verify attestation

anthony-nhs · anthony-nhs · commit e5dfa968f6cd · 2026-02-19T07:16:26.000Z
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -37,11 +37,6 @@ jobs:
             echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
             echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
           } >> "$GITHUB_OUTPUT"
-  verify_attestation:
-    needs: get_config_values
-    uses: ./.github/workflows/verify_attestation.yml
-    with:
-      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
   quality_checks:
     uses: ./.github/workflows/quality-checks-devcontainer.yml
     needs: [get_config_values]
diff --git a/.github/workflows/quality-checks-devcontainer.yml b/.github/workflows/quality-checks-devcontainer.yml
@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: verify_attestation
     container:
-      image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+      image: ${{ needs.verify_attestation.outputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
     defaults:
       run:
@@ -212,8 +212,9 @@ jobs:
 
   get_docker_images_to_scan:
     runs-on: ubuntu-22.04
+    needs: verify_attestation
     container:
-      image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+      image: ${{ needs.verify_attestation.outputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
     defaults:
       run:
@@ -281,9 +282,9 @@ jobs:
 
   docker_vulnerability_scan:
     runs-on: ubuntu-22.04
-    needs: [get_docker_images_to_scan]
+    needs: [get_docker_images_to_scan, verify_attestation]
     container:
-      image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+      image: ${{ needs.verify_attestation.outputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
     defaults:
       run:
@@ -324,8 +325,9 @@ jobs:
 
   IaC-validation:
     runs-on: ubuntu-22.04
+    needs: verify_attestation
     container:
-      image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+      image: ${{ needs.verify_attestation.outputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
     defaults:
       run:
diff --git a/.github/workflows/tag-release-devcontainer.yml b/.github/workflows/tag-release-devcontainer.yml
@@ -59,10 +59,15 @@ on:
                 required: false
                 description: "NPM token to publish packages"
 jobs:
+    verify_attestation:
+        uses: ./.github/workflows/verify_attestation.yml
+        with:
+            runtime_docker_image: "${{ inputs.runtime_docker_image }}"
     tag_release:
         runs-on: ubuntu-22.04
+        needs: verify_attestation
         container:
-            image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+            image: ${{ needs.verify_attestation.outputs.pinned_image }}
             options: --user 1001:1001 --group-add 128
         defaults:
             run:
