use published dev container

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -1,53 +1,14 @@
-FROM mcr.microsoft.com/devcontainers/base:ubuntu
-
-# provide DOCKER_GID via build args if you need to force group id to match host
-ARG DOCKER_GID
+FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0
 
+USER root
 # specify DOCKER_GID to force container docker group id to match host
 RUN if [ -n "${DOCKER_GID}" ]; then \
-      if ! getent group docker; then \
-        groupadd -g ${DOCKER_GID} docker; \
-      else \
-        groupmod -g ${DOCKER_GID} docker; \
-      fi && \
-      usermod -aG docker vscode; \
+    if ! getent group docker; then \
+    groupadd -g ${DOCKER_GID} docker; \
+    else \
+    groupmod -g ${DOCKER_GID} docker; \
+    fi && \
+    usermod -aG docker vscode; \
     fi
 
-# Anticipate and resolve potential permission issues with apt
-RUN mkdir -p /tmp && chmod 1777 /tmp
-
-RUN apt-get update \
-    && export DEBIAN_FRONTEND=noninteractive \
-    && apt-get -y dist-upgrade \
-    && apt-get -y install --no-install-recommends htop vim curl git build-essential \
-    libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \
-    zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \
-    jq apt-transport-https ca-certificates gnupg-agent \
-    software-properties-common bash-completion python3-pip make libbz2-dev \
-    libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
-    xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev
-
 USER vscode
-
-# Install ASDF
-RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.11.3 && \
-    echo '. $HOME/.asdf/asdf.sh' >> ~/.bashrc && \
-    echo '. $HOME/.asdf/completions/asdf.bash' >> ~/.bashrc
-
-ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-prescription-tracker-ui/node_modules/.bin:/workspaces/eps-common-workflows/.venv/bin"
-
-# Install ASDF plugins#
-RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git && \
-    asdf plugin add actionlint && \
-    asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git && \
-    asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git && \
-    asdf plugin add python
-
-WORKDIR /workspaces/eps-common-workflows
-
-ADD .tool-versions /workspaces/eps-common-workflows/.tool-versions
-ADD .tool-versions /home/vscode/.tool-versions
-
-RUN asdf install python && \
-    asdf install && \
-    asdf reshim nodejs

.devcontainer/devcontainer.json

@@ -14,21 +14,14 @@
     "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
     "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
     "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
-    "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+    "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.gitconfig,target=/home/vscode/.gitconfig,type=bind"
   ],
   "containerUser": "vscode",
   "remoteEnv": {
     "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
   },
-  "postAttachCommand": "docker build -f /workspaces/eps-common-workflows/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && pre-commit install --install-hooks -f",
-  "features": {
-    "ghcr.io/devcontainers/features/github-cli:1": {},
-    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
-      "version": "latest",
-      "moby": "true",
-      "installDockerBuildx": "true"
-    }
-  },
+  "features": {},
   "customizations": {
     "vscode": {
       "extensions": [

.github/workflows/pull_request.yml

@@ -38,6 +38,7 @@ jobs:
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   tag_release:

.github/workflows/quality-checks.yml

@@ -33,10 +33,15 @@ on:
         description: comma separated list of docker image references to scan when docker scanning is enabled.
         default: ""
         required: false
+      runtime_docker_image:
+        type: string
+        required: true
 
 jobs:
   quality_checks:
     runs-on: ubuntu-22.04
+    container:
+      image: ${{ inputs.runtime_docker_image }}
     steps:
       - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         if: ${{ inputs.install_java }}
@@ -50,70 +55,10 @@ jobs:
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
-
-      # Must be done before anything installs, or it will check dependencies for secrets too.
-      - name: Ensure .gitallowed exists, for secret scanning
-        run: |
-          if [ ! -f ".gitallowed" ]; then
-            echo "Creating empty .gitallowed file"
-            touch .gitallowed
-            fi
-          echo "./nhsd-rules-deny.txt:10" >> .gitallowed
-          echo "Allowing the following regex patterns:"
-          cat .gitallowed
-
-      - name: Install git-secrets
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y git curl
-          git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets
-          cd /tmp/git-secrets
-          sudo make install
-
-      - name: Download regex patterns
-        run: |
-          curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o nhsd-rules-deny.txt
-
-      - name: Configure git-secrets
-        run: |
-          git-secrets --register-aws
-          git-secrets --add-provider -- cat nhsd-rules-deny.txt
-
       - name: Run secrets scan
         run: |
           git-secrets --scan-history .
 
-      # using git commit sha for version of action to ensure we have stable version
-      - &install_asdf
-        name: Install asdf
-        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
-        with:
-          asdf_version: ${{ inputs.asdfVersion }}
-
-      - &cache_asdf
-        name: Cache asdf
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
-        with:
-          path: ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
-
-      - &install_asdf_deps
-        name: Install asdf dependencies in .tool-versions
-        uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
-        with:
-          asdf_version: ${{ inputs.asdfVersion }}
-        env:
-          PYTHON_CONFIGURE_OPTS: --enable-shared
-
-      - &reinstall_poetry
-        name: Reinstall poetry
-        if: ${{ inputs.reinstall_poetry }}
-        run: |
-          poetry_tool_version=$(cat .tool-versions | grep poetry)
-          poetry_version=${poetry_tool_version//"poetry "}
-          asdf uninstall poetry "$poetry_version"
-          asdf install poetry
-
       - &setup_npmrc
         name: Setting up .npmrc
         env:
@@ -356,6 +301,8 @@ jobs:
     outputs:
       docker_images: ${{ steps.normalized_docker_images.outputs.images }}
     runs-on: ubuntu-22.04
+    container:
+      image: ${{ inputs.runtime_docker_image }}
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
@@ -420,6 +367,8 @@ jobs:
 
   docker_vulnerability_scan:
     runs-on: ubuntu-22.04
+    container:
+      image: ghcr.io/nhsdigital/eps-devcontainers/fhir_facade_api:v1.0.0
     needs: get_docker_images_to_scan
     if: ${{ inputs.run_docker_scan == true }}
     strategy:
@@ -431,36 +380,6 @@ jobs:
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
-      # using git commit sha for version of action to ensure we have stable version
-      - name: Install asdf
-        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
-        with:
-          asdf_version: ${{ inputs.asdfVersion }}
-
-      - name: Cache asdf
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
-        with:
-          path: |
-            ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
-          restore-keys: |
-            ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }}
-
-      - name: Install asdf dependencies in .tool-versions
-        uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
-        with:
-          asdf_version: ${{ inputs.asdfVersion }}
-        env:
-          PYTHON_CONFIGURE_OPTS: --enable-shared
-
-      - name: Reinstall poetry
-        if: ${{ inputs.reinstall_poetry }}
-        run: |
-          poetry_tool_version=$(cat .tool-versions | grep poetry)
-          poetry_version=${poetry_tool_version//"poetry "}
-          asdf uninstall poetry "$poetry_version"
-          asdf install poetry
-
       - name: Setting up .npmrc
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -508,12 +427,10 @@ jobs:
 
   IaC-validation:
     runs-on: ubuntu-22.04
+    container:
+      image: ${{ inputs.runtime_docker_image }}
     steps:
       - *checkout
-      - *install_asdf
-      - *cache_asdf
-      - *install_asdf_deps
-      - *reinstall_poetry
 
       - name: Check for SAM templates
         id: check_sam_templates

.github/workflows/release.yml

@@ -30,6 +30,7 @@ jobs:
     uses: ./.github/workflows/quality-checks.yml
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   tag_release:

.tool-versions

@@ -1,5 +1,5 @@
-nodejs 24.12.0
+nodejs 24.13.0
 actionlint 1.7.10
 shellcheck 0.11.0
-python 3.14.2
-poetry 2.2.1
+python 3.14.3
+poetry 2.3.2