From 22a47f1b88e259a00edb1bc3ddbdb4bb303beeea Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 15:17:05 +0000 Subject: [PATCH 01/18] set correct user --- .github/workflows/build_multi_arch_image.yml | 4 +-- src/base/.devcontainer/Dockerfile | 20 +++++++++++++- src/base/.devcontainer/devcontainer.json | 7 ++--- .../.devcontainer/scripts/root_install.sh | 9 +++---- .../.devcontainer/scripts/vscode_install.sh | 4 --- src/common/Dockerfile | 24 +++++++++++++++++ .../.devcontainer/devcontainer.json | 4 ++- .../.devcontainer/devcontainer.json | 4 ++- .../.devcontainer/devcontainer.json | 4 ++- .../.devcontainer/scripts/root_install.sh | 4 +++ .../.devcontainer/devcontainer.json | 4 ++- .../fhir_facade_api/.devcontainer/Dockerfile | 27 +++++++++++++++++++ .../.devcontainer/devcontainer.json | 4 ++- 13 files changed, 97 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index d12e767..04e4c86 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -82,13 +82,11 @@ jobs: env: ARCHITECTURE: '${{ matrix.arch }}' - DOCKER_TAG: '${{ inputs.docker_tag }}' CONTAINER_NAME: '${{ inputs.container_name }}' + DOCKER_TAG: '${{ inputs.docker_tag }}' BASE_VERSION: ${{ inputs.docker_tag}} IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}" BASE_FOLDER: "${{ inputs.base_folder }}" - VSCODE_UID: "1001" - VSCODE_GID: "1001" - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 with: diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index ee1a55c..5bc6fb3 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -4,10 +4,17 @@ ARG BASE_VERSION=latest ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME +ARG DOCKER_TAG +ARG BASE_VERSION +ARG IMAGE_TAG + +ENV BASE_VERSION=${BASE_VERSION} ENV TARGETARCH=${TARGETARCH} -ENV CONTAINER_NAME=${CONTAINER_NAME} ENV SCRIPTS_DIR=${SCRIPTS_DIR} +ENV CONTAINER_NAME=${CONTAINER_NAME} +ENV DOCKER_TAG=${DOCKER_TAG} ENV BASE_VERSION=${BASE_VERSION} +ENV IMAGE_TAG=${IMAGE_TAG} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS base devcontainer" @@ -26,3 +33,14 @@ COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions ENV PATH="/home/vscode/.asdf/shims/:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./vscode_install.sh + +USER root +# store version info in VERSION.txt for reference +RUN echo "[[ ${CONTAINER_NAME} ]]" > "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "" >> "${SCRIPTS_DIR}/VERSION.txt" + +USER vscode +WORKDIR /home/vscode diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 27c98ce..0ca0fe2 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -6,9 +6,10 @@ "build": { "dockerfile": "Dockerfile", "args": { - "CONTAINER_NAME": "eps_devcontainer_base", - "VSCODE_UID": "${localEnv:VSCODE_UID}", - "VSCODE_GID": "${localEnv:VSCODE_GID}" + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" } }, "runArgs": [ diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index d8720d0..9b6d7c1 100755 
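Review bot: The new `"CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}"` has no fallback, so a developer opening this devcontainer locally without CONTAINER_NAME exported builds an image named `eps_devcontainer_` and the Dockerfile's `WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}` would collapse to the shared scripts directory, a failure mode the previous hard-coded value did not have. The devcontainer spec allows a default in the same expression, e.g. `"CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME:base}"`, and the same applies to `DOCKER_TAG`, `BASE_VERSION` and `IMAGE_TAG`, which presumably arrive empty outside the CI workflow. The identical pattern is introduced in the node_24_python_3_12, node_24_python_3_13, node_24_python_3_14, python_3_10 and fhir_facade_api devcontainer.json hunks later in this patch.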
--- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -67,14 +67,11 @@ mkdir -p /usr/share/secrets-scanner chmod 755 /usr/share/secrets-scanner curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt -# fix user and group ids for vscode user to match host, and ensure vscode owns their home directory -requested_uid="${VSCODE_UID:-1000}" -requested_gid="${VSCODE_GID:-1000}" +# fix user and group ids for vscode user to be 1001 so it can be used by github actions +requested_uid=1001 +requested_gid=1001 current_uid="$(id -u vscode)" current_gid="$(id -g vscode)" if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi chown -R vscode:vscode /home/vscode - -# store base version in VERSION.txt for reference -echo "VERSION=${BASE_VERSION}" > "${SCRIPTS_DIR}/VERSION.txt" diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index 8c118d9..5f1a123 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -24,7 +24,3 @@ asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git # install base asdf versions of common tools cd /home/vscode asdf install - -# setup gitsecrets -git-secrets --register-aws --global -git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 7b2cc33..49c3a92 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile 
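Review bot: The nhsd-rules-deny.txt download at the top of this hunk is left without a visible consumer once this commit drops the git-secrets registration from vscode_install.sh, so the deny list is fetched into every image but, as far as this patch shows, never registered. If the scanner setup has moved elsewhere (for example to a post-create hook) a comment would help, e.g. `# nhsd-rules-deny.txt is registered with git-secrets by <where it now happens>`; otherwise the registration should be kept. Separately, the `${VSCODE_UID:-1000}` override is removed entirely rather than re-defaulted, so local users whose host uid is not 1001 lose the ability to align ownership of bind mounts; `requested_uid="${VSCODE_UID:-1001}"` and `requested_gid="${VSCODE_GID:-1001}"` would keep both behaviours.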
@@ -2,8 +2,21 @@ ARG BASE_VERSION=latest FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} +ARG BASE_VERSION=latest +ARG TARGETARCH +ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME +ARG DOCKER_TAG +ARG BASE_VERSION +ARG IMAGE_TAG + +ENV BASE_VERSION=${BASE_VERSION} +ENV TARGETARCH=${TARGETARCH} +ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} +ENV DOCKER_TAG=${DOCKER_TAG} +ENV BASE_VERSION=${BASE_VERSION} +ENV IMAGE_TAG=${IMAGE_TAG} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS ${CONTAINER_NAME} devcontainer" @@ -19,6 +32,17 @@ USER vscode WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} COPY .tool-versions /tmp/.tool-versions RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions +ENV PATH="/home/vscode/.asdf/shims/:$PATH" RUN ./vscode_install.sh + +USER root +# store version info in VERSION.txt for reference +RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "" >> "${SCRIPTS_DIR}/VERSION.txt" + +USER vscode WORKDIR /home/vscode diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index fe1b068..5348d33 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "../../../common/Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, 
diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index fe1b068..5348d33 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "../../../common/Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index afbfe61..1bf1e6f 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "../../../common/Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_14" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh index 0510f2c..a07f052 100755 --- a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh @@ -1,2 +1,6 @@ #!/usr/bin/env bash set -e + +# store version info in VERSION.txt for reference +echo "VERSION=${BASE_VERSION}" > "${SCRIPTS_DIR}/VERSION.txt" +echo "CONTAINER_NAME=${CONTAINER_NAME}" >> "${SCRIPTS_DIR}/VERSION.txt" 
diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json index fe1b068..5348d33 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json +++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "../../../common/Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index a24639d..dbe7bd2 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile @@ -2,6 +2,22 @@ ARG BASE_VERSION=latest FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION} +ARG BASE_VERSION=latest +ARG TARGETARCH +ARG SCRIPTS_DIR=/usr/local/share/eps +ARG CONTAINER_NAME +ARG DOCKER_TAG +ARG BASE_VERSION +ARG IMAGE_TAG + +ENV BASE_VERSION=${BASE_VERSION} +ENV TARGETARCH=${TARGETARCH} +ENV SCRIPTS_DIR=${SCRIPTS_DIR} +ENV CONTAINER_NAME=${CONTAINER_NAME} +ENV DOCKER_TAG=${DOCKER_TAG} +ENV BASE_VERSION=${BASE_VERSION} +ENV IMAGE_TAG=${IMAGE_TAG} + LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS fhir facade devcontainer" LABEL org.opencontainers.image.licenses=MIT 
@@ -18,3 +34,14 @@ COPY .tool-versions /tmp/.tool-versions RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions RUN ./vscode_install.sh + +USER root +# store version info in VERSION.txt for reference +RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "" >> "${SCRIPTS_DIR}/VERSION.txt" + +USER vscode +WORKDIR /home/vscode diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json index da3a820..fcf3f37 100644 --- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json +++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "fhir_facade_api" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, From 69b4bfb46790e26dd83c746d6585179cfbd37328 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 15:48:27 +0000 Subject: [PATCH 02/18] clear ssh dir --- src/base/.devcontainer/Dockerfile | 1 + src/common/Dockerfile | 1 + src/projects/fhir_facade_api/.devcontainer/Dockerfile | 1 + 3 files changed, 3 insertions(+) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 5bc6fb3..2e3a4ca 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -33,6 +33,7 @@ COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions
 ENV PATH="/home/vscode/.asdf/shims/:$PATH"
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./vscode_install.sh
+RUN rm -rf /home/vscode/.ssh
 USER root
 # store version info in VERSION.txt for reference
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 49c3a92..8591c36 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -35,6 +35,7 @@ RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
 ENV PATH="/home/vscode/.asdf/shims/:$PATH"
 RUN ./vscode_install.sh
+RUN rm -rf /home/vscode/.ssh
 USER root
 # store version info in VERSION.txt for reference
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index dbe7bd2..ce7a965 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -34,6 +34,7 @@ COPY .tool-versions /tmp/.tool-versions
 RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
 RUN ./vscode_install.sh
+RUN rm -rf /home/vscode/.ssh
 USER root
 # store version info in VERSION.txt for reference
From 82b374ad3149e746c16ef3cddd91e3fef1258e96 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sat, 14 Feb 2026 15:58:01 +0000
Subject: [PATCH 03/18] fix setting version
---
 .../node_24_python_3_14/.devcontainer/scripts/root_install.sh | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh
index a07f052..0510f2c 100755
--- a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh
+++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh
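Review bot: `RUN rm -rf /home/vscode/.ssh` runs in its own layer, so whatever (if anything) `./vscode_install.sh` left in that directory stays in the previous layer and remains retrievable from the pushed image's history; the removal only hides it from the final filesystem. If the intent is to keep SSH material or known_hosts out of the published image, do the removal inside the same RUN, `RUN ./vscode_install.sh && rm -rf /home/vscode/.ssh`; if the intent is only to leave a clean mount point for the user's own `.ssh`, a one-line comment saying so would stop the next reader treating it as a secret-hygiene step. The same standalone RUN is added to src/common/Dockerfile and src/projects/fhir_facade_api/.devcontainer/Dockerfile in this commit.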
@@ -1,6 +1,2 @@
 #!/usr/bin/env bash
 set -e
-
-# store version info in VERSION.txt for reference
-echo "VERSION=${BASE_VERSION}" > "${SCRIPTS_DIR}/VERSION.txt"
-echo "CONTAINER_NAME=${CONTAINER_NAME}" >> "${SCRIPTS_DIR}/VERSION.txt"
From 8402b54e04171c7de2364ec17fc36b042d2ceb44 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sat, 14 Feb 2026 16:11:43 +0000
Subject: [PATCH 04/18] more info to container
---
 .github/workflows/build_multi_arch_image.yml | 4 ++--
 src/base/.devcontainer/Dockerfile | 7 ++++---
 src/common/Dockerfile | 19 +++++++++----------
 .../.devcontainer/devcontainer.json | 2 +-
 .../.devcontainer/devcontainer.json | 2 +-
 .../.devcontainer/devcontainer.json | 2 +-
 .../.devcontainer/devcontainer.json | 4 ++--
 .../fhir_facade_api/.devcontainer/Dockerfile | 19 +++++++++----------
 .../.devcontainer/devcontainer.json | 2 +-
 9 files changed, 30 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 04e4c86..384f30b 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -83,8 +83,8 @@ jobs:
 env:
 ARCHITECTURE: '${{ matrix.arch }}'
 CONTAINER_NAME: '${{ inputs.container_name }}'
- DOCKER_TAG: '${{ inputs.docker_tag }}'
- BASE_VERSION: ${{ inputs.docker_tag}}
+ MULTI_ARCH_TAG: '${{ inputs.docker_tag }}'
+ BASE_VERSION_TAG: ${{ inputs.docker_tag}}
 IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}"
 BASE_FOLDER: "${{ inputs.base_folder }}"
 - name: Check docker vulnerabilities - json output
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
index 2e3a4ca..ecdc972 100644
--- a/src/base/.devcontainer/Dockerfile
+++ b/src/base/.devcontainer/Dockerfile
@@ -4,7 +4,7 @@ ARG BASE_VERSION=latest
 ARG TARGETARCH
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
-ARG DOCKER_TAG
+ARG MULTI_ARCH_TAG
 ARG BASE_VERSION
 ARG IMAGE_TAG
 
@@ -12,7 +12,7 @@ ENV BASE_VERSION=${BASE_VERSION} ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} -ENV DOCKER_TAG=${DOCKER_TAG} +ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} ENV BASE_VERSION=${BASE_VERSION} ENV IMAGE_TAG=${IMAGE_TAG} @@ -39,8 +39,9 @@ USER root # store version info in VERSION.txt for reference RUN echo "[[ ${CONTAINER_NAME} ]]" > "${SCRIPTS_DIR}/VERSION.txt" && \ echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "" >> "${SCRIPTS_DIR}/VERSION.txt" USER vscode diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 8591c36..51618f6 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile @@ -1,21 +1,19 @@ -ARG BASE_VERSION=latest +ARG BASE_VERSION_TAG=latest -FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} +FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG} -ARG BASE_VERSION=latest +ARG BASE_VERSION_TAG=latest ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME -ARG DOCKER_TAG -ARG BASE_VERSION +ARG MULTI_ARCH_TAG ARG IMAGE_TAG -ENV BASE_VERSION=${BASE_VERSION} +ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} -ENV DOCKER_TAG=${DOCKER_TAG} -ENV BASE_VERSION=${BASE_VERSION} +ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} ENV IMAGE_TAG=${IMAGE_TAG} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers 
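Review bot: The new `echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")"` line is evaluated inside a RUN whose instruction text never changes, so on a cached rebuild the layer is reused and VERSION.txt reports the timestamp of whichever earlier build populated the cache, not this one. Passing the time in from the workflow as a build arg (`ARG BUILD_TIME` plus `--build-arg BUILD_TIME=...` in CI) and writing that value, ideally also as `LABEL org.opencontainers.image.created=${BUILD_TIME}`, keeps the timestamp truthful and visible to registry tooling. The same echo is added to src/common/Dockerfile and the fhir_facade_api Dockerfile later in this patch.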
@@ -40,9 +38,10 @@ RUN rm -rf /home/vscode/.ssh USER root # store version info in VERSION.txt for reference RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION_TAG=${BASE_VERSION_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "" >> "${SCRIPTS_DIR}/VERSION.txt" USER vscode diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index 5348d33..6a24af7 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -8,7 +8,7 @@ "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index 5348d33..6a24af7 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json @@ -8,7 +8,7 @@ "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." 
diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index 1bf1e6f..d6d4b88 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -8,7 +8,7 @@ "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json index 5348d33..250871c 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json +++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -1,14 +1,14 @@ // For format details, see https://aka.ms/devcontainer.json. For config options, see the // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { - "name": "EPS Devcontainer node_24 python_3.13", + "name": "EPS Devcontainer node_24 python_3.10", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index ce7a965..346eca7 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile 
@@ -1,21 +1,19 @@ -ARG BASE_VERSION=latest +ARG BASE_VERSION_TAG=latest -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION} +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG} -ARG BASE_VERSION=latest +ARG BASE_VERSION_TAG=latest ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME -ARG DOCKER_TAG -ARG BASE_VERSION +ARG MULTI_ARCH_TAG ARG IMAGE_TAG -ENV BASE_VERSION=${BASE_VERSION} +ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} -ENV DOCKER_TAG=${DOCKER_TAG} -ENV BASE_VERSION=${BASE_VERSION} +ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} ENV IMAGE_TAG=${IMAGE_TAG} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers @@ -39,9 +37,10 @@ RUN rm -rf /home/vscode/.ssh USER root # store version info in VERSION.txt for reference RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION_TAG=${BASE_VERSION_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "" >> "${SCRIPTS_DIR}/VERSION.txt" USER vscode diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json index fcf3f37..d97eaa1 100644 --- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json +++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json 
@@ -8,7 +8,7 @@
 "args": {
 "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
 "DOCKER_TAG": "${localEnv:DOCKER_TAG}",
- "BASE_VERSION": "${localEnv:BASE_VERSION}",
+ "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
 "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
 },
 "context": "."
From c8571d65ac62b68a71d894d6b2f933da360f686a Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sat, 14 Feb 2026 16:40:40 +0000
Subject: [PATCH 05/18] fix homedir
---
 src/base/.devcontainer/scripts/root_install.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index 9b6d7c1..f02b783 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -75,3 +75,8 @@ current_gid="$(id -g vscode)"
 if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi
 if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi
 chown -R vscode:vscode /home/vscode
+
+# link /home/vscode to /github/home for github actions to be able to access files in the container, and set permissions
+mkdir -p /github
+ln -s /home/vscode /github/home
+chown -R vscode:vscode /github/home
From f22b31d69387747f184772ed496b225336ef8067 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sat, 14 Feb 2026 17:07:32 +0000
Subject: [PATCH 06/18] fix var
---
 Makefile | 2 +-
 src/base/.devcontainer/devcontainer.json | 4 ++--
 .../node_24_python_3_12/.devcontainer/devcontainer.json | 2 +-
 .../node_24_python_3_13/.devcontainer/devcontainer.json | 2 +-
 .../node_24_python_3_14/.devcontainer/devcontainer.json | 2 +-
 src/languages/python_3_10/.devcontainer/devcontainer.json | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index 00443cc..bbcba6b 100644
--- a/Makefile
+++ b/Makefile
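Review bot: `chown -R vscode:vscode /github/home` is applied to a symlink, and GNU chown with `-R` does not follow symlinks named on the command line unless `-H` or `-L` is given, so this line changes at most the link inode itself; the target is already owned by vscode from the `chown -R vscode:vscode /home/vscode` two lines above, so the line can be dropped. `ln -s /home/vscode /github/home` is also not idempotent: under `set -e` a second run of this script, or a derived image that already has /github/home, aborts, so `ln -sfn /home/vscode /github/home` is safer. The comment could also state the consequence of the link: anything the Actions runner writes to its HOME lands in the vscode home directory baked into the image, and the image's dotfiles become the runner's home.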
@@ -21,7 +21,7 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-BASE_FOLDER +build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER npx devcontainer build \ --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 0ca0fe2..7faa350 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -7,8 +7,8 @@ "dockerfile": "Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" } }, diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index 6a24af7..3c8fb35 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index 6a24af7..3c8fb35 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json 
@@ -7,7 +7,7 @@ "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index d6d4b88..7d1b3e9 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json index 250871c..aa03d36 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json +++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, From 35c76238328a509c046c4c41e5309a244e284107 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Sun, 15 Feb 2026 10:22:57 +0000 Subject: [PATCH 07/18] fix tags --- README.md | 6 ++--- src/base/.devcontainer/Dockerfile | 25 ++++++------------ src/common/Dockerfile | 26 +++++++------------ .../fhir_facade_api/.devcontainer/Dockerfile | 26 +++++++------------ .../.devcontainer/devcontainer.json | 2 +- 5 files changed, 32 insertions(+), 53 deletions(-) diff --git a/README.md b/README.md index 5d5e41a..37aca91 100644 --- a/README.md +++ b/README.md @@ -86,21 +86,21 @@ You can use these commands to build images Base image ``` CONTAINER_NAME=base \ - BASE_VERSION=latest \ + BASE_VERSION_TAG=latest \ BASE_FOLDER=. \ make build-image ``` Language images ``` CONTAINER_NAME=node_24_python_3_12 \ - BASE_VERSION=latest \ + BASE_VERSION_TAG=latest \ BASE_FOLDER=languages \ make build-image ``` Project images ``` CONTAINER_NAME=fhir_facade_api \ - BASE_VERSION=latest \ + BASE_VERSION_TAG=latest \ BASE_FOLDER=projects \ make build-image ``` diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index ecdc972..8457c94 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -1,24 +1,25 @@
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
-ARG BASE_VERSION=latest
-ARG TARGETARCH
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
 ARG MULTI_ARCH_TAG
-ARG BASE_VERSION
+ARG BASE_VERSION_TAG
 ARG IMAGE_TAG
+ARG TARGETARCH
-ENV BASE_VERSION=${BASE_VERSION}
-ENV TARGETARCH=${TARGETARCH}
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
-ENV BASE_VERSION=${BASE_VERSION}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
 ENV IMAGE_TAG=${IMAGE_TAG}
+ENV TARGETARCH=${TARGETARCH}
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
 LABEL org.opencontainers.image.description="EPS base devcontainer"
 LABEL org.opencontainers.image.licenses=MIT
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+
 COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
 COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
@@ -33,16 +34,6 @@ COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions
 ENV PATH="/home/vscode/.asdf/shims/:$PATH"
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./vscode_install.sh
-RUN rm -rf /home/vscode/.ssh
+# Switch back to root to install the devcontainer CLI globally
 USER root
-# store version info in VERSION.txt for reference
-RUN echo "[[ ${CONTAINER_NAME} ]]" > "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "" >> "${SCRIPTS_DIR}/VERSION.txt"
-
-USER vscode
-WORKDIR /home/vscode
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 51618f6..3d67193 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
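Review bot: `org.opencontainers.image.containerName` is not an OCI pre-defined annotation key, and placing a project-specific key under the `org.opencontainers.image.` namespace is misleading for tooling that reads those labels; a project namespace is the convention (a constructed example: `LABEL uk.nhs.eps.container-name=${CONTAINER_NAME}`). For `LABEL org.opencontainers.image.version=${IMAGE_TAG}`, the workflow hunk earlier in this series sets `IMAGE_TAG` to `":<tag>-<arch>"` with a leading colon, so the label value would start with `:` unless the workflow strips it. The same two labels are added to src/common/Dockerfile and the fhir_facade_api Dockerfile below.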
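Review bot: After this hunk the base Dockerfile ends on `USER root`: the `USER vscode` and `WORKDIR /home/vscode` that previously closed the file are removed and nothing in the hunk switches back, so unless an instruction follows outside this view the published image now runs as root by default, a regression from the previous state. The new comment says root is needed to install the devcontainer CLI globally, but no install instruction appears here, so either the install is missing or the comment is stale. If the install is added, close the stage with `USER vscode` and `WORKDIR /home/vscode` again; if the devcontainer.json `remoteUser` is relied on instead, say so in the comment, since the image is also run outside devcontainer tooling by the Actions workflow. src/common/Dockerfile below ends the same way.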
@@ -1,24 +1,28 @@ ARG BASE_VERSION_TAG=latest +ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG} -FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG} +FROM ${BASE_IMAGE} -ARG BASE_VERSION_TAG=latest -ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME ARG MULTI_ARCH_TAG +ARG BASE_VERSION_TAG ARG IMAGE_TAG +ARG TARGETARCH -ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} -ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} +ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} ENV IMAGE_TAG=${IMAGE_TAG} +ENV TARGETARCH=${TARGETARCH} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS ${CONTAINER_NAME} devcontainer" LABEL org.opencontainers.image.licenses=MIT +LABEL org.opencontainers.image.version=${IMAGE_TAG} +LABEL org.opencontainers.image.baseImage=${BASE_IMAGE} +LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} USER root COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} @@ -33,16 +37,6 @@ RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions ENV PATH="/home/vscode/.asdf/shims/:$PATH" RUN ./vscode_install.sh -RUN rm -rf /home/vscode/.ssh +# Switch back to root to install the devcontainer CLI globally USER root -# store version info in VERSION.txt for reference -RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BASE_VERSION_TAG=${BASE_VERSION_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "" >> "${SCRIPTS_DIR}/VERSION.txt" - -USER vscode -WORKDIR /home/vscode 
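Review bot: `LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}` in the first hunk reads `BASE_IMAGE` inside the stage, but that ARG is declared only before `FROM` and is not redeclared after it, so the label is written with an empty value. Add `ARG BASE_IMAGE` (no value needed; the pre-FROM default is inherited) after `FROM ${BASE_IMAGE}`; a later commit in this series does this for src/common/Dockerfile, but the identical hunk in src/projects/fhir_facade_api/.devcontainer/Dockerfile is never fixed. `org.opencontainers.image.baseImage` is also not a key the OCI annotation spec defines; `org.opencontainers.image.base.name` is the standard one.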
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index 346eca7..1765df0 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile @@ -1,24 +1,28 @@ ARG BASE_VERSION_TAG=latest +ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG} -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG} +FROM ${BASE_IMAGE} -ARG BASE_VERSION_TAG=latest -ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME ARG MULTI_ARCH_TAG +ARG BASE_VERSION_TAG ARG IMAGE_TAG +ARG TARGETARCH -ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} -ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} +ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} ENV IMAGE_TAG=${IMAGE_TAG} +ENV TARGETARCH=${TARGETARCH} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS fhir facade devcontainer" LABEL org.opencontainers.image.licenses=MIT +LABEL org.opencontainers.image.version=${IMAGE_TAG} +LABEL org.opencontainers.image.baseImage=${BASE_IMAGE} +LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} USER root COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} 
@@ -32,16 +36,6 @@ COPY .tool-versions /tmp/.tool-versions RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions RUN ./vscode_install.sh -RUN rm -rf /home/vscode/.ssh +# Switch back to root to install the devcontainer CLI globally USER root -# store version info in VERSION.txt for reference -RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BASE_VERSION_TAG=${BASE_VERSION_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "" >> "${SCRIPTS_DIR}/VERSION.txt" - -USER vscode -WORKDIR /home/vscode diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json index d97eaa1..6b10ee8 100644 --- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json +++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "dockerfile": "Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, From d9eab88291dc165d83d509420e105af86e5707e0 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 10:25:05 +0000 Subject: [PATCH 08/18] go back to user 1000 --- src/base/.devcontainer/scripts/root_install.sh | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index f02b783..372b37e 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
@@ -67,16 +67,4 @@ mkdir -p /usr/share/secrets-scanner
 chmod 755 /usr/share/secrets-scanner
 curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
 
-# fix user and group ids for vscode user to be 1001 so it can be used by github actions
-requested_uid=1001
-requested_gid=1001
-current_uid="$(id -u vscode)"
-current_gid="$(id -g vscode)"
-if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi
-if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi
 chown -R vscode:vscode /home/vscode
-
-# link /home/vscode to /github/home for github actions to be able to access files in the container, and set permissions
-mkdir -p /github
-ln -s /home/vscode /github/home
-chown -R vscode:vscode /github/home
From 03d618984d2eb63a3e20a6cbafc34f17e1a337e8 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 15 Feb 2026 12:47:57 +0000
Subject: [PATCH 09/18] fix work dir
---
 src/base/.devcontainer/Dockerfile | 2 +-
 src/base/.devcontainer/scripts/root_install.sh | 2 ++
 src/common/Dockerfile | 5 ++++-
 src/projects/fhir_facade_api/.devcontainer/Dockerfile | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
index 8457c94..a2785e2 100644
--- a/src/base/.devcontainer/Dockerfile
+++ b/src/base/.devcontainer/Dockerfile
@@ -15,7 +15,7 @@ ENV IMAGE_TAG=${IMAGE_TAG} ENV TARGETARCH=${TARGETARCH} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers -LABEL org.opencontainers.image.description="EPS base devcontainer" +LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}" LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.version=${IMAGE_TAG} LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 372b37e..d9c6975 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -68,3 +68,5 @@ chmod 755 /usr/share/secrets-scanner curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt chown -R vscode:vscode /home/vscode +mkdir -p /work +chown -R vscode:vscode /work diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 3d67193..df35cef 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile @@ -3,6 +3,8 @@ ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG} FROM ${BASE_IMAGE} +ARG BASE_VERSION_TAG=latest +ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG} ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME ARG MULTI_ARCH_TAG @@ -10,6 +12,7 @@ ARG BASE_VERSION_TAG ARG IMAGE_TAG ARG TARGETARCH +ENV BASE_IMAGE=${BASE_IMAGE} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} 
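Review bot: The in-stage redeclaration added at the top of src/common/Dockerfile, `ARG BASE_VERSION_TAG=latest` followed by `ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG}`, makes `${BASE_IMAGE}` resolve in the labels, but the pre-existing `ARG BASE_VERSION_TAG` a few lines further down (the second hunk's header context) is now a second declaration of the same name in the same stage. Drop the later one so the stage declares it once, and apply the same redeclaration to src/projects/fhir_facade_api/.devcontainer/Dockerfile, which this commit touches only for the description label and which still references `${BASE_IMAGE}` with no in-stage `ARG`. A bare `ARG BASE_IMAGE` without a default would also suffice here, since the pre-FROM value is inherited.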
@@ -18,7 +21,7 @@ ENV IMAGE_TAG=${IMAGE_TAG} ENV TARGETARCH=${TARGETARCH} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers -LABEL org.opencontainers.image.description="EPS ${CONTAINER_NAME} devcontainer" +LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}" LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.version=${IMAGE_TAG} LABEL org.opencontainers.image.baseImage=${BASE_IMAGE} diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index 1765df0..d736b73 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile @@ -18,7 +18,7 @@ ENV IMAGE_TAG=${IMAGE_TAG} ENV TARGETARCH=${TARGETARCH} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers -LABEL org.opencontainers.image.description="EPS fhir facade devcontainer" +LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}" LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.version=${IMAGE_TAG} LABEL org.opencontainers.image.baseImage=${BASE_IMAGE} From 0102c0d646ebba5accc5ba2efe07790889884475 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 13:31:54 +0000 Subject: [PATCH 10/18] make /work writable by all --- .github/workflows/build_multi_arch_image.yml | 20 ++++++++++++++++--- Makefile | 5 ++--- README.md | 1 + src/base/.devcontainer/Dockerfile | 2 +- .../.devcontainer/scripts/root_install.sh | 1 + src/common/Dockerfile | 2 +- .../fhir_facade_api/.devcontainer/Dockerfile | 2 +- 7 files changed, 24 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 384f30b..a26901e 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
@@ -85,7 +85,7 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' MULTI_ARCH_TAG: '${{ inputs.docker_tag }}' BASE_VERSION_TAG: ${{ inputs.docker_tag}} - IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}" + IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" BASE_FOLDER: "${{ inputs.base_folder }}" - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 @@ -131,6 +131,11 @@ jobs: run: | echo "Pushing image..." docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" + BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + export BUILD_TIMESTAMP + docker buildx imagetools create \ + --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ + "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' 
@@ -164,10 +169,19 @@ jobs: - name: Push multi-arch tagged image run: | - docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ + BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + export BUILD_TIMESTAMP + docker buildx imagetools create \ + --annotation "index:org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers" \ + --annotation "index:org.opencontainers.image.description=EPS devcontainer ${CONTAINER_NAME}:${DOCKER_TAG}" \ + --annotation "index:org.opencontainers.image.licenses=MIT" \ + --annotation "index:org.opencontainers.image.version=${DOCKER_TAG}" \ + --annotation "index:org.opencontainers.image.containerName=${CONTAINER_NAME}" \ + --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ + --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" - echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" >> "$GITHUB_STEP_SUMMARY" + echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" >> "$GITHUB_STEP_SUMMARY" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' diff --git a/Makefile b/Makefile index bbcba6b..4621127 100644 --- a/Makefile +++ b/Makefile 
@@ -21,13 +21,12 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER +build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG npx devcontainer build \ --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ --cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \ - --label "org.opencontainers.image.revision=$$DOCKER_TAG" \ - --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:${IMAGE_TAG}" scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ diff --git a/README.md b/README.md index 37aca91..cdb4d80 100644 --- a/README.md +++ b/README.md @@ -88,6 +88,7 @@ Base image CONTAINER_NAME=base \ BASE_VERSION_TAG=latest \ BASE_FOLDER=. \ + IMAGE_TAG=local-build \ make build-image ``` Language images diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index a2785e2..85f5a94 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -15,7 +15,7 @@ ENV IMAGE_TAG=${IMAGE_TAG} ENV TARGETARCH=${TARGETARCH} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers -LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}" +LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}" LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.version=${IMAGE_TAG} LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index d9c6975..1c6e20e 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
@@ -70,3 +70,4 @@ curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-qualit
 chown -R vscode:vscode /home/vscode
 mkdir -p /work
 chown -R vscode:vscode /work
+chmod -R 777 /work
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index df35cef..6e8d1c0 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -21,7 +21,7 @@ ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}"
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index d736b73..474753d 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -18,7 +18,7 @@ ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}"
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
From 37cee2e3a094d493de939b6140fea3b137737470 Mon Sep 17 00:00:00 2001
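Review bot: `chmod -R 777 /work` makes a world-writable tree at the root of the image, so any process in the container, not only the user the directory was just chowned to, can replace files that later steps read or execute from there, and the `chown -R vscode:vscode /work` on the line above no longer restricts anything. If the aim is to let a second UID share a checkout directory, grant it via group membership and `chmod 775 /work` (or create the directory with the runtime UID), and in any case drop `-R`, since the directory was created empty two lines earlier. Later commits in this series remove /work again, so the line may be moot, but it is the pattern in root_install.sh that is worth avoiding.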
From: Anthony Brown Date: Sun, 15 Feb 2026 13:50:36 +0000 Subject: [PATCH 11/18] try it this way --- .github/workflows/build_multi_arch_image.yml | 2 ++ src/base/.devcontainer/Dockerfile | 3 +++ src/common/Dockerfile | 4 +--- src/projects/fhir_facade_api/.devcontainer/Dockerfile | 4 +--- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index a26901e..e7b5d52 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -135,6 +135,7 @@ jobs: export BUILD_TIMESTAMP docker buildx imagetools create \ --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ + --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" env: DOCKER_TAG: ${{ inputs.docker_tag }} @@ -178,6 +179,7 @@ jobs: --annotation "index:org.opencontainers.image.version=${DOCKER_TAG}" \ --annotation "index:org.opencontainers.image.containerName=${CONTAINER_NAME}" \ --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ + --annotation "index:org.opencontainers.image.authors=NHS England EPS Team" \ --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 85f5a94..b3b4d74 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -19,6 +19,9 @@ LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:$
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+LABEL org.opencontainers.image.authors="NHS England EPS Team"
+LABEL org.opencontainers.image.base.image="mcr.microsoft.com/devcontainers/base:ubuntu-22.04"
+
 
 COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
 COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 6e8d1c0..3a7473f 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -20,11 +20,9 @@ ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
 ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 
-LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
 LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
-LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
 LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
 
 USER root
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index 474753d..8226af2 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
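Review bot: `org.opencontainers.image.base.image` in the first hunk is not a key the OCI image annotation spec defines; the defined keys are `org.opencontainers.image.base.name` (and `base.digest`), and the src/common and fhir_facade_api hunks in this same commit switch to `base.name`, so the base Dockerfile is now inconsistent with the images built from it. Change it to `LABEL org.opencontainers.image.base.name="mcr.microsoft.com/devcontainers/base:ubuntu-22.04"`. Tooling that reads OCI annotations will silently ignore the unknown key, as it does the pre-existing `org.opencontainers.image.containerName`, which also sits in the reserved `org.opencontainers.` namespace without being a spec key.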
@@ -17,11 +17,9 @@ ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} ENV IMAGE_TAG=${IMAGE_TAG} ENV TARGETARCH=${TARGETARCH} -LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}" -LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.version=${IMAGE_TAG} -LABEL org.opencontainers.image.baseImage=${BASE_IMAGE} +LABEL org.opencontainers.image.base.name=${BASE_IMAGE} LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} USER root From c2726ade3a11959cef613c5b0ca88c3ff71d6577 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 14:43:49 +0000 Subject: [PATCH 12/18] add user 1001 --- src/base/.devcontainer/Dockerfile | 7 +++++++ src/base/.devcontainer/scripts/root_install.sh | 6 ++++-- src/common/Dockerfile | 7 +++++++ src/projects/fhir_facade_api/.devcontainer/Dockerfile | 7 +++++++ 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index b3b4d74..17e583a 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -40,3 +40,10 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root + +RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \ + cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ + cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ + cp -R /home/vscode/.config /home/githubrunner/.config && \ + cp -R /home/vscode/.local /home/githubrunner/.local && \ + chown -R githubrunner:githubrunner /home/githubrunner/ diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 1c6e20e..140ff4a 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
@@ -69,5 +69,7 @@ curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-qualit
 
 chown -R vscode:vscode /home/vscode
 mkdir -p /work
-chown -R vscode:vscode /work
-chmod -R 777 /work
+
+addgroup githubrunner -gid 1001
+adduser githubrunner -uid 1001 -gid 1001 --shell /bin/bash --disabled-password -c "Githubrunner user"
+echo "githubrunner ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 3a7473f..111efce 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -41,3 +41,10 @@ RUN ./vscode_install.sh
 # Switch back to root to install the devcontainer CLI globally
 USER root
 
+
+RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \
+ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \
+ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \
+ cp -R /home/vscode/.config /home/githubrunner/.config && \
+ cp -R /home/vscode/.local /home/githubrunner/.local && \
+ chown -R githubrunner:githubrunner /home/githubrunner/
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index 8226af2..3698a8b 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -37,3 +37,10 @@ RUN ./vscode_install.sh
 # Switch back to root to install the devcontainer CLI globally
 USER root
 
+
+RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \
+ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \
+ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \
+ cp -R /home/vscode/.config /home/githubrunner/.config && \
+ cp -R /home/vscode/.local /home/githubrunner/.local && \
+ chown -R githubrunner:githubrunner /home/githubrunner/
From 6a483563722a1be96c3688acece6d6a74cb3145b Mon Sep 17 00:00:00 2001
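Review bot: `echo "githubrunner ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers` in the root_install.sh hunk appends to the main sudoers file without the syntax check that normally guards it; one malformed line there breaks sudo for every account in the image, including the vscode user. Write a drop-in and validate it instead: `echo "githubrunner ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/githubrunner && chmod 0440 /etc/sudoers.d/githubrunner && visudo -cf /etc/sudoers.d/githubrunner`. The single-dash `-gid`/`-uid` spellings on `addgroup`/`adduser` appear to rely on Debian adduser's tolerant option parsing; the documented forms are `--gid` and `--uid`. The Dockerfile hunks that follow copy the vscode user's `.asdf`, `.config` and `.local` into /home/githubrunner, but the image `PATH` set earlier still points at /home/vscode/.asdf/shims, so it is unclear the copy is what the runner account actually uses; a later commit in this series removes this account again.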
From: Anthony Brown Date: Sun, 15 Feb 2026 16:34:25 +0000 Subject: [PATCH 13/18] fix tag --- Makefile | 8 ++++---- README.md | 6 ++++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 4621127..fe68b5d 100644 --- a/Makefile +++ b/Makefile @@ -26,7 +26,7 @@ build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ --cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \ - --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:${IMAGE_TAG}" + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ @@ -40,7 +40,7 @@ scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ --scanners vuln \ --exit-code 1 \ - --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ @@ -56,11 +56,11 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER --scanners vuln \ --exit-code 1 \ --format json \ - --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" shell-image: guard-CONTAINER_NAME docker run -it \ - "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" \ + "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ bash lint: lint-githubactions diff --git a/README.md b/README.md index cdb4d80..924a88d 100644 --- a/README.md +++ b/README.md 
@@ -94,15 +94,17 @@ CONTAINER_NAME=base \ Language images ``` CONTAINER_NAME=node_24_python_3_12 \ - BASE_VERSION_TAG=latest \ + BASE_VERSION_TAG=local-build \ BASE_FOLDER=languages \ + IMAGE_TAG=local-build \ make build-image ``` Project images ``` CONTAINER_NAME=fhir_facade_api \ - BASE_VERSION_TAG=latest \ + BASE_VERSION_TAG=local-build \ BASE_FOLDER=projects \ + IMAGE_TAG=local-build \ make build-image ``` From 85d8bf70c21c0b095fe8d7e814f874f9ef2af212 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 17:38:09 +0000 Subject: [PATCH 14/18] fix copy --- src/base/.devcontainer/Dockerfile | 6 +++--- src/common/Dockerfile | 6 +++--- src/projects/fhir_facade_api/.devcontainer/Dockerfile | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 17e583a..23a3b74 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -41,9 +41,9 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root -RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \ +RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/.config && \ - cp -R /home/vscode/.local /home/githubrunner/.local && \ + cp -R /home/vscode/.config /home/githubrunner/ && \ + cp -R /home/vscode/.local /home/githubrunner/ && \ chown -R githubrunner:githubrunner /home/githubrunner/ diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 111efce..5669b7e 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile 
@@ -42,9 +42,9 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root -RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \ +RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/.config && \ - cp -R /home/vscode/.local /home/githubrunner/.local && \ + cp -R /home/vscode/.config /home/githubrunner/ && \ + cp -R /home/vscode/.local /home/githubrunner/ && \ chown -R githubrunner:githubrunner /home/githubrunner/ diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index 3698a8b..34adbcb 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile @@ -38,9 +38,9 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root -RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \ +RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/.config && \ - cp -R /home/vscode/.local /home/githubrunner/.local && \ + cp -R /home/vscode/.config /home/githubrunner/ && \ + cp -R /home/vscode/.local /home/githubrunner/ && \ chown -R githubrunner:githubrunner /home/githubrunner/ From e287e899ccbc0455bd4cc6a02f9ecabb09e2d0c7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 17:43:21 +0000 Subject: [PATCH 15/18] more debug --- .github/workflows/build_multi_arch_image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index e7b5d52..d2c1ee0 100644 
--- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -131,6 +131,7 @@ jobs: run: | echo "Pushing image..." docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" + echo "Tagging image with build timestamp annotation..." BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") export BUILD_TIMESTAMP docker buildx imagetools create \ From 36dcbc3f4cc0d6508e6c9a325cd985fffe6ce812 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 18:36:08 +0000 Subject: [PATCH 16/18] go back to 1001 --- src/base/.devcontainer/Dockerfile | 9 --------- src/base/.devcontainer/scripts/root_install.sh | 13 ++++++++----- src/common/Dockerfile | 8 -------- .../fhir_facade_api/.devcontainer/Dockerfile | 7 ------- 4 files changed, 8 insertions(+), 29 deletions(-) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 23a3b74..b9cbafb 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -22,8 +22,6 @@ LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} LABEL org.opencontainers.image.authors="NHS England EPS Team" LABEL org.opencontainers.image.base.image="mcr.microsoft.com/devcontainers/base:ubuntu-22.04" - - COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} @@ -40,10 +38,3 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root - -RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ - cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ - cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/ && \ - cp -R /home/vscode/.local /home/githubrunner/ && \ - chown -R githubrunner:githubrunner /home/githubrunner/ 
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index 140ff4a..e0014fb 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -67,9 +67,12 @@ mkdir -p /usr/share/secrets-scanner
 chmod 755 /usr/share/secrets-scanner
 curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
 
-chown -R vscode:vscode /home/vscode
-mkdir -p /work
+# fix user and group ids for vscode user to be 1001 so it can be used by github actions
+requested_uid=1001
+requested_gid=1001
+current_uid="$(id -u vscode)"
+current_gid="$(id -g vscode)"
+if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi
+if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi
 
-addgroup githubrunner -gid 1001
-adduser githubrunner -uid 1001 -gid 1001 --shell /bin/bash --disabled-password -c "Githubrunner user"
-echo "githubrunner ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+chown -R vscode:vscode /home/vscode
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 5669b7e..fdf7afd 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -35,16 +35,8 @@ USER vscode WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} COPY .tool-versions /tmp/.tool-versions RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions -ENV PATH="/home/vscode/.asdf/shims/:$PATH" RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root - -RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ - cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ - cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/ && \ - cp -R /home/vscode/.local /home/githubrunner/ && \ - chown -R githubrunner:githubrunner /home/githubrunner/ diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index 34adbcb..8226af2 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile @@ -37,10 +37,3 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root - -RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ - cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ - cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/ && \ - cp -R /home/vscode/.local /home/githubrunner/ && \ - chown -R githubrunner:githubrunner /home/githubrunner/ From 423fa2fca225d009e63ba1a7d15fca057337d972 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 18:47:13 +0000 Subject: [PATCH 17/18] fix output --- .github/workflows/build_multi_arch_image.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index d2c1ee0..99d4bc6 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
@@ -131,13 +131,7 @@ jobs: run: | echo "Pushing image..." docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" - echo "Tagging image with build timestamp annotation..." - BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") - export BUILD_TIMESTAMP - docker buildx imagetools create \ - --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ - --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" + echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" >> "$GITHUB_STEP_SUMMARY" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' @@ -148,6 +142,7 @@ jobs: docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" echo "Pushing image..." docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" + echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" >> "$GITHUB_STEP_SUMMARY" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' From 92d42df7d95ab26d24f4bcd0fc373a5bff9b33f1 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 08:56:03 +0000 Subject: [PATCH 18/18] update readme --- Makefile | 4 +-- README.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 83 insertions(+), 15 deletions(-) diff --git a/Makefile b/Makefile index fe68b5d..8d9c358 100644 --- a/Makefile +++ b/Makefile 
@@ -42,7 +42,7 @@ scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER --exit-code 1 \ --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" -scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER +scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ common="src/common/.trivyignore.yaml"; \ specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ @@ -58,7 +58,7 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER --format json \ --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" -shell-image: guard-CONTAINER_NAME +shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG docker run -it \ "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ bash diff --git a/README.md b/README.md index 924a88d..b5ba50d 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,8 @@ Images are built using using https://github.com/devcontainers/cli. We build a base image based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 that other images are then based on +The images have vsocde user setup as user 1001 so that they can be used in github actions + The base image contains - latest os packages - asdf 
@@ -31,24 +33,80 @@ asdf install and setup for these so they are available globally as vscode user Install and setup git-secrets # Using the images -In each eps project, you can put this in the devcontainer Dockerfile. You should not need to add any features. +In each eps project, this should be the contents of .devcontainer/Dockerfile. + ``` -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13: +ARG IMAGE_NAME=node_24_python_3_14 +ARG IMAGE_VERSION=latest +FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE_NAME}:${IMAGE_VERSION} USER root # specify DOCKER_GID to force container docker group id to match host RUN if [ -n "${DOCKER_GID}" ]; then \ - if ! getent group docker; then \ - groupadd -g ${DOCKER_GID} docker; \ - else \ - groupmod -g ${DOCKER_GID} docker; \ - fi && \ - usermod -aG docker vscode; \ + if ! getent group docker; then \ + groupadd -g ${DOCKER_GID} docker; \ + else \ + groupmod -g ${DOCKER_GID} docker; \ + fi && \ + usermod -aG docker vscode; \ fi - -USER vscode ``` +And this should be the contents of .devcontainer/devcontainer.json. +This file will be used in github workflows to calculate the version of container to use in builds, so it must be valid JSON (no comments). +The name should be changed to match the name of the project. +IMAGE_NAME and IMAGE_VERSION should be changed as appropriate. 
+You should not need to add any features as these are already baked into the image +``` +{ + "name": "eps-common-workflows", + "build": { + "dockerfile": "Dockerfile", + "args": { + "DOCKER_GID": "${env:DOCKER_GID:}", + "IMAGE_NAME": "node_24_python_3_14", + "IMAGE_VERSION": "v1.0.1", + "USER_UID": "${localEnv:USER_ID:}", + "USER_GID": "${localEnv:GROUP_ID:}" + }, + "updateRemoteUserUID": false, + "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", + "mounts": [ + "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + ], + "containerUser": "vscode", + "remoteEnv": { + "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" + }, + "features": {}, + "customizations": { + ... add any customisations you want here + } + } +} +``` + +This job should be used in github actions wherever you need to get the dev container name or tag +``` + get_config_values: + runs-on: ubuntu-22.04 + outputs: + devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }} + devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }} + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - name: Load config value + id: load-config + run: | + DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json) + DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json) + echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT" + echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT" +``` # Project structure We have 3 types of dev container. 
These are defined under src @@ -58,9 +116,9 @@ We have 3 types of dev container. These are defined under src Each image to be built contains a .devcontainer folder that defines how the devcontainer should be built. At a minimum, this should contain a devcontainer.json file. See https://containers.dev/implementors/json_reference/ for options for this -Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build +Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder. -We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude know vulnerabilities +We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude all known vulnerabilities # Pull requests and merge to main process For each pull request, and merge to main, images are built and scanned using trivy, but the images are not pushed to github container registry 
@@ -72,7 +130,9 @@ The base image is built first, and then language images, and finally project ima Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. For pull requests, images are tagged with the pr--. -For merges to main, images are tagged with the +For merges to main, images are tagged with the . + +When a pull request is merged to main or closed, all associated images are deleted from the registry using the github workflow delete_old_images # Release workflow There is a release workflow that runs weekly at 18:00 on Thursday and on demand. @@ -114,18 +174,21 @@ Base image ``` CONTAINER_NAME=base \ BASE_FOLDER=. \ + IMAGE_TAG=local-build \ make scan-image ``` Language images ``` CONTAINER_NAME=node_24_python_3_12 \ BASE_FOLDER=languages \ + IMAGE_TAG=local-build \ make scan-image ``` Project images ``` CONTAINER_NAME=fhir_facade_api \ BASE_FOLDER=projects \ + IMAGE_TAG=local-build \ make scan-image ``` @@ -134,19 +197,24 @@ You can use this to start an interactive shell on built images base image ``` CONTAINER_NAME=base \ + IMAGE_TAG=local-build \ make shell-image ``` Language images ``` CONTAINER_NAME=node_24_python_3_12 \ + IMAGE_TAG=local-build \ make shell-image ``` Project images ``` CONTAINER_NAME=fhir_facade_api \ + IMAGE_TAG=local-build \ make shell-image ``` +## Using local or pull request images +You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json ## Generating a .trivyignore file You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json