From 316672f8905a424303108286a952c0de333383c8 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 11:22:28 +0000 Subject: [PATCH 01/64] setup github action --- .github/dependabot.yml | 46 +++++++++++++++ .github/pull_request_template.md | 59 +++++++++++++++++++ .github/workflows/pull_request.yml | 92 ++++++++++++++++++++++++++++++ Makefile | 8 +++ 4 files changed, 205 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/pull_request_template.md create mode 100644 .github/workflows/pull_request.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..4a87436 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,46 @@ +######################################################################### +# Dependabot configuration file +######################################################################### + +version: 2 + +updates: + - package-ecosystem: "github-actions" + # Workflow files stored in the + # default location of `.github/workflows` + directory: "/" + schedule: + interval: "weekly" + day: "friday" + time: "18:00" # UTC + open-pull-requests-limit: 20 + commit-message: + prefix: "Upgrade: [dependabot] - " + + ################################### + # NPM workspace ################## + ################################### + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + day: "friday" + time: "18:00" + open-pull-requests-limit: 20 + versioning-strategy: increase + commit-message: + prefix: "Upgrade: [dependabot] - " + + ################################### + # Poetry ######################### + ################################### + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + day: "friday" + time: "18:00" + open-pull-requests-limit: 20 + versioning-strategy: increase + commit-message: + prefix: "Upgrade: [dependabot] - " 
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..203df63 --- /dev/null +++ b/.github/pull_request_template.md 
@@ -0,0 +1,59 @@ +## Summary + +**Remove items from this list if they are not relevant. Remove this line once this has been done** + +- Routine Change +- :exclamation: Breaking Change +- :robot: Operational or Infrastructure Change +- :sparkles: New Feature +- :warning: Potential issues that might be caused by this change + +### Details + +Add any summary information of what is in the change. **Remove this line if you have nothing to add.** + +## Pull Request Naming + +Pull requests should be named using the following format: + +```text +Tag: [AEA-NNNN] - Short description +``` + +Tag can be one of: + +- `Fix` - for a bug fix. (Patch release) +- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release) +- `New` - implemented a new feature. (Minor release) +- `Breaking` - for a backwards-incompatible enhancement or feature. (Major release) +- `Docs` - changes to documentation only. (Patch release) +- `Build` - changes to build process only. (No release) +- `Upgrade` - for a dependency upgrade. (Patch release) +- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release) + +If the current release is x.y.z then +- a patch release increases z by 1 +- a minor release increases y by 1 +- a major release increases x by 1 + +Correct tagging is necessary for our automated versioning and release process. + +The description of your pull request will be used as the commit message for the merge, and also be included in the changelog. Please ensure that your title is sufficiently descriptive. 
+ +### Rerunning Checks + +If you need to rename your pull request, you can restart the checks by either: + +- Closing and reopening the pull request +- pushing an empty commit + ```bash + git commit --allow-empty -m 'trigger build' + git push + ``` +- Amend your last commit and force push to the branch + ```bash + git commit --amend --no-edit + git push --force + ``` + +Rerunning the checks from within the pull request will not use the updated title. diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml new file mode 100644 index 0000000..398dee2 --- /dev/null +++ b/.github/workflows/pull_request.yml 
@@ -0,0 +1,92 @@ +name: deploy_pr + +on: + pull_request: + branches: [master] + +env: + BRANCH_NAME: ${{ github.event.pull_request.head.ref }} + +jobs: + dependabot-auto-approve-and-merge: + needs: quality_checks + uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + secrets: + AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} + AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} + + get_asdf_version: + runs-on: ubuntu-22.04 + outputs: + asdf_version: ${{ steps.asdf-version.outputs.version }} + tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + + - name: Get asdf version + id: asdf-version + run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + - name: Load config value + id: load-config + run: | + TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + + quality_checks: + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@trivy + needs: [get_asdf_version] + with: + asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + pr_title_format_check: + uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + + get_issue_number: + runs-on: ubuntu-22.04 + needs: quality_checks + outputs: + issue_number: ${{ steps.get_issue_number.outputs.result }} + version: ${{ steps.get_issue_number.outputs.version_number }} + + steps: + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd + name: get issue number + id: get_issue_number + with: + script: | + if (context.issue.number) { + // Return issue number if present + return context.issue.number; + } else { + // Otherwise return issue number from commit + return ( + await 
github.rest.repos.listPullRequestsAssociatedWithCommit({ + commit_sha: context.sha, + owner: context.repo.owner, + repo: context.repo.repo, + }) + ).data[0].number; + } + result-encoding: string + + get_commit_id: + runs-on: ubuntu-22.04 + outputs: + commit_id: ${{ steps.commit_id.outputs.commit_id }} + sha_short: ${{ steps.commit_id.outputs.sha_short }} + + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + with: + ref: ${{ env.BRANCH_NAME }} + + - name: Get Commit ID + id: commit_id + run: | + # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" + echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" + echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" diff --git a/Makefile b/Makefile index 0fc362a..e2a7d48 100644 --- a/Makefile +++ b/Makefile @@ -31,3 +31,11 @@ scan-base-image: --ignorefile .trivyignore.yaml \ --exit-code 1 \ --format table ${IMAGE_NAME} + +lint: lint-githubactions + +test: + echo "Not implemented" + +lint-githubactions: + actionlint From ffbe7b95761a9865dcc0b6f818954fe6e6343c5f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 11:24:12 +0000 Subject: [PATCH 02/64] fix pull_request action --- .github/workflows/pull_request.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 398dee2..4bc5cb0 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -1,8 +1,8 @@ -name: deploy_pr +name: pull_request on: pull_request: - branches: [master] + branches: [main] env: BRANCH_NAME: ${{ github.event.pull_request.head.ref }} From 6e8825f36a339240f0965f00c591bdf45040dd60 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 11:25:21 +0000 Subject: [PATCH 03/64] set tagformat --- .github/config/settings.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/config/settings.yml 
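Review bot: `quality_checks` calls `NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@trivy`, a mutable branch ref, while every other reusable workflow and action in this file is pinned to a full commit SHA; the job also hands that workflow `SONAR_TOKEN`, so anyone who can push to that branch can change what runs with the secret. Pin it like its siblings once the trivy work has landed there (the SHA to use is not visible here), e.g. `uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@<commit-sha>`, and let the Dependabot `github-actions` entry move it forward. The workflow also declares no top-level `permissions:`, so every job runs with the repository's default `GITHUB_TOKEN` scopes; `permissions: contents: read` at the top, widened per job where needed, keeps it least-privilege. Finally, `get_commit_id` writes `commit_id=${{ github.sha }}` (for `pull_request` events that is the merge-ref commit) but derives `sha_short` from the checked-out head branch, so the two outputs name different commits; use `git rev-parse HEAD` for both, or document the difference.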
diff --git a/.github/config/settings.yml b/.github/config/settings.yml new file mode 100644 index 0000000..05dbcda --- /dev/null +++ b/.github/config/settings.yml @@ -0,0 +1 @@ +TAG_FORMAT: "v${version}" From fe133a56ba9373d7675190280a48d65aa2ac7c51 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:07:33 +0000 Subject: [PATCH 04/64] build the image --- .gitallowed | 1 + .github/workflows/build_multi_arch_image.yml | 35 ++++++++++++++++++++ .github/workflows/pull_request.yml | 5 +++ 3 files changed, 41 insertions(+) create mode 100644 .gitallowed create mode 100644 .github/workflows/build_multi_arch_image.yml diff --git a/.gitallowed b/.gitallowed new file mode 100644 index 0000000..76bb1a8 --- /dev/null +++ b/.gitallowed @@ -0,0 +1 @@ +id-token: write diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml new file mode 100644 index 0000000..324c874 --- /dev/null +++ b/.github/workflows/build_multi_arch_image.yml @@ -0,0 +1,35 @@ +name: Build and push docker image + +on: + workflow_call: + +jobs: + build_image: + permissions: + id-token: write + runs-on: ${{ matrix.runner }} + strategy: + matrix: + include: + - arch: amd64 + runner: ubuntu-22.04 + - arch: arm64 + runner: ubuntu-22.04-arm + steps: + - name: Checkout code + uses: actions/checkout@v5 + with: + fetch-depth: 0 + + - name: Build container + run: | + make build-base-image + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }} + docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img + + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + name: Upload docker images + with: + name: eps-devcontainer-base-latest-${{ matrix.arch }}.img + path: | + eps-devcontainer-base-latest-${{ matrix.arch }}.img 
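Review bot: `build_image` requests `id-token: write` but none of its steps uses OIDC — the job only checks out, runs `make build-base-image`, tags/saves the image and uploads an artifact — and because a job-level `permissions:` block sets every unlisted scope to `none`, `contents` is dropped as well, which the checkout needs on a private repository. Either remove the block until an OIDC step exists, or make the grant explicit and explained: `permissions:` / `contents: read`, with a comment naming the step that will need `id-token: write`. The new `.gitallowed` entry whitelists the literal `id-token: write` for the secret scanner, so nothing will flag the scope later; a why-comment next to each scope is what keeps it reviewable.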
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 4bc5cb0..ed66650 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -90,3 +90,8 @@ jobs: # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" + + + package_docker_image: + needs: [get_issue_number, quality_checks, get_commit_id] + uses: ./.github/workflows/build_multi_arch_image.yml From 16938f80350f072f7babc2dfd73ee8a89e9feffb Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:10:27 +0000 Subject: [PATCH 05/64] use github token --- .github/workflows/build_multi_arch_image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 324c874..4d7f212 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -26,7 +26,8 @@ jobs: make build-base-image docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }} docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img - + env: + GH_TOKEN: ${{ github.token }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: From c14ba96117462de3f9691996a513298d4c03eb68 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:18:08 +0000 Subject: [PATCH 06/64] correct script --- scripts/generate_language_version_files.sh | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh index b10626f..1e523ae 100755 --- a/scripts/generate_language_version_files.sh 
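Review bot: The `GH_TOKEN: ${{ github.token }}` added to the Build container step has no comment and nothing in the step's visible commands reads it, so a reader cannot tell whether it is for `generate-language-version-files` (which presumably fetches `.tool-versions` from the other NHSDigital repos with `gh`) or for `npx devcontainer build`. Add the reason above the env block, e.g. `# GH_TOKEN lets scripts/generate_language_version_files.sh read .tool-versions from sibling repos; read-only on fork PRs`, and keep it at step scope as done here so the upload step never sees it. Also confirm `make build-base-image` does not forward the variable as a build arg or into the devcontainer's environment, which would bake a short-lived but logged token into a layer; the Makefile target is not in this hunk.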
+++ b/scripts/generate_language_version_files.sh @@ -1,5 +1,9 @@ #!/usr/bin/env bash +# Get the current directory of the script +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +LANGUAGE_VERSIONS_DIR="${SCRIPT_DIR}/../src/base/.devcontainer/language_versions" + # Define repositories to fetch .tool-versions from REPOS=( "NHSDigital/electronic-prescription-service-clinical-prescription-tracker" @@ -30,12 +34,13 @@ REPOS=( # Define output files -NODEJS_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/nodejs-versions.txt" -PYTHON_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/python-versions.txt" -JAVA_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/java-versions.txt" -TERRAFORM_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/terraform-versions.txt" -GOLANG_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/golang-versions.txt" -ALL_LANGUAGES_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/language-versions.txt" +mkdir -p "${LANGUAGE_VERSIONS_DIR}" +NODEJS_FILE="${LANGUAGE_VERSIONS_DIR}/nodejs-versions.txt" +PYTHON_FILE="${LANGUAGE_VERSIONS_DIR}/python-versions.txt" +JAVA_FILE="${LANGUAGE_VERSIONS_DIR}/java-versions.txt" +TERRAFORM_FILE="${LANGUAGE_VERSIONS_DIR}/terraform-versions.txt" +GOLANG_FILE="${LANGUAGE_VERSIONS_DIR}/golang-versions.txt" +ALL_LANGUAGES_FILE="${LANGUAGE_VERSIONS_DIR}/language-versions.txt" # Clear existing files true > "$NODEJS_FILE" true > "$PYTHON_FILE" From 94adbe2234074b4553bcd4150897e7868876bd39 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:27:21 +0000 Subject: [PATCH 07/64] run make install --- .github/workflows/build_multi_arch_image.yml | 45 ++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 4d7f212..8af914e 100644 
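Review bot: No `set -euo pipefail` is visible between the shebang and the new `SCRIPT_DIR`/`LANGUAGE_VERSIONS_DIR` lines, yet the script goes on to truncate the six output files with `true >` before fetching `.tool-versions` from each repo in `REPOS`; if one fetch fails the script continues and the image build consumes an empty or partial version list without any error. Add `set -euo pipefail` directly under `#!/usr/bin/env bash` so a failed fetch aborts the build. The fetch loop itself lies outside this hunk, so whether it already checks exit codes cannot be confirmed here.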
--- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -4,10 +4,29 @@ on: workflow_call: jobs: + get_asdf_version: + runs-on: ubuntu-22.04 + outputs: + asdf_version: ${{ steps.asdf-version.outputs.version }} + tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + + - name: Get asdf version + id: asdf-version + run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + - name: Load config value + id: load-config + run: | + TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + build_image: permissions: id-token: write runs-on: ${{ matrix.runner }} + needs: [get_asdf_version] strategy: matrix: include: @@ -21,6 +40,32 @@ jobs: with: fetch-depth: 0 + # using git commit sha for version of action to ensure we have stable version + - name: Install asdf + uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 + with: + asdf_version: ${{ needs.get_asdf_version.outputs.asdf_version }} + + - name: Cache asdf + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb + with: + path: | + ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + restore-keys: | + ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + + - name: Install asdf dependencies in .tool-versions + uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 + with: + asdf_version: ${{ needs.get_asdf_version.outputs.asdf_version }} + env: + PYTHON_CONFIGURE_OPTS: --enable-shared + + - name: make install + run: | + make install + - name: Build container run: | make build-base-image From d0868cef22a68e684fcc785cab3787eafa0e4626 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:32:14 +0000 Subject: [PATCH 08/64] fix build --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Makefile b/Makefile index e2a7d48..bee24e6 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ install-hooks: install-python install-hooks: build-base-image: generate-language-version-files CONTAINER_NAME=$(CONTAINER_NAME) \ - devcontainer build \ + npx devcontainer build \ --workspace-folder ./src/base/ \ --push false \ --image-name "${IMAGE_NAME}" From 57e5cd9decc50827f25f713a23bdd93bc0b9593b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:40:20 +0000 Subject: [PATCH 09/64] use setup-node rather than asdf --- .github/workflows/build_multi_arch_image.yml | 45 +++----------------- 1 file changed, 5 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 8af914e..8a6e635 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -4,29 +4,11 @@ on: workflow_call: jobs: - get_asdf_version: - runs-on: ubuntu-22.04 - outputs: - asdf_version: ${{ steps.asdf-version.outputs.version }} - tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} - steps: - - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 - - - name: Get asdf version - id: asdf-version - run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT" - - name: Load config value - id: load-config - run: | - TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) - echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" build_image: permissions: id-token: write runs-on: ${{ matrix.runner }} - needs: [get_asdf_version] strategy: matrix: include: 
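Review bot: `npx devcontainer build` will, if `@devcontainers/cli` is not already in `node_modules`, download whatever version is current on the npm registry at build time and run it — an unpinned, network-resolved dependency on the exact path that produces the base image. If the CLI is declared in `package.json`/`package-lock.json` (installed by `make install-node`), make that the only source with `npx --no-install devcontainer build \` (`--no` on npm 7+) so a missing local install fails instead of silently fetching; otherwise pin it, e.g. `npx --yes @devcontainers/cli@<version> build \`. Whether the lockfile contains it is not visible in this hunk.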
@@ -36,32 +18,15 @@ jobs: runner: ubuntu-22.04-arm steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: fetch-depth: 0 - # using git commit sha for version of action to ensure we have stable version - - name: Install asdf - uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 + # use setup-node rather than asdf so that it works multi-arch + - name: setup node + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: - asdf_version: ${{ needs.get_asdf_version.outputs.asdf_version }} - - - name: Cache asdf - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb - with: - path: | - ~/.asdf - key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} - restore-keys: | - ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} - - - name: Install asdf dependencies in .tool-versions - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ needs.get_asdf_version.outputs.asdf_version }} - env: - PYTHON_CONFIGURE_OPTS: --enable-shared - + node-version-file: .tool-versions - name: make install run: | make install From 989a38a71403cddca8ed55ea2252d433b89e8962 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:45:33 +0000 Subject: [PATCH 10/64] make install node --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 8a6e635..036915e 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -29,7 +29,7 @@ jobs: node-version-file: .tool-versions - name: make install run: | - make install + make install-node - name: Build container run: | From 6bdd72b359182c855227b6941a2eac68607b2c1b Mon Sep 17 00:00:00 2001 
From: Anthony Brown
Date: Wed, 7 Jan 2026 12:53:42 +0000
Subject: [PATCH 11/64] try different way of building

---
 .github/workflows/build_multi_arch_image.yml | 1 +
 .github/workflows/pull_request.yml | 2 +-
 Makefile | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 036915e..bc62b67 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -38,6 +38,7 @@ jobs:
 docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img
 env:
 GH_TOKEN: ${{ github.token }}
+ ARCHITECTURE: ${{ matrix.arch }}
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 name: Upload docker images
 with:
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index ed66650..2c937f5 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -93,5 +93,5 @@ jobs:
 package_docker_image:
- needs: [get_issue_number, quality_checks, get_commit_id]
+ needs: [get_issue_number, get_commit_id]
 uses: ./.github/workflows/build_multi_arch_image.yml
diff --git a/Makefile b/Makefile
index bee24e6..cf96122 100644
--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,7 @@ build-base-image: generate-language-version-files
 npx devcontainer build \
 --workspace-folder ./src/base/ \
 --push false \
+ --platform linux/${ARCHITECTURE} \
 --image-name "${IMAGE_NAME}"
 generate-language-version-files:
From 8f16180348cdc167bf7239bc3e51f3a10a715536 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 12:54:37 +0000
Subject: [PATCH 12/64] remove deps

---
 .github/workflows/pull_request.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 2c937f5..d693dfe 100644
--- a/.github/workflows/pull_request.yml
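Review bot: Dropping `quality_checks` from `package_docker_image`'s `needs` means the image is built whether or not the quality/trivy checks passed or even finished; the only remaining gate is indirect, via `get_issue_number` (which still `needs: quality_checks`), and disappears as soon as that edge is removed too. If the aim is to start the build in parallel for speed, keep the gate in front of whatever job pushes to GHCR (a publish job is added later in this series) — `needs: [quality_checks, ...]` there, or `if: needs.quality_checks.result == 'success'`. Otherwise a PR can publish an image that failed its own vulnerability scan.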
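Review bot: The new `--platform linux/${ARCHITECTURE} \` expands to `linux/` whenever `ARCHITECTURE` is unset, which is every local `make build-base-image`; the workflow sets it from `matrix.arch` but the Makefile gives no default. Add `ARCHITECTURE ?= amd64` (or derive it, e.g. `ARCHITECTURE ?= $(shell docker version -f '{{.Server.Arch}}')`) near the other variables, and note in a comment that it must be a Docker platform suffix (`amd64`/`arm64`) rather than `uname -m` output.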
+++ b/.github/workflows/pull_request.yml
@@ -93,5 +93,4 @@ jobs:
 package_docker_image:
- needs: [get_issue_number, get_commit_id]
 uses: ./.github/workflows/build_multi_arch_image.yml
From 9d9eca7d29d6487d6bc7a80bba3795f44bdf271c Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 13:03:30 +0000
Subject: [PATCH 13/64] add some debug

---
 src/base/.devcontainer/scripts/root_install.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index fd3a1ae..833d23d 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -14,6 +14,7 @@ rm -rf /var/lib/apt/lists/*
 # Add amd64 architecture if on arm64
 if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
+ echo "Adding amd64 architecture support"
 dpkg --add-architecture amd64
 fi
From 8ffc5b010cd551820e612d7d7d500e2018d1ffdc Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 13:07:53 +0000
Subject: [PATCH 14/64] do not update dist

---
 src/base/.devcontainer/scripts/root_install.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index 833d23d..f50c163 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -24,7 +24,6 @@ apt-get remove -y \
 # install necessary libraries for asdf and language runtimes
 apt-get update
 export DEBIAN_FRONTEND=noninteractive
-apt-get -y dist-upgrade
 apt-get -y install --no-install-recommends htop vim curl git build-essential \
 libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \
 zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \
From 3e486dcaa433c20de9ef0d248d118f58444ca757 Mon Sep 17 00:00:00 2001
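Review bot: Removing `apt-get -y dist-upgrade` means the devcontainer image ships the base image's packages exactly as published, so security fixes released after that base was built are not applied until upstream rebuilds it, and the `scan-base-image` trivy target will start reporting those CVEs. If the upgrade was dropped because it broke the multi-arch build (the commit message only says "do not update dist"), narrow it rather than deleting it — `apt-get -y upgrade` after the existing `apt-get update` — or at least leave a comment recording why it is skipped and how base-layer CVEs are expected to be handled.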
From: Anthony Brown Date: Wed, 7 Jan 2026 13:16:44 +0000 Subject: [PATCH 15/64] debug --- src/base/.devcontainer/scripts/root_install.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index f50c163..b59dc9e 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -e +export DEBIAN_FRONTEND=noninteractive # Install essential packages first apt-get update @@ -16,14 +17,16 @@ rm -rf /var/lib/apt/lists/* if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then echo "Adding amd64 architecture support" dpkg --add-architecture amd64 + echo "Running apt-get update for multi-arch" + apt-get update fi # uninstall unnecessary packages +echo "Removing unnecessary packages" apt-get remove -y \ python3 # install necessary libraries for asdf and language runtimes -apt-get update -export DEBIAN_FRONTEND=noninteractive +echo "Installing necessary packages" apt-get -y install --no-install-recommends htop vim curl git build-essential \ libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \ zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \ From 48ab087801c739f2f91f11b391573e11d2f5199b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 13:20:40 +0000 Subject: [PATCH 16/64] clean --- src/base/.devcontainer/scripts/root_install.sh | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index b59dc9e..d4b4e20 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
@@ -2,25 +2,14 @@
 set -e
 export DEBIAN_FRONTEND=noninteractive
-# Install essential packages first
-apt-get update
-apt-get install -y \
- curl \
- wget \
- git \
- sudo \
- unzip
-apt-get clean
-rm -rf /var/lib/apt/lists/*
-
 # Add amd64 architecture if on arm64
 if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
 echo "Adding amd64 architecture support"
 dpkg --add-architecture amd64
- echo "Running apt-get update for multi-arch"
- apt-get update
 fi
+echo "Running apt-get update"
+apt-get update
 # uninstall unnecessary packages
 echo "Removing unnecessary packages"
 apt-get remove -y \
From 35fc41bca4cb2ab5ca47f10bef8b0c827204b0a7 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 13:28:12 +0000
Subject: [PATCH 17/64] fix it

---
 src/base/.devcontainer/scripts/root_install.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index d4b4e20..c441648 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -6,6 +6,14 @@ export DEBIAN_FRONTEND=noninteractive
 if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
 echo "Adding amd64 architecture support"
 dpkg --add-architecture amd64
+
+ # Update sources.list to include amd64 repositories
+ echo "Configuring sources.list for amd64 and arm64"
+ sed -i.bak '/^deb / s|http://ports.ubuntu.com/ubuntu-ports|[arch=arm64] http://ports.ubuntu.com/ubuntu-ports|' /etc/apt/sources.list
+ # shellcheck disable=SC2129
+ echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy main universe" >> /etc/apt/sources.list
+ echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-updates main universe" >> /etc/apt/sources.list
+ echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-security main universe" >> /etc/apt/sources.list
 fi
 echo "Running apt-get update"
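Review bot: The three `echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy... main universe" >> /etc/apt/sources.list` lines hard-code the `jammy` suite, so if the base image ever moves to another Ubuntu release the arm64 build will silently mix in amd64 packages from a different release; derive it with `. /etc/os-release` and `"${VERSION_CODENAME}"` instead. On Ubuntu 24.04 images the sources live in `/etc/apt/sources.list.d/ubuntu.sources` (deb822) and `/etc/apt/sources.list` is a stub, in which case the `sed -i.bak '/^deb / ...'` matches nothing and the unrestricted arm64 entries stay; the base image is not visible here, so this is worth checking against it. `sed -i.bak` also leaves `/etc/apt/sources.list.bak` in the layer — drop the suffix or remove the file — and both mirrors can be referenced over `https://`, which removes the plaintext hop even though apt verifies signatures.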
From e9859604d103473310ec26d42b12431d1ace1b5e Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 13:37:41 +0000
Subject: [PATCH 18/64] less verbose

---
 .../.devcontainer/scripts/root_install.sh | 21 ++++++++-----------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index c441648..96d0988 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -18,10 +18,7 @@ fi
 echo "Running apt-get update"
 apt-get update
-# uninstall unnecessary packages
-echo "Removing unnecessary packages"
-apt-get remove -y \
- python3
+
 # install necessary libraries for asdf and language runtimes
 echo "Installing necessary packages"
 apt-get -y install --no-install-recommends htop vim curl git build-essential \
@@ -35,22 +32,22 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \
 # install aws stuff
 # Download correct AWS CLI for arch
 if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
- wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; \
+ wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"
 else
- wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; \
+ wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
 fi
- unzip /tmp/awscliv2.zip -d /tmp/aws-cli
+ unzip -q /tmp/awscliv2.zip -d /tmp/aws-cli
 /tmp/aws-cli/aws/install
 rm /tmp/awscliv2.zip
 rm -rf /tmp/aws-cli
 # Download correct SAM CLI for arch
 if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then
- wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip"; \
+ wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip"
 else
- wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip"; \
+ wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip"
 fi
- unzip /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli
+ unzip -q /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli
 /tmp/aws-sam-cli/install
 rm /tmp/aws-sam-cli.zip
 rm -rf /tmp/aws-sam-cli
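Review bot: Both downloads are executed as root without any integrity check, and the SAM CLI is fetched from `releases/latest/download/...`, so every image build trusts whatever is served at that moment and two builds of the same commit can contain different binaries. Pin the SAM version (`SAM_VERSION=...` and `.../releases/download/v${SAM_VERSION}/aws-sam-cli-linux-${ARCH}.zip`) and verify both archives before running their installers — AWS publishes a PGP signature next to each AWS CLI zip (`awscli-exe-linux-*.zip.sig`) and checksums for SAM releases — for example `echo "${SAM_SHA256}  /tmp/aws-sam-cli.zip" | sha256sum -c -` ahead of `unzip -q`. The new `--no-verbose`/`-q` flags are fine, but they make a truncated or substituted download even less visible in the build log, which is one more reason to check the hash.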
@@ -58,9 +55,9 @@ if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then
 # Install ASDF
 ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf)
 if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
- wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"; \
+ wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"
 else
- wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz"; \
+ wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz"
 fi
 tar -xzf /tmp/asdf.tar.gz -C /tmp
 mkdir -p /usr/bin
From 54797f445396012e4e65a0d4042b94ac4804fd66 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 19:16:51 +0000
Subject: [PATCH 19/64] do not install java

---
 src/base/.devcontainer/scripts/root_install.sh | 3 +++
 src/base/.devcontainer/scripts/vscode_install.sh | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index 96d0988..0c0d632 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -31,6 +31,7 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \
 # install aws stuff
 # Download correct AWS CLI for arch
+echo "Installing aws cli"
 if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
 wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"
 else
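Review bot: The asdf tarball is downloaded and extracted as root with no checksum, so the pin in `/tmp/.tool-versions.asdf` fixes which release is requested but not that the bytes received match it; a tampered download becomes a root-installed binary in every developer's container. Record the expected digest next to the version — a second column in `.tool-versions.asdf` would not break the existing `awk '{print $1; exit}'` read — and check it before `tar -xzf`: `echo "${ASDF_SHA256}  /tmp/asdf.tar.gz" | sha256sum -c -`. Visible but unchanged here, `mkdir -p /usr/bin` is a no-op on any Ubuntu base and is presumably a leftover; a comment or its removal would save the next reader a question.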
@@ -42,6 +43,7 @@ if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
 rm -rf /tmp/aws-cli
 
 # Download correct SAM CLI for arch
+echo "Installing aws-sam cli"
 if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then
 wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip"
 else
@@ -53,6 +55,7 @@ if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then
 rm -rf /tmp/aws-sam-cli
 
 # Install ASDF
+echo "Installing asdf"
 ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf)
 if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
 wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"
diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh
index 0349116..838353a 100755
--- a/src/base/.devcontainer/scripts/vscode_install.sh
+++ b/src/base/.devcontainer/scripts/vscode_install.sh
@@ -42,9 +42,9 @@ while IFS= read -r version; do
 done < /tmp/python-versions.txt
 
 # Read Java versions from file and install
-while IFS= read -r version; do
- asdf install java "$version"
-done < /tmp/java-versions.txt
+# while IFS= read -r version; do
+# asdf install java "$version"
+# done < /tmp/java-versions.txt
 
 # Read Terraform versions from file and install
 while IFS= read -r version; do
From d75d7836a1b933f69f81aca17a351a23f3aa9fa3 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 19:20:57 +0000 Subject: [PATCH 20/64] trigger build
From 22fc0e85d4b60583659b84447d67ac5759ab8130 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 19:46:47 +0000 Subject: [PATCH 21/64] push the image --- .github/workflows/build_multi_arch_image.yml | 24 ++++++++++++++++++++ 1 file changed, 24 insertions(+)
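Review bot: In the vscode_install.sh hunk the Java install loop is commented out rather than removed, leaving three lines of dead code with no record of why Java is no longer installed; git history already preserves the loop. Delete the block, or if Java is expected to come back keep a single explanatory line in its place, such as `# Java install disabled: <reason> – re-enable by restoring the asdf loop from history`. If `/tmp/java-versions.txt` is still generated by another script it can probably be dropped as well, but that producer is not on this page.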
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index bc62b67..364999c 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -45,3 +45,27 @@ jobs: name: eps-devcontainer-base-latest-${{ matrix.arch }}.img path: | eps-devcontainer-base-latest-${{ matrix.arch }}.img + + publish_image: + needs: build_image + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + attestations: write + id-token: write + steps: + - name: Download amd64 images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: eps-devcontainer-base-latest-amd64.img + - name: Download arm64 images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: eps-devcontainer-base-latest-arm64.img + - name: Load and push multi-arch image + run: | + docker load -i eps-devcontainer-base-latest-amd64.img + docker load -i eps-devcontainer-base-latest-arm64.img + docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + docker manifest push ghcr.io/nhsdigital/eps-devcontainer-base:latest From 21c4a8e1884eed962271f0450e18cb3144855af9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 20:19:48 +0000 Subject: [PATCH 22/64] free disk space first --- .github/workflows/build_multi_arch_image.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 364999c..621e0ea 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
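Review bot: `publish_image` grants `attestations: write` and `id-token: write` but none of its steps produces an attestation or uses OIDC, so the job token carries two write scopes it never exercises; trim `permissions` to `contents: read` and `packages: write` until an attestation step actually exists. Separately, the final step loads the per-arch images locally but never pushes them and never logs in to ghcr.io, so `docker manifest create` cannot resolve the `latest-amd64`/`latest-arm64` references and `docker manifest push` runs unauthenticated; a `docker login ghcr.io` (credentials via `env:`) and a `docker push` of each arch tag are needed before the manifest is created.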
@@ -55,6 +55,16 @@ jobs: attestations: write id-token: write steps: + - name: Free Disk Space for Docker + uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 + with: + remove_android: true + remove_dotnet: true + remove_haskell: true + remove_tool_cache: true + rm_cmd: "rm" + remove_packages: "azure-cli google-cloud-cli microsoft-edge-stable google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* dotnet-sdk-*" + remove_packages_one_command: true - name: Download amd64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: From 2eb89250961923aa800c2c191f5a7c9681d44f3b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 21:14:17 +0000 Subject: [PATCH 23/64] fix creating manifest --- .github/workflows/build_multi_arch_image.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 621e0ea..82d2125 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -77,5 +77,9 @@ jobs: run: | docker load -i eps-devcontainer-base-latest-amd64.img docker load -i eps-devcontainer-base-latest-arm64.img - docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + echo "creating manifest" + docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest \ + --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 \ + --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + echo "pushing manifest" docker manifest push ghcr.io/nhsdigital/eps-devcontainer-base:latest From 7b5a8fda3c28ccfab754b948699b960b200c5c25 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Wed, 7 Jan 2026 21:45:29 +0000 Subject: [PATCH 24/64] push image --- .github/workflows/build_multi_arch_image.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 82d2125..f27cc76 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -75,8 +75,12 @@ jobs: name: eps-devcontainer-base-latest-arm64.img - name: Load and push multi-arch image run: | + echo "loading images" docker load -i eps-devcontainer-base-latest-amd64.img docker load -i eps-devcontainer-base-latest-arm64.img + echo "pushing images" + docker push ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 + docker push ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 echo "creating manifest" docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest \ --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 \ From 6dd163625e6d6e272836f9bf18d926b0fa82bbc2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 8 Jan 2026 00:03:01 +0000 Subject: [PATCH 25/64] fix name --- .github/workflows/build_multi_arch_image.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index f27cc76..cbf8fd2 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
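Review bot: The two `docker push` lines run without any prior `docker login ghcr.io`; `packages: write` on the job only scopes the token, it does not authenticate the runner's docker client, so the pushes will be rejected. Add a login before the loads, passing the credentials through the step's `env:` rather than interpolating them into the script: `echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`, with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `GITHUB_ACTOR: ${{ github.actor }}` under `env:`. The step continues past the end of the hunk.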
@@ -34,7 +34,7 @@ jobs: - name: Build container run: | make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }} + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }} docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img env: GH_TOKEN: ${{ github.token }} @@ -79,11 +79,11 @@ jobs: docker load -i eps-devcontainer-base-latest-amd64.img docker load -i eps-devcontainer-base-latest-arm64.img echo "pushing images" - docker push ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 - docker push ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 + docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 echo "creating manifest" - docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest \ - --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 \ - --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \ + --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \ + --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 echo "pushing manifest" - docker manifest push ghcr.io/nhsdigital/eps-devcontainer-base:latest + docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest From 4ed613d5cc9fe8269548f568b5beff8495bcf740 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 8 Jan 2026 07:50:40 +0000 Subject: [PATCH 26/64] fix name --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index cbf8fd2..bc74863 100644 --- a/.github/workflows/build_multi_arch_image.yml 
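Review bot: The renamed `docker tag` now creates `eps-devcontainers:latest-${{ matrix.arch }}`, but the `docker save` line directly below it still saves `eps-devcontainer-base:latest-${{ matrix.arch }}`, a tag this job no longer creates, so the save fails and the artifact the publish job downloads is never produced; change it to `docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img`. The image name is spelled out in full on every line of both hunks, which is how this rename missed one; a single workflow-level `env:` entry such as `IMAGE: ghcr.io/nhsdigital/eps-devcontainers` referenced as `"$IMAGE"` in the scripts would make the next rename a one-line change.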
+++ b/.github/workflows/build_multi_arch_image.yml @@ -35,7 +35,7 @@ jobs: run: | make build-base-image docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }} - docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img + docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img env: GH_TOKEN: ${{ github.token }} ARCHITECTURE: ${{ matrix.arch }} From dc10f7dc7ff26e4c862638531ea391e784414a40 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 8 Jan 2026 08:45:38 +0000 Subject: [PATCH 27/64] auth to github --- .github/workflows/build_multi_arch_image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index bc74863..b7737e7 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -75,6 +75,7 @@ jobs: name: eps-devcontainer-base-latest-arm64.img - name: Load and push multi-arch image run: | + echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin echo "loading images" docker load -i eps-devcontainer-base-latest-amd64.img docker load -i eps-devcontainer-base-latest-arm64.img From bf02c2a171d13f49b37f7c8f3a7166e75532e72c Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 09:14:46 +0000 Subject: [PATCH 28/64] build only on pull request --- .github/workflows/build_multi_arch_image.yml | 203 +++++++++++-------- .github/workflows/pull_request.yml | 58 +++--- 2 files changed, 146 insertions(+), 115 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index b7737e7..6ad4a57 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
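Review bot: The new login line in the last hunk expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the shell script text, and passes the actor unquoted. GitHub's workflow-hardening guidance is to hand context values to scripts through `env:` and read them as shell variables, which keeps the secret out of the rendered script and avoids the inline-expansion pattern even where, as with an actor login, the value is tightly constrained: `echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`, with both names set under the step's `env:`. The rest of the step is outside the hunk.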
@@ -1,90 +1,127 @@ name: Build and push docker image +'on': + workflow_call: + inputs: + publish_image: + required: true + type: boolean +jobs: + build_image: + permissions: + id-token: write + runs-on: '${{ matrix.runner }}' + strategy: + matrix: + include: + - arch: amd64 + runner: ubuntu-22.04 + - arch: arm64 + runner: ubuntu-22.04-arm + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + with: + fetch-depth: 0 + - name: setup node + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f + with: + node-version-file: .tool-versions + - name: make install + run: | + make install-node + - name: Build container + run: > + make build-base-image -on: - workflow_call: + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -jobs: + docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" + env: + GH_TOKEN: '${{ github.token }}' + ARCHITECTURE: '${{ matrix.arch }}' + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + name: Upload docker images + with: + name: "eps-devcontainer-base-latest-${{ matrix.arch }}.img" + path: | + eps-devcontainer-base-latest-${{ matrix.arch }}.img + - name: Check docker vulnerabilities + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "image" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" + severity: "CRITICAL,HIGH" + scanners: "vuln" + vuln-type: "os,library" + format: "table" + output: "dependency_results_docker.txt" + exit-code: "1" + trivy-config: trivy.yaml + + - name: Show docker vulnerability output + if: always() + run: | + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" + if [ -f dependency_results_docker.txt ]; then + cat dependency_results_docker.txt + fi + env: + ARCHITECTURE: '${{ matrix.arch }}' + + 
publish_image: + needs: build_image + runs-on: ubuntu-22.04 + if: ${{ inputs.publish_image }} + permissions: + contents: read + packages: write + attestations: write + id-token: write + steps: + - name: Free Disk Space for Docker + uses: >- + endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 + with: + remove_android: true + remove_dotnet: true + remove_haskell: true + remove_tool_cache: true + rm_cmd: rm + remove_packages: >- + azure-cli google-cloud-cli microsoft-edge-stable + google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* + dotnet-sdk-* + remove_packages_one_command: true + - name: Download amd64 images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: eps-devcontainer-base-latest-amd64.img + - name: Download arm64 images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: eps-devcontainer-base-latest-arm64.img + - name: Load and push multi-arch image + run: > + echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ + github.actor }} --password-stdin + + echo "loading images" + + docker load -i eps-devcontainer-base-latest-amd64.img + + docker load -i eps-devcontainer-base-latest-arm64.img + + echo "pushing images" + + docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 - build_image: - permissions: - id-token: write - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - arch: amd64 - runner: ubuntu-22.04 - - arch: arm64 - runner: ubuntu-22.04-arm - steps: - - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 - with: - fetch-depth: 0 + docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 - # use setup-node rather than asdf so that it works multi-arch - - name: setup node - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f - with: - node-version-file: .tool-versions - - name: make install - run: | - make install-node + echo "creating manifest" - - 
name: Build container - run: | - make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }} - docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img - env: - GH_TOKEN: ${{ github.token }} - ARCHITECTURE: ${{ matrix.arch }} - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f - name: Upload docker images - with: - name: eps-devcontainer-base-latest-${{ matrix.arch }}.img - path: | - eps-devcontainer-base-latest-${{ matrix.arch }}.img + docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \ + --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \ + --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 + echo "pushing manifest" - publish_image: - needs: build_image - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - attestations: write - id-token: write - steps: - - name: Free Disk Space for Docker - uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 - with: - remove_android: true - remove_dotnet: true - remove_haskell: true - remove_tool_cache: true - rm_cmd: "rm" - remove_packages: "azure-cli google-cloud-cli microsoft-edge-stable google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* dotnet-sdk-*" - remove_packages_one_command: true - - name: Download amd64 images - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 - with: - name: eps-devcontainer-base-latest-amd64.img - - name: Download arm64 images - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 - with: - name: eps-devcontainer-base-latest-arm64.img - - name: Load and push multi-arch image - run: | - echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - echo "loading images" - docker load -i eps-devcontainer-base-latest-amd64.img - docker load -i 
eps-devcontainer-base-latest-arm64.img - echo "pushing images" - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 - echo "creating manifest" - docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \ - --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \ - --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 - echo "pushing manifest" - docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest + docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index d693dfe..65d67bb 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
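Review bot: The `run:` scripts were converted from literal (`|`) to folded (`>`) block scalars, which makes every command boundary depend on a blank separator line and the `docker manifest create … \` continuation depend on the `--amend` lines being more indented than the line above; if either is lost in a later edit the commands silently merge into one shell line. Literal style is the conventional form for multi-command steps and should be kept (`run: |`) for the three scripts in this hunk. The rewrite also dropped the comment `# use setup-node rather than asdf so that it works multi-arch` above the setup-node step, which was the only record of why asdf is not used there; please restore it. The `docker login` line still inlines `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` into the script, now split across a fold, instead of passing them via `env:`.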
@@ -1,56 +1,53 @@ name: pull_request - -on: +'on': pull_request: - branches: [main] - + branches: + - main env: - BRANCH_NAME: ${{ github.event.pull_request.head.ref }} - + BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' jobs: dependabot-auto-approve-and-merge: needs: quality_checks - uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + uses: >- + NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 secrets: - AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} - AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} - + AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}' + AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}' get_asdf_version: runs-on: ubuntu-22.04 outputs: - asdf_version: ${{ steps.asdf-version.outputs.version }} - tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + asdf_version: '${{ steps.asdf-version.outputs.version }}' + tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}' steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 - - name: Get asdf version id: asdf-version - run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + run: >- + echo "version=$(awk '!/^#/ && NF {print $1; exit}' + .tool-versions.asdf)" >> "$GITHUB_OUTPUT" - name: Load config value id: load-config run: | TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" - quality_checks: uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@trivy - needs: [get_asdf_version] + needs: + - get_asdf_version with: - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}' secrets: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - + SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' pr_title_format_check: - uses: 
NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 - + uses: >- + NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 get_issue_number: runs-on: ubuntu-22.04 needs: quality_checks outputs: - issue_number: ${{ steps.get_issue_number.outputs.result }} - version: ${{ steps.get_issue_number.outputs.version_number }} - + issue_number: '${{ steps.get_issue_number.outputs.result }}' + version: '${{ steps.get_issue_number.outputs.version_number }}' steps: - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd name: get issue number @@ -71,26 +68,23 @@ jobs: ).data[0].number; } result-encoding: string - get_commit_id: runs-on: ubuntu-22.04 outputs: - commit_id: ${{ steps.commit_id.outputs.commit_id }} - sha_short: ${{ steps.commit_id.outputs.sha_short }} - + commit_id: '${{ steps.commit_id.outputs.commit_id }}' + sha_short: '${{ steps.commit_id.outputs.sha_short }}' steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: - ref: ${{ env.BRANCH_NAME }} - + ref: '${{ env.BRANCH_NAME }}' - name: Get Commit ID id: commit_id run: | # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - - package_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml + with: + publish_image: false From d364522f6a64ac6a3904b30ecaec073dc5ab0048 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 10:08:17 +0000 Subject: [PATCH 29/64] add release workflow --- .github/workflows/build_multi_arch_image.yml | 43 +++++++++++------ .github/workflows/pull_request.yml | 4 ++ .github/workflows/release.yml | 47 +++++++++++++++++++ .../.devcontainer/scripts/root_install.sh | 1 + 4 files changed, 80 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/release.yml 
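Review bot: `quality_checks` pulls the reusable workflow with `quality-checks.yml@trivy`, a mutable branch reference, while every other `uses:` in this file is pinned to a full commit SHA; the line is unchanged by this commit but sits in the first hunk, and a moving ref means the checks that gate `dependabot-auto-approve-and-merge` and the image build can change without a review in this repository. Pin it once the branch work has landed, e.g. `uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@<COMMIT_SHA>` (placeholder).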
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 6ad4a57..3d5aa48 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -5,12 +5,17 @@ name: Build and push docker image publish_image: required: true type: boolean + docker_tag: + required: true + type: string + jobs: build_image: permissions: id-token: write runs-on: '${{ matrix.runner }}' strategy: + fail-fast: false matrix: include: - arch: amd64 @@ -33,12 +38,13 @@ jobs: run: > make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:{DOCKER_TAG}-${ARCHITECTURE}" docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" env: GH_TOKEN: '${{ github.token }}' ARCHITECTURE: '${{ matrix.arch }}' + DOCKER_TAG: '${{ inputs.docker_tag }}' - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: @@ -49,7 +55,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -61,7 +67,7 @@ jobs: - name: Show docker vulnerability output if: always() run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${ARCHITECTURE}" if [ -f dependency_results_docker.txt ]; then cat dependency_results_docker.txt fi 
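Review bot: In the build-step hunk the new tag is written as `:{DOCKER_TAG}-${ARCHITECTURE}` (missing `$`), so the image is tagged with the literal string `{DOCKER_TAG}`, and the unchanged `docker save` line below it still saves `:latest-${ARCHITECTURE}`, a tag this step no longer creates. Both lines need the same name: `docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}"` and `docker save "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img"`; the publish job's `docker tag "…:${DOCKER_TAG}-amd64"` in the following hunk assumes the loaded image carries the `DOCKER_TAG` name. In the scan-output hunk `${{ inputs.docker_tag }}` is interpolated into the `echo` while `ARCHITECTURE` goes through `env:`; add `DOCKER_TAG` to that step's `env:` and use `${DOCKER_TAG}` for consistency.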
@@ -102,26 +108,33 @@ jobs: name: eps-devcontainer-base-latest-arm64.img - name: Load and push multi-arch image run: > - echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ - github.actor }} --password-stdin - + echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin echo "loading images" - docker load -i eps-devcontainer-base-latest-amd64.img - docker load -i eps-devcontainer-base-latest-arm64.img - echo "pushing images" + echo "Tagging latest images" + docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64" + echo "pushing images" + docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 echo "creating manifest" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:latest" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64" - docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \ - --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \ - --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 echo "pushing manifest" - - docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:latest" + env: + DOCKER_TAG: '${{ inputs.docker_tag }}' + GITHUB_TOKEN: '${{ 
secrets.GITHUB_TOKEN }}' + GITHUB_ACTOR: '${{ github.actor }}' diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 65d67bb..98a5a94 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -86,5 +86,9 @@ jobs: echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" package_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml + needs: + - get_issue_number + - get_commit_id with: publish_image: false + docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..9ca0141 --- /dev/null +++ b/.github/workflows/release.yml 
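Review bot: Deleting the blank lines between commands breaks this step, because its header (context line `run: >`) is a folded scalar: adjacent lines at the same indent are joined with a space, so after this hunk `… --password-stdin echo "loading images" docker load -i …` is one shell line and `docker login` receives every following word as an argument. Either keep a blank line between each command or, preferably, change the header to `run: |`, which is a one-line fix and also makes the `\` continuations on the two `docker manifest create` commands robust regardless of indentation. Moving the token and actor into `env:` is the right direction and should be kept.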
@@ -0,0 +1,47 @@ +name: merge to main workflow +on: + push: + branches: [main] + +jobs: + get_asdf_version: + runs-on: ubuntu-22.04 + outputs: + asdf_version: '${{ steps.asdf-version.outputs.version }}' + tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}' + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - name: Get asdf version + id: asdf-version + run: >- + echo "version=$(awk '!/^#/ && NF {print $1; exit}' + .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + - name: Load config value + id: load-config + run: | + TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + quality_checks: + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e + needs: + - get_asdf_version + with: + asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}' + secrets: + SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' + tag_release: + needs: [quality_checks, get_asdf_version] + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e + with: + dry_run: false + asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + branch_name: main + tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} + secrets: inherit + package_docker_image: + needs: tag_release + uses: ./.github/workflows/build_multi_arch_image.yml + with: + publish_image: true + docker_tag: '${{ needs.tag_release.outputs.version_tag }}' diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 0c0d632..bdc0bc6 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -18,6 +18,7 @@ fi echo "Running apt-get update" apt-get update +apt-get upgrade -y # install necessary libraries for asdf and language runtimes echo "Installing necessary packages" 
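Review bot: `tag_release` is called with `secrets: inherit`, which forwards every repository and organisation secret to the reusable workflow, whereas `quality_checks` in the same file names the one secret it needs; list the secrets `tag-release.yml` actually consumes instead (what it needs is not visible on this page). The workflow also declares no `permissions:` at any level, so each job runs with the repository's default token scopes rather than the explicit least-privilege sets used in build_multi_arch_image.yml; add a top-level `permissions: contents: read` and raise it on `tag_release` to whatever the tagging workflow needs (presumably `contents: write`). Minor style: `on:` is unquoted here but written `'on':` in the other workflows of this commit, and the `asdfVersion`/`tag_format` expressions are unquoted while the rest of the file quotes them.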
From 0efc57737296a17d46664e815d16ffcfa7c77f35 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 10:27:03 +0000 Subject: [PATCH 30/64] fix tag --- .github/workflows/build_multi_arch_image.yml | 2 +- scripts/generate_language_version_files.sh | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 3d5aa48..d351476 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -38,7 +38,7 @@ jobs: run: > make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:{DOCKER_TAG}-${ARCHITECTURE}" + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" env: diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh index 1e523ae..d36fcf7 100755 --- a/scripts/generate_language_version_files.sh +++ b/scripts/generate_language_version_files.sh @@ -25,8 +25,6 @@ REPOS=( "NHSDigital/nhs-fhir-middy-error-handler" "NHSDigital/nhs-eps-spine-client" "NHSDigital/electronic-prescription-service-api-regression-tests" - "NHSDigital/eps-action-sbom" - "NHSDigital/eps-action-cfn-lint" "NHSDigital/eps-common-workflows" "NHSDigital/eps-storage-terraform" "NHSDigital/eps-spine-shared" From 577f940ebd8cde6543d02ed6c02ab9cfd86ffc84 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 10:40:31 +0000 Subject: [PATCH 31/64] get repos from one place --- .github/workflows/build_multi_arch_image.yml | 9 ++++ scripts/generate_language_version_files.sh | 43 ++++++++------------ 2 files changed, 27 insertions(+), 25 deletions(-) 
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index d351476..5de8819 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -31,6 +31,14 @@ jobs: uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: node-version-file: .tool-versions + - name: Generate a token to get details from other repositories + id: generate-token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf + with: + app-id: ${{ vars.EPS_REPO_STATUS_APP_ID }} + private-key: ${{ secrets.EPS_REPO_STATUS_PEM }} + owner: "NHSDigital" + - name: make install run: | make install-node @@ -45,6 +53,7 @@ jobs: GH_TOKEN: '${{ github.token }}' ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' + GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh index d36fcf7..104090c 100755 --- a/scripts/generate_language_version_files.sh +++ b/scripts/generate_language_version_files.sh 
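Review bot: The app token is minted with `owner: "NHSDigital"` and no `repositories:` input, so it is valid for every repository the app is installed on in the organisation, far more than the `.tool-versions` reads it is created for; add `repositories:` naming the repositories the build actually queries (this commit moves that list into eps-repo-status, so it may need generating, but the default should not be org-wide). The token is also exported as `GITHUB_TOKEN` alongside `GH_TOKEN: ${{ github.token }}` in the same `env:` block; `gh` reads `GH_TOKEN` in preference to `GITHUB_TOKEN`, so if `make build-base-image` calls `gh api` it will still use the default token and the app token goes unused — worth confirming against the Makefile, which is not on this page.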
@@ -1,35 +1,28 @@ #!/usr/bin/env bash +set -e # Get the current directory of the script SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" LANGUAGE_VERSIONS_DIR="${SCRIPT_DIR}/../src/base/.devcontainer/language_versions" -# Define repositories to fetch .tool-versions from -REPOS=( - "NHSDigital/electronic-prescription-service-clinical-prescription-tracker" - "NHSDigital/prescriptionsforpatients" - "NHSDigital/prescriptions-for-patients" - "NHSDigital/electronic-prescription-service-api" - "NHSDigital/electronic-prescription-service-release-notes" - "NHSDigital/electronic-prescription-service-account-resources" - "NHSDigital/eps-prescription-status-update-api" - "NHSDigital/eps-FHIR-validator-lambda" - "NHSDigital/eps-load-test" - "NHSDigital/eps-prescription-tracker-ui" - "NHSDigital/eps-aws-dashboards" - "NHSDigital/eps-cdk-utils" - "NHSDigital/eps-vpc-resources" - "NHSDigital/eps-assist-me" - "NHSDigital/validation-service-fhir-r4" - "NHSDigital/electronic-prescription-service-get-secrets" - "NHSDigital/nhs-fhir-middy-error-handler" - "NHSDigital/nhs-eps-spine-client" - "NHSDigital/electronic-prescription-service-api-regression-tests" - "NHSDigital/eps-common-workflows" - "NHSDigital/eps-storage-terraform" - "NHSDigital/eps-spine-shared" -) +# Check if the user is logged in with GitHub CLI +if ! gh auth status > /dev/null 2>&1; then + echo "You are not logged in to GitHub CLI. Initiating login..." + gh auth login +fi +# Fetch the repos.json file from the eps-repo-status repository using GitHub CLI +REPOS_JSON_PATH="repos/NHSDigital/eps-repo-status/contents/packages/get_repo_status/app/repos.json" +TEMP_REPOS_JSON="/tmp/repos.json" + +# Download the repos.json file +if ! gh api -H 'Accept: application/vnd.github.v3.raw' "$REPOS_JSON_PATH" > "$TEMP_REPOS_JSON"; then + echo "Failed to fetch repos.json using GitHub CLI. Exiting." 
+ exit 1 +fi + +# Parse the repoUrl values from the JSON file +mapfile -t REPOS < <(jq -r '.[].repoUrl' "$TEMP_REPOS_JSON") # Define output files mkdir -p "${LANGUAGE_VERSIONS_DIR}" From 075b2ea6b2c8fd503f4ae7a6a85d9ab180f3a2f9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 11:04:04 +0000 Subject: [PATCH 32/64] add secret --- .github/workflows/build_multi_arch_image.yml | 3 +++ .github/workflows/pull_request.yml | 2 ++ .github/workflows/release.yml | 2 ++ 3 files changed, 7 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 5de8819..e90d121 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -8,6 +8,9 @@ name: Build and push docker image docker_tag: required: true type: string + secrets: + EPS_REPO_STATUS_PEM: + required: true jobs: build_image: diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 98a5a94..654d25d 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -92,3 +92,5 @@ jobs: with: publish_image: false docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' + secrets: + EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9ca0141..8da9db2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,3 +45,5 @@ jobs: with: publish_image: true docker_tag: '${{ needs.tag_release.outputs.version_tag }}' + secrets: + EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} From b4413b5be0ff6f5114a7b8a41dec5beee2f3e526 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 11:12:27 +0000 Subject: [PATCH 33/64] use token --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
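Review bot: `TEMP_REPOS_JSON="/tmp/repos.json"` is a fixed, predictable path in a shared directory and the `>` redirect follows whatever already sits there; since the script is also meant to run on a developer machine (the `gh auth login` fallback), use `TEMP_REPOS_JSON="$(mktemp)"` together with `trap 'rm -f "$TEMP_REPOS_JSON"' EXIT` so the file is private to the run and cleaned up. `set -e` on its own does not catch a failing `jq` inside the `< <(...)` process substitution that fills `REPOS`; `set -euo pipefail` plus a check that `REPOS` is non-empty would make a bad download fail loudly instead of silently generating no version files. The array previously held `owner/name` slugs and now holds `.[].repoUrl` values; the code that consumes `REPOS` is outside this hunk, so confirm it accepts that form.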
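Review bot: `EPS_REPO_STATUS_PEM` is declared `required: true` in the called workflow, but the caller in `pull_request.yml` forwards `${{ secrets.EPS_REPO_STATUS_PEM }}`, which GitHub leaves empty for pull requests opened from forks; the trigger is outside this hunk, so if forked PRs can reach this job the token step will fail on them rather than the build degrading gracefully. If forked PRs are not meant to build images, an `if:` guard on the calling job (same-repository PRs only) or a comment next to the `secrets:` block would make that explicit.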
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index e90d121..3ef6674 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -53,7 +53,7 @@ jobs: docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" env: - GH_TOKEN: '${{ github.token }}' + GH_TOKEN: ${{ steps.generate-token.outputs.token }} ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} From 41a14e4f1d942326fddf3bf4b6fea904a0499a01 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 12:15:09 +0000 Subject: [PATCH 34/64] add trivyignore --- .trivyignore.yaml | 471 ++++++++++++++++++++++++++++++++++++++++++++++ trivy.yaml | 1 + 2 files changed, 472 insertions(+) create mode 100644 .trivyignore.yaml create mode 100644 trivy.yaml diff --git a/.trivyignore.yaml b/.trivyignore.yaml new file mode 100644 index 0000000..f9052ce --- /dev/null +++ b/.trivyignore.yaml 
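Review bot: With `GH_TOKEN` now set to the app token, the unchanged `GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}` two lines below carries the same value and can be dropped, so a reader sees a single credential feeding the step. This step's `run:` (outside the hunk) covers `make build-base-image` as well as the script that needs cross-repository access, so every `gh` call in the build now runs with the app installation's permissions instead of the minimal default token; keeping the app's permissions read-only and limited to the repository it needs bounds what that step can do.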
@@ -0,0 +1,471 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@3.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@11.0.3" + expired_at: 2026-06-01 + - id: CVE-2022-25881 + statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" + purls: + - "pkg:npm/http-cache-semantics@4.1.0" + expired_at: 2026-06-01 + - id: CVE-2024-29415 + statement: "node-ip Incomplete fix for CVE-2023-42282" + purls: + - "pkg:npm/ip@1.1.5" + expired_at: 2026-06-01 + - id: CVE-2022-3517 + statement: "nodejs-minimatch ReDoS via the braceExpand function" + purls: + - "pkg:npm/minimatch@3.0.4" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@11.6.2" + expired_at: 2026-06-01 + - id: CVE-2022-29244 + statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: 
CVE-2022-25883 + statement: "nodejs-semver Regular expression denial of service" + purls: + - "pkg:npm/semver@7.3.5" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
+ purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-49761 + statement: "rexml REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-22874 + statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" + purls: + - "pkg:golang/stdlib@v1.24.3" + 
expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-66564 + statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" + purls: + - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2023-24538 + statement: "golang html/template backticks not treated as string delimiters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24540 + statement: "golang html/template improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-24790 + statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-24675 + statement: "golang encoding/pem fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-27664 + statement: "golang net/http handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28131 + statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28327 + statement: "golang crypto/elliptic panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2879 + statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2880 + statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30580 + statement: "golang os/exec Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30630 + statement: "golang io/fs stack 
exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30631 + statement: "golang compress/gzip stack exhaustion in Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30632 + statement: "golang path/filepath stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30633 + statement: "golang encoding/xml stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30635 + statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-32189 + statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41715 + statement: "golang regexp/syntax limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41720 + statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41722 + statement: "golang path/filepath path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41724 + statement: "golang crypto/tls large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41725 + statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24534 + statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24536 + statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24537 + statement: "golang go/parser Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24539 + statement: "golang html/template improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29400 + statement: "golang html/template improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29403 + statement: "golang runtime unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: 
CVE-2023-39325 + statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45287 + statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45288 + statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-34156 + statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd containerd local privilege escalation" + purls: + - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 0000000..eb24337 --- /dev/null +++ b/trivy.yaml @@ -0,0 +1 @@ +ignorefile: ".trivyignore.yaml" 
From aade34cf6de2bb87757da8fd909688dad9fd68f6 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 12:43:34 +0000 Subject: [PATCH 35/64] fix build --- .github/workflows/build_multi_arch_image.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 3ef6674..185eca6 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -51,7 +51,7 @@ jobs: docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" - docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" + docker save "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img" env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} ARCHITECTURE: '${{ matrix.arch }}' @@ -60,9 +60,9 @@ jobs: - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: - name: "eps-devcontainer-base-latest-${{ matrix.arch }}.img" + name: "eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" path: | - eps-devcontainer-base-latest-${{ matrix.arch }}.img + eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img - name: Check docker vulnerabilities uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: 
@@ -79,12 +79,13 @@ jobs: - name: Show docker vulnerability output if: always() run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${ARCHITECTURE}" + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" if [ -f dependency_results_docker.txt ]; then cat dependency_results_docker.txt fi env: ARCHITECTURE: '${{ matrix.arch }}' + DOCKER_TAG: '${{ inputs.docker_tag }}' publish_image: needs: build_image @@ -113,17 +114,17 @@ jobs: - name: Download amd64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: - name: eps-devcontainer-base-latest-amd64.img + name: eps-devcontainer-base-${{ inputs.docker_tag }}-amd64.img - name: Download arm64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: - name: eps-devcontainer-base-latest-arm64.img + name: eps-devcontainer-base-${{ inputs.docker_tag }}-arm64.img - name: Load and push multi-arch image run: > echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin echo "loading images" - docker load -i eps-devcontainer-base-latest-amd64.img - docker load -i eps-devcontainer-base-latest-arm64.img + docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img" + docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" echo "Tagging latest images" docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" From 232c86f49e07d40016e4ef6fe73cd9b2e901b3c5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 12:56:54 +0000 Subject: [PATCH 36/64] use repo list from a different location --- Makefile | 1 + scripts/generate_language_version_files.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index cf96122..454c5bf 100644 --- a/Makefile +++ b/Makefile 
@@ -30,6 +30,7 @@ scan-base-image: trivy image \ --severity HIGH,CRITICAL \ --ignorefile .trivyignore.yaml \ + --scanners vuln \ --exit-code 1 \ --format table ${IMAGE_NAME} diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh index 104090c..7f4821d 100755 --- a/scripts/generate_language_version_files.sh +++ b/scripts/generate_language_version_files.sh @@ -12,7 +12,7 @@ if ! gh auth status > /dev/null 2>&1; then fi # Fetch the repos.json file from the eps-repo-status repository using GitHub CLI -REPOS_JSON_PATH="repos/NHSDigital/eps-repo-status/contents/packages/get_repo_status/app/repos.json" +REPOS_JSON_PATH="repos/NHSDigital/eps-repo-status/contents/repos.json" TEMP_REPOS_JSON="/tmp/repos.json" # Download the repos.json file From fc029d088dcc038419de23cb64aa184fd5785d4b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 13:25:34 +0000 Subject: [PATCH 37/64] add readme --- README.md | 54 ++++++++++++++++++++++++ src/base/.devcontainer/devcontainer.json | 2 +- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..883bb6f --- /dev/null +++ b/README.md 
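Review bot: Adding `--scanners vuln` to `scan-base-image` narrows trivy from its default `vuln,secret` scanner set, so any credential accidentally left in an image layer will no longer be reported by this target. If the motivation was speed or a noisy secret finding, `--scanners vuln,secret` with a targeted entry in the ignore file keeps the check; if dropping secret detection is deliberate, a comment on the line saying so would stop the next reader restoring it. The workflow's `aquasecurity/trivy-action` step scans the same image with flags that are not in this hunk, so check whether the two stay consistent.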
@@ -0,0 +1,54 @@ +EPS DEV CONTAINERS +================== + +# Introduction +This repo contains code to build a vscode devcontainer that is used as a base image for all EPS projects. +Images are build for amd64 and arm64 and a manifest file created that can be pulled for both architectures. +Images are based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 +Images contain + - latest os packages + - asdf + - aws cli + - aws sam cli + + It installs the following dev container features + - docker outside of docker + - github cli + +As the vscode user the following also happens + +asdf install and setup for these so they are available globally as vscode user + - shellcheck + - direnv + - actionlint + - ruby (for github pages) + - trivy + +Install asdf plugins for all tools we use +Install asdf versions of node, python, java, terraform, golang used by all EPS projects to speed up initial build of local dev container +Install and setup git-secrets + +# Project structure +The dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container + +The dev container is built using https://github.com/devcontainers/cli + +The script `scripts/generate_language_version_files.sh` gets the version of node, python, java and terraform from all EPS repositories. It uses the list of repos from https://github.com/NHSDigital/eps-repo-status/blob/main/repos.json to find all EPS repos. + +# Build process +Docker images are built for each pull request, and on merges to main + +Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. + +On merges to main, a new release is created and the images are pushed to github. The images are tagged with `latest` and the version of the release. 
+ +# Local testing +For local testing, you can run +``` +ARCHITECTURE=amd64 make build-base-image +``` +to build a local image, and then +``` +make scan-base-image +``` +to scan for vulnerabilities diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index ae0f548..9f369d3 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -1,7 +1,7 @@ // For format details, see https://aka.ms/devcontainer.json. For config options, see the // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { - "name": "Ubuntu", + "name": "EPS Devcontainer Base", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "Dockerfile", From 34fc02c8ad7fb83415972c23530282e9ba0a066e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 13:26:33 +0000 Subject: [PATCH 38/64] free space on build --- .github/workflows/build_multi_arch_image.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 185eca6..454509f 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -26,6 +26,20 @@ jobs: - arch: arm64 runner: ubuntu-22.04-arm steps: + - name: Free Disk Space for Docker + uses: >- + endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 + with: + remove_android: true + remove_dotnet: true + remove_haskell: true + remove_tool_cache: true + rm_cmd: rm + remove_packages: >- + azure-cli google-cloud-cli microsoft-edge-stable + google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* + dotnet-sdk-* + remove_packages_one_command: true - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: From 438de78b0d75927896fbad7985169bb9310d41a3 Mon Sep 17 00:00:00 2001 
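Review bot: `remove_tool_cache: true` in the new `Free Disk Space for Docker` step deletes the runner's hosted tool cache, which is where the later `actions/setup-node` step (with `node-version-file: .tool-versions`) would normally find a pre-installed Node, so each run will download Node afterwards; acceptable if the space is needed, but worth knowing. The `remove_packages` list purges by shell-style globs (`postgresql*`, `temurin-*`, `*llvm*`, `mysql*`), so anything the host-side build needs that matches those patterns goes too; a one-line comment above the step, e.g. `# frees <measured> GB on the ubuntu-22.04 runners; nothing removed here is used by the build`, would make the list safe to revisit. The `uses: >-` folded scalar for the action reference is unusual style; a plain one-line `uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885` reads better and is what most reviewers and tooling expect.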
From: Anthony Brown Date: Fri, 6 Feb 2026 13:31:38 +0000 Subject: [PATCH 39/64] add common files --- CODE_OF_CONDUCT.md | 76 ++++++++++++++++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 61 +++++++++++++++++++++++++++++++++++++ LICENSE | 21 +++++++++++++ SECURITY.md | 35 +++++++++++++++++++++ 4 files changed, 193 insertions(+) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..65cf5ff --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,76 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, sex characteristics, gender identity and expression, +level of experience, education, socio-economic status, nationality, personal +appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or + advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see +https://www.contributor-covenant.org/faq diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..9f62523 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,61 @@ +# Contribution Guidelines + +## Raising an Issue + +If you raise an issue against this repository, please include as much information as possible to reproduce any bugs, +or specific locations in the case of content errors. + +## Contributing code + +To contribute code, please fork the repository and raise a pull request. + +Ideally pull requests should be fairly granular and aim to solve one problem each. It would also be helpful if they +linked to an issue. If the maintainers cannot understand why a pull request was raised, it will be rejected, +so please explain why the changes need to be made (unless it is self-evident). + +### Merge responsibility + +- It is the responsibility of the reviewer to merge branches they have approved. +- It is the responsibility of the author of the merge to ensure their merge is in a mergeable state. +- It is the responsibility of the maintainers to ensure the merge process is unambiguous and automated where possible. + +### Branch naming + +Branch names should be of the format: + +`aea-nnn-short-issue-description` + +Multiple branches are permitted for the same ticket. + +### Commit messages + +We do not enforce any conventions on commit messages to a branch, as we use squash commits when merging to main branch. + +Commits from a pull request get squashed into a single commit on merge, using the pull request title as the commit message. +Please format your pull request title using tags from [ESLint Convention](https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-changelog-eslint) as follows: + +```text +Tag: [AEA-NNNN] - Short description +``` + +Tag can be one of: + +- `Fix` - for a bug fix. (Patch release) +- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release) +- `New` - implemented a new feature. (Minor release) +- `Breaking` - for a backwards-incompatible enhancement or feature. 
(Major release) +- `Docs` - changes to documentation only. (Patch release) +- `Build` - changes to build process only. (No release) +- `Upgrade` - for a dependency upgrade. (Patch release) +- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release) + +If the current release is x.y.z then +- a patch release increases z by 1 +- a minor release increases y by 1 +- a major release increases x by 1 + +Correct tagging is necessary for our automated versioning and release process ([Release](./RELEASE.md)). + +### Changelog + +Release changelogs are generated from the titles of pull requests merged into the `main` branch. Please ensure that your pull request title is sufficiently descriptive of the changes made. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0ba95e8 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Crown Copyright (c) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..15baeac --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,35 @@ +# Security + +NHS England takes security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems and/or private data managed by our systems, please do not hesitate to contact us using the methods outlined below. + +## Table of Contents + +- [Security](#security) + - [Table of Contents](#table-of-contents) + - [Reporting a vulnerability](#reporting-a-vulnerability) + - [Email](#email) + - [NCSC](#ncsc) + - [General Security Enquiries](#general-security-enquiries) + +## Reporting a vulnerability + +Please note, email is our preferred method of receiving reports. + +### Email + +If you wish to notify us of a vulnerability via email, please include detailed information on the nature of the vulnerability and any steps required to reproduce it. + +You can reach us at: + +- [epssupport@nhs.net](epssupport@nhs.net) +- [cybersecurity@nhs.net](cybersecurity@nhs.net) + +### NCSC + +You can send your report to the National Cyber Security Centre, who will assess your report and pass it on to NHS England if necessary. + +You can report vulnerabilities here: [https://www.ncsc.gov.uk/information/vulnerability-reporting](https://www.ncsc.gov.uk/information/vulnerability-reporting) + +## General Security Enquiries + +If you have general enquiries regarding our cybersecurity, please reach out to us at [cybersecurity@nhs.net](cybersecurity@nhs.net) From eb0658322507ec340ca0555cfe908a498d687b8d Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 13:50:42 +0000 Subject: [PATCH 40/64] upload scan results --- .github/workflows/build_multi_arch_image.yml | 26 +++++++++++++++++--- 1 file changed, 22 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 454509f..b01002b 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -77,7 +77,25 @@ jobs: name: "eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" path: | eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img - - name: Check docker vulnerabilities + - name: Check docker vulnerabilities - json output + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "image" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}" + severity: "CRITICAL,HIGH" + scanners: "vuln" + vuln-type: "os,library" + format: "json" + output: "scan_results_docker_${{ matrix.arch }}.json" + exit-code: "0" + trivy-config: trivy.yaml + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + name: Upload scan results + with: + name: "scan_results_docker_${{ matrix.arch }}.json" + path: | + "scan_results_docker_${{ matrix.arch }}.json" + - name: Check docker vulnerabilities - table output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" @@ -86,7 +104,7 @@ jobs: scanners: "vuln" vuln-type: "os,library" format: "table" - output: "dependency_results_docker.txt" + output: "scan_results_docker.txt" exit-code: "1" trivy-config: trivy.yaml @@ -94,8 +112,8 @@ jobs: if: always() run: | echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" - if [ -f dependency_results_docker.txt ]; then - cat dependency_results_docker.txt + if [ -f scan_results_docker.txt ]; then + cat scan_results_docker.txt fi env: ARCHITECTURE: '${{ matrix.arch }}' From fb3ed0be463798e38c207f9e7b00ec9aef0819a0 Mon Sep 17 00:00:00 2001 
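Review bot: The new "Upload scan results" step writes the filename inside a `path: |` literal block with surrounding double quotes, and inside a block scalar those quotes are part of the value, so upload-artifact looks for a file literally named `"scan_results_docker_amd64.json"` (quotes included) and will not find the Trivy JSON output; PATCH 41 keeps the same quoting when it changes the path to `"scan_results_docker.json"`. Use a plain scalar, `path: scan_results_docker_${{ matrix.arch }}.json`, or keep the block and drop the quotes. Because the JSON scan runs with `exit-code: "0"`, a missing file here is the only signal that the scan did not produce output, and upload-artifact only warns when nothing matches, so `if-no-files-found: error` on this step would make the gap fail the job instead of silently uploading nothing.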
From: Anthony Brown Date: Fri, 6 Feb 2026 14:18:36 +0000 Subject: [PATCH 41/64] update path --- .github/workflows/build_multi_arch_image.yml | 4 ++-- README.md | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index b01002b..2e3ea71 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -86,7 +86,7 @@ jobs: scanners: "vuln" vuln-type: "os,library" format: "json" - output: "scan_results_docker_${{ matrix.arch }}.json" + output: "scan_results_docker.json" exit-code: "0" trivy-config: trivy.yaml - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f @@ -94,7 +94,7 @@ jobs: with: name: "scan_results_docker_${{ matrix.arch }}.json" path: | - "scan_results_docker_${{ matrix.arch }}.json" + "scan_results_docker.json" - name: Check docker vulnerabilities - table output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: diff --git a/README.md b/README.md index 883bb6f..692f065 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,8 @@ Install asdf versions of node, python, java, terraform, golang used by all EPS p Install and setup git-secrets # Project structure -The dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container +The dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container. +As part of the dockerfile, there are scripts in the scripts folder that run as root and vscode user that setup and install various programs. The dev container is built using https://github.com/devcontainers/cli From b0127fd1d7739e28930a4b09b11a1db43e8bd678 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Fri, 6 Feb 2026 14:48:09 +0000 Subject: [PATCH 42/64] update .trivyignore --- .trivyignore.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/.trivyignore.yaml b/.trivyignore.yaml index f9052ce..ca32650 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -469,3 +469,28 @@ vulnerabilities: purls: - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 From 119f27291567424bde1b14cb5643a177677ffe0b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 15:20:18 +0000 Subject: [PATCH 43/64] try publishing image --- .github/workflows/pull_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 654d25d..1052066 100644 
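Review bot: Each new `statement` repeats the CVE title rather than the reason the finding is accepted, so when `expired_at: 2026-06-01` arrives a reviewer has nothing to re-evaluate; all five are kernel CVEs reported against `linux-libc-dev`, which presumably ships only headers inside the image, and that is the justification worth recording, e.g. `statement: "linux-libc-dev provides kernel headers only; the kernel CVE is not reachable from inside the container image"`. The CVE-2025-21780 statement also carries a trailing space inside the quotes. The context line above the hunk shows an amd64 purl for the same package, so if these ids already have amd64 entries a single entry listing both purls under `purls:` would avoid maintaining two expiries per CVE.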
--- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -90,7 +90,7 @@ jobs: - get_issue_number - get_commit_id with: - publish_image: false + publish_image: true docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' secrets: EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} From 02d47c4213559152c1562f09c0a18c10738d8cb5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 16:08:02 +0000 Subject: [PATCH 44/64] correct login --- .gitallowed | 2 ++ .github/workflows/build_multi_arch_image.yml | 13 +++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.gitallowed b/.gitallowed index 76bb1a8..bb5927a 100644 --- a/.gitallowed +++ b/.gitallowed @@ -1 +1,3 @@ id-token: write +password: \${{secrets\.GITHUB_TOKEN}} +\.gitallowed diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 2e3ea71..af4c3e2 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -151,9 +151,16 @@ jobs: uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: name: eps-devcontainer-base-${{ inputs.docker_tag }}-arm64.img + - name: Login to github container registry + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 + with: + registry: ghcr.io + username: ${{github.actor}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: Load and push multi-arch image run: > - echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin echo "loading images" docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img" docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" 
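Review bot: Setting `publish_image: true` in the pull-request workflow means every PR build now pushes to ghcr.io, and the push step in `build_multi_arch_image.yml` (visible in PATCH 44 and PATCH 46 of this series) retags the built image as `latest` and pushes that manifest unconditionally, so an unmerged PR could replace the tag consumers pull. If the intent is only to make `pr<N>-<sha>` tags available for testing, the `latest` tagging and manifest push should be conditioned on the release path, for example `if: github.event_name != 'pull_request'` on that step or a separate input. The job this hunk belongs to starts outside the hunk, so whether it is already restricted to non-fork pull requests is not visible here.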
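Review bot: The new login step authenticates with `${{secrets.GITHUB_TOKEN}}`, which only lets the later `docker push` succeed if the job grants `packages: write`; the job's `permissions:` block is outside this hunk, so confirm it is set explicitly rather than relying on the repository default. Moving the login from an `echo ... | docker login --password-stdin` line to `docker/login-action` pinned by SHA is an improvement, but the expressions are written `${{github.actor}}` and `${{secrets.GITHUB_TOKEN}}` while the rest of the file uses `${{ inputs.docker_tag }}` with inner spaces; `username: ${{ github.actor }}` and `password: ${{ secrets.GITHUB_TOKEN }}` keep the file consistent. The `.gitallowed` entry added in the same commit matches exactly that unspaced form, so it would need to change with it.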
@@ -180,6 +187,4 @@ jobs: docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:latest" env: - DOCKER_TAG: '${{ inputs.docker_tag }}' - GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - GITHUB_ACTOR: '${{ github.actor }}' + DOCKER_TAG: ${{ inputs.docker_tag }} From 2d98a0c5354cb7fd26511daa8e127ce401971c91 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 16:54:21 +0000 Subject: [PATCH 45/64] correct workflow --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index af4c3e2..8006211 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -160,7 +160,7 @@ jobs: - name: Load and push multi-arch image - run: > + run: | echo "loading images" docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img" docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" From 1ff48846c5136e839263413c962753e41a30fff2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 07:31:23 +0000 Subject: [PATCH 46/64] build base image --- .github/workflows/build_multi_arch_image.yml | 38 +++---- Makefile | 5 +- scripts/generate_language_version_files.sh | 98 ------------------- src/base/.devcontainer/.tool-versions | 2 +- src/base/.devcontainer/Dockerfile | 5 - src/base/.devcontainer/devcontainer.json | 5 +- .../.devcontainer/scripts/root_install.sh | 20 ++-- .../.devcontainer/scripts/vscode_install.sh | 25 ----- 8 files changed, 35 insertions(+), 163 deletions(-) delete mode 100755 scripts/generate_language_version_files.sh diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 8006211..236bc88 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
@@ -63,9 +63,9 @@ jobs: run: > make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" - docker save "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img" + docker save "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img" env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} ARCHITECTURE: '${{ matrix.arch }}' @@ -81,7 +81,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -99,7 +99,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -111,7 +111,7 @@ jobs: - name: Show docker vulnerability output if: always() run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" if [ -f scan_results_docker.txt ]; then cat scan_results_docker.txt fi 
@@ -166,25 +166,25 @@ jobs: docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" echo "Tagging latest images" - docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" - docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" echo "pushing images" - docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 + docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" echo "creating manifest" - docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" - docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:latest" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/base:latest" \ + --amend 
"ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" echo "pushing manifest" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:latest" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:latest" env: DOCKER_TAG: ${{ inputs.docker_tag }} diff --git a/Makefile b/Makefile index 454c5bf..ea1d8ba 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite install-hooks: -build-base-image: generate-language-version-files +build-base-image: CONTAINER_NAME=$(CONTAINER_NAME) \ npx devcontainer build \ --workspace-folder ./src/base/ \ @@ -23,9 +23,6 @@ build-base-image: generate-language-version-files --platform linux/${ARCHITECTURE} \ --image-name "${IMAGE_NAME}" -generate-language-version-files: - ./scripts/generate_language_version_files.sh - scan-base-image: trivy image \ --severity HIGH,CRITICAL \ diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh deleted file mode 100755 index 7f4821d..0000000 --- a/scripts/generate_language_version_files.sh +++ /dev/null 
@@ -1,98 +0,0 @@ -#!/usr/bin/env bash -set -e - -# Get the current directory of the script -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -LANGUAGE_VERSIONS_DIR="${SCRIPT_DIR}/../src/base/.devcontainer/language_versions" - -# Check if the user is logged in with GitHub CLI -if ! gh auth status > /dev/null 2>&1; then - echo "You are not logged in to GitHub CLI. Initiating login..." - gh auth login -fi - -# Fetch the repos.json file from the eps-repo-status repository using GitHub CLI -REPOS_JSON_PATH="repos/NHSDigital/eps-repo-status/contents/repos.json" -TEMP_REPOS_JSON="/tmp/repos.json" - -# Download the repos.json file -if ! gh api -H 'Accept: application/vnd.github.v3.raw' "$REPOS_JSON_PATH" > "$TEMP_REPOS_JSON"; then - echo "Failed to fetch repos.json using GitHub CLI. Exiting." - exit 1 -fi - -# Parse the repoUrl values from the JSON file -mapfile -t REPOS < <(jq -r '.[].repoUrl' "$TEMP_REPOS_JSON") - -# Define output files -mkdir -p "${LANGUAGE_VERSIONS_DIR}" -NODEJS_FILE="${LANGUAGE_VERSIONS_DIR}/nodejs-versions.txt" -PYTHON_FILE="${LANGUAGE_VERSIONS_DIR}/python-versions.txt" -JAVA_FILE="${LANGUAGE_VERSIONS_DIR}/java-versions.txt" -TERRAFORM_FILE="${LANGUAGE_VERSIONS_DIR}/terraform-versions.txt" -GOLANG_FILE="${LANGUAGE_VERSIONS_DIR}/golang-versions.txt" -ALL_LANGUAGES_FILE="${LANGUAGE_VERSIONS_DIR}/language-versions.txt" -# Clear existing files -true > "$NODEJS_FILE" -true > "$PYTHON_FILE" -true > "$JAVA_FILE" -true > "$TERRAFORM_FILE" -true > "$GOLANG_FILE" -true > "$ALL_LANGUAGES_FILE" - -# Loop through repositories and fetch .tool-versions -for repo in "${REPOS[@]}"; do - TEMP_FILE="/tmp/.tool-versions" - - # Fetch .tool-versions from the repository - gh api -H 'Accept: application/vnd.github.v3.raw' "repos/${repo}/contents/.tool-versions" > "$TEMP_FILE" - - # Extract versions and append to respective files - if [ -f "$TEMP_FILE" ]; then - echo "" >> ${TEMP_FILE} - while IFS= read -r line; do - tool=$(echo "$line" | awk '{print $1}') - 
version=$(echo "$line" | awk '{print $2}') - - case $tool in - nodejs) - echo "$version" >> "$NODEJS_FILE" - echo "nodejs $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - python) - echo "$version" >> "$PYTHON_FILE" - echo "python $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - java) - echo "$version" >> "$JAVA_FILE" - echo "java $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - terraform) - echo "$version" >> "$TERRAFORM_FILE" - echo "terraform $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - golang) - echo "$version" >> "$GOLANG_FILE" - echo "golang $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - poetry) - echo "poetry $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - esac - done < "$TEMP_FILE" - fi - - # Remove temporary file - rm -f "$TEMP_FILE" -done - -# Remove duplicate entries from the files -sort -u "$NODEJS_FILE" -o "$NODEJS_FILE" -sort -u "$PYTHON_FILE" -o "$PYTHON_FILE" -sort -u "$JAVA_FILE" -o "$JAVA_FILE" -sort -u "$TERRAFORM_FILE" -o "$TERRAFORM_FILE" -sort -u "$GOLANG_FILE" -o "$GOLANG_FILE" -sort -u "$ALL_LANGUAGES_FILE" -o "$ALL_LANGUAGES_FILE" - -echo "Version files generated successfully." -cat "$ALL_LANGUAGES_FILE" diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions index 79ed779..9d748cb 100644 --- a/src/base/.devcontainer/.tool-versions +++ b/src/base/.devcontainer/.tool-versions @@ -2,4 +2,4 @@ shellcheck 0.11.0 direnv 2.37.1 actionlint 1.7.10 ruby 3.3.0 -trivy 0.68.2 +trivy 0.69.1 diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 6c0e8d6..bc6c461 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -20,10 +20,5 @@ ENV PATH="/home/vscode/.asdf/shims/:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} COPY .tool-versions.asdf /home/vscode/.tool-versions.asdf COPY .tool-versions /home/vscode/.tool-versions -COPY language_versions/nodejs-versions.txt /tmp/nodejs-versions.txt -COPY language_versions/python-versions.txt /tmp/python-versions.txt -COPY language_versions/java-versions.txt /tmp/java-versions.txt -COPY language_versions/terraform-versions.txt /tmp/terraform-versions.txt -COPY language_versions/golang-versions.txt /tmp/golang-versions.txt RUN ./vscode_install.sh diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 9f369d3..6ef919b 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -17,7 +17,10 @@ "moby": "true", "installDockerBuildx": "true" }, - "ghcr.io/devcontainers/features/github-cli:1": {} + "ghcr.io/devcontainers/features/github-cli:1": {}, + "ghcr.io/devcontainers/features/aws-cli:1": { + "version": "latest" + } } } diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index bdc0bc6..9f86e5c 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
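Review bot: The added `aws-cli` feature is requested with `"version": "latest"`, and the feature reference itself floats on the `:1` major tag, so each image build installs whatever the feature publishes that day and the amd64 and arm64 matrix builds could end up with different CLI versions. Pin it to an explicit version string (`"version": "<x.y.z>"`, with a placeholder for the value you choose) and bump it deliberately, as `.tool-versions` already does for the other tools; dependabot's `devcontainers` ecosystem can keep the feature reference itself current. The same commit comments out the manual install in `root_install.sh`, so this feature is now the only place the CLI version is controlled, which is worth a short comment next to the feature entry.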
@@ -32,16 +32,16 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \ # install aws stuff # Download correct AWS CLI for arch -echo "Installing aws cli" -if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then - wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" - else - wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" - fi - unzip -q /tmp/awscliv2.zip -d /tmp/aws-cli - /tmp/aws-cli/aws/install - rm /tmp/awscliv2.zip - rm -rf /tmp/aws-cli +# echo "Installing aws cli" +# if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then +# wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" +# else +# wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" +# fi +# unzip -q /tmp/awscliv2.zip -d /tmp/aws-cli +# /tmp/aws-cli/aws/install +# rm /tmp/awscliv2.zip +# rm -rf /tmp/aws-cli # Download correct SAM CLI for arch echo "Installing aws-sam cli" diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index 838353a..bfcc23e 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh 
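Review bot: The AWS CLI install is commented out rather than removed, leaving ten dead lines in a script that runs as root during the image build; git history keeps the old code, so delete the block and replace it with a one-line pointer, `# AWS CLI is installed by the devcontainer aws-cli feature (see devcontainer.json)`, so the next reader knows where the install moved. If the block is kept, the `# Download correct AWS CLI for arch` and `# install aws stuff` headings above it now describe nothing and should go with it.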
@@ -31,31 +31,6 @@ asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git cd /home/vscode asdf install -# Read Node.js versions from file and install -while IFS= read -r version; do - asdf install nodejs "$version" -done < /tmp/nodejs-versions.txt - -# Read Python versions from file and install -while IFS= read -r version; do - asdf install python "$version" -done < /tmp/python-versions.txt - -# Read Java versions from file and install -# while IFS= read -r version; do -# asdf install java "$version" -# done < /tmp/java-versions.txt - -# Read Terraform versions from file and install -while IFS= read -r version; do - asdf install terraform "$version" -done < /tmp/terraform-versions.txt - -# Read Golang versions from file and install -while IFS= read -r version; do - asdf install golang "$version" -done < /tmp/golang-versions.txt - # setup gitsecrets git-secrets --register-aws --global git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt From fb4f07fc27208066c0922cae6b4646810f760451 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 07:58:44 +0000 Subject: [PATCH 47/64] fix it --- .github/workflows/pull_request.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 1052066..0796f80 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -9,7 +9,7 @@ jobs: dependabot-auto-approve-and-merge: needs: quality_checks uses: >- - NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 secrets: AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}' AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}' 
@@ -32,7 +32,7 @@ jobs: TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@trivy + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 needs: - get_asdf_version with: @@ -41,7 +41,7 @@ jobs: SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' pr_title_format_check: uses: >- - NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 get_issue_number: runs-on: ubuntu-22.04 needs: quality_checks From c1635d9af94db331ed8dd68ec4569de2791043ad Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 08:19:59 +0000 Subject: [PATCH 48/64] more generic --- .github/workflows/build_multi_arch_image.yml | 65 +++++++++----------- .github/workflows/pull_request.yml | 3 +- .github/workflows/release.yml | 5 +- .trivyignore.yaml | 24 ++++++++ Makefile | 23 +++---- 5 files changed, 68 insertions(+), 52 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 236bc88..9d95662 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -8,9 +8,9 @@ name: Build and push docker image docker_tag: required: true type: string - secrets: - EPS_REPO_STATUS_PEM: + container_name: required: true + type: string jobs: build_image: 
@@ -48,40 +48,32 @@ jobs: uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: node-version-file: .tool-versions - - name: Generate a token to get details from other repositories - id: generate-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf - with: - app-id: ${{ vars.EPS_REPO_STATUS_APP_ID }} - private-key: ${{ secrets.EPS_REPO_STATUS_PEM }} - owner: "NHSDigital" - name: make install run: | make install-node - name: Build container run: > - make build-base-image + make build-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" + docker tag "ghcr.io/nhsdigital/eps-devcontainers-${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" - docker save "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img" + docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img" env: - GH_TOKEN: ${{ steps.generate-token.outputs.token }} ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' - GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} + CONTAINER_NAME: '${{ inputs.container_name }}' - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: - name: "eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" + name: "eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" path: | - eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img + eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 
with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -99,7 +91,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -146,11 +138,11 @@ jobs: - name: Download amd64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: - name: eps-devcontainer-base-${{ inputs.docker_tag }}-amd64.img + name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-amd64.img - name: Download arm64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: - name: eps-devcontainer-base-${{ inputs.docker_tag }}-arm64.img + name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-arm64.img - name: Login to github container registry uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: 
@@ -162,29 +154,30 @@ jobs: - name: Load and push multi-arch image run: | echo "loading images" - docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img" - docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" + docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-amd64.img" + docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-arm64.img" echo "Tagging latest images" - docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" - docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "pushing images" - docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "creating manifest" - docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" - docker manifest create 
"ghcr.io/nhsdigital/eps-devcontainers/base:latest" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "pushing manifest" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:latest" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" env: DOCKER_TAG: ${{ inputs.docker_tag }} + CONTAINER_NAME: '${{ inputs.container_name }}' diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 0796f80..f07de62 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -92,5 +92,4 @@ jobs: with: publish_image: true docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' - secrets: - EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} + container_name: base diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8da9db2..efffec9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -23,7 +23,7 @@ jobs: TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 needs: - get_asdf_version with: @@ -45,5 +45,4 @@ jobs: with: publish_image: true docker_tag: '${{ needs.tag_release.outputs.version_tag }}' - secrets: - EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} + container_name: base diff --git a/.trivyignore.yaml b/.trivyignore.yaml index ca32650..da35d5d 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -494,3 +494,27 @@ vulnerabilities: purls: - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" expired_at: 2026-06-01 + - id: CVE-2025-68121 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-61730 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37849 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-26007 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/Makefile b/Makefile index ea1d8ba..245a2dc 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,10 @@ -CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainer- -CONTAINER_NAME=base -IMAGE_NAME=${CONTAINER_PREFIX}$(CONTAINER_NAME) -WORKSPACE_FOLDER=. +CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers- + +guard-%: + @ if [ "${${*}}" = "" ]; then \ + echo "Environment variable $* not set"; \ + exit 1; \ + fi install: install-python install-node install-hooks 
@@ -15,21 +18,19 @@ install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite install-hooks: -build-base-image: - CONTAINER_NAME=$(CONTAINER_NAME) \ +build-image: guard-CONTAINER_NAME npx devcontainer build \ - --workspace-folder ./src/base/ \ + --workspace-folder ./src/$${CONTAINER_NAME}/ \ --push false \ - --platform linux/${ARCHITECTURE} \ - --image-name "${IMAGE_NAME}" + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}" -scan-base-image: +scan-image: guard-CONTAINER_NAME trivy image \ --severity HIGH,CRITICAL \ --ignorefile .trivyignore.yaml \ --scanners vuln \ --exit-code 1 \ - --format table ${IMAGE_NAME} + --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" lint: lint-githubactions From 438e1255bf30b1c891e706ce8398341ff7f2c4bd Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 08:29:43 +0000 Subject: [PATCH 49/64] fix name --- .github/workflows/build_multi_arch_image.yml | 2 +- Makefile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 9d95662..927c0ab 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -56,7 +56,7 @@ jobs: run: > make build-image - docker tag "ghcr.io/nhsdigital/eps-devcontainers-${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img" env: diff --git a/Makefile b/Makefile index 245a2dc..99d85f3 100644 --- a/Makefile +++ b/Makefile 
@@ -1,4 +1,4 @@ -CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers- +CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers/ guard-%: @ if [ "${${*}}" = "" ]; then \ @@ -30,7 +30,7 @@ scan-image: guard-CONTAINER_NAME --ignorefile .trivyignore.yaml \ --scanners vuln \ --exit-code 1 \ - --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + --format table "${CONTAINER_PREFIX}/$${CONTAINER_NAME}" lint: lint-githubactions From 57f26d54ebbdf3ba595842b2ae05a856209f0579 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 09:23:13 +0000 Subject: [PATCH 50/64] add another image --- Makefile | 1 - src/base/.devcontainer/Dockerfile | 1 + .../.devcontainer/scripts/vscode_install.sh | 7 ------ src/common/Dockerfile | 9 ++++++++ .../.devcontainer/devcontainer.json | 23 +++++++++++++++++++ 5 files changed, 33 insertions(+), 8 deletions(-) create mode 100644 src/common/Dockerfile create mode 100644 src/node_24_python_3.14/.devcontainer/devcontainer.json diff --git a/Makefile b/Makefile index 99d85f3..1654e93 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,6 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -install-hooks: build-image: guard-CONTAINER_NAME npx devcontainer build \ --workspace-folder ./src/$${CONTAINER_NAME}/ \ diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index bc6c461..bc39b56 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -22,3 +22,4 @@ COPY .tool-versions.asdf /home/vscode/.tool-versions.asdf COPY .tool-versions /home/vscode/.tool-versions RUN ./vscode_install.sh +WORKDIR /home/vscode diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index bfcc23e..2759bce 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh 
@@ -13,17 +13,10 @@ echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc # Install ASDF plugins -asdf plugin add python -asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git -asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git asdf plugin add direnv asdf plugin add actionlint asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git -asdf plugin add java -asdf plugin add maven -asdf plugin add golang https://github.com/kennyp/asdf-golang.git -asdf plugin add golangci-lint https://github.com/hypnoglow/asdf-golangci-lint.git asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git diff --git a/src/common/Dockerfile b/src/common/Dockerfile new file mode 100644 index 0000000..69227f5 --- /dev/null +++ b/src/common/Dockerfile @@ -0,0 +1,9 @@ +FROM ghcr.io/nhsdigital/eps-devcontainers/base:latest + +# common Dockerfile used to setup poetry after installing python + +ARG POETRY_VERSION=2.3.2 + +RUN curl -sSL https://install.python-poetry.org | python3 - --version ${POETRY_VERSION} + +ENV PATH="/home/vscode/.local/bin:${PATH}" diff --git a/src/node_24_python_3.14/.devcontainer/devcontainer.json b/src/node_24_python_3.14/.devcontainer/devcontainer.json new file mode 100644 index 0000000..83773b5 --- /dev/null +++ b/src/node_24_python_3.14/.devcontainer/devcontainer.json 
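Review bot: `RUN curl -sSL https://install.python-poetry.org | python3 - --version ${POETRY_VERSION}` in the new `src/common/Dockerfile` pins the Poetry version but not the installer, so every image build executes whatever that URL serves at the time with no integrity check, and because the pipeline runs under `/bin/sh -c` a failed or truncated download does not fail the step. Download the installer to a file, compare it against a recorded checksum, and run it from there (or install the pinned version through a hash-verified package install), and set `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the RUN so a download error cannot be masked.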
@@ -0,0 +1,23 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.14", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../common/Dockerfile", + "args": {} + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": { + "ghcr.io/devcontainers/features/node:1": { + "version": "24.13.1" + }, + "ghcr.io/devcontainers/features/python:1": { + "version": "3.14.3" + } + } + } + From 9236a42723e806865b4ef8688ddf01c35ffd31f5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 10:04:34 +0000 Subject: [PATCH 51/64] build more images --- .github/workflows/build_multi_arch_image.yml | 31 +++++++++++++------ .github/workflows/pull_request.yml | 14 +++++++-- .github/workflows/release.yml | 2 +- Makefile | 2 +- src/common/Dockerfile | 4 ++- .../.devcontainer/devcontainer.json | 4 ++- 6 files changed, 41 insertions(+), 16 deletions(-) rename src/{node_24_python_3.14 => node_24_python_3_14}/.devcontainer/devcontainer.json (90%) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 927c0ab..8b74393 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -2,7 +2,7 @@ name: Build and push docker image 'on': workflow_call: inputs: - publish_image: + tag_latest: required: true type: boolean docker_tag: @@ -63,6 +63,7 @@ jobs: ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' CONTAINER_NAME: '${{ inputs.container_name }}' + BASE_VERSION: ${{ inputs.docker_tag}} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: 
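Review bot: `"runArgs": ["--network=host"]` puts the devcontainer in the host's network namespace, so any service started inside it is exposed exactly as if it ran on the developer's machine and the container sees every host-local listener; if only particular ports need to cross the boundary, `forwardPorts` keeps the namespace isolation. The `node_24_python_3_13` devcontainer.json added in a later commit uses the same flag. Separately, the closing `}` is indented one level and followed by a trailing blank line while the opening `{` is at column 0; the file should end with `}` at column 0 and a single newline.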
@@ -114,7 +115,6 @@ jobs:
 publish_image:
 needs: build_image
 runs-on: ubuntu-22.04
- if: ${{ inputs.publish_image }}
 permissions:
 contents: read
 packages: write
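Review bot: Dropping `if: ${{ inputs.publish_image }}` makes `publish_image` unconditional, so pull-request builds (tagged `pr…` by the callers in this series) now push to GHCR with `packages: write` rather than only releases. That looks intended so the derived images can pull `base:${BASE_VERSION}`, but the reusable workflow has lost its only dry-run switch and nothing in the series removes the PR tags afterwards, so they will accumulate in the package registry; consider a cleanup job for `pr-*` tags or keeping an opt-out input. The job's steps continue outside this hunk.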
@@ -150,33 +150,44 @@ jobs: username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} - - - name: Load and push multi-arch image + - name: Load and push multi-arch tagged image run: | echo "loading images" docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-amd64.img" docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-arm64.img" + echo "pushing images" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + + echo "creating manifest" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + + echo "pushing manifest" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" + env: + DOCKER_TAG: ${{ inputs.docker_tag }} + CONTAINER_NAME: '${{ inputs.container_name }}' + + - name: Load and push multi-arch latest image + if: ${{ inputs.tag_latest }} + run: | echo "Tagging latest images" docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "pushing images" - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "creating manifest" - docker manifest create 
"ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \ --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \ --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "pushing manifest" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" env: DOCKER_TAG: ${{ inputs.docker_tag }} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index f07de62..88fda51 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -84,12 +84,22 @@ jobs: # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - package_docker_image: + package_base_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml needs: - get_issue_number - get_commit_id with: - publish_image: true + tag_latest: false docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' container_name: base + package_node_24_python_3_14_docker_image: + uses: ./.github/workflows/build_multi_arch_image.yml + needs: + - get_issue_number + - get_commit_id + - package_base_docker_image + with: + tag_latest: false + docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' + container_name: node_24_python_3_14 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index efffec9..ab35ddb 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -43,6 +43,6 @@ jobs: needs: tag_release uses: ./.github/workflows/build_multi_arch_image.yml with: - publish_image: true + tag_latest: true docker_tag: '${{ needs.tag_release.outputs.version_tag }}' container_name: base diff --git a/Makefile b/Makefile index 1654e93..47ef153 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -build-image: guard-CONTAINER_NAME +build-image: guard-CONTAINER_NAME guard-BASE_VERSION npx devcontainer build \ --workspace-folder ./src/$${CONTAINER_NAME}/ \ --push false \ diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 69227f5..84ca1d6 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile @@ -1,4 +1,6 @@ -FROM ghcr.io/nhsdigital/eps-devcontainers/base:latest +ARG BASE_VERSION=latest + +FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} # common Dockerfile used to setup poetry after installing python diff --git a/src/node_24_python_3.14/.devcontainer/devcontainer.json b/src/node_24_python_3_14/.devcontainer/devcontainer.json similarity index 90% rename from src/node_24_python_3.14/.devcontainer/devcontainer.json rename to src/node_24_python_3_14/.devcontainer/devcontainer.json index 83773b5..c033f16 100644 --- a/src/node_24_python_3.14/.devcontainer/devcontainer.json +++ b/src/node_24_python_3_14/.devcontainer/devcontainer.json @@ -5,7 +5,9 @@ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "../../common/Dockerfile", - "args": {} + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}" + } }, "runArgs": [ "--network=host" From bbadc2d5e865d365d837789314edeeb7fb35af3f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 10:20:09 +0000 Subject: [PATCH 52/64] correct tag --- .github/workflows/pull_request.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
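Review bot: `"BASE_VERSION": "${localEnv:BASE_VERSION}"` always passes the build arg, so when the variable is not exported (a developer opening the container locally rather than via the `build-image` target, which this commit guards with `guard-BASE_VERSION`) it is most likely sent as an empty string, overriding the `ARG BASE_VERSION=latest` default in `src/common/Dockerfile` and leaving `FROM` with an empty tag. If the devcontainer CLI in use supports a default value in the `${localEnv:…}` syntax, use it; otherwise document that `BASE_VERSION` must be set before the container is opened. The `node_24_python_3_13` devcontainer.json added in a later commit repeats this pattern.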
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 88fda51..9f76321 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -91,7 +91,7 @@ jobs: - get_commit_id with: tag_latest: false - docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' + docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' container_name: base package_node_24_python_3_14_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml @@ -101,5 +101,5 @@ jobs: - package_base_docker_image with: tag_latest: false - docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' + docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' container_name: node_24_python_3_14 From 828a1822905f38c12fa565d752dc9dc01aa40870 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 10:34:55 +0000 Subject: [PATCH 53/64] update trivyignore --- .trivyignore.yaml | 9 +++++++++ Makefile | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.trivyignore.yaml b/.trivyignore.yaml index da35d5d..62fcf7b 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -518,3 +518,12 @@ vulnerabilities: - id: CVE-2026-26007 statement: "CHANGE ME" expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-23949 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24049 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/Makefile b/Makefile index 47ef153..d75d048 100644 --- a/Makefile +++ b/Makefile 
@@ -29,7 +29,7 @@ scan-image: guard-CONTAINER_NAME --ignorefile .trivyignore.yaml \ --scanners vuln \ --exit-code 1 \ - --format table "${CONTAINER_PREFIX}/$${CONTAINER_NAME}" + --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" lint: lint-githubactions From 1bed137facd0b0e1e2074b5a33439675fd05e263 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 11:28:06 +0000 Subject: [PATCH 54/64] build multiple images --- .github/workflows/build_all_images.yml | 36 +++++++++++++++++++ .github/workflows/pull_request.yml | 17 ++------- .github/workflows/release.yml | 9 +++-- .../.devcontainer/devcontainer.json | 25 +++++++++++++ 4 files changed, 68 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/build_all_images.yml create mode 100644 src/node_24_python_3_13/.devcontainer/devcontainer.json diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml new file mode 100644 index 0000000..535f581 --- /dev/null +++ b/.github/workflows/build_all_images.yml @@ -0,0 +1,36 @@ +name: build_all_images +'on': + workflow_call: + inputs: + docker_tag: + required: true + type: string + tag_latest: + required: true + type: boolean +env: + BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' +jobs: + package_base_docker_image: + uses: ./.github/workflows/build_multi_arch_image.yml + with: + tag_latest: ${{ inputs.tag_latest }} + docker_tag: ${{ inputs.docker_tag }} + container_name: base + package_non_base_docker_image: + runs-on: ubuntu-22.04 + needs: + - package_base_docker_image + strategy: + fail-fast: false + matrix: + include: + - container_name: node_24_python_3_14 + - container_name: node_24_python_3_13 + steps: + - name: build + uses: ./.github/workflows/build_multi_arch_image.yml + with: + tag_latest: ${{ inputs.tag_latest }} + docker_tag: ${{ inputs.docker_tag }} + container_name: ${{ matrix.container_name }} 
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 9f76321..3e39073 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -84,22 +84,11 @@ jobs: # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - package_base_docker_image: - uses: ./.github/workflows/build_multi_arch_image.yml + build_all_images: needs: - get_issue_number - get_commit_id - with: - tag_latest: false + uses: ./.github/workflows/build_all_images.yml + with: docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' - container_name: base - package_node_24_python_3_14_docker_image: - uses: ./.github/workflows/build_multi_arch_image.yml - needs: - - get_issue_number - - get_commit_id - - package_base_docker_image - with: tag_latest: false - docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' - container_name: node_24_python_3_14 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ab35ddb..0a4876c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,10 +39,9 @@ jobs: branch_name: main tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} secrets: inherit - package_docker_image: + build_all_images: needs: tag_release - uses: ./.github/workflows/build_multi_arch_image.yml - with: - tag_latest: true + uses: ./.github/workflows/build_all_images.yml + with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' - container_name: base + tag_latest: true diff --git a/src/node_24_python_3_13/.devcontainer/devcontainer.json b/src/node_24_python_3_13/.devcontainer/devcontainer.json new file mode 100644 index 0000000..58a0c60 --- /dev/null +++ b/src/node_24_python_3_13/.devcontainer/devcontainer.json 
@@ -0,0 +1,25 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+ "name": "EPS Devcontainer node_24 python_3.13",
+ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+ "build": {
+ "dockerfile": "../../common/Dockerfile",
+ "args": {
+ "BASE_VERSION": "${localEnv:BASE_VERSION}"
+ }
+ },
+ "runArgs": [
+ "--network=host"
+ ],
+ "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
+ "features": {
+ "ghcr.io/devcontainers/features/node:1": {
+ "version": "24.13.1"
+ },
+ "ghcr.io/devcontainers/features/python:1": {
+ "version": "3.13.12"
+ }
+ }
+ }
+
From 989fd406edd241fc0c408d22e90e01aeb7157a16 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 11:32:33 +0000
Subject: [PATCH 55/64] debug to find scan results
---
 .github/workflows/build_multi_arch_image.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 8b74393..df2d6b4 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -27,8 +27,7 @@ jobs:
 runner: ubuntu-22.04-arm
 steps:
 - name: Free Disk Space for Docker
- uses: >-
- endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
+ uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
 with:
 remove_android: true
 remove_dotnet: true
@@ -82,6 +81,10 @@ jobs:
 output: "scan_results_docker.json"
 exit-code: "0"
 trivy-config: trivy.yaml
+ - name: find scan results
+ run: |
+ ls -lart
+ find . -name "scan_results_docker.json"
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 name: Upload scan results
 with:
From 0b67ad5f4c9d0a96141985e965fe6aabc9cf099a Mon Sep 17 00:00:00 2001
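Review bot: `"BASE_VERSION": "${localEnv:BASE_VERSION}"` in the new `devcontainer.json` has no default, so on a machine where the variable is not exported the build arg is passed as an empty string; whether `../../common/Dockerfile` then fails or silently resolves to an unpinned base tag is not visible here, so please confirm it fails closed. Document the requirement in the header comment, e.g. `// BASE_VERSION must be exported before "Reopen in Container"; it pins the base image tag used by ../../common/Dockerfile`. Separately, `"runArgs": ["--network=host"]` removes the container's network-namespace isolation; if it only exists to reach locally bound ports, a `forwardPorts` entry is the narrower option. The two `features` versions are fully pinned, which is good.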
From: Anthony Brown
Date: Thu, 12 Feb 2026 11:51:55 +0000
Subject: [PATCH 56/64] try a single path
---
 .github/workflows/build_multi_arch_image.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index df2d6b4..2678be8 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -89,8 +89,7 @@ jobs:
 name: Upload scan results
 with:
 name: "scan_results_docker_${{ matrix.arch }}.json"
- path: |
- "scan_results_docker.json"
+ path: scan_results_docker.json
 - name: Check docker vulnerabilities - table output
 uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
 with:
From f096643163e35f08de4f536b23e670591575eb28 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 11:59:21 +0000
Subject: [PATCH 57/64] fix matrix
---
 .github/workflows/build_all_images.yml | 13 +++++--------
 .github/workflows/build_multi_arch_image.yml | 6 +++---
 2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
index 535f581..331a9ac 100644
--- a/.github/workflows/build_all_images.yml
+++ b/.github/workflows/build_all_images.yml
@@ -18,7 +18,6 @@ jobs:
 docker_tag: ${{ inputs.docker_tag }}
 container_name: base
 package_non_base_docker_image:
- runs-on: ubuntu-22.04
 needs:
 - package_base_docker_image
 strategy:
@@ -27,10 +26,8 @@ jobs:
 include:
 - container_name: node_24_python_3_14
 - container_name: node_24_python_3_13
- steps:
- - name: build
- uses: ./.github/workflows/build_multi_arch_image.yml
- with:
- tag_latest: ${{ inputs.tag_latest }}
- docker_tag: ${{ inputs.docker_tag }}
- container_name: ${{ matrix.container_name }}
+ uses: ./.github/workflows/build_multi_arch_image.yml
+ with:
+ tag_latest: ${{ inputs.tag_latest }}
+ docker_tag: ${{ inputs.docker_tag }}
+ container_name: ${{ matrix.container_name }}
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 2678be8..f024b36 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -14,6 +14,7 @@ name: Build and push docker image
 jobs:
 build_image:
+ name: Build image for ${{ inputs.container_name }}
 permissions:
 id-token: write
 runs-on: '${{ matrix.runner }}'
@@ -115,7 +116,7 @@ jobs:
 DOCKER_TAG: '${{ inputs.docker_tag }}'
 publish_image:
- needs: build_image
+ name: Publish image for ${{ inputs.container_name }}
 runs-on: ubuntu-22.04
 permissions:
 contents: read
@@ -124,8 +125,7 @@ jobs:
 id-token: write
 steps:
 - name: Free Disk Space for Docker
- uses: >-
- endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
+ uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
 with:
 remove_android: true
 remove_dotnet: true
From 831b8b7da36581114bbb9506d1308586b779e63f Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 12:04:24 +0000
Subject: [PATCH 58/64] add needs
---
 .github/workflows/build_multi_arch_image.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index f024b36..a91f006 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -118,6 +118,7 @@ jobs:
 publish_image:
 name: Publish image for ${{ inputs.container_name }}
 runs-on: ubuntu-22.04
+ needs: build_image
 permissions:
 contents: read
 packages: write
From 4cd5eacdfa373f3622b53e84a4486a5ef1ebd17e Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 12:10:45 +0000
Subject: [PATCH 59/64] fix name
---
 .github/workflows/build_multi_arch_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index a91f006..36bb97c 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -14,7 +14,7 @@ name: Build and push docker image
 jobs:
 build_image:
- name: Build image for ${{ inputs.container_name }}
+ name: Build image for ${{ inputs.container_name }} on ${{ matrix.arch }}
 permissions:
 id-token: write
 runs-on: '${{ matrix.runner }}'
From 194411235e6150ccf6347f0d097d65c3b5db8bca Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 12:32:44 +0000
Subject: [PATCH 60/64] use specific trivyignore
---
 .github/workflows/build_multi_arch_image.yml | 23 +-
 .gitignore | 1 +
 Makefile | 8 +-
 src/base/.trivyignore.yaml | 1 +
 src/base/trivy.yaml | 1 +
 src/common/.trivyignore.yaml | 502 ++++++++++++++++++
 src/node_24_python_3_13/.trivyignore.yaml | 529 +++++++++++++++++++
 src/node_24_python_3_13/trivy.yaml | 1 +
 src/node_24_python_3_14/.trivyignore.yaml | 28 +
 src/node_24_python_3_14/trivy.yaml | 1 +
 10 files changed, 1084 insertions(+), 11 deletions(-)
 create mode 100644 src/base/.trivyignore.yaml
 create mode 100644 src/base/trivy.yaml
 create mode 100644 src/common/.trivyignore.yaml
 create mode 100644 src/node_24_python_3_13/.trivyignore.yaml
 create mode 100644 src/node_24_python_3_13/trivy.yaml
 create mode 100644 src/node_24_python_3_14/.trivyignore.yaml
 create mode 100644 src/node_24_python_3_14/trivy.yaml
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 36bb97c..240b7f3 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -53,12 +53,19 @@ jobs:
 run: |
 make install-node
 - name: Build container
- run: >
+ run: |
 make build-image
 docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
 docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img"
+
+ # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist
+ combined="src/${CONTAINER_NAME}/.trivyignore_combined.yaml"
+ common="src/common/.trivyignore.yaml"
+ specific="src/${CONTAINER_NAME}/.trivyignore.yaml"
+ echo "vulnerabilities:" > "$combined"
+ if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi
+ if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi
+
 env:
 ARCHITECTURE: '${{ matrix.arch }}'
 DOCKER_TAG: '${{ inputs.docker_tag }}'
@@ -81,15 +88,11 @@ jobs:
 format: "json"
 output: "scan_results_docker.json"
 exit-code: "0"
- trivy-config: trivy.yaml
- - name: find scan results
- run: |
- ls -lart
- find . -name "scan_results_docker.json"
+ trivy-config: src/${{ inputs.container_name }}/trivy.yaml
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 name: Upload scan results
 with:
- name: "scan_results_docker_${{ matrix.arch }}.json"
+ name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
 path: scan_results_docker.json
 - name: Check docker vulnerabilities - table output
 uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
@@ -102,7 +105,7 @@ jobs:
 format: "table"
 output: "scan_results_docker.txt"
 exit-code: "1"
- trivy-config: trivy.yaml
+ trivy-config: src/${{ inputs.container_name }}/trivy.yaml
 - name: Show docker vulnerability output
 if: always()
diff --git a/.gitignore b/.gitignore
index 42dd729..0e266d2 100644
--- a/.gitignore
+++ b/.gitignore
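Review bot: The two `sed -n '2,$p'` lines added to the "Build container" step discard the first line of each ignore file on the assumption that it is exactly `vulnerabilities:`; nothing checks that, so a file that later gains a `---` document marker or a leading comment either loses its first real entry or emits a second top-level `vulnerabilities:` key, which the YAML loader will either reject or resolve last-wins — silently dropping the common list in a gating vulnerability scan. Validate the first line and fail the job on a mismatch rather than guessing; `tail -n +2` says the same thing as the `sed` form more plainly. The same snippet is duplicated in the Makefile's `scan-image` target in this patch; a single `scripts/` helper called from both would keep the two in step. The rest of the step (tag/save of the image) is unchanged.
```yaml
        run: |
          # … unchanged: make build-image / docker tag / docker save …
          # combined ignore list = common + per-image; each input must begin with the
          # literal `vulnerabilities:` key so the lists concatenate under one mapping key
          combined="src/${CONTAINER_NAME}/.trivyignore_combined.yaml"
          echo "vulnerabilities:" > "$combined"
          for f in "src/common/.trivyignore.yaml" "src/${CONTAINER_NAME}/.trivyignore.yaml"; do
            [ -f "$f" ] || continue
            [ "$(head -n 1 "$f")" = "vulnerabilities:" ] || { echo "$f must start with 'vulnerabilities:'" >&2; exit 1; }
            tail -n +2 "$f" >> "$combined"
          done
```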
@@ -1,3 +1,4 @@
 node_modules/
 .venv/
 src/base/.devcontainer/language_versions/
+.trivyignore_combined.yaml
diff --git a/Makefile b/Makefile
index d75d048..e89d2ae 100644
--- a/Makefile
+++ b/Makefile
@@ -24,9 +24,15 @@ build-image: guard-CONTAINER_NAME guard-BASE_VERSION
 --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}"
 scan-image: guard-CONTAINER_NAME
+ @combined="src/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
+ common="src/common/.trivyignore.yaml"; \
+ specific="src/$${CONTAINER_NAME}/.trivyignore.yaml"; \
+ echo "vulnerabilities:" > "$$combined"; \
+ if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
+ if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi
 trivy image \
 --severity HIGH,CRITICAL \
- --ignorefile .trivyignore.yaml \
+ --config src/${CONTAINER_NAME}/trivy.yaml \
 --scanners vuln \
 --exit-code 1 \
 --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}"
diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml
new file mode 100644
index 0000000..8697da6
--- /dev/null
+++ b/src/base/.trivyignore.yaml
@@ -0,0 +1 @@
+vulnerabilities:
diff --git a/src/base/trivy.yaml b/src/base/trivy.yaml
new file mode 100644
index 0000000..48343ee
--- /dev/null
+++ b/src/base/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/base/.trivyignore_combined.yaml"
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
new file mode 100644
index 0000000..89d5f1f
--- /dev/null
+++ b/src/common/.trivyignore.yaml
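Review bot: The new `--config src/${CONTAINER_NAME}/trivy.yaml \` line in `scan-image` is expanded by Make, while every other reference in the same recipe — the new `combined=`/`specific=` assignments and the existing `--format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}"` — uses the shell form `$${CONTAINER_NAME}`. Both resolve today because Make imports the environment and `guard-CONTAINER_NAME` ensures the variable is set, but mixing the two forms in one recipe means a future `CONTAINER_NAME=...` set only in the shell portion would produce the silent path `src//trivy.yaml` and a scan against no ignore config; write it as `--config src/$${CONTAINER_NAME}/trivy.yaml \` to match the file's convention. The `ignorefile:` path inside each `trivy.yaml` is relative to Trivy's working directory, so this target only works from the repository root — a one-line comment above `scan-image` (`# run from the repo root: trivy.yaml's ignorefile path is cwd-relative`) would save the next person a confusing "no ignore file" result.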
@@ -0,0 +1,502 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@3.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@11.0.3" + expired_at: 2026-06-01 + - id: CVE-2022-25881 + statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" + purls: + - "pkg:npm/http-cache-semantics@4.1.0" + expired_at: 2026-06-01 + - id: CVE-2024-29415 + statement: "node-ip Incomplete fix for CVE-2023-42282" + purls: + - "pkg:npm/ip@1.1.5" + expired_at: 2026-06-01 + - id: CVE-2022-3517 + statement: "nodejs-minimatch ReDoS via the braceExpand function" + purls: + - "pkg:npm/minimatch@3.0.4" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@11.6.2" + expired_at: 2026-06-01 + - id: CVE-2022-29244 + statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: 
CVE-2022-25883 + statement: "nodejs-semver Regular expression denial of service" + purls: + - "pkg:npm/semver@7.3.5" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
+ purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-49761 + statement: "rexml REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-22874 + statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" + purls: + - "pkg:golang/stdlib@v1.24.3" + 
expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-66564 + statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" + purls: + - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2023-24538 + statement: "golang html/template backticks not treated as string delimiters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24540 + statement: "golang html/template improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-24790 + statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-24675 + statement: "golang encoding/pem fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-27664 + statement: "golang net/http handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28131 + statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28327 + statement: "golang crypto/elliptic panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2879 + statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2880 + statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30580 + statement: "golang os/exec Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30630 + statement: "golang io/fs stack 
exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30631 + statement: "golang compress/gzip stack exhaustion in Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30632 + statement: "golang path/filepath stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30633 + statement: "golang encoding/xml stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30635 + statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-32189 + statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41715 + statement: "golang regexp/syntax limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41720 + statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41722 + statement: "golang path/filepath path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41724 + statement: "golang crypto/tls large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41725 + statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24534 + statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24536 + statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24537 + statement: "golang go/parser Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24539 + statement: "golang html/template improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29400 + statement: "golang html/template improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29403 + statement: "golang runtime unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: 
CVE-2023-39325 + statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45287 + statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45288 + statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-34156 + statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd containerd local privilege escalation" + purls: + - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - 
id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-68121 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-61730 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/src/node_24_python_3_13/.trivyignore.yaml b/src/node_24_python_3_13/.trivyignore.yaml new file mode 100644 index 0000000..62fcf7b --- /dev/null +++ b/src/node_24_python_3_13/.trivyignore.yaml 
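Review bot: The last two entries in `src/common/.trivyignore.yaml`, `CVE-2025-68121` and `CVE-2025-61730`, carry `statement: "CHANGE ME"` and no `purls`, so each suppresses that CVE for every package in every image that includes this list, with no recorded reason; before this merges they should be narrowed to the package the scan actually reported and given a real justification, e.g. `statement: "<why accepted: fix not yet shipped in the upstream image / code path not exercised in a devcontainer>"` with `purls: ["<purl from the scan output>"]`, or removed. More broadly, every `statement` in the file restates the advisory title — several of which read "Remote code execution", "Local Privilege Escalation" or "Arbitrary file overwrite" — and all 100-odd entries share `expired_at: 2026-06-01`, so the file documents what is ignored but never why; an accepted-risk register that gates the build needs the reason, not the title, per entry. The kernel `linux-libc-dev` purls rely on `\u0026` inside double quotes to spell `&`, which is valid, but a comment above them (`# \u0026 is "&": these must stay double-quoted`) would stop a reformat to single quotes from silently breaking the match.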
@@ -0,0 +1,529 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@3.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@11.0.3" + expired_at: 2026-06-01 + - id: CVE-2022-25881 + statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" + purls: + - "pkg:npm/http-cache-semantics@4.1.0" + expired_at: 2026-06-01 + - id: CVE-2024-29415 + statement: "node-ip Incomplete fix for CVE-2023-42282" + purls: + - "pkg:npm/ip@1.1.5" + expired_at: 2026-06-01 + - id: CVE-2022-3517 + statement: "nodejs-minimatch ReDoS via the braceExpand function" + purls: + - "pkg:npm/minimatch@3.0.4" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@11.6.2" + expired_at: 2026-06-01 + - id: CVE-2022-29244 + statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: 
CVE-2022-25883 + statement: "nodejs-semver Regular expression denial of service" + purls: + - "pkg:npm/semver@7.3.5" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
+ purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-49761 + statement: "rexml REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-22874 + statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" + purls: + - "pkg:golang/stdlib@v1.24.3" + 
expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-66564 + statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" + purls: + - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2023-24538 + statement: "golang html/template backticks not treated as string delimiters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24540 + statement: "golang html/template improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-24790 + statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-24675 + statement: "golang encoding/pem fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-27664 + statement: "golang net/http handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28131 + statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28327 + statement: "golang crypto/elliptic panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2879 + statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2880 + statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30580 + statement: "golang os/exec Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30630 + statement: "golang io/fs stack 
exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30631 + statement: "golang compress/gzip stack exhaustion in Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30632 + statement: "golang path/filepath stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30633 + statement: "golang encoding/xml stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30635 + statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-32189 + statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41715 + statement: "golang regexp/syntax limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41720 + statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41722 + statement: "golang path/filepath path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41724 + statement: "golang crypto/tls large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41725 + statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24534 + statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24536 + statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24537 + statement: "golang go/parser Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24539 + statement: "golang html/template improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29400 + statement: "golang html/template improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29403 + statement: "golang runtime unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: 
CVE-2023-39325 + statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45287 + statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45288 + statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-34156 + statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd containerd local privilege escalation" + purls: + - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - 
id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-68121 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-61730 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37849 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-26007 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-23949 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24049 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/src/node_24_python_3_13/trivy.yaml b/src/node_24_python_3_13/trivy.yaml new file mode 100644 index 0000000..46a4f39 --- /dev/null +++ b/src/node_24_python_3_13/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/node_24_python_3_13/.trivyignore_combined.yaml" 
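Review bot: The trailing entries from `CVE-2025-68121` through `CVE-2026-24049` suppress findings with `statement: "CHANGE ME"` and no `purls`, so each of those CVEs is silenced for every package Trivy reports it in, with no recorded reason; the same placeholders make up all of `src/node_24_python_3_14/.trivyignore.yaml` and the last hunk of `src/common/.trivyignore.yaml` in PATCH 64/64. `CVE-2024-35870`, `CVE-2024-53179`, `CVE-2025-37899` and `CVE-2025-38118` also already appear earlier in this file scoped to `linux-libc-dev` purls, so the blanket duplicates make the scoped entries moot. Either fill in the justification and scope each entry, e.g. `statement: "<why this finding is accepted in this image — TODO fill in>"` plus a `purls:` list, or drop the placeholder entries so the findings stay visible until they are triaged. The scoped entries above would also read better if `statement` held the reason the risk is accepted rather than a copy of the advisory title, since that is the justification field of the ignore file; the RCE-class and arbitrary-file-write entries (`CVE-2024-6345`, `CVE-2026-23745`, `CVE-2026-23950`, `CVE-2026-24842`) in particular deserve a sentence on why they are not reachable here.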
diff --git a/src/node_24_python_3_14/.trivyignore.yaml b/src/node_24_python_3_14/.trivyignore.yaml
new file mode 100644
index 0000000..1b10dea
--- /dev/null
+++ b/src/node_24_python_3_14/.trivyignore.yaml
@@ -0,0 +1,28 @@
+vulnerabilities:
+ - id: CVE-2024-35870
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2024-53179
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2025-37849
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2025-37899
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2025-38118
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2026-26007
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2026-24842
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2026-23949
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2026-24049
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
diff --git a/src/node_24_python_3_14/trivy.yaml b/src/node_24_python_3_14/trivy.yaml
new file mode 100644
index 0000000..e8aafd5
--- /dev/null
+++ b/src/node_24_python_3_14/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/node_24_python_3_14/.trivyignore_combined.yaml"
From e06fc1a4e42780cbeb9d386dc1a1c4e281912e5e Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 12:41:07 +0000
Subject: [PATCH 61/64] bump trivy
---
 .tool-versions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.tool-versions b/.tool-versions
index 07d6f84..e2bc3a2 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -5,4 +5,4 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.68.2
+trivy 0.69.1
From 61ec9f7e5e6467009416c85a196c890f1aaf4608 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 12:50:05 +0000
Subject: [PATCH 62/64] upload combined trivyignore
---
 .github/workflows/build_multi_arch_image.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 240b7f3..2c4d5f7 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -65,12 +65,18 @@ jobs:
 echo "vulnerabilities:" > "$combined"
 if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi
 if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi
+ echo "Combined trivy ignore file created at $combined"
 env:
 ARCHITECTURE: '${{ matrix.arch }}'
 DOCKER_TAG: '${{ inputs.docker_tag }}'
 CONTAINER_NAME: '${{ inputs.container_name }}'
 BASE_VERSION: ${{ inputs.docker_tag}}
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+ name: Upload combined trivy ignore file
+ with:
+ name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}"
+ path: src/${{ inputs.container_name}}/.trivyignore_combined.yaml
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 name: Upload docker images
 with:
From b903207fe99cea23eb6958dea2ded683254064a0 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 13:06:37 +0000
Subject: [PATCH 63/64] even more debug
---
 .github/workflows/build_multi_arch_image.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 2c4d5f7..0582572 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -66,6 +66,7 @@ jobs:
 if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi
 if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi
 echo "Combined trivy ignore file created at $combined"
+ cat "$combined"
 env:
 ARCHITECTURE: '${{ matrix.arch }}'
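Review bot: The new artifact name `"trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}"` misspells "trivyignore", and any later download step has to match that string byte for byte, so the typo will either be copied around or break the download; PATCH 63/64 edits the neighbouring `path:` line but keeps it. Write `name: "trivyignore-${{ inputs.container_name }}-${{ matrix.arch }}"`. The step also relies on upload-artifact's default handling of a missing path, which only logs a warning, so a run in which the combine step never produced the file would still pass; add `if-no-files-found: error` under `with:` so the absence of the combined ignore file fails the job instead of being buried in the log. The enclosing job and its combine step start outside the hunk.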
@@ -76,7 +77,7 @@ jobs:
 name: Upload combined trivy ignore file
 with:
 name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}"
- path: src/${{ inputs.container_name}}/.trivyignore_combined.yaml
+ path: src/${{ inputs.container_name }}/.trivyignore_combined.yaml
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 name: Upload docker images
 with:
From 4a44268db35dfc9c0a46360a6ba20f3dd86a004f Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 13:23:42 +0000
Subject: [PATCH 64/64] more supressions
---
 src/common/.trivyignore.yaml | 34 ++++++----------------------------
 1 file changed, 6 insertions(+), 28 deletions(-)
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
index 89d5f1f..9af6ac3 100644
--- a/src/common/.trivyignore.yaml
+++ b/src/common/.trivyignore.yaml
@@ -444,15 +444,8 @@ vulnerabilities:
 purls:
 - "pkg:golang/stdlib@v1.24.9"
 expired_at: 2026-06-01
- - id: CVE-2024-35870
- statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
 - id: CVE-2024-53179
 statement: "kernel: smb: client: fix use-after-free of signing key"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
 - id: CVE-2025-21780
 statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()"
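Review bot: Dropping the `purls:` block from `CVE-2024-53179` while keeping the entry turns a suppression scoped to `linux-libc-dev` on amd64 into a blanket one that hides that CVE in whatever package Trivy reports it for; the second hunk of this file does the same for `CVE-2025-37899`, `CVE-2024-35870` and `CVE-2025-38118`. If the intent was to cover both architectures with one entry, keep the scope and list both purls, i.e. `purls:` followed by the existing amd64 purl and its `"pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"` counterpart, instead of removing the scope. If a package-independent exception really is intended, the `statement` should say so, since it still reads as a kernel-package note and gives a later reader no hint that the scope was widened deliberately.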
@@ -461,38 +454,17 @@ vulnerabilities:
 expired_at: 2026-06-01
 - id: CVE-2025-37899
 statement: "kernel: ksmbd: fix use-after-free in session logoff"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
- - id: CVE-2025-38118
- statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
 - id: CVE-2024-35870
 statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
- - id: CVE-2024-53179
- statement: "kernel: smb: client: fix use-after-free of signing key"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
 - id: CVE-2025-21780
 statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() "
 purls:
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
- - id: CVE-2025-37899
- statement: "kernel: ksmbd: fix use-after-free in session logoff"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
 - id: CVE-2025-38118
 statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
 - id: CVE-2025-68121
 statement: "CHANGE ME"
@@ -500,3 +472,9 @@ vulnerabilities:
 - id: CVE-2025-61730
 statement: "CHANGE ME"
 expired_at: 2026-06-01
+ - id: CVE-2025-37849
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2026-26007
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01