home/vscode options: --user 1001:1001 steps: - &checkout From 3219587532771a47006fc82aa28e8c0f45df99fb Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 17:46:20 +0000 Subject: [PATCH 15/31] new image --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 6414ab0..44d3e6b 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-69b4bfb", + "IMAGE_VERSION": "pr-16-f22b31d", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From d570e15efacb484bd64f4a324ffdec85ba457d95 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Sat, 14 Feb 2026 17:54:54 +0000 Subject: [PATCH 16/31] set ASDF_DATA_DIR --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 33e2608..575903c 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -31,7 +31,7 @@ jobs: container: image: ${{ inputs.runtime_docker_image }} env: - HOME: /home/vscode + ASDF_DATA_DIR: /home/vscode/.asdf options: --user 1001:1001 steps: - &checkout From 273b9f794b8fe44b14d5236a26108d960b13dfca Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:36:53 +0000 Subject: [PATCH 17/31] use container step --- .devcontainer/Dockerfile | 8 - .devcontainer/devcontainer.json | 2 +- .github/workflows/quality-checks.yml | 289 +++++++++++++++++---------- 3 files changed, 184 insertions(+), 115 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index f258f70..2ef3eba 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -12,11 +12,3 @@ RUN if [ -n "${DOCKER_GID}" ]; then \ fi && \ usermod -aG docker vscode; \ fi - -# fix vscode user back to 1000 -RUN usermod -u 1000 vscode; \ - groupmod -g 1000 vscode; \ - chown -R vscode:vscode /home/vscode - -RUN rm -rf /home/vscode/.ssh -USER vscode diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 44d3e6b..36382ff 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-f22b31d", + "IMAGE_VERSION": "pr-16-d9eab88", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", 
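Review bot: Removing `USER vscode` leaves this Dockerfile with no final switch to the unprivileged user, so whether the resulting dev container runs as root now depends on an earlier `USER` instruction in the file or on `remoteUser`/`containerUser` in devcontainer.json, neither of which is visible on this page; keep `USER vscode` as the last instruction, since the `DOCKER_GID` block above it is the only part that needs root. The deleted `RUN usermod -u 1000 vscode …` and `RUN rm -rf /home/vscode/.ssh` lines are not replaced by anything here; if the published image now handles both, say so in place, e.g. `# uid/gid of vscode and ~/.ssh are managed by the base image`. The `RUN if [ -n "${DOCKER_GID}" ]` block in which this hunk starts begins outside the hunk.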
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 575903c..dc6244f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -28,11 +28,6 @@ on: jobs: quality_checks: runs-on: ubuntu-22.04 - container: - image: ${{ inputs.runtime_docker_image }} - env: - ASDF_DATA_DIR: /home/vscode/.asdf - options: --user 1001:1001 steps: - &checkout name: Checkout code @@ -60,16 +55,24 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - run: | - echo "Running id" - id - echo "Running pwd" - pwd - echo "home is $HOME" - echo "running asdf plugin list" - asdf plugin list - echo "running make install" - make install + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + echo "Running id" + id + echo "Running pwd" + pwd + echo "home is $HOME" + echo "running asdf plugin list" + asdf plugin list + echo "running make install" + make install - name: Check language tools used and setup trivy config id: check_languages 
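Review bot: In the rewritten `make install` step (second hunk on this line) anything written outside the bind-mounted workspace is discarded when the step ends, because `addnab/docker-run-action` starts a new container per step and only `${{ github.workspace }}:/work` is shared; asdf tool installs under `$HOME/.asdf`, `pip --user` packages or a Poetry virtualenv kept outside the project would therefore be absent in the lint and test containers later in this commit. If those tools are expected to come from the image, make `make install` write only under `/work` (for example an in-project `.venv`), or mount a second volume for the tool directory and reuse it in every step. The script also runs as `-u vscode` while the checkout under `/work` belongs to the host runner user, so files it creates come back owned by the image's UID and may not be writable by the host-side steps that follow (the later "use image that can write to /work" commit suggests this was hit). Finally, `echo "Running id"`, `id`, `pwd` and `echo "home is $HOME"` are debugging output carried over from the previous commits and should be dropped before merge.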
@@ -125,22 +128,38 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - run: | - POETRY_VERSION=$(poetry --version | awk '{print $3}') - - if [[ "$(printf '%s\n' "2.0.0" "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "2.0.0" ]] \ - && [[ "$(printf '%s\n' "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "$POETRY_VERSION" ]]; then - echo "Poetry version $POETRY_VERSION is >=2.0.0 and <3.0.0 - installing plugin-export" - poetry self add poetry-plugin-export - else - echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export" - fi - poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + POETRY_VERSION=$(poetry --version | awk '{print $3}') + + if [[ "$(printf '%s\n' "2.0.0" "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "2.0.0" ]] \ + && [[ "$(printf '%s\n' "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "$POETRY_VERSION" ]]; then + echo "Poetry version $POETRY_VERSION is >=2.0.0 and <3.0.0 - installing plugin-export" + poetry self add poetry-plugin-export + else + echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export" + fi + poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - run: | - cd src - go mod vendor + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | 
+ cd /work + cd src + go mod vendor - name: Check licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: @@ -171,7 +190,16 @@ jobs: cat license_scan.txt fi - name: Run code lint - run: make lint + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + make lint - name: Run ShellCheck uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 @@ -183,7 +211,16 @@ jobs: .git - name: Run unit tests - run: make test + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + make test - name: Generate SBOM uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: @@ -294,9 +331,6 @@ jobs: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} runs-on: ubuntu-22.04 - container: - image: ${{ inputs.runtime_docker_image }} - options: --user 1001:1001 steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -361,8 +395,6 @@ jobs: docker_vulnerability_scan: runs-on: ubuntu-22.04 - container: - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} needs: get_docker_images_to_scan if: ${{ inputs.run_docker_scan == true }} strategy: @@ -421,9 +453,6 @@ jobs: IaC-validation: runs-on: ubuntu-22.04 - container: - image: ${{ inputs.runtime_docker_image }} - options: --user 1001:1001 steps: - *checkout 
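Review bot: The poetry-export script (hunk `@@ -125,22 +128,38 @@`, which begins on the previous line) relies on bash syntax — `[[ … ]]` and `$(printf '%s\n' … | sort -V)` — but `addnab/docker-run-action` feeds the `run:` text to the shell named by its `shell` input, which as far as I recall defaults to `sh`; under dash `[[` is a syntax error and the step fails before exporting anything. Add `shell: bash` to this step's `with:` block, and to every other docker-run-action step in this commit whose script uses bash constructs (the cfn-guard steps further down use `set -o pipefail`, `declare -a`, `${SAM_OUTPUT::-1}` and `< <(…)`). The `#!/usr/bin/env bash` lines removed from those steps never selected the interpreter anyway, since the script is piped to a shell rather than executed as a file, so the `shell:` input is the only place this can be fixed.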
@@ -474,102 +503,150 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - run: | - pip install cfn-lint - cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' - cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + pip install cfn-lint + cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' + cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' - *cache_npm - *setup_npmrc - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - run: | - make install-node && make compile + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + make install-node && make compile - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - run: | - make cdk-synth + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + make cdk-synth - - name: Install AWS SAM CLI - if: steps.check_sam_templates.outputs.sam_exists == 'true' - run: | - pip install aws-sam-cli - name: Init cfn-guard - run: | - #!/usr/bin/env bash - set -eou pipefail + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + 
registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + set -eou pipefail - rm -rf /tmp/ruleset - rm -rf cfn_guard_output + rm -rf /tmp/ruleset + rm -rf cfn_guard_output - wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1 - unzip /tmp/ruleset.zip -d /tmp/ruleset/ >/dev/null 2>&1 + wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1 + unzip /tmp/ruleset.zip -d /tmp/ruleset/ >/dev/null 2>&1 - curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1 + curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1 - mkdir -p cfn_guard_output + mkdir -p cfn_guard_output - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - run: | - #!/usr/bin/env bash - set -eou pipefail - - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - while IFS= read -r -d '' file + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + set -eou pipefail + + declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") + for ruleset in "${rulesets[@]}" do - echo "checking SAM template $file with ruleset $ruleset" - mkdir -p "$(dirname cfn_guard_output/"$file")" - - # Transform the SAM template to CloudFormation and then run through cfn-guard - SAM_OUTPUT=$(sam 
validate -t "$file" --region eu-west-2 --debug 2>&1 | \ - grep -Pazo '(?s)AWSTemplateFormatVersion.*\n\/' | tr -d '\0') - echo "${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/${file}_${ruleset}.txt" + while IFS= read -r -d '' file + do + echo "checking SAM template $file with ruleset $ruleset" + mkdir -p "$(dirname cfn_guard_output/"$file")" + + # Transform the SAM template to CloudFormation and then run through cfn-guard + SAM_OUTPUT=$(sam validate -t "$file" --region eu-west-2 --debug 2>&1 | \ + grep -Pazo '(?s)AWSTemplateFormatVersion.*\n\/' | tr -d '\0') + echo "${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate \ + --rules "/tmp/ruleset/output/$ruleset.guard" \ + --show-summary fail \ + > "cfn_guard_output/${file}_${ruleset}.txt" - done < <(find ./SAMtemplates -name '*.y*ml' -print0) - done + done < <(find ./SAMtemplates -name '*.y*ml' -print0) + done - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - run: | - #!/usr/bin/env bash - - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - echo "Checking all templates in cloudformation folder with ruleset $ruleset" + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + + declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") + for ruleset in "${rulesets[@]}" + do + echo "Checking all templates in cloudformation folder with ruleset $ruleset" - ~/.guard/bin/cfn-guard validate \ - --data cloudformation \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/cloudformation_$ruleset.txt" - done + 
~/.guard/bin/cfn-guard validate \ + --data cloudformation \ + --rules "/tmp/ruleset/output/$ruleset.guard" \ + --show-summary fail \ + > "cfn_guard_output/cloudformation_$ruleset.txt" + done - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - run: | - #!/usr/bin/env bash - - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - echo "Checking all templates in cdk.out folder with ruleset $ruleset" + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + + declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") + for ruleset in "${rulesets[@]}" + do + echo "Checking all templates in cdk.out folder with ruleset $ruleset" - ~/.guard/bin/cfn-guard validate \ - --data cdk.out \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/cdk.out_$ruleset.txt" - done + ~/.guard/bin/cfn-guard validate \ + --data cdk.out \ + --rules "/tmp/ruleset/output/$ruleset.guard" \ + --show-summary fail \ + > "cfn_guard_output/cdk.out_$ruleset.txt" + done - name: Download terraform plans uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 From d0191e7cbe992146c0a754882d104b82868798c4 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:37:57 +0000 Subject: [PATCH 18/31] use container step --- .github/workflows/quality-checks.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index dc6244f..ae22b8a 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
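Review bot: The `Init cfn-guard` step installs the ruleset into `/tmp/ruleset` and the binary into `~/.guard/bin` inside its own container, but each of the three `Run cfn-guard script …` steps that follow starts a fresh container in which only `${{ github.workspace }}:/work` is mounted, so `~/.guard/bin/cfn-guard` and `/tmp/ruleset/output/*.guard` will not exist when those steps run. Either fold the download and install into each run step, or install under the workspace (for example `/work/.cfn_guard/` for both the ruleset and the binary) and reference that path from the validate commands. While these lines are being moved, note that the ruleset zip is still fetched without checksum verification and `install-guard.sh` is piped from the `main` branch straight into `sh`; pinning the installer to a release tag and verifying the archive's checksum would make this gate reproducible. The `Install AWS SAM CLI` step is deleted while the SAM step still calls `sam validate`, so the CLI now has to come from the image — worth confirming. The enclosing `IaC-validation` job starts outside this hunk.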
@@ -36,8 +36,16 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - run: | - git-secrets --scan-history . + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + git-secrets --scan-history . - &setup_npmrc name: Setting up .npmrc From de720fc2b47e9a9596ca12f0c0ccd198148abbb7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:40:26 +0000 Subject: [PATCH 19/31] fix image --- .github/workflows/quality-checks.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index ae22b8a..476da44 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -39,7 +39,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -66,7 +66,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -139,7 +139,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
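Review bot: `git-secrets --scan-history .` now runs in a fresh container in which nothing has registered any patterns: this repository registers the AWS provider and the NHSD deny list only in devcontainer.json's `postAttachCommand`, which does not execute here, so unless the published image registers them globally the scan runs with an empty pattern set and passes vacuously. Run `git-secrets --register-aws && git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt` before the scan in this `run:` block, and fail the step if `git-secrets --list` prints nothing. Separately, the checkout under `/work` is owned by the host runner user while the command runs as `-u vscode`; if the image's git is 2.35.2 or newer and the UIDs differ, it will refuse with a "dubious ownership" error unless the step first runs `git config --global --add safe.directory /work`.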
@@ -160,7 +160,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -201,7 +201,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -222,7 +222,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -514,7 +514,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -532,7 +532,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -545,7 +545,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
@@ -558,7 +558,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -581,7 +581,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -613,7 +613,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -637,7 +637,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode From 0864610ccb65a8519655295e5f9eee0481afa7d2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:43:26 +0000 Subject: [PATCH 20/31] really fix image --- .github/workflows/quality-checks.yml | 39 ++++++++++------------------ 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 476da44..ea1f91f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -38,8 +38,7 @@ jobs:
 - name: Run secrets scan
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -65,8 +64,7 @@ jobs:
 - name: make install
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -138,8 +136,7 @@ jobs:
 if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }}
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -159,8 +156,7 @@ jobs:
 if: ${{ steps.check_languages.outputs.uses_go == 'true' }}
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -200,8 +196,7 @@ jobs:
 - name: Run code lint
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -221,8 +216,7 @@ jobs:
 - name: Run unit tests
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -513,8 +507,7 @@ jobs:
 if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true'
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -531,8 +524,7 @@ jobs:
 if: steps.check_cdk.outputs.cdk_exists == 'true'
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -544,8 +536,7 @@ jobs:
 if: steps.check_cdk.outputs.cdk_exists == 'true'
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -557,8 +548,7 @@ jobs:
 - name: Init cfn-guard
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- registry: gcr.io
- image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -580,8 +570,7 @@ jobs: if: steps.check_sam_templates.outputs.sam_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -612,8 +601,7 @@ jobs: if: steps.check_cf_templates.outputs.cf_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -636,8 +624,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode From 8001f53457da8a21957a252516cb6aafcd620963 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:44:54 +0000 Subject: [PATCH 21/31] really really fix image --- .github/workflows/pull_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 1090984..4c45059 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
@@ -40,7 +40,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml needs: [get_config_values] with: - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}" + runtime_docker_image: "node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From cb42b4649250273cb76b0692c1ee0de59d68557d Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 12:19:40 +0000 Subject: [PATCH 22/31] really really really fix image --- .github/workflows/quality-checks.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index ea1f91f..fdbc132 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -38,7 +38,7 @@ jobs: - name: Run secrets scan uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -64,7 +64,7 @@ jobs: - name: make install uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -136,7 +136,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
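Review bot: After this change `runtime_docker_image` carries only `node_24_python_3_14:<tag>` and quality-checks.yml prepends the registry path itself, but release.yml (first commit of this series) still passes the full `ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:…` value, so the release run would resolve to `…/eps-devcontainers/ghcr.io/nhsdigital/…` and fail to pull — unless a later commit outside this view updates it. Apply the same trimming to release.yml's `quality_checks` call, and since the input's meaning has changed, update its `description` in quality-checks.yml (outside this hunk) to state that it is an image name and tag without registry, so the next caller does not reintroduce the prefix.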
@@ -156,7 +156,7 @@ jobs:
 if: ${{ steps.check_languages.outputs.uses_go == 'true' }}
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -196,7 +196,7 @@ jobs:
 - name: Run code lint
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -216,7 +216,7 @@ jobs:
 - name: Run unit tests
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -507,7 +507,7 @@ jobs:
 if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true'
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -524,7 +524,7 @@ jobs:
 if: steps.check_cdk.outputs.cdk_exists == 'true'
 uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273
 with:
- image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+ image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
 options: >
 -v ${{ github.workspace }}:/work
 -u vscode
@@ -536,7 +536,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -548,7 +548,7 @@ jobs: - name: Init cfn-guard uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -570,7 +570,7 @@ jobs: if: steps.check_sam_templates.outputs.sam_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -601,7 +601,7 @@ jobs: if: steps.check_cf_templates.outputs.cf_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -624,7 +624,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode From 826ee6c1ead729314e0a615184d7fa738fcb892c Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Sun, 15 Feb 2026 13:11:00 +0000 Subject: [PATCH 23/31] use image that can write to /work --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 36382ff..612a1be 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-d9eab88", + "IMAGE_VERSION": "pr-16-03d6189", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From 2e61b9b33b17afdd732071343e5c977ff1ea58f5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 14:12:47 +0000 Subject: [PATCH 24/31] use new image --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 612a1be..69d3eb6 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-03d6189", + "IMAGE_VERSION": "pr-16-37cee2e", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From 183175a152e45bb258f0acf1fdfb39579ab97ad9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 14:20:29 +0000 Subject: [PATCH 25/31] more debug --- .github/workflows/quality-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index fdbc132..c72d1d0 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -77,6 +77,8 @@ jobs: echo "home is $HOME" echo "running asdf plugin list" asdf plugin list + echo "Checking mount" + ls -l / echo "running make install" make install From 1e98d6e1fab5689f71733f607f325e789b4083c9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 16:14:54 +0000 Subject: [PATCH 26/31] new image --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 69d3eb6..dbf6f72 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-37cee2e", + "IMAGE_VERSION": "pr-16-c2726ad", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From a06cf2eced143b3c53385581944e8d964783b7b7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 16:16:25 +0000 Subject: [PATCH 27/31] dont change user --- .github/workflows/quality-checks.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index c72d1d0..e1152d2 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -41,7 +41,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work git-secrets --scan-history . @@ -67,7 +66,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work echo "Running id" 
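Review bot: `echo "Checking mount"` and `ls -l /` are diagnostic output added to the make install step with nothing to gate them, and the surrounding id/home/`asdf plugin list` echoes plus the `echo $PATH` added by the later "fix path" commit (hunk @@ -79) fall into the same category. Either drop them before merge or key them on the runner's debug flag, e.g. `if [ -n "${RUNNER_DEBUG:-}" ]; then ls -l /; fi`, so the job log stays readable when the step is healthy. The `run:` script this hunk sits in starts outside the hunk.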
@@ -141,7 +139,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work POETRY_VERSION=$(poetry --version | awk '{print $3}') @@ -161,7 +158,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work cd src @@ -201,7 +197,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work make lint @@ -221,7 +216,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work make test @@ -512,7 +506,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work pip install cfn-lint @@ -529,7 +522,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work make install-node && make compile @@ -541,7 +533,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work make cdk-synth @@ -553,7 +544,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work set -eou pipefail @@ -575,7 +565,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work set -eou pipefail @@ -606,7 +595,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work 
@@ -629,7 +617,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work From c75e255dd7525a4e59a5c6d85e3048c80c137658 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 16:19:50 +0000 Subject: [PATCH 28/31] set user 1001 --- .github/workflows/quality-checks.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index e1152d2..01cecdc 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -41,6 +41,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work git-secrets --scan-history . @@ -66,6 +67,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work echo "Running id" @@ -139,6 +141,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work POETRY_VERSION=$(poetry --version | awk '{print $3}') @@ -158,6 +161,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work cd src @@ -197,6 +201,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work make lint @@ -216,6 +221,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work make test 
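Review bot: `-u 1001:1001` hard-codes a numeric uid/gid in every docker-run step (this hunk and those at -66, -139, -158, -197, -216, -506, -522, -533, -544, -565, -595 and -617) with no note on where the number comes from; presumably it matches the Actions runner user so the bind-mounted `/work` stays writable, but that is not visible here. If the image has no passwd entry for uid 1001, Docker typically sets `HOME` to `/` and anything installed under `/home/vscode` is not found, which may be what the later `export PATH="$HOME/.asdf/shims:$PATH"` is working around. A workflow-level `env: CI_UID: "1001"` carrying a comment that states the assumption, referenced as `-u ${{ env.CI_UID }}:${{ env.CI_UID }}`, keeps the number in one place and explains it. Each step's definition begins outside its hunk.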
@@ -506,6 +512,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work pip install cfn-lint @@ -522,6 +529,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work make install-node && make compile @@ -533,6 +541,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work make cdk-synth @@ -544,6 +553,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work set -eou pipefail @@ -565,6 +575,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work set -eou pipefail @@ -595,6 +606,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work @@ -617,6 +629,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work From 3f50c134d19dc0cdf4c96001ffce5b2c2d6be632 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 18:06:23 +0000 Subject: [PATCH 29/31] use newer image --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index dbf6f72..9067d93 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-c2726ad", + "IMAGE_VERSION": "pr-16-85d8bf7", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From 979b094354bc2c9edb87cfc31453c013d77c428f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 18:09:47 +0000 Subject: [PATCH 30/31] fix path --- .github/workflows/quality-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 01cecdc..69e4049 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -79,6 +79,8 @@ jobs: asdf plugin list echo "Checking mount" ls -l / + echo $PATH + export PATH="$HOME/.asdf/shims:$PATH" echo "running make install" make install From 24784857cab74fc588ac93ac86365572a279ce15 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 18:54:57 +0000 Subject: [PATCH 31/31] new image --- .devcontainer/Dockerfile | 5 +++++ .devcontainer/devcontainer.json | 2 +- .github/workflows/quality-checks.yml | 1 - 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 2ef3eba..d1c13bb 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -12,3 +12,8 @@ RUN if [ -n "${DOCKER_GID}" ]; then \ fi && \ usermod -aG docker vscode; \ fi + +# fix vscode user back to 1000 +RUN usermod -u 1000 vscode; \ + groupmod -g 1000 vscode; \ + chown -R vscode:vscode /home/vscode diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 9067d93..a2ce53e 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
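Review bot: `export PATH="$HOME/.asdf/shims:$PATH"` only patches the environment of the make install step; the other docker-run steps (`make lint`, `make test`, the CDK and cfn-guard steps) use the same image and the same `-u 1001:1001` and, as far as this diff shows, get no equivalent, so any asdf-managed tool they call may resolve differently. Setting PATH once on the published image (`ENV PATH=/home/vscode/.asdf/shims:$PATH`) or passing it through the action's `options: -e PATH=...` in one place would apply uniformly; if it must stay in the script, `export PATH="${ASDF_DATA_DIR:-$HOME/.asdf}/shims:$PATH"` also honours the asdf data-dir override. `echo $PATH` should be quoted (`echo "$PATH"`) or removed with the other debug output. The enclosing `run:` script starts outside the hunk.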
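Review bot: The three commands in the new `RUN` are joined with `;`, so if `usermod -u 1000 vscode` fails (for instance because uid 1000 is already taken in the published image) the layer still builds and the `chown` runs against an unchanged user, leaving the mismatch silent until the workspace mount misbehaves. Chain them with `&&`: `RUN usermod -u 1000 vscode && \` / `    groupmod -g 1000 vscode && \` / `    chown -R vscode:vscode /home/vscode`. The comment should also say what uid the published image gives `vscode` and why 1000 is needed here (presumably to match the host user for the bind mount), since "fix ... back" gives a reader no way to tell whether the step is still required after the base tag is bumped. Note that a `chown -R` in a `RUN` re-copies everything under `/home/vscode` into this layer, so the dev container grows with the published image.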
@@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-85d8bf7", + "IMAGE_VERSION": "pr-16-36dcbc3", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 69e4049..89f9661 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -548,7 +548,6 @@ jobs: cd /work make cdk-synth - - name: Init cfn-guard uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: