NHSDigital · anthony-nhs · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026
diff --git a/.gitallowed b/.gitallowed
@@ -0,0 +1,3 @@
+id-token: write
+password: \${{secrets\.GITHUB_TOKEN}}
+\.gitallowed
diff --git a/.github/config/settings.yml b/.github/config/settings.yml
@@ -0,0 +1 @@
+TAG_FORMAT: "v${version}"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,46 @@
+#########################################################################
+# Dependabot configuration file
+#########################################################################
+
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "friday"
+      time: "18:00" # UTC
+    open-pull-requests-limit: 20
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "
+
+  ###################################
+  # NPM workspace  ##################
+  ###################################
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "friday"
+      time: "18:00"
+    open-pull-requests-limit: 20
+    versioning-strategy: increase
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "
+
+  ###################################
+  # Poetry  #########################
+  ###################################
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "friday"
+      time: "18:00"
+    open-pull-requests-limit: 20
+    versioning-strategy: increase
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,59 @@
+## Summary
+
+**Remove items from this list if they are not relevant. Remove this line once this has been done**
+
+- Routine Change
+- :exclamation: Breaking Change
+- :robot: Operational or Infrastructure Change
+- :sparkles: New Feature
+- :warning: Potential issues that might be caused by this change
+
+### Details
+
+Add any summary information of what is in the change. **Remove this line if you have nothing to add.**
+
+## Pull Request Naming
+
+Pull requests should be named using the following format:
+
+```text
+Tag: [AEA-NNNN] - Short description
+```
+
+Tag can be one of:
+
+- `Fix` - for a bug fix. (Patch release)
+- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release)
+- `New` - implemented a new feature. (Minor release)
+- `Breaking` - for a backwards-incompatible enhancement or feature. (Major release)
+- `Docs` - changes to documentation only. (Patch release)
+- `Build` - changes to build process only. (No release)
+- `Upgrade` - for a dependency upgrade. (Patch release)
+- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release)
+
+If the current release is x.y.z then
+- a patch release increases z by 1
+- a minor release increases y by 1
+- a major release increases x by 1
+
+Correct tagging is necessary for our automated versioning and release process.
+
+The description of your pull request will be used as the commit message for the merge, and also be included in the changelog. Please ensure that your title is sufficiently descriptive.
+
+### Rerunning Checks
+
+If you need to rename your pull request, you can restart the checks by either:
+
+- Closing and reopening the pull request
+- pushing an empty commit 
+  ```bash
+  git commit --allow-empty -m 'trigger build'
+  git push
+  ```
+- Amend your last commit and force push to the branch
+  ```bash
+  git commit --amend --no-edit
+  git push --force
+  ```
+
+Rerunning the checks from within the pull request will not use the updated title.
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
@@ -0,0 +1,33 @@
+name: build_all_images
+'on':
+  workflow_call:
+    inputs:
+      docker_tag:
+        required: true
+        type: string
+      tag_latest:
+        required: true
+        type: boolean
+env:
+  BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
+jobs:
+  package_base_docker_image:
+    uses: ./.github/workflows/build_multi_arch_image.yml
+    with:
+      tag_latest: ${{ inputs.tag_latest }}
+      docker_tag: ${{ inputs.docker_tag }}
+      container_name: base
+  package_non_base_docker_image:
+    needs:
+      - package_base_docker_image
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - container_name: node_24_python_3_14
+          - container_name: node_24_python_3_13
+    uses: ./.github/workflows/build_multi_arch_image.yml
+    with:
+      tag_latest: ${{ inputs.tag_latest }}
+      docker_tag: ${{ inputs.docker_tag }}
+      container_name: ${{ matrix.container_name }}
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -0,0 +1,207 @@
+name: Build and push docker image
+'on':
+  workflow_call:
+    inputs:
+      tag_latest:
+        required: true
+        type: boolean
+      docker_tag:
+        required: true
+        type: string
+      container_name:
+        required: true
+        type: string
+
+jobs:
+  build_image:
+    name: Build image for ${{ inputs.container_name }} on ${{ matrix.arch }}
+    permissions:
+      id-token: write
+    runs-on: '${{ matrix.runner }}'
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-22.04
+          - arch: arm64
+            runner: ubuntu-22.04-arm
+    steps:
+      - name: Free Disk Space for Docker
+        uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
+        with:
+          remove_android: true
+          remove_dotnet: true
+          remove_haskell: true
+          remove_tool_cache: true
+          rm_cmd: rm
+          remove_packages: >-
+            azure-cli google-cloud-cli microsoft-edge-stable
+            google-chrome-stable firefox postgresql* temurin-* *llvm* mysql*
+            dotnet-sdk-*
+          remove_packages_one_command: true
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          fetch-depth: 0
+      - name: setup node
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+        with:
+          node-version-file: .tool-versions
+
+      - name: make install
+        run: |
+          make install-node
+      - name: Build container
+        run: |
+          make build-image
+          docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
+          docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img"
+
+          # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist
+          combined="src/${CONTAINER_NAME}/.trivyignore_combined.yaml"
+          common="src/common/.trivyignore.yaml"
+          specific="src/${CONTAINER_NAME}/.trivyignore.yaml"
+          echo "vulnerabilities:" > "$combined"
+          if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi
+          if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi
+          echo "Combined trivy ignore file created at $combined"
+          cat "$combined"
+
+        env:
+          ARCHITECTURE: '${{ matrix.arch }}'
+          DOCKER_TAG: '${{ inputs.docker_tag }}'
+          CONTAINER_NAME: '${{ inputs.container_name }}'
+          BASE_VERSION: ${{ inputs.docker_tag}}
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+        name: Upload combined trivy ignore file
+        with:
+          name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}"
+          path: src/${{ inputs.container_name }}/.trivyignore_combined.yaml
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+        name: Upload docker images
+        with:
+          name: "eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img"
+          path: |
+            eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img
+      - name: Check docker vulnerabilities - json output
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+        with:
+          scan-type: "image"
+          image-ref:  "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
+          severity: "CRITICAL,HIGH"
+          scanners: "vuln"
+          vuln-type: "os,library"
+          format: "json"
+          output: "scan_results_docker.json"
+          exit-code: "0"
+          trivy-config: src/${{ inputs.container_name }}/trivy.yaml
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+        name: Upload scan results
+        with:
+          name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
+          path: scan_results_docker.json
+      - name: Check docker vulnerabilities - table output
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+        with:
+          scan-type: "image"
+          image-ref:  "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
+          severity: "CRITICAL,HIGH"
+          scanners: "vuln"
+          vuln-type: "os,library"
+          format: "table"
+          output: "scan_results_docker.txt"
+          exit-code: "1"
+          trivy-config: src/${{ inputs.container_name }}/trivy.yaml
+
+      - name: Show docker vulnerability output
+        if: always()
+        run: |
+          echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
+          if [ -f scan_results_docker.txt ]; then
+            cat scan_results_docker.txt
+          fi
+        env:
+          ARCHITECTURE: '${{ matrix.arch }}'
+          DOCKER_TAG: '${{ inputs.docker_tag }}'
+
+  publish_image:
+    name: Publish image for ${{ inputs.container_name }}
+    runs-on: ubuntu-22.04
+    needs: build_image
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Free Disk Space for Docker
+        uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
+        with:
+          remove_android: true
+          remove_dotnet: true
+          remove_haskell: true
+          remove_tool_cache: true
+          rm_cmd: rm
+          remove_packages: >-
+            azure-cli google-cloud-cli microsoft-edge-stable
+            google-chrome-stable firefox postgresql* temurin-* *llvm* mysql*
+            dotnet-sdk-*
+          remove_packages_one_command: true
+      - name: Download amd64 images
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+        with:
+          name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-amd64.img
+      - name: Download arm64 images
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+        with:
+          name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-arm64.img
+      - name: Login to github container registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+        with:
+              registry: ghcr.io
+              username: ${{github.actor}}
+              password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Load and push multi-arch tagged image
+        run: |
+          echo "loading images"
+          docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-amd64.img"
+          docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-arm64.img"
+
+          echo "pushing images"
+          docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64"
+          docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64"
+
+          echo "creating manifest"
+          docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \
+            --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \
+            --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64"
+
+          echo "pushing manifest"
+          docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}"
+        env:
+          DOCKER_TAG: ${{ inputs.docker_tag }}
+          CONTAINER_NAME: '${{ inputs.container_name }}'
+
+      - name: Load and push multi-arch latest image
+        if: ${{ inputs.tag_latest }}
+        run: |
+          echo "Tagging latest images"
+          docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64"
+          docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
+
+          echo "pushing images"
+          docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64"
+          docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
+
+          echo "creating manifest"
+          docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \
+            --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \
+            --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
+
+          echo "pushing manifest"
+          docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest"
+        env:
+          DOCKER_TAG: ${{ inputs.docker_tag }}
+          CONTAINER_NAME: '${{ inputs.container_name }}'