From 22a47f1b88e259a00edb1bc3ddbdb4bb303beeea Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 15:17:05 +0000 Subject: [PATCH 01/18] set correct user --- .github/workflows/build_multi_arch_image.yml | 4 +-- src/base/.devcontainer/Dockerfile | 20 +++++++++++++- src/base/.devcontainer/devcontainer.json | 7 ++--- .../.devcontainer/scripts/root_install.sh | 9 +++---- .../.devcontainer/scripts/vscode_install.sh | 4 --- src/common/Dockerfile | 24 +++++++++++++++++ .../.devcontainer/devcontainer.json | 4 ++- .../.devcontainer/devcontainer.json | 4 ++- .../.devcontainer/devcontainer.json | 4 ++- .../.devcontainer/scripts/root_install.sh | 4 +++ .../.devcontainer/devcontainer.json | 4 ++- .../fhir_facade_api/.devcontainer/Dockerfile | 27 +++++++++++++++++++ .../.devcontainer/devcontainer.json | 4 ++- 13 files changed, 97 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index d12e7671..04e4c860 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -82,13 +82,11 @@ jobs: env: ARCHITECTURE: '${{ matrix.arch }}' - DOCKER_TAG: '${{ inputs.docker_tag }}' CONTAINER_NAME: '${{ inputs.container_name }}' + DOCKER_TAG: '${{ inputs.docker_tag }}' BASE_VERSION: ${{ inputs.docker_tag}} IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}" BASE_FOLDER: "${{ inputs.base_folder }}" - VSCODE_UID: "1001" - VSCODE_GID: "1001" - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 with: diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index ee1a55cb..5bc6fb36 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -4,10 +4,17 @@ ARG BASE_VERSION=latest ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME +ARG DOCKER_TAG +ARG BASE_VERSION +ARG IMAGE_TAG + +ENV BASE_VERSION=${BASE_VERSION} ENV TARGETARCH=${TARGETARCH} -ENV CONTAINER_NAME=${CONTAINER_NAME} ENV SCRIPTS_DIR=${SCRIPTS_DIR} +ENV CONTAINER_NAME=${CONTAINER_NAME} +ENV DOCKER_TAG=${DOCKER_TAG} ENV BASE_VERSION=${BASE_VERSION} +ENV IMAGE_TAG=${IMAGE_TAG} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS base devcontainer" @@ -26,3 +33,14 @@ COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions ENV PATH="/home/vscode/.asdf/shims/:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./vscode_install.sh + +USER root +# store version info in VERSION.txt for reference +RUN echo "[[ ${CONTAINER_NAME} ]]" > "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "" >> "${SCRIPTS_DIR}/VERSION.txt" + +USER vscode +WORKDIR /home/vscode diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 27c98ce5..0ca0fe2c 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -6,9 +6,10 @@ "build": { "dockerfile": "Dockerfile", "args": { - "CONTAINER_NAME": "eps_devcontainer_base", - "VSCODE_UID": "${localEnv:VSCODE_UID}", - "VSCODE_GID": "${localEnv:VSCODE_GID}" + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" } }, "runArgs": [ diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index d8720d01..9b6d7c1a 100755 
--- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -67,14 +67,11 @@ mkdir -p /usr/share/secrets-scanner chmod 755 /usr/share/secrets-scanner curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt -# fix user and group ids for vscode user to match host, and ensure vscode owns their home directory -requested_uid="${VSCODE_UID:-1000}" -requested_gid="${VSCODE_GID:-1000}" +# fix user and group ids for vscode user to be 1001 so it can be used by github actions +requested_uid=1001 +requested_gid=1001 current_uid="$(id -u vscode)" current_gid="$(id -g vscode)" if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi chown -R vscode:vscode /home/vscode - -# store base version in VERSION.txt for reference -echo "VERSION=${BASE_VERSION}" > "${SCRIPTS_DIR}/VERSION.txt" diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index 8c118d98..5f1a123d 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -24,7 +24,3 @@ asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git # install base asdf versions of common tools cd /home/vscode asdf install - -# setup gitsecrets -git-secrets --register-aws --global -git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 7b2cc33f..49c3a927 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile 
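Review bot: The hardcoded `requested_uid=1001`/`requested_gid=1001` are applied with `usermod -u`/`groupmod -g` without checking whether 1001 is already taken in the base image, in which case the command fails and `set -e` aborts the build with an opaque error; a guard such as `if id -nu 1001 >/dev/null 2>&1 && [ "$(id -nu 1001)" != vscode ]; then echo "uid 1001 already in use" >&2; exit 1; fi` (and the same via `getent group 1001`) makes that explicit, and the comment should say why 1001 (presumably the UID the GitHub Actions runner user maps to — confirm). Separately, this patch deletes the `git-secrets --register-aws` / `--add-provider` registration from vscode_install.sh while this script still downloads `nhsd-rules-deny.txt`, so the deny rules are fetched but nothing consumes them; if registration has moved elsewhere, note it in a comment here, otherwise the secret-scanning hook is silently lost. While touching this block, the rules file is fetched from the mutable `main` branch with no checksum, so pinning the URL to a commit and verifying with `sha256sum -c` would stop an upstream change from altering what the scanner enforces.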
@@ -2,8 +2,21 @@ ARG BASE_VERSION=latest FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} +ARG BASE_VERSION=latest +ARG TARGETARCH +ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME +ARG DOCKER_TAG +ARG BASE_VERSION +ARG IMAGE_TAG + +ENV BASE_VERSION=${BASE_VERSION} +ENV TARGETARCH=${TARGETARCH} +ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} +ENV DOCKER_TAG=${DOCKER_TAG} +ENV BASE_VERSION=${BASE_VERSION} +ENV IMAGE_TAG=${IMAGE_TAG} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS ${CONTAINER_NAME} devcontainer" @@ -19,6 +32,17 @@ USER vscode WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} COPY .tool-versions /tmp/.tool-versions RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions +ENV PATH="/home/vscode/.asdf/shims/:$PATH" RUN ./vscode_install.sh + +USER root +# store version info in VERSION.txt for reference +RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "" >> "${SCRIPTS_DIR}/VERSION.txt" + +USER vscode WORKDIR /home/vscode diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index fe1b068d..5348d339 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "../../../common/Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, 
diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index fe1b068d..5348d339 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "../../../common/Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index afbfe613..1bf1e6f6 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "../../../common/Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_14" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh index 0510f2c0..a07f0522 100755 --- a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh @@ -1,2 +1,6 @@ #!/usr/bin/env bash set -e + +# store version info in VERSION.txt for reference +echo "VERSION=${BASE_VERSION}" > "${SCRIPTS_DIR}/VERSION.txt" +echo "CONTAINER_NAME=${CONTAINER_NAME}" >> "${SCRIPTS_DIR}/VERSION.txt" 
diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json index fe1b068d..5348d339 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json +++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "../../../common/Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index a24639df..dbe7bd22 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile @@ -2,6 +2,22 @@ ARG BASE_VERSION=latest FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION} +ARG BASE_VERSION=latest +ARG TARGETARCH +ARG SCRIPTS_DIR=/usr/local/share/eps +ARG CONTAINER_NAME +ARG DOCKER_TAG +ARG BASE_VERSION +ARG IMAGE_TAG + +ENV BASE_VERSION=${BASE_VERSION} +ENV TARGETARCH=${TARGETARCH} +ENV SCRIPTS_DIR=${SCRIPTS_DIR} +ENV CONTAINER_NAME=${CONTAINER_NAME} +ENV DOCKER_TAG=${DOCKER_TAG} +ENV BASE_VERSION=${BASE_VERSION} +ENV IMAGE_TAG=${IMAGE_TAG} + LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS fhir facade devcontainer" LABEL org.opencontainers.image.licenses=MIT 
@@ -18,3 +34,14 @@ COPY .tool-versions /tmp/.tool-versions RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions RUN ./vscode_install.sh + +USER root +# store version info in VERSION.txt for reference +RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "" >> "${SCRIPTS_DIR}/VERSION.txt" + +USER vscode +WORKDIR /home/vscode diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json index da3a820b..fcf3f373 100644 --- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json +++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json @@ -6,8 +6,10 @@ "build": { "dockerfile": "Dockerfile", "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "DOCKER_TAG": "${localEnv:DOCKER_TAG}", "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "fhir_facade_api" + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." }, From 69b4bfb46790e26dd83c746d6585179cfbd37328 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 15:48:27 +0000 Subject: [PATCH 02/18] clear ssh dir --- src/base/.devcontainer/Dockerfile | 1 + src/common/Dockerfile | 1 + src/projects/fhir_facade_api/.devcontainer/Dockerfile | 1 + 3 files changed, 3 insertions(+) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 5bc6fb36..2e3a4ca3 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -33,6 +33,7 @@ COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions ENV PATH="/home/vscode/.asdf/shims/:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./vscode_install.sh +RUN rm -rf /home/vscode/.ssh USER root # store version info in VERSION.txt for reference diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 49c3a927..8591c36d 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile @@ -35,6 +35,7 @@ RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions ENV PATH="/home/vscode/.asdf/shims/:$PATH" RUN ./vscode_install.sh +RUN rm -rf /home/vscode/.ssh USER root # store version info in VERSION.txt for reference diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index dbe7bd22..ce7a9658 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile @@ -34,6 +34,7 @@ COPY .tool-versions /tmp/.tool-versions RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions RUN ./vscode_install.sh +RUN rm -rf /home/vscode/.ssh USER root # store version info in VERSION.txt for reference From 82b374ad3149e746c16ef3cddd91e3fef1258e96 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 15:58:01 +0000 Subject: [PATCH 03/18] fix setting version --- .../node_24_python_3_14/.devcontainer/scripts/root_install.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh index a07f0522..0510f2c0 100755 --- a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh 
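Review bot: `RUN rm -rf /home/vscode/.ssh` runs in its own layer, so anything `./vscode_install.sh` left in that directory in the previous layer (keys, `known_hosts`, config) stays in the image history and is recoverable via `docker history`/`docker save`; only the final filesystem view is cleaned. If the install script is what creates the directory, remove it in the same step, `RUN ./vscode_install.sh && rm -rf /home/vscode/.ssh`, or better stop the script from writing it at all. A one-line comment saying what populates `~/.ssh` would help, since the hunk gives no reason; the same applies to the identical lines added to src/common/Dockerfile and the fhir_facade_api Dockerfile. Patch 07 of this series drops the line again, so it is worth deciding once whether the cleanup is needed and where.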
@@ -1,6 +1,2 @@ #!/usr/bin/env bash set -e - -# store version info in VERSION.txt for reference -echo "VERSION=${BASE_VERSION}" > "${SCRIPTS_DIR}/VERSION.txt" -echo "CONTAINER_NAME=${CONTAINER_NAME}" >> "${SCRIPTS_DIR}/VERSION.txt" From 8402b54e04171c7de2364ec17fc36b042d2ceb44 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:11:43 +0000 Subject: [PATCH 04/18] more info to container --- .github/workflows/build_multi_arch_image.yml | 4 ++-- src/base/.devcontainer/Dockerfile | 7 ++++--- src/common/Dockerfile | 19 +++++++++---------- .../.devcontainer/devcontainer.json | 2 +- .../.devcontainer/devcontainer.json | 2 +- .../.devcontainer/devcontainer.json | 2 +- .../.devcontainer/devcontainer.json | 4 ++-- .../fhir_facade_api/.devcontainer/Dockerfile | 19 +++++++++---------- .../.devcontainer/devcontainer.json | 2 +- 9 files changed, 30 insertions(+), 31 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 04e4c860..384f30bf 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -83,8 +83,8 @@ jobs: env: ARCHITECTURE: '${{ matrix.arch }}' CONTAINER_NAME: '${{ inputs.container_name }}' - DOCKER_TAG: '${{ inputs.docker_tag }}' - BASE_VERSION: ${{ inputs.docker_tag}} + MULTI_ARCH_TAG: '${{ inputs.docker_tag }}' + BASE_VERSION_TAG: ${{ inputs.docker_tag}} IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}" BASE_FOLDER: "${{ inputs.base_folder }}" - name: Check docker vulnerabilities - json output diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 2e3a4ca3..ecdc9720 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_VERSION=latest ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME -ARG DOCKER_TAG +ARG MULTI_ARCH_TAG ARG BASE_VERSION ARG IMAGE_TAG 
@@ -12,7 +12,7 @@ ENV BASE_VERSION=${BASE_VERSION} ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} -ENV DOCKER_TAG=${DOCKER_TAG} +ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} ENV BASE_VERSION=${BASE_VERSION} ENV IMAGE_TAG=${IMAGE_TAG} @@ -39,8 +39,9 @@ USER root # store version info in VERSION.txt for reference RUN echo "[[ ${CONTAINER_NAME} ]]" > "${SCRIPTS_DIR}/VERSION.txt" && \ echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "" >> "${SCRIPTS_DIR}/VERSION.txt" USER vscode diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 8591c36d..51618f6f 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile @@ -1,21 +1,19 @@ -ARG BASE_VERSION=latest +ARG BASE_VERSION_TAG=latest -FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} +FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG} -ARG BASE_VERSION=latest +ARG BASE_VERSION_TAG=latest ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME -ARG DOCKER_TAG -ARG BASE_VERSION +ARG MULTI_ARCH_TAG ARG IMAGE_TAG -ENV BASE_VERSION=${BASE_VERSION} +ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} -ENV DOCKER_TAG=${DOCKER_TAG} -ENV BASE_VERSION=${BASE_VERSION} +ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} ENV IMAGE_TAG=${IMAGE_TAG} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers 
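Review bot: `BUILD_TIME=$(date -u ...)` is evaluated inside the RUN, so on a cache hit (the instruction text and the ARGs it references form the cache key, not the clock) the recorded time is that of whichever earlier build populated the layer, and the value has no machine-readable home in the image. Pass the timestamp in from the workflow instead, e.g. `ARG BUILD_TIME` set by the job from `date -u +%Y-%m-%dT%H:%M:%SZ`, and expose it as `LABEL org.opencontainers.image.created=${BUILD_TIME}` so Trivy and registry tooling can read it without running the container. The same applies to the identical blocks in src/common/Dockerfile and the fhir_facade_api Dockerfile.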
@@ -40,9 +38,10 @@ RUN rm -rf /home/vscode/.ssh USER root # store version info in VERSION.txt for reference RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION_TAG=${BASE_VERSION_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "" >> "${SCRIPTS_DIR}/VERSION.txt" USER vscode diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index 5348d339..6a24af77 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -8,7 +8,7 @@ "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index 5348d339..6a24af77 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json @@ -8,7 +8,7 @@ "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." 
diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index 1bf1e6f6..d6d4b883 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -8,7 +8,7 @@ "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json index 5348d339..250871c7 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json +++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -1,14 +1,14 @@ // For format details, see https://aka.ms/devcontainer.json. For config options, see the // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { - "name": "EPS Devcontainer node_24 python_3.13", + "name": "EPS Devcontainer node_24 python_3.10", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index ce7a9658..346eca7b 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile 
@@ -1,21 +1,19 @@ -ARG BASE_VERSION=latest +ARG BASE_VERSION_TAG=latest -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION} +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG} -ARG BASE_VERSION=latest +ARG BASE_VERSION_TAG=latest ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME -ARG DOCKER_TAG -ARG BASE_VERSION +ARG MULTI_ARCH_TAG ARG IMAGE_TAG -ENV BASE_VERSION=${BASE_VERSION} +ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} -ENV DOCKER_TAG=${DOCKER_TAG} -ENV BASE_VERSION=${BASE_VERSION} +ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} ENV IMAGE_TAG=${IMAGE_TAG} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers @@ -39,9 +37,10 @@ RUN rm -rf /home/vscode/.ssh USER root # store version info in VERSION.txt for reference RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "DOCKER_TAG=${DOCKER_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BASE_VERSION_TAG=${BASE_VERSION_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ + echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ echo "" >> "${SCRIPTS_DIR}/VERSION.txt" USER vscode diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json index fcf3f373..d97eaa15 100644 --- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json +++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json 
@@ -8,7 +8,7 @@ "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, "context": "." From c8571d65ac62b68a71d894d6b2f933da360f686a Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:40:40 +0000 Subject: [PATCH 05/18] fix homedir --- src/base/.devcontainer/scripts/root_install.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 9b6d7c1a..f02b7836 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -75,3 +75,8 @@ current_gid="$(id -g vscode)" if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi chown -R vscode:vscode /home/vscode + +# link /home/vscode to /github/home for github actions to be able to access files in the container, and set permissions +mkdir -p /github +ln -s /home/vscode /github/home +chown -R vscode:vscode /github/home From f22b31d69387747f184772ed496b225336ef8067 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 17:07:32 +0000 Subject: [PATCH 06/18] fix var --- Makefile | 2 +- src/base/.devcontainer/devcontainer.json | 4 ++-- .../node_24_python_3_12/.devcontainer/devcontainer.json | 2 +- .../node_24_python_3_13/.devcontainer/devcontainer.json | 2 +- .../node_24_python_3_14/.devcontainer/devcontainer.json | 2 +- src/languages/python_3_10/.devcontainer/devcontainer.json | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 00443ccc..bbcba6b9 100644 --- a/Makefile +++ b/Makefile 
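Review bot: `chown -R vscode:vscode /github/home` is run on a symlink, and whether that follows the link or only touches the link inode depends on chown's -H/-L/-P handling, so it either duplicates the `chown -R vscode:vscode /home/vscode` two lines above or does nothing useful; drop it, or use `chown -h vscode:vscode /github/home` if the link itself is the target. `ln -s` also fails under `set -e` if `/github/home` already exists on a rebuild, so `ln -sfn /home/vscode /github/home` is safer. Be aware that if the Actions runner bind-mounts its own directory onto `/github/home` for `container:` jobs (it appears to — confirm), that mount shadows this link at runtime and the image-level symlink has no effect; the comment should state which scenario the link is for.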
@@ -21,7 +21,7 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-BASE_FOLDER +build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER npx devcontainer build \ --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 0ca0fe2c..7faa350f 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -7,8 +7,8 @@ "dockerfile": "Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", - "BASE_VERSION": "${localEnv:BASE_VERSION}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" } }, diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index 6a24af77..3c8fb354 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index 6a24af77..3c8fb354 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json 
@@ -7,7 +7,7 @@ "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index d6d4b883..7d1b3e92 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json index 250871c7..aa03d36d 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json +++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "dockerfile": "../../../common/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "DOCKER_TAG": "${localEnv:DOCKER_TAG}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", "IMAGE_TAG": "${localEnv:IMAGE_TAG}" }, From 35c76238328a509c046c4c41e5309a244e284107 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Sun, 15 Feb 2026 10:22:57 +0000 Subject: [PATCH 07/18] fix tags --- README.md | 6 ++--- src/base/.devcontainer/Dockerfile | 25 ++++++------------ src/common/Dockerfile | 26 +++++++------------ .../fhir_facade_api/.devcontainer/Dockerfile | 26 +++++++------------ .../.devcontainer/devcontainer.json | 2 +- 5 files changed, 32 insertions(+), 53 deletions(-) diff --git a/README.md b/README.md index 5d5e41a3..37aca91a 100644 --- a/README.md +++ b/README.md @@ -86,21 +86,21 @@ You can use these commands to build images Base image ``` CONTAINER_NAME=base \ - BASE_VERSION=latest \ + BASE_VERSION_TAG=latest \ BASE_FOLDER=. \ make build-image ``` Language images ``` CONTAINER_NAME=node_24_python_3_12 \ - BASE_VERSION=latest \ + BASE_VERSION_TAG=latest \ BASE_FOLDER=languages \ make build-image ``` Project images ``` CONTAINER_NAME=fhir_facade_api \ - BASE_VERSION=latest \ + BASE_VERSION_TAG=latest \ BASE_FOLDER=projects \ make build-image ``` diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index ecdc9720..8457c94f 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -1,24 +1,25 @@ FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 -ARG BASE_VERSION=latest -ARG TARGETARCH ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME ARG MULTI_ARCH_TAG -ARG BASE_VERSION +ARG BASE_VERSION_TAG ARG IMAGE_TAG +ARG TARGETARCH -ENV BASE_VERSION=${BASE_VERSION} -ENV TARGETARCH=${TARGETARCH} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ENV CONTAINER_NAME=${CONTAINER_NAME} ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} -ENV BASE_VERSION=${BASE_VERSION} +ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} ENV IMAGE_TAG=${IMAGE_TAG} +ENV TARGETARCH=${TARGETARCH} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers LABEL org.opencontainers.image.description="EPS base devcontainer" LABEL org.opencontainers.image.licenses=MIT +LABEL org.opencontainers.image.version=${IMAGE_TAG} +LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} + COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} @@ -33,16 +34,6 @@ COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions ENV PATH="/home/vscode/.asdf/shims/:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./vscode_install.sh -RUN rm -rf /home/vscode/.ssh +# Switch back to root to install the devcontainer CLI globally USER root -# store version info in VERSION.txt for reference -RUN echo "[[ ${CONTAINER_NAME} ]]" > "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BASE_VERSION=${BASE_VERSION}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \ - echo "" >> "${SCRIPTS_DIR}/VERSION.txt" - -USER vscode -WORKDIR /home/vscode diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 51618f6f..3d67193c 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile 
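Review bot: After this hunk the base Dockerfile ends with `USER root` — the trailing `USER vscode` / `WORKDIR /home/vscode` are deleted and nothing follows the `# Switch back to root to install the devcontainer CLI globally` comment — so the image now starts as root by default and the comment refers to an install step that is not in this patch. If the install lands later in the series, the same commit should drop back to `USER vscode`; as committed here, add `USER vscode` and `WORKDIR /home/vscode` after the comment (or remove the dangling comment) so the non-root default is not lost in between. The matching hunk in src/common/Dockerfile has the same ending. Separately, `org.opencontainers.image.containerName` is not a key defined by the OCI annotations spec; use `org.opencontainers.image.title` or a project namespace such as `uk.nhs.eps.container_name`.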
@@ -1,24 +1,28 @@
 ARG BASE_VERSION_TAG=latest
+ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG}
-FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG}
+FROM ${BASE_IMAGE}
-ARG BASE_VERSION_TAG=latest
-ARG TARGETARCH
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
 ARG MULTI_ARCH_TAG
+ARG BASE_VERSION_TAG
 ARG IMAGE_TAG
+ARG TARGETARCH
-ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
-ENV TARGETARCH=${TARGETARCH}
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
 ENV IMAGE_TAG=${IMAGE_TAG}
+ENV TARGETARCH=${TARGETARCH}
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
 LABEL org.opencontainers.image.description="EPS ${CONTAINER_NAME} devcontainer"
 LABEL org.opencontainers.image.licenses=MIT
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
 USER root
 COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
@@ -33,16 +37,6 @@ RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
 ENV PATH="/home/vscode/.asdf/shims/:$PATH"
 RUN ./vscode_install.sh
-RUN rm -rf /home/vscode/.ssh
+# Switch back to root to install the devcontainer CLI globally
 USER root
-# store version info in VERSION.txt for reference
-RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "BASE_VERSION_TAG=${BASE_VERSION_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "" >> "${SCRIPTS_DIR}/VERSION.txt"
-
-USER vscode
-WORKDIR /home/vscode
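Review bot: `LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}` expands to an empty string: `BASE_IMAGE` is declared before `FROM`, and an ARG declared outside a stage is not visible inside it unless re-declared, so the label records nothing about the base image. Add a bare `ARG BASE_IMAGE` after `FROM ${BASE_IMAGE}` (a valueless re-declaration inherits the value `FROM` used), the same way `ARG BASE_VERSION_TAG` is re-declared a few lines down. The `fhir_facade_api` Dockerfile hunk in this commit has the identical problem. Both files also keep `latest` as the default `BASE_VERSION_TAG`, so an unparameterised build silently tracks a mutable tag; a digest (`@sha256:…`) is the reproducible reference for a published base.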
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index 346eca7b..1765df0d 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -1,24 +1,28 @@
 ARG BASE_VERSION_TAG=latest
+ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG}
-FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG}
+FROM ${BASE_IMAGE}
-ARG BASE_VERSION_TAG=latest
-ARG TARGETARCH
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
 ARG MULTI_ARCH_TAG
+ARG BASE_VERSION_TAG
 ARG IMAGE_TAG
+ARG TARGETARCH
-ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
-ENV TARGETARCH=${TARGETARCH}
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
 ENV IMAGE_TAG=${IMAGE_TAG}
+ENV TARGETARCH=${TARGETARCH}
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
 LABEL org.opencontainers.image.description="EPS fhir facade devcontainer"
 LABEL org.opencontainers.image.licenses=MIT
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
 USER root
 COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
@@ -32,16 +36,6 @@ COPY .tool-versions /tmp/.tool-versions
 RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
 RUN ./vscode_install.sh
-RUN rm -rf /home/vscode/.ssh
+# Switch back to root to install the devcontainer CLI globally
 USER root
-# store version info in VERSION.txt for reference
-RUN echo "[[ ${CONTAINER_NAME} ]]" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "BASE_VERSION_TAG=${BASE_VERSION_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "MULTI_ARCH_TAG=${MULTI_ARCH_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "IMAGE_TAG=${IMAGE_TAG}" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${SCRIPTS_DIR}/VERSION.txt" && \
- echo "" >> "${SCRIPTS_DIR}/VERSION.txt"
-
-USER vscode
-WORKDIR /home/vscode
diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json
index d97eaa15..6b10ee82 100644
--- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json
+++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json
@@ -7,7 +7,7 @@
 "dockerfile": "Dockerfile",
 "args": {
 "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
-"DOCKER_TAG": "${localEnv:DOCKER_TAG}",
+"MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
 "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
 "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
 },
From d9eab88291dc165d83d509420e105af86e5707e0 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 15 Feb 2026 10:25:05 +0000
Subject: [PATCH 08/18] go back to user 1000
---
 src/base/.devcontainer/scripts/root_install.sh | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index f02b7836..372b37e8 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -67,16 +67,4 @@ mkdir -p /usr/share/secrets-scanner
 chmod 755 /usr/share/secrets-scanner
 curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
-# fix user and group ids for vscode user to be 1001 so it can be used by github actions
-requested_uid=1001
-requested_gid=1001
-current_uid="$(id -u vscode)"
-current_gid="$(id -g vscode)"
-if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi
-if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi
 chown -R vscode:vscode /home/vscode
-
-# link /home/vscode to /github/home for github actions to be able to access files in the container, and set permissions
-mkdir -p /github
-ln -s /home/vscode /github/home
-chown -R vscode:vscode /github/home
From 03d618984d2eb63a3e20a6cbafc34f17e1a337e8 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 15 Feb 2026 12:47:57 +0000
Subject: [PATCH 09/18] fix work dir
---
 src/base/.devcontainer/Dockerfile | 2 +-
 src/base/.devcontainer/scripts/root_install.sh | 2 ++
 src/common/Dockerfile | 5 ++++-
 src/projects/fhir_facade_api/.devcontainer/Dockerfile | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
index 8457c94f..a2785e2a 100644
--- a/src/base/.devcontainer/Dockerfile
+++ b/src/base/.devcontainer/Dockerfile
@@ -15,7 +15,7 @@ ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS base devcontainer"
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}"
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index 372b37e8..d9c69755 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -68,3 +68,5 @@ chmod 755 /usr/share/secrets-scanner
 curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
 chown -R vscode:vscode /home/vscode
+mkdir -p /work
+chown -R vscode:vscode /work
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 3d67193c..df35cef9 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -3,6 +3,8 @@ ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG}
 FROM ${BASE_IMAGE}
+ARG BASE_VERSION_TAG=latest
+ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG}
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
 ARG MULTI_ARCH_TAG
@@ -10,6 +12,7 @@ ARG BASE_VERSION_TAG
 ARG IMAGE_TAG
 ARG TARGETARCH
+ENV BASE_IMAGE=${BASE_IMAGE}
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
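Review bot: In the `src/common/Dockerfile` hunk, the in-stage `ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG}` repeats the full default already given before `FROM`, so the value recorded by the `baseImage` label and `ENV BASE_IMAGE` can drift from the image `FROM` actually used whenever either line is edited. A bare `ARG BASE_IMAGE` (and `ARG BASE_VERSION_TAG`) inside the stage inherits the pre-`FROM` value and removes the duplication. `ENV BASE_IMAGE=${BASE_IMAGE}` also pushes a build-only value into every container's runtime environment; `ARG` alone is enough to feed the label. The equivalent `fhir_facade_api` Dockerfile is not given the same re-declaration in this commit, so its `baseImage` label remains empty.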
@@ -18,7 +21,7 @@ ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS ${CONTAINER_NAME} devcontainer"
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}"
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index 1765df0d..d736b73f 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -18,7 +18,7 @@ ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS fhir facade devcontainer"
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}"
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
From 0102c0d646ebba5accc5ba2efe07790889884475 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 15 Feb 2026 13:31:54 +0000
Subject: [PATCH 10/18] make /work writable by all
---
 .github/workflows/build_multi_arch_image.yml | 20 ++++++++++++++++---
 Makefile | 5 ++---
 README.md | 1 +
 src/base/.devcontainer/Dockerfile | 2 +-
 .../.devcontainer/scripts/root_install.sh | 1 +
 src/common/Dockerfile | 2 +-
 .../fhir_facade_api/.devcontainer/Dockerfile | 2 +-
 7 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 384f30bf..a26901e1 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -85,7 +85,7 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' MULTI_ARCH_TAG: '${{ inputs.docker_tag }}' BASE_VERSION_TAG: ${{ inputs.docker_tag}} - IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}" + IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" BASE_FOLDER: "${{ inputs.base_folder }}" - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 @@ -131,6 +131,11 @@ jobs: run: | echo "Pushing image..." docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" + BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + export BUILD_TIMESTAMP + docker buildx imagetools create \ + --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ + "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' 
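Review bot: The added `docker buildx imagetools create` call in the second hunk has no `--tag`, so the annotated manifest it assembles is never given a reference; the pushed `${DOCKER_TAG}-${ARCHITECTURE}` image stays unannotated, and the command may exit non-zero without a target, which would fail the step — worth checking in a run. Re-tagging the same reference, `--tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"`, is what the surrounding step appears to intend. `export BUILD_TIMESTAMP` is unnecessary, since the variable is only expanded by this shell and not read by a child process.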
@@ -164,10 +169,19 @@ jobs: - name: Push multi-arch tagged image run: | - docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ + BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + export BUILD_TIMESTAMP + docker buildx imagetools create \ + --annotation "index:org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers" \ + --annotation "index:org.opencontainers.image.description=EPS devcontainer ${CONTAINER_NAME}:${DOCKER_TAG}" \ + --annotation "index:org.opencontainers.image.licenses=MIT" \ + --annotation "index:org.opencontainers.image.version=${DOCKER_TAG}" \ + --annotation "index:org.opencontainers.image.containerName=${CONTAINER_NAME}" \ + --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ + --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" - echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" >> "$GITHUB_STEP_SUMMARY" + echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" >> "$GITHUB_STEP_SUMMARY" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' diff --git a/Makefile b/Makefile index bbcba6b9..46211271 100644 --- a/Makefile +++ b/Makefile 
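Review bot: The multi-arch index is annotated with its creation time, version and description but not with the source revision, so a published image cannot be traced back to the commit that built it; the Makefile hunk in this same commit also drops the `org.opencontainers.image.revision` label, leaving no provenance link at all. Adding `--annotation "index:org.opencontainers.image.revision=${GITHUB_SHA}"` alongside the other annotations restores it. `org.opencontainers.image.containerName` is not an OCI-defined annotation key; custom keys belong in a project namespace so they are not mistaken for spec-defined ones.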
@@ -21,13 +21,12 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER +build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG npx devcontainer build \ --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ --cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \ - --label "org.opencontainers.image.revision=$$DOCKER_TAG" \ - --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:${IMAGE_TAG}" scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ diff --git a/README.md b/README.md index 37aca91a..cdb4d80d 100644 --- a/README.md +++ b/README.md @@ -88,6 +88,7 @@ Base image CONTAINER_NAME=base \ BASE_VERSION_TAG=latest \ BASE_FOLDER=. \ + IMAGE_TAG=local-build \ make build-image ``` Language images diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index a2785e2a..85f5a943 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -15,7 +15,7 @@ ENV IMAGE_TAG=${IMAGE_TAG} ENV TARGETARCH=${TARGETARCH} LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers -LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}" +LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}" LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.version=${IMAGE_TAG} LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index d9c69755..1c6e20ec 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
@@ -70,3 +70,4 @@ curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-qualit
 chown -R vscode:vscode /home/vscode
 mkdir -p /work
 chown -R vscode:vscode /work
+chmod -R 777 /work
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index df35cef9..6e8d1c0f 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -21,7 +21,7 @@ ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}"
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index d736b73f..474753de 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -18,7 +18,7 @@ ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}${IMAGE_TAG}"
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
From 37cee2e3a094d493de939b6140fea3b137737470 Mon Sep 17 00:00:00 2001
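Review bot: `chmod -R 777 /work` makes `/work` world-writable for every account in the image, one line after `chown -R vscode:vscode /work` already gave the intended user ownership; a world-writable directory lets any process in the container plant or replace files that other users, including root-run tooling, later read or execute. If the directory must be shared between `vscode` and a differently-numbered CI user, a group grant (`chgrp` plus `chmod 2775` for the setgid bit) or at minimum the sticky bit (`chmod 1777 /work`) is the least-privilege way to do it. `-R` on a freshly created empty directory is also a no-op, so the line currently does no more than `chmod 777 /work`.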
From: Anthony Brown Date: Sun, 15 Feb 2026 13:50:36 +0000 Subject: [PATCH 11/18] try it this way --- .github/workflows/build_multi_arch_image.yml | 2 ++ src/base/.devcontainer/Dockerfile | 3 +++ src/common/Dockerfile | 4 +--- src/projects/fhir_facade_api/.devcontainer/Dockerfile | 4 +--- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index a26901e1..e7b5d527 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -135,6 +135,7 @@ jobs: export BUILD_TIMESTAMP docker buildx imagetools create \ --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ + --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" env: DOCKER_TAG: ${{ inputs.docker_tag }} @@ -178,6 +179,7 @@ jobs: --annotation "index:org.opencontainers.image.version=${DOCKER_TAG}" \ --annotation "index:org.opencontainers.image.containerName=${CONTAINER_NAME}" \ --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ + --annotation "index:org.opencontainers.image.authors=NHS England EPS Team" \ --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 85f5a943..b3b4d741 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -19,6 +19,9 @@ LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:$
 LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
 LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+LABEL org.opencontainers.image.authors="NHS England EPS Team"
+LABEL org.opencontainers.image.base.image="mcr.microsoft.com/devcontainers/base:ubuntu-22.04"
+
 COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 6e8d1c0f..3a7473f7 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -20,11 +20,9 @@ ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
 ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
-LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
 LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
-LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
 LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
 USER root
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index 474753de..8226af24 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
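Review bot: `org.opencontainers.image.base.image` is not an OCI annotation key; the spec defines `org.opencontainers.image.base.name` (the image reference) and `org.opencontainers.image.base.digest`, and the `src/common/Dockerfile` and `fhir_facade_api` hunks in this same commit already switch to `base.name`, so the base image is now inconsistent with the images built on it. Change it to `LABEL org.opencontainers.image.base.name="mcr.microsoft.com/devcontainers/base:ubuntu-22.04"` and, because that tag is mutable, consider recording the resolved digest in `org.opencontainers.image.base.digest` so the exact upstream layers can be reconstructed later. The two hunks below also delete the `source` and `licenses` labels; labels are inherited from the base image so nothing is lost, but a reader of those files now has to know to look one level up.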
@@ -17,11 +17,9 @@ ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
 ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
-LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
 LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.version=${IMAGE_TAG}
-LABEL org.opencontainers.image.baseImage=${BASE_IMAGE}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
 LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
 USER root
From c2726ade3a11959cef613c5b0ca88c3ff71d6577 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 15 Feb 2026 14:43:49 +0000
Subject: [PATCH 12/18] add user 1001
---
 src/base/.devcontainer/Dockerfile | 7 +++++++
 src/base/.devcontainer/scripts/root_install.sh | 6 ++++--
 src/common/Dockerfile | 7 +++++++
 src/projects/fhir_facade_api/.devcontainer/Dockerfile | 7 +++++++
 4 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
index b3b4d741..17e583a0 100644
--- a/src/base/.devcontainer/Dockerfile
+++ b/src/base/.devcontainer/Dockerfile
@@ -40,3 +40,10 @@ RUN ./vscode_install.sh
 # Switch back to root to install the devcontainer CLI globally
 USER root
+
+RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \
+ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \
+ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \
+ cp -R /home/vscode/.config /home/githubrunner/.config && \
+ cp -R /home/vscode/.local /home/githubrunner/.local && \
+ chown -R githubrunner:githubrunner /home/githubrunner/
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index 1c6e20ec..140ff4ab 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
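Review bot: The new `RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && …` block in the base Dockerfile duplicates the entire asdf toolchain plus `.config` and `.local` into a second home directory, roughly doubling the installed-tool footprint of every image, and it depends on `/home/githubrunner` having been created by the `root_install.sh` change in this same commit. It also copies `/home/vscode/.tool-versions.asdf`, a path this file is only shown placing under `${SCRIPTS_DIR}/${CONTAINER_NAME}`; whether `vscode_install.sh` also writes it to the home directory is not visible here — confirm, or the `RUN` fails. The same seven lines are repeated verbatim in the `src/common/Dockerfile` and `fhir_facade_api` hunks, so they belong in the shared script; and if both accounts must see the same tools, pointing both at one shared install (asdf's `ASDF_DATA_DIR`) or using a single UID avoids the copy entirely.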
@@ -69,5 +69,7 @@ curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-qualit
 chown -R vscode:vscode /home/vscode
 mkdir -p /work
-chown -R vscode:vscode /work
-chmod -R 777 /work
+
+addgroup githubrunner -gid 1001
+adduser githubrunner -uid 1001 -gid 1001 --shell /bin/bash --disabled-password -c "Githubrunner user"
+echo "githubrunner ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 3a7473f7..111efcee 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
@@ -41,3 +41,10 @@ RUN ./vscode_install.sh
 # Switch back to root to install the devcontainer CLI globally
 USER root
+
+RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \
+ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \
+ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \
+ cp -R /home/vscode/.config /home/githubrunner/.config && \
+ cp -R /home/vscode/.local /home/githubrunner/.local && \
+ chown -R githubrunner:githubrunner /home/githubrunner/
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index 8226af24..3698a8b1 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -37,3 +37,10 @@ RUN ./vscode_install.sh
 # Switch back to root to install the devcontainer CLI globally
 USER root
+
+RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \
+ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \
+ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \
+ cp -R /home/vscode/.config /home/githubrunner/.config && \
+ cp -R /home/vscode/.local /home/githubrunner/.local && \
+ chown -R githubrunner:githubrunner /home/githubrunner/
From 6a483563722a1be96c3688acece6d6a74cb3145b Mon Sep 17 00:00:00 2001
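Review bot: `echo "githubrunner ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers` grants the new UID-1001 account unrestricted passwordless root and appends it straight to `/etc/sudoers` with no syntax check, so any typo in that line breaks `sudo` for every account in the image. Write it to a drop-in and validate it instead: `echo "githubrunner ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/githubrunner && chmod 0440 /etc/sudoers.d/githubrunner && visudo -cf /etc/sudoers.d/githubrunner`. The two removed lines were the only grants on `/work`, so after this hunk `/work` is a root-owned directory that neither `vscode` nor `githubrunner` can write to, which looks at odds with the previous commit's intent. The `adduser` flags `-uid`, `-gid` and `-c` are `useradd` spellings, whereas Debian's `adduser` documents `--uid`, `--gid` and `--gecos`; confirm these are accepted on the ubuntu-22.04 base or use `useradd` explicitly.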
From: Anthony Brown Date: Sun, 15 Feb 2026 16:34:25 +0000 Subject: [PATCH 13/18] fix tag --- Makefile | 8 ++++---- README.md | 6 ++++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 46211271..fe68b5d9 100644 --- a/Makefile +++ b/Makefile @@ -26,7 +26,7 @@ build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ --cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \ - --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:${IMAGE_TAG}" + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ @@ -40,7 +40,7 @@ scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ --scanners vuln \ --exit-code 1 \ - --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ @@ -56,11 +56,11 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER --scanners vuln \ --exit-code 1 \ --format json \ - --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" shell-image: guard-CONTAINER_NAME docker run -it \ - "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" \ + "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ bash lint: lint-githubactions diff --git a/README.md b/README.md index cdb4d80d..924a88d3 100644 --- a/README.md +++ b/README.md 
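Review bot: `scan-image`, `scan-image-json` and `shell-image` now expand `$${IMAGE_TAG}` in the image reference, but their prerequisite lists are still only `guard-CONTAINER_NAME` (plus `guard-BASE_FOLDER`), unlike `build-image`, which gained `guard-IMAGE_TAG` in the previous commit; with `IMAGE_TAG` unset they address `…:` and fail with a less helpful error from docker or trivy. Add `guard-IMAGE_TAG` to each of those three targets, e.g. `shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG`. The `scan-image` and `scan-image-json` recipes begin outside these hunks, so their full prerequisite lines are inferred from the `@@` context.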
@@ -94,15 +94,17 @@ CONTAINER_NAME=base \ Language images ``` CONTAINER_NAME=node_24_python_3_12 \ - BASE_VERSION_TAG=latest \ + BASE_VERSION_TAG=local-build \ BASE_FOLDER=languages \ + IMAGE_TAG=local-build \ make build-image ``` Project images ``` CONTAINER_NAME=fhir_facade_api \ - BASE_VERSION_TAG=latest \ + BASE_VERSION_TAG=local-build \ BASE_FOLDER=projects \ + IMAGE_TAG=local-build \ make build-image ``` From 85d8bf70c21c0b095fe8d7e814f874f9ef2af212 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 17:38:09 +0000 Subject: [PATCH 14/18] fix copy --- src/base/.devcontainer/Dockerfile | 6 +++--- src/common/Dockerfile | 6 +++--- src/projects/fhir_facade_api/.devcontainer/Dockerfile | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 17e583a0..23a3b744 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -41,9 +41,9 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root -RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \ +RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/.config && \ - cp -R /home/vscode/.local /home/githubrunner/.local && \ + cp -R /home/vscode/.config /home/githubrunner/ && \ + cp -R /home/vscode/.local /home/githubrunner/ && \ chown -R githubrunner:githubrunner /home/githubrunner/ diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 111efcee..5669b7e2 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile 
@@ -42,9 +42,9 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root -RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \ +RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/.config && \ - cp -R /home/vscode/.local /home/githubrunner/.local && \ + cp -R /home/vscode/.config /home/githubrunner/ && \ + cp -R /home/vscode/.local /home/githubrunner/ && \ chown -R githubrunner:githubrunner /home/githubrunner/ diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index 3698a8b1..34adbcb6 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile @@ -38,9 +38,9 @@ RUN ./vscode_install.sh # Switch back to root to install the devcontainer CLI globally USER root -RUN cp -R /home/vscode/.asdf /home/githubrunner/.asdf && \ +RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \ cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \ cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \ - cp -R /home/vscode/.config /home/githubrunner/.config && \ - cp -R /home/vscode/.local /home/githubrunner/.local && \ + cp -R /home/vscode/.config /home/githubrunner/ && \ + cp -R /home/vscode/.local /home/githubrunner/ && \ chown -R githubrunner:githubrunner /home/githubrunner/ From e287e899ccbc0455bd4cc6a02f9ecabb09e2d0c7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 17:43:21 +0000 Subject: [PATCH 15/18] more debug --- .github/workflows/build_multi_arch_image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index e7b5d527..d2c1ee05 100644 
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -131,6 +131,7 @@ jobs:
 run: |
 echo "Pushing image..."
 docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
+ echo "Tagging image with build timestamp annotation..."
 BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 export BUILD_TIMESTAMP
 docker buildx imagetools create \
From 36dcbc3f4cc0d6508e6c9a325cd985fffe6ce812 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 15 Feb 2026 18:36:08 +0000
Subject: [PATCH 16/18] go back to 1001
---
 src/base/.devcontainer/Dockerfile | 9 ---------
 src/base/.devcontainer/scripts/root_install.sh | 13 ++++++++-----
 src/common/Dockerfile | 8 --------
 .../fhir_facade_api/.devcontainer/Dockerfile | 7 -------
 4 files changed, 8 insertions(+), 29 deletions(-)
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
index 23a3b744..b9cbafb8 100644
--- a/src/base/.devcontainer/Dockerfile
+++ b/src/base/.devcontainer/Dockerfile
@@ -22,8 +22,6 @@ LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
 LABEL org.opencontainers.image.authors="NHS England EPS Team"
 LABEL org.opencontainers.image.base.image="mcr.microsoft.com/devcontainers/base:ubuntu-22.04"
-
-
 COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
 COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
@@ -40,10 +38,3 @@ RUN ./vscode_install.sh
 # Switch back to root to install the devcontainer CLI globally
 USER root
-
-RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \
- cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \
- cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \
- cp -R /home/vscode/.config /home/githubrunner/ && \
- cp -R /home/vscode/.local /home/githubrunner/ && \
- chown -R githubrunner:githubrunner /home/githubrunner/
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index 140ff4ab..e0014fb3 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -67,9 +67,12 @@ mkdir -p /usr/share/secrets-scanner
 chmod 755 /usr/share/secrets-scanner
 curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
-chown -R vscode:vscode /home/vscode
-mkdir -p /work
+# fix user and group ids for vscode user to be 1001 so it can be used by github actions
+requested_uid=1001
+requested_gid=1001
+current_uid="$(id -u vscode)"
+current_gid="$(id -g vscode)"
+if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi
+if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi
-addgroup githubrunner -gid 1001
-adduser githubrunner -uid 1001 -gid 1001 --shell /bin/bash --disabled-password -c "Githubrunner user"
-echo "githubrunner ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+chown -R vscode:vscode /home/vscode
diff --git a/src/common/Dockerfile b/src/common/Dockerfile
index 5669b7e2..fdf7afd1 100644
--- a/src/common/Dockerfile
+++ b/src/common/Dockerfile
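Review bot: `groupmod -g 1001` / `usermod -u 1001` are run without checking whether UID or GID 1001 is already allocated in the `mcr.microsoft.com/devcontainers/base:ubuntu-22.04` image, and both commands exit non-zero in that case, leaving a half-renumbered `vscode` account if the script is not run under `set -e`. A guard before the change gives a clear failure instead: `if getent passwd "${requested_uid}" >/dev/null; then echo "uid ${requested_uid} already in use" >&2; exit 1; fi` (and the same for the group). Only `/home/vscode` is re-chowned afterwards, so anything elsewhere in the filesystem created as UID 1000 before this point stays owned by the old id. This hunk also removes `mkdir -p /work`, so the `/work` directory introduced two commits earlier no longer exists in the image — confirm that is intended.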
@@ -35,16 +35,8 @@ USER vscode
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 COPY .tool-versions /tmp/.tool-versions
 RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
-ENV PATH="/home/vscode/.asdf/shims/:$PATH"
 RUN ./vscode_install.sh
 # Switch back to root to install the devcontainer CLI globally
 USER root
-
-RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \
- cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \
- cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \
- cp -R /home/vscode/.config /home/githubrunner/ && \
- cp -R /home/vscode/.local /home/githubrunner/ && \
- chown -R githubrunner:githubrunner /home/githubrunner/
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
index 34adbcb6..8226af24 100644
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -37,10 +37,3 @@ RUN ./vscode_install.sh
 # Switch back to root to install the devcontainer CLI globally
 USER root
-
-RUN cp -R /home/vscode/.asdf /home/githubrunner/ && \
- cp /home/vscode/.tool-versions.asdf /home/githubrunner/.tool-versions.asdf && \
- cp /home/vscode/.tool-versions /home/githubrunner/.tool-versions && \
- cp -R /home/vscode/.config /home/githubrunner/ && \
- cp -R /home/vscode/.local /home/githubrunner/ && \
- chown -R githubrunner:githubrunner /home/githubrunner/
From 423fa2fca225d009e63ba1a7d15fca057337d972 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 15 Feb 2026 18:47:13 +0000
Subject: [PATCH 17/18] fix output
---
 .github/workflows/build_multi_arch_image.yml | 9 ++------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index d2c1ee05..99d4bc65 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -131,13 +131,7 @@ jobs:
 run: |
 echo "Pushing image..."
 docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
- echo "Tagging image with build timestamp annotation..."
- BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
- export BUILD_TIMESTAMP
- docker buildx imagetools create \
- --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \
- --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" \
- "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
+ echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" >> "$GITHUB_STEP_SUMMARY"
 env:
 DOCKER_TAG: ${{ inputs.docker_tag }}
 CONTAINER_NAME: '${{ inputs.container_name }}'
@@ -148,6 +142,7 @@ jobs:
 docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}"
 echo "Pushing image..."
 docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}"
+ echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" >> "$GITHUB_STEP_SUMMARY"
 env:
 DOCKER_TAG: ${{ inputs.docker_tag }}
 CONTAINER_NAME: '${{ inputs.container_name }}'
From 92d42df7d95ab26d24f4bcd0fc373a5bff9b33f1 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 16 Feb 2026 08:56:03 +0000
Subject: [PATCH 18/18] update readme
---
 Makefile | 4 +-
 README.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 83 insertions(+), 15 deletions(-)
diff --git a/Makefile b/Makefile
index fe68b5d9..8d9c358f 100644
--- a/Makefile
+++ b/Makefile
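Review bot: The new summary line records only the mutable tag `…:${DOCKER_TAG}-${ARCHITECTURE}`, which is what a downstream workflow would copy, while the immutable digest that `docker push` has just resolved is discarded; with the `imagetools create` annotation step removed in the same hunk, nothing in this job emits an identifier that can be pinned. Capture the digest and print it beside the tag, e.g. `IMAGE_REF="ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"`, `IMAGE_DIGEST="$(docker inspect --format '{{index .RepoDigests 0}}' "${IMAGE_REF}")"`, `echo "## PUSHED IMAGE : ${IMAGE_REF} (${IMAGE_DIGEST})" >> "$GITHUB_STEP_SUMMARY"`, and the same in the `latest-${ARCHITECTURE}` step below. `RepoDigests 0` is only reliable when the local image carries a single repository digest; otherwise parse the `digest:` line from the `docker push` output instead. If the removed `org.opencontainers.image.created` annotation was serving a provenance purpose, nothing replaces it, and the commit subject `fix output` does not say whether that loss is intended.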
@@ -42,7 +42,7 @@ scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
 --exit-code 1 \
 --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"
-scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER
+scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
 common="src/common/.trivyignore.yaml"; \
 specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
@@ -58,7 +58,7 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER
 --format json \
 --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"
-shell-image: guard-CONTAINER_NAME
+shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
 docker run -it \
 "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \
 bash
diff --git a/README.md b/README.md
index 924a88d3..b5ba50d2 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@ Images are built using using https://github.com/devcontainers/cli.
 We build a base image based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 that other images are then based on
+The images have vsocde user setup as user 1001 so that they can be used in github actions
+
 The base image contains
 - latest os packages
 - asdf
@@ -31,24 +33,80 @@ asdf install and setup for these so they are available globally as vscode user Install and setup git-secrets # Using the images -In each eps project, you can put this in the devcontainer Dockerfile. You should not need to add any features. +In each eps project, this should be the contents of .devcontainer/Dockerfile. + ``` -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13: +ARG IMAGE_NAME=node_24_python_3_14 +ARG IMAGE_VERSION=latest +FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE_NAME}:${IMAGE_VERSION} USER root # specify DOCKER_GID to force container docker group id to match host RUN if [ -n "${DOCKER_GID}" ]; then \ - if ! getent group docker; then \ - groupadd -g ${DOCKER_GID} docker; \ - else \ - groupmod -g ${DOCKER_GID} docker; \ - fi && \ - usermod -aG docker vscode; \ + if ! getent group docker; then \ + groupadd -g ${DOCKER_GID} docker; \ + else \ + groupmod -g ${DOCKER_GID} docker; \ + fi && \ + usermod -aG docker vscode; \ fi - -USER vscode ``` +And this should be the contents of .devcontainer/devcontainer.json. +This file will be used in github workflows to calculate the version of container to use in builds, so it must be valid JSON (no comments). +The name should be changed to match the name of the project. +IMAGE_NAME and IMAGE_VERSION should be changed as appropriate. 
+You should not need to add any features as these are already baked into the image
+```
+{
+ "name": "eps-common-workflows",
+ "build": {
+ "dockerfile": "Dockerfile",
+ "args": {
+ "DOCKER_GID": "${env:DOCKER_GID:}",
+ "IMAGE_NAME": "node_24_python_3_14",
+ "IMAGE_VERSION": "v1.0.1",
+ "USER_UID": "${localEnv:USER_ID:}",
+ "USER_GID": "${localEnv:GROUP_ID:}"
+ }
+ },
+ "updateRemoteUserUID": false,
+ "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
+ "mounts": [
+ "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
+ "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
+ "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
+ "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+ ],
+ "containerUser": "vscode",
+ "remoteEnv": {
+ "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
+ },
+ "features": {},
+ "customizations": {
+ ... add any customisations you want here
+ }
+ }
+}
+```
+
+This job should be used in github actions wherever you need to get the dev container name or tag
+```
+ get_config_values:
+ runs-on: ubuntu-22.04
+ outputs:
+ devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }}
+ devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ - name: Load config value
+ id: load-config
+ run: |
+ DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
+ DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
+ echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
+ echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
+```
 # Project structure
 We have 3 types of dev container.
These are defined under src @@ -58,9 +116,9 @@ We have 3 types of dev container. These are defined under src Each image to be built contains a .devcontainer folder that defines how the devcontainer should be built. At a minimum, this should contain a devcontainer.json file. See https://containers.dev/implementors/json_reference/ for options for this -Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build +Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder. -We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude know vulnerabilities +We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude all known vulnerabilities # Pull requests and merge to main process For each pull request, and merge to main, images are built and scanned using trivy, but the images are not pushed to github container registry 
@@ -72,7 +130,9 @@ The base image is built first, and then language images, and finally project ima Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. For pull requests, images are tagged with the pr--. -For merges to main, images are tagged with the +For merges to main, images are tagged with the . + +When a pull request is merged to main or closed, all associated images are deleted from the registry using the github workflow delete_old_images # Release workflow There is a release workflow that runs weekly at 18:00 on Thursday and on demand. @@ -114,18 +174,21 @@ Base image ``` CONTAINER_NAME=base \ BASE_FOLDER=. \ + IMAGE_TAG=local-build \ make scan-image ``` Language images ``` CONTAINER_NAME=node_24_python_3_12 \ BASE_FOLDER=languages \ + IMAGE_TAG=local-build \ make scan-image ``` Project images ``` CONTAINER_NAME=fhir_facade_api \ BASE_FOLDER=projects \ + IMAGE_TAG=local-build \ make scan-image ``` @@ -134,19 +197,24 @@ You can use this to start an interactive shell on built images base image ``` CONTAINER_NAME=base \ + IMAGE_TAG=local-build \ make shell-image ``` Language images ``` CONTAINER_NAME=node_24_python_3_12 \ + IMAGE_TAG=local-build \ make shell-image ``` Project images ``` CONTAINER_NAME=fhir_facade_api \ + IMAGE_TAG=local-build \ make shell-image ``` +## Using local or pull request images +You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json ## Generating a .trivyignore file You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json