Merge branch 'main' into allow-reverts

Author: connoravo-nhs

.devcontainer/Dockerfile

@@ -1,53 +1,14 @@
-FROM mcr.microsoft.com/devcontainers/base:ubuntu
-
-# provide DOCKER_GID via build args if you need to force group id to match host
-ARG DOCKER_GID
+ARG IMAGE_NAME=node_24_python_3_14
+ARG IMAGE_VERSION=latest
+FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE_NAME}:${IMAGE_VERSION}
 
+USER root
 # specify DOCKER_GID to force container docker group id to match host
 RUN if [ -n "${DOCKER_GID}" ]; then \
-      if ! getent group docker; then \
-        groupadd -g ${DOCKER_GID} docker; \
-      else \
-        groupmod -g ${DOCKER_GID} docker; \
-      fi && \
-      usermod -aG docker vscode; \
+    if ! getent group docker; then \
+    groupadd -g ${DOCKER_GID} docker; \
+    else \
+    groupmod -g ${DOCKER_GID} docker; \
+    fi && \
+    usermod -aG docker vscode; \
     fi
-
-# Anticipate and resolve potential permission issues with apt
-RUN mkdir -p /tmp && chmod 1777 /tmp
-
-RUN apt-get update \
-    && export DEBIAN_FRONTEND=noninteractive \
-    && apt-get -y dist-upgrade \
-    && apt-get -y install --no-install-recommends htop vim curl git build-essential \
-    libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \
-    zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \
-    jq apt-transport-https ca-certificates gnupg-agent \
-    software-properties-common bash-completion python3-pip make libbz2-dev \
-    libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
-    xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev
-
-USER vscode
-
-# Install ASDF
-RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.11.3 && \
-    echo '. $HOME/.asdf/asdf.sh' >> ~/.bashrc && \
-    echo '. $HOME/.asdf/completions/asdf.bash' >> ~/.bashrc
-
-ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-prescription-tracker-ui/node_modules/.bin:/workspaces/eps-common-workflows/.venv/bin"
-
-# Install ASDF plugins#
-RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git && \
-    asdf plugin add actionlint && \
-    asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git && \
-    asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git && \
-    asdf plugin add python
-
-WORKDIR /workspaces/eps-common-workflows
-
-ADD .tool-versions /workspaces/eps-common-workflows/.tool-versions
-ADD .tool-versions /home/vscode/.tool-versions
-
-RUN asdf install python && \
-    asdf install && \
-    asdf reshim nodejs

.devcontainer/devcontainer.json

@@ -1,45 +1,48 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
-    "name": "Ubuntu",
-    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-    "build": {
-      "dockerfile": "Dockerfile",
-      "context": "..",
-      "args": {
-        "DOCKER_GID": "${env:DOCKER_GID:}"
-      }
-    },
-    "mounts": [
-      "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
-    ],
-    "containerUser": "vscode",
-    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
-    "postAttachCommand": "docker build -f /workspaces/eps-common-workflows/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && pre-commit install --install-hooks -f",
-    "features": {
-      "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
-        "version": "latest",
-        "moby": "true",
-        "installDockerBuildx": "true"
-      }
+  "name": "eps-common-workflows",
+  "build": {
+    "dockerfile": "Dockerfile",
+    "context": "..",
+    "args": {
+      "DOCKER_GID": "${env:DOCKER_GID:}",
+      "IMAGE_NAME": "node_24_python_3_14",
+      "IMAGE_VERSION": "v1.0.6",
+      "USER_UID": "${localEnv:USER_ID:}",
+      "USER_GID": "${localEnv:GROUP_ID:}"
     },
-    "customizations": {
-      "vscode": {
-        "extensions": [
-          "AmazonWebServices.aws-toolkit-vscode",
-          "redhat.vscode-yaml",
-          "eamodio.gitlens",
-          "github.vscode-pull-request-github",
-          "streetsidesoftware.code-spell-checker",
-          "timonwong.shellcheck",
-          "github.vscode-github-actions"
-        ],
-        "settings": {
-          "cSpell.words": ["fhir", "Formik", "pino", "serialisation"]
-        }
+    "updateRemoteUserUID": false
+  },
+  "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
+  "mounts": [
+    "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+  ],
+  "containerUser": "vscode",
+  "remoteEnv": {
+    "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
+  },
+  "features": {},
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "AmazonWebServices.aws-toolkit-vscode",
+        "redhat.vscode-yaml",
+        "eamodio.gitlens",
+        "github.vscode-pull-request-github",
+        "streetsidesoftware.code-spell-checker",
+        "timonwong.shellcheck",
+        "github.vscode-github-actions"
+      ],
+      "settings": {
+        "cSpell.words": [
+          "fhir",
+          "Formik",
+          "pino",
+          "serialisation"
+        ]
       }
     }
   }
+}

.gitallowed

@@ -5,4 +5,5 @@ password: \${{ secrets\.GITHUB_TOKEN }}
 def __init__\(self, token: str, owner: str, repo: str.*
 self\.token = token
 token = os\.environ\.get\(\"GH_TOKEN\"\)
+poetry\.lock
 \-Dsonar\.token=\"\$SONAR_TOKEN\"

.github/workflows/get-repo-config.yml

@@ -0,0 +1,145 @@
+name: Get Repo Config and Image
+on:
+    workflow_call:
+        inputs:
+            registry:
+                required: false
+                type: string
+                default: ghcr.io
+            namespace:
+                required: false
+                type: string
+                default: nhsdigital/eps-devcontainers
+            owner:
+                required: false
+                type: string
+                default: NHSDigital
+            verify_published_from_main_image:
+                required: false
+                type: boolean
+                default: true
+            predicate_type:
+                required: false
+                type: string
+                default: https://slsa.dev/provenance/v1
+        outputs:
+            tag_format:
+                description: The tag format to be used for releases, as defined in .github/config/settings.yml
+                value: ${{ jobs.get_config_values.outputs.tag_format }}
+            devcontainer_image:
+                description: The devcontainer image name as defined in .devcontainer/devcontainer.json
+                value: ${{ jobs.get_config_values.outputs.devcontainer_image }}
+            devcontainer_version:
+                description: The devcontainer image version as defined in .devcontainer/devcontainer.json
+                value: ${{ jobs.get_config_values.outputs.devcontainer_version }}
+            pinned_image:
+                description: Fully-qualified digest-pinned image reference
+                value: ${{ jobs.verify_attestation.outputs.pinned_image }}
+            resolved_digest:
+                description: Resolved digest for the supplied image reference
+                value: ${{ jobs.verify_attestation.outputs.resolved_digest }}
+
+jobs:
+  get_config_values:
+    runs-on: ubuntu-22.04
+    outputs:
+      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+      devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
+      devcontainer_image: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE }}
+      runtime_docker_image: ${{ steps.load-config.outputs.RUNTIME_DOCKER_IMAGE }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+          fetch-depth: 0
+
+      - name: Load config value
+        id: load-config
+        run: |
+          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
+          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
+          RUNTIME_DOCKER_IMAGE="${DEVCONTAINER_IMAGE}:githubactions-${DEVCONTAINER_VERSION}"
+          {
+            echo "TAG_FORMAT=$TAG_FORMAT" 
+            echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
+            echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
+            echo "RUNTIME_DOCKER_IMAGE=$RUNTIME_DOCKER_IMAGE"
+          } >> "$GITHUB_OUTPUT"
+
+  verify_attestation:
+    runs-on: ubuntu-22.04
+    needs: get_config_values
+    permissions:
+        contents: read
+        packages: read
+        attestations: read
+    outputs:
+        pinned_image: ${{ steps.resolve.outputs.pinned_image }}
+        resolved_digest: ${{ steps.resolve.outputs.resolved_digest }}
+    steps:
+      - name: Login to github container registry
+        if: startsWith(inputs.registry, 'ghcr.io')
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+        with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Resolve digest
+        id: resolve
+        shell: bash
+        env:
+            RUNTIME_DOCKER_IMAGE: ${{ needs.get_config_values.outputs.runtime_docker_image }}
+            REGISTRY: ${{ inputs.registry }}
+            NAMESPACE: ${{ inputs.namespace }}
+        run: |
+            set -euo pipefail
+
+            if [[ "$RUNTIME_DOCKER_IMAGE" == *"/"* ]]; then
+            IMAGE_REF="$RUNTIME_DOCKER_IMAGE"
+            else
+            IMAGE_REF="${REGISTRY}/${NAMESPACE}/${RUNTIME_DOCKER_IMAGE}"
+            fi
+
+            if [[ "$IMAGE_REF" == *@sha256:* ]]; then
+            IMAGE_BASE="${IMAGE_REF%@*}"
+            RESOLVED_DIGEST="${IMAGE_REF#*@}"
+            else
+            RESOLVED_DIGEST="$(docker buildx imagetools inspect "$IMAGE_REF" | awk '/^Digest:/ {print $2; exit}')"
+            IMAGE_BASE="${IMAGE_REF%:*}"
+            fi
+
+            if [[ -z "$RESOLVED_DIGEST" ]]; then
+            echo "Could not resolve digest for image: $IMAGE_REF" >&2
+            exit 1
+            fi
+
+            PINNED_IMAGE="${IMAGE_BASE}@${RESOLVED_DIGEST}"
+            echo "resolved_digest=${RESOLVED_DIGEST}" >> "$GITHUB_OUTPUT"
+            echo "pinned_image=${PINNED_IMAGE}" >> "$GITHUB_OUTPUT"
+            echo "Resolved image reference: ${IMAGE_REF}"
+            echo "Resolved digest: ${RESOLVED_DIGEST}"
+            echo "Resolved image reference: ${PINNED_IMAGE}"
+
+      - name: Verify attestation
+        shell: bash
+        env:
+            GH_TOKEN: ${{ github.token }}
+            OWNER: ${{ inputs.owner }}
+            VERIFY_PUBLISHED_FROM_MAIN_IMAGE: ${{ inputs.verify_published_from_main_image }}
+            PREDICATE_TYPE: ${{ inputs.predicate_type }}
+            PINNED_IMAGE: ${{ steps.resolve.outputs.pinned_image }}
+        run: |
+            set -euo pipefail
+
+            args=("oci://${PINNED_IMAGE}" "--owner" "$OWNER" "--predicate-type" "$PREDICATE_TYPE")
+
+            if [[ "$VERIFY_PUBLISHED_FROM_MAIN_IMAGE" == "true" ]]; then
+            args+=("--source-ref" "refs/heads/main")
+            fi
+
+
+            GH_FORCE_TTY=120 gh attestation verify "${args[@]}" 2>&1 
+            echo "Verified attestation for ${PINNED_IMAGE}"

.github/workflows/pull_request.yml

@@ -1,4 +1,4 @@
-name: pr
+name: Pull Request
 
 on:
   pull_request:
@@ -14,38 +14,33 @@ jobs:
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
+  
   pr_title_format_check:
     uses: ./.github/workflows/pr_title_check.yml
-  get_asdf_version:
-    runs-on: ubuntu-22.04
-    outputs:
-      asdf_version: ${{ steps.asdf-version.outputs.version }}
-      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
-      - name: Get asdf version
-        id: asdf-version
-        run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
-      - name: Load config value
-        id: load-config
-        run: |
-          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
-          echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+  get_config_values:
+    uses: ./.github/workflows/get-repo-config.yml
+    with:
+      verify_published_from_main_image: false
+
   quality_checks:
-    uses: ./.github/workflows/quality-checks.yml
-    needs: [get_asdf_version]
+    uses: ./.github/workflows/quality-checks-devcontainer.yml
+    needs: [get_config_values]
     with:
-      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      
   tag_release:
-    needs: [quality_checks, get_asdf_version]
-    uses: ./.github/workflows/tag-release.yml
+    needs: get_config_values
+    uses: ./.github/workflows/tag-release-devcontainer.yml
+    permissions:
+      contents: read
+      packages: read
+      attestations: read
     with:
       dry_run: true
-      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
-      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+      tag_format: ${{ needs.get_config_values.outputs.tag_format }}
     secrets: inherit