Merge branch 'main' into copilot

Author: anthony-nhs

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.0.6",
+      "IMAGE_VERSION": "v1.2.0",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     },

.gitallowed

@@ -7,3 +7,6 @@ self\.token = token
 token = os\.environ\.get\(\"GH_TOKEN\"\)
 poetry\.lock
 \-Dsonar\.token=\"\$SONAR_TOKEN\"
+token: "\${{ steps\.generate-token\.outputs\.token }}"
+id-token: 'write'
+id-token: "write"

.github/dependabot.yaml

@@ -12,31 +12,37 @@ updates:
     open-pull-requests-limit: 20
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+    cooldown:
+      default-days: 3
 
   ###################################
-  # NPM workspace  ##################
+  # Poetry  #########################
   ###################################
-  - package-ecosystem: "npm"
+  - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "thursday"
-      time: "18:00" # UTC
+      time: "20:00" # UTC
     open-pull-requests-limit: 20
     versioning-strategy: increase
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+    cooldown:
+      default-days: 3
 
   ###################################
-  # Poetry  #########################
+  # NPM workspace  ##################
   ###################################
-  - package-ecosystem: "pip"
+  - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "thursday"
-      time: "18:00" # UTC
+      time: "22:00" # UTC
     open-pull-requests-limit: 20
     versioning-strategy: increase
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+    cooldown:
+      default-days: 3

.github/workflows/dependabot-auto-approve-and-merge.yml

@@ -19,7 +19,7 @@ jobs:
         steps:
             - name: Get token from Github App
               id: get_app_token
-              uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
+              uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
               with:
                   app-id: ${{ secrets.AUTOMERGE_APP_ID }}
                   private-key: ${{ secrets.AUTOMERGE_PEM }}

.github/workflows/get-repo-config.yml

@@ -0,0 +1,162 @@
+name: Get Repo Config and Image
+on:
+    workflow_call:
+        inputs:
+            registry:
+                required: false
+                type: string
+                default: ghcr.io
+            namespace:
+                required: false
+                type: string
+                default: nhsdigital/eps-devcontainers
+            owner:
+                required: false
+                type: string
+                default: NHSDigital
+            verify_published_from_main_image:
+                required: false
+                type: boolean
+                default: true
+            predicate_type:
+                required: false
+                type: string
+                default: https://slsa.dev/provenance/v1
+        outputs:
+            tag_format:
+                description: The tag format to be used for releases, as defined in .github/config/settings.yml
+                value: ${{ jobs.get_config_values.outputs.tag_format }}
+            devcontainer_image:
+                description: The devcontainer image name as defined in .devcontainer/devcontainer.json
+                value: ${{ jobs.get_config_values.outputs.devcontainer_image }}
+            devcontainer_version:
+                description: The devcontainer image version as defined in .devcontainer/devcontainer.json
+                value: ${{ jobs.get_config_values.outputs.devcontainer_version }}
+            pinned_image:
+                description: Fully-qualified digest-pinned image reference
+                value: ${{ jobs.verify_attestation.outputs.pinned_image }}
+            resolved_digest:
+                description: Resolved digest for the supplied image reference
+                value: ${{ jobs.verify_attestation.outputs.resolved_digest }}
+
+jobs:
+    get_config_values:
+        runs-on: ubuntu-22.04
+        outputs:
+            tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+            devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
+            devcontainer_image: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE }}
+            runtime_docker_image: ${{ steps.load-config.outputs.RUNTIME_DOCKER_IMAGE }}
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+              with:
+                  ref: ${{ env.BRANCH_NAME }}
+                  fetch-depth: 0
+
+            - name: Load config value
+              id: load-config
+              run: |
+                  TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+                  DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
+                  DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
+                  RUNTIME_DOCKER_IMAGE="${DEVCONTAINER_IMAGE}:githubactions-${DEVCONTAINER_VERSION}"
+                  {
+                    echo "TAG_FORMAT=$TAG_FORMAT" 
+                    echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
+                    echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
+                    echo "RUNTIME_DOCKER_IMAGE=$RUNTIME_DOCKER_IMAGE"
+                  } >> "$GITHUB_OUTPUT"
+
+    verify_attestation:
+        runs-on: ubuntu-22.04
+        needs: get_config_values
+        permissions:
+            contents: read
+            packages: read
+            attestations: read
+        outputs:
+            pinned_image: ${{ steps.resolve.outputs.pinned_image }}
+            resolved_digest: ${{ steps.resolve.outputs.resolved_digest }}
+        steps:
+            - name: Login to github container registry
+              if: startsWith(inputs.registry, 'ghcr.io')
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+              with:
+                  registry: ghcr.io
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Resolve digest
+              id: resolve
+              shell: bash
+              env:
+                  RUNTIME_DOCKER_IMAGE: ${{ needs.get_config_values.outputs.runtime_docker_image }}
+                  REGISTRY: ${{ inputs.registry }}
+                  NAMESPACE: ${{ inputs.namespace }}
+              run: |
+                  set -euo pipefail
+
+                  if [[ "$RUNTIME_DOCKER_IMAGE" == *"/"* ]]; then
+                  IMAGE_REF="$RUNTIME_DOCKER_IMAGE"
+                  else
+                  IMAGE_REF="${REGISTRY}/${NAMESPACE}/${RUNTIME_DOCKER_IMAGE}"
+                  fi
+
+                  if [[ "$IMAGE_REF" == *@sha256:* ]]; then
+                  IMAGE_BASE="${IMAGE_REF%@*}"
+                  RESOLVED_DIGEST="${IMAGE_REF#*@}"
+                  else
+                  RESOLVED_DIGEST=""
+                  MAX_ATTEMPTS=5
+                  for attempt in $(seq 1 "$MAX_ATTEMPTS"); do
+                  if OUTPUT="$(docker buildx imagetools inspect "$IMAGE_REF" 2>&1)"; then
+                      RESOLVED_DIGEST="$(awk '/^Digest:/ {print $2; exit}' <<< "$OUTPUT")"
+                      if [[ -n "$RESOLVED_DIGEST" ]]; then
+                      break
+                      fi
+                      echo "Digest not found in imagetools output (attempt ${attempt}/${MAX_ATTEMPTS})." >&2
+                  else
+                      echo "Failed to inspect image ${IMAGE_REF} (attempt ${attempt}/${MAX_ATTEMPTS})." >&2
+                      echo "$OUTPUT" >&2
+                  fi
+
+                  if [[ "$attempt" -lt "$MAX_ATTEMPTS" ]]; then
+                      sleep $((attempt * 2))
+                  fi
+                  done
+                  IMAGE_BASE="${IMAGE_REF%:*}"
+                  fi
+
+                  if [[ -z "$RESOLVED_DIGEST" ]]; then
+                  echo "Could not resolve digest for image: $IMAGE_REF" >&2
+                  exit 1
+                  fi
+
+                  PINNED_IMAGE="${IMAGE_BASE}@${RESOLVED_DIGEST}"
+                  echo "resolved_digest=${RESOLVED_DIGEST}" >> "$GITHUB_OUTPUT"
+                  echo "pinned_image=${PINNED_IMAGE}" >> "$GITHUB_OUTPUT"
+                  echo "Resolved image reference: ${IMAGE_REF}"
+                  echo "Resolved digest: ${RESOLVED_DIGEST}"
+                  echo "Resolved image reference: ${PINNED_IMAGE}"
+
+            - name: Verify attestation
+              shell: bash
+              env:
+                  GH_TOKEN: ${{ github.token }}
+                  OWNER: ${{ inputs.owner }}
+                  VERIFY_PUBLISHED_FROM_MAIN_IMAGE: ${{ inputs.verify_published_from_main_image }}
+                  PREDICATE_TYPE: ${{ inputs.predicate_type }}
+                  PINNED_IMAGE: ${{ steps.resolve.outputs.pinned_image }}
+              run: |
+                  set -euo pipefail
+
+                  args=("oci://${PINNED_IMAGE}" "--owner" "$OWNER" "--predicate-type" "$PREDICATE_TYPE")
+
+                  if [[ "$VERIFY_PUBLISHED_FROM_MAIN_IMAGE" == "true" ]]; then
+                  args+=("--source-ref" "refs/heads/main")
+                  fi
+
+
+                  GH_FORCE_TTY=120 gh attestation verify "${args[@]}" 2>&1 
+                  echo "Verified attestation for ${PINNED_IMAGE}"

.github/workflows/pull_request.yml

@@ -1,4 +1,4 @@
-name: pr
+name: Pull Request
 
 on:
   pull_request:
@@ -14,47 +14,33 @@ jobs:
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
+
   pr_title_format_check:
     uses: ./.github/workflows/pr_title_check.yml
+
   get_config_values:
-    runs-on: ubuntu-22.04
-    outputs:
-      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
-      devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
-      devcontainer_image: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+    uses: ./.github/workflows/get-repo-config.yml
+    with:
+      verify_published_from_main_image: false
 
-      - name: Load config value
-        id: load-config
-        run: |
-          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
-          DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
-          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
-          {
-            echo "TAG_FORMAT=$TAG_FORMAT" 
-            echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
-            echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
-          } >> "$GITHUB_OUTPUT"
   quality_checks:
     uses: ./.github/workflows/quality-checks-devcontainer.yml
     needs: [get_config_values]
     with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
   tag_release:
-    needs: [quality_checks, get_config_values]
+    needs: get_config_values
     uses: ./.github/workflows/tag-release-devcontainer.yml
     permissions:
-      contents: read
       packages: read
-      attestations: read
+      id-token: write
+      contents: write
     with:
       dry_run: true
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-      verify_published_from_main_image: false
     secrets: inherit