updates

Author: anthony-nhs

.github/workflows/pull_request.yml

@@ -56,5 +56,5 @@ jobs:
       runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-      use_published_from_main_image: false
+      verify_published_from_main_image: false
     secrets: inherit

.github/workflows/quality-checks-devcontainer.yml

@@ -30,7 +30,7 @@ jobs:
     uses: ./.github/workflows/verify-attestation.yml
     with:
       runtime_docker_image: "${{ inputs.runtime_docker_image }}"
-      use_published_from_main_image: false
+      verify_published_from_main_image: false
   quality_checks:
     runs-on: ubuntu-22.04
     needs: verify_attestation

.github/workflows/release.yml

@@ -44,5 +44,5 @@ jobs:
       runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-      use_published_from_main_image: true
+      verify_published_from_main_image: true
     secrets: inherit

.github/workflows/tag-release-devcontainer.yml

@@ -45,7 +45,7 @@ on:
                 description: "An repository for the extra artifact"
                 required: false
                 type: string
-            use_published_from_main_image:
+            verify_published_from_main_image:
                 required: true
                 type: boolean
         outputs:
@@ -66,7 +66,7 @@ jobs:
         uses: ./.github/workflows/verify-attestation.yml
         with:
             runtime_docker_image: "${{ inputs.runtime_docker_image }}"
-            use_published_from_main_image: ${{ inputs.use_published_from_main_image }}
+            verify_published_from_main_image: ${{ inputs.verify_published_from_main_image }}
     tag_release:
         runs-on: ubuntu-22.04
         needs: verify_attestation

.github/workflows/verify-attestation.yml

@@ -18,7 +18,7 @@ name: Verify image digest and attestation
                 required: false
                 type: string
                 default: NHSDigital
-            use_published_from_main_image:
+            verify_published_from_main_image:
                 required: false
                 type: boolean
                 default: true
@@ -94,15 +94,15 @@ jobs:
               env:
                   GH_TOKEN: ${{ github.token }}
                   OWNER: ${{ inputs.owner }}
-                  USE_PUBLISHED_FROM_MAIN_IMAGE: ${{ inputs.use_published_from_main_image }}
+                  VERIFY_PUBLISHED_FROM_MAIN_IMAGE: ${{ inputs.verify_published_from_main_image }}
                   PREDICATE_TYPE: ${{ inputs.predicate_type }}
                   PINNED_IMAGE: ${{ steps.resolve.outputs.pinned_image }}
               run: |
                   set -euo pipefail
 
                   args=("oci://${PINNED_IMAGE}" "--owner" "$OWNER" "--predicate-type" "$PREDICATE_TYPE")
 
-                  if [[ "$USE_PUBLISHED_FROM_MAIN_IMAGE" == "true" ]]; then
+                  if [[ "$VERIFY_PUBLISHED_FROM_MAIN_IMAGE" == "true" ]]; then
                     args+=("--source-ref" "refs/heads/main")
                   fi
 

README.md

@@ -4,8 +4,25 @@ A collection of common workflows used by other EPS repositories
 
 The workflows that are available to use are
 
-## Adding exclusions to trivy scanning
-The quality checks job uses trivy to scan for vulnerabilities.   
+## Workflow Index
+
+- [Combine Dependabot PRs](#combine-dependabot-prs)
+- [Dependabot Auto Approve and Merge](#dependabot-auto-approve-and-merge)
+- [PR Title Check](#pr-title-check)
+- [Quality Checks](#quality-checks)
+- [Quality Checks - Dev Container Version](#quality-checks---dev-container-version)
+- [Verify Image Digest and Attestation](#verify-image-digest-and-attestation)
+- [Tag Release](#tag-release)
+- [Tag Release - Devcontainer Version](#tag-release---devcontainer-version)
+
+## Other Docs
+
+- [Adding Exclusions to Trivy Scanning](#adding-exclusions-to-trivy-scanning)
+- [Secret Scanning Docker](#secret-scanning-docker)
+- [Run All Releases](#run-all-releases)
+
+## Adding Exclusions to Trivy Scanning
+The quality checks job uses Trivy to scan for vulnerabilities.   
 There may be times you want to add an exclusion for a known vulnerability that we are happy to accept
 To do this, in the calling repo, add trivy.yaml with this content
 ```
@@ -22,7 +39,7 @@ vulnerabilities:
 ```
 See https://trivy.dev/docs/latest/configuration/filtering/#trivyignoreyaml for more details
 
-## combine dependabot prs
+## Combine Dependabot PRs
 
 This workflow can be called to combine multiple open Dependabot PRs into a single PR.
 
@@ -68,7 +85,7 @@ jobs:
       ignoreLabel: ${{ github.event.inputs.ignoreLabel }}
 ```
 
-## dependabot auto approve and merge
+## Dependabot Auto Approve and Merge
 This workflow can be called to automatically approve and merge Dependabot PRs as part of the pull request workflow.
 
 #### Requirements
@@ -91,7 +108,7 @@ jobs:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
 ```
-## pr title check
+## PR Title Check
 This workflow checks that all pull requests have a title that matches the required format, and comments on the PR with a link to the relevant ticket if a ticket reference is found.
 
 #### Example
@@ -110,7 +127,7 @@ jobs:
     uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f5c8313a10855d0cc911db6a9cd666494c00045a
 ```
 
-## quality checks
+## Quality Checks
 This workflow runs common quality checks.   
 To use this, you must have the following Makefile targets defined
 - install
@@ -123,15 +140,15 @@ To use this, you must have the following Makefile targets defined
 
 #### Inputs
 
-- `install_java`: Whether to install java or not
-- `run_sonar`: Whether to run sonar checks or not.
+- `install_java`: Whether to install Java or not
+- `run_sonar`: Whether to run Sonar checks or not.
 - `asdfVersion`: Override the version of asdf to install.
-- `reinstall_poetry`: If you are using this from a primarily python based project, you should set this to true to force a poetry reinstallation after python is installed
-- `run_docker_scan`: whether to run a scan of docker images
-- `docker_images`: csv list of docker images to scan. These must match images produced by make docker-build
+- `reinstall_poetry`: If you are using this from a primarily Python based project, you should set this to true to force a poetry reinstallation after Python is installed
+- `run_docker_scan`: whether to run a scan of Docker images
+- `docker_images`: csv list of Docker images to scan. These must match images produced by make docker-build
 
 #### Secret Inputs
-- `SONAR_TOKEN`: Token used to authenticate to sonar
+- `SONAR_TOKEN`: Token used to authenticate to Sonar
 
 #### Outputs
 
@@ -157,17 +174,17 @@ jobs:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 ```
 
-## quality checks - dev container version
+## Quality Checks - Dev Container Version
 This workflow runs common quality checks using a prebuilt devcontainer (https://github.com/NHSDigital/eps-devcontainers).
 To use this, you must have overridden any common makefile targets described in https://github.com/NHSDigital/eps-devcontainers?tab=readme-ov-file#common-makefile-targets
 #### Inputs
 
-- `run_sonar`: Whether to run sonar checks or not.
-- `run_docker_scan`: whether to run a scan of docker images
-- `docker_images`: csv list of docker images to scan. These must match images produced by make docker-build
-- `runtime_docker_image`: the docker image to run everything on. This should just be the image name and tag pushed to https://github.com/NHSDigital/eps-devcontainers
+- `run_sonar`: Whether to run Sonar checks or not.
+- `run_docker_scan`: whether to run a scan of Docker images
+- `docker_images`: csv list of Docker images to scan. These must match images produced by make docker-build
+- `runtime_docker_image`: the Docker image to run everything on. This should just be the image name and tag pushed to https://github.com/NHSDigital/eps-devcontainers
 #### Secret Inputs
-- `SONAR_TOKEN`: Token used to authenticate to sonar
+- `SONAR_TOKEN`: Token used to authenticate to Sonar
 
 #### Outputs
 
@@ -195,9 +212,48 @@ jobs:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 ```
 
+## Verify Image Digest and Attestation
+This workflow resolves an image reference to a pinned digest and verifies GitHub artifact attestation for that image.
+
+#### Inputs
+
+- `runtime_docker_image`: Image reference as `name:tag` (for example `node_24_python_3_12:v1.2.3`) or a fully qualified image reference.
+- `registry`: Container registry host. Default: `ghcr.io`
+- `namespace`: Image namespace/repository prefix. Default: `nhsdigital/eps-devcontainers`
+- `owner`: GitHub owner used by `gh attestation verify --owner`. Default: `NHSDigital`
+- `verify_published_from_main_image`: If true, verifies attestations published from `refs/heads/main`. Default: `true`
+- `predicate_type`: Attestation predicate type. Default: `https://slsa.dev/provenance/v1`
+
+#### Outputs
+
+- `pinned_image`: Fully-qualified digest-pinned image reference.
+- `resolved_digest`: Resolved digest for the supplied image reference.
+
+#### Example
+
+To use this workflow in your repository, call it from another workflow file:
+
+```yaml
+name: Verify Devcontainer Image
+
+on:
+  workflow_dispatch:
+
+jobs:
+  verify_attestation:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@f5c8313a10855d0cc911db6a9cd666494c00045a
+    with:
+      runtime_docker_image: node_24_python_3_12:githubactions-v1.2.3
+      registry: ghcr.io
+      namespace: nhsdigital/eps-devcontainers
+      owner: NHSDigital
+      verify_published_from_main_image: true
+      predicate_type: https://slsa.dev/provenance/v1
+```
+
 
-## tag release
-This workflow uses the semantic-release npm package to generate a new version tag, changelog, and github release for a repo.
+## Tag Release
+This workflow uses the semantic-release npm package to generate a new version tag, changelog, and GitHub release for a repo.
 
 #### Inputs
 
@@ -211,7 +267,7 @@ This workflow uses the semantic-release npm package to generate a new version ta
 #### Outputs
 
 - `version_tag`: The version tag created by semantic-release.
-- `change_set_version`: A timestamped string that con be used for creating changesets.
+- `change_set_version`: A timestamped string that can be used for creating changesets.
 
 #### Example
 
@@ -234,26 +290,27 @@ jobs:
     publish_package: false
 ```
 
-## tag release - devcontainer version
-This workflow uses the semantic-release npm package to generate a new version tag, changelog, and github release for a repo.   
-*The devcontainer MUST have node installed*
+## Tag Release - Devcontainer Version
+This workflow uses the semantic-release npm package to generate a new version tag, changelog, and GitHub release for a repo.   
+*The devcontainer MUST have Node installed*
 #### Inputs
 
 - `dry_run`: Whether to run in dry_run mode (do not create tags) or not
 - `branch_name`: The branch name to base the release on
-- `runtime_docker_image`: the docker image to run everything on. This should just be the image name and tag pushed to https://github.com/NHSDigital/eps-devcontainers
+- `runtime_docker_image`: the Docker image to run everything on. This should just be the image name and tag pushed to https://github.com/NHSDigital/eps-devcontainers
 - `publish_packages`: comma separated list of package folders to publish to an npm registry
 - `tagFormat`: Default `v\\${version}`. A template for the version tag.
 - `main_branch`: The branch to use for publishing. Defaults to main
 - `extra_artifact_name`: optional param to include an extra artifact in the release
 - `extra_artifact_id`: optional param of the extra artifact id to include in the release
 - `extra_artifact_run_id`: optional param of the run id to download the extra artifact id to include in the release
 - `extra_artifact_repository` optional param to indicate which repo the run to download the artifact was from
+- `verify_published_from_main_image` indicates if we should verify the image was published from main branch in eps-devcontainers
 
 #### Outputs
 
 - `version_tag`: The version tag created by semantic-release.
-- `change_set_version`: A timestamped string that con be used for creating changesets.
+- `change_set_version`: A timestamped string that can be used for creating changesets.
 
 #### Example
 
@@ -278,9 +335,9 @@ jobs:
 ```
 
 
-## Secret scanning docker
+## Secret Scanning Docker
 
-The secret scanning also has a dockerfile, which can be run against a repo in order to scan it manually (or as part of pre-commit hooks). This can be done like so:
+The secret scanning also has a Dockerfile, which can be run against a repo in order to scan it manually (or as part of pre-commit hooks). This can be done like so:
 ```bash
 docker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v3.0.0/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets .
 docker run -v /path/to/repo:/src git-secrets --scan-history .
@@ -302,7 +359,7 @@ In order to enable the pre-commit hook for secret scanning (to prevent developer
 }
 ```
 
-And the this pre-commit hook to the `.pre-commit-config.yaml` file:
+And add this pre-commit hook to the `.pre-commit-config.yaml` file:
 ```yaml
 repos:
 - repo: local
@@ -317,28 +374,28 @@ repos:
       language: system
 ```
 
-## Run all releases
+## Run All Releases
 
 There are some scripts that can be used to trigger releases for all our repos.   
 It is invoked by running `./scripts/run_all_release.sh`.   
-This first authenticates to github using github cli tools to get a valid github token.   
+This first authenticates to GitHub using GitHub CLI tools to get a valid GitHub token.   
 
 It then has an array of repos which it loops through asking for confirmation if you want to run deployment for it.   
 
-For any that you have answered yes to, it then calls the python script `scripts/trigger_release.py`.   
+For any that you have answered yes to, it then calls the Python script `scripts/trigger_release.py`.   
 
-The python script will trigger the release.yml workflow for that repo and monitor the the run for it.   
+The Python script will trigger the release.yml workflow for that repo and monitor the run for it.   
 When it reaches one of the steps release_qa, release_ref, release_int it will approve release to that environment.   
-Once the run reaches release_prod step, the python script will exit.   
-The python script will also exit if the github run fails, or is cancelled at any step, or there is an unexpected response from github (eg user does not have permission to approve a deployment).   
-When the python script finishes, it logs the run url, the tag and summary of what happened.   
+Once the run reaches release_prod step, the Python script will exit.   
+The Python script will also exit if the GitHub run fails, or is cancelled at any step, or there is an unexpected response from GitHub (eg user does not have permission to approve a deployment).   
+When the Python script finishes, it logs the run URL, the tag and summary of what happened.   
 Python logs go to the console, and to a timestamped file in the logs folder.
 
 When all runs of the python script have finished then the shell script exits showing a summary of failed and successful runs.   
 
 
-If a run fails on a step BEFORE the tag_release step,  and the failure is transient (eg quality checks fails installing dependencies due to npm being down) then the whole release workflow can be rerun - either via this script or using the github website.   
+If a run fails on a step BEFORE the tag_release step,  and the failure is transient (eg quality checks fails installing dependencies due to npm being down) then the whole release workflow can be rerun - either via this script or using the GitHub website.   
 
-If a run fails on a step AFTER the tag_release step, and the failure is transient (eg regression tests failure) then that failing step can just be re-run manually via the github website.   
+If a run fails on a step AFTER the tag_release step, and the failure is transient (eg regression tests failure) then that failing step can just be re-run manually via the GitHub website.   
 
 If a run fails due to a code or cloudformation/cdk issue, then a new pull request should be created to fix this, merged to main, and a new release triggered.