more tools installed by checking sha

anthony-nhs · anthony-nhs · commit 0127a8feb43b · 2026-04-16T10:24:48.000Z
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
@@ -1,4 +1,2 @@
-direnv 2.37.1
 actionlint 1.7.12
 ruby 3.3.0
-yq 4.52.5
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
@@ -13,6 +13,8 @@ ARG ASDF_VERSION="v0.18.1"
 ARG GITLEAKS_VERSION="8.30.1"
 ARG CFN_GUARD_VERSION="3.2.0"
 ARG SHELLCHECK_VERSION="v0.11.0"
+ARG DIRENV_VERSION="v2.37.1"
+ARG YQ_VERSION="v4.52.5"
 
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
@@ -22,6 +24,8 @@ ENV ASDF_VERSION=${ASDF_VERSION}
 ENV GITLEAKS_VERSION=${GITLEAKS_VERSION}
 ENV CFN_GUARD_VERSION=${CFN_GUARD_VERSION}
 ENV SHELLCHECK_VERSION=${SHELLCHECK_VERSION}
+ENV DIRENV_VERSION=${DIRENV_VERSION}
+ENV YQ_VERSION=${YQ_VERSION}
 
 COPY --chmod=755 scripts/lifecycle/*.sh ${SCRIPTS_DIR}/
 COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
@@ -30,6 +34,8 @@ COPY --chmod=755 scripts/install_asdf.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/instal
 COPY --chmod=755 scripts/install_gitleaks.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_gitleaks.sh
 COPY --chmod=755 scripts/install_cfn_guard.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_cfn_guard.sh
 COPY --chmod=755 scripts/install_shellcheck.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_shellcheck.sh
+COPY --chmod=755 scripts/install_direnv.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_direnv.sh
+COPY --chmod=755 scripts/install_yq.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_yq.sh
 COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
diff --git a/src/base/.devcontainer/scripts/install_direnv.sh b/src/base/.devcontainer/scripts/install_direnv.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERSION=${VERSION:-"v2.37.1"}
+# Expected SHA256 checksums taken from https://github.com/direnv/direnv/releases/tag/v2.37.1
+# When we change direnv versions, these must be changed
+sha256sum_expected_arm="sha256:2a9cef8d73521d6a3ec3f2871c4b747b8c4cc038628c1b57a7efa42b393a2d82"
+sha256sum_expected_amd64="sha256:1f1b93dd6f38523fde26dfac96151ef9d31a374e3005cd3345fb93555ae0c9b5"
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+    exit 1
+fi
+
+# Checks if packages are installed and installs them if not
+check_packages() {
+    if ! dpkg -s "$@" > /dev/null 2>&1; then
+        sudo apt-get -y install --no-install-recommends "$@"
+    fi
+}
+
+check_packages curl ca-certificates tar
+
+install() {
+    tmp_dir="$(mktemp -d)"
+    trap 'rm -rf "${tmp_dir}"' EXIT
+
+    download_file="${tmp_dir}/direnv"
+
+    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
+        download_url="https://github.com/direnv/direnv/releases/download/${VERSION}/direnv.linux-arm64"
+        sha256sum_expected="${sha256sum_expected_arm}"
+    else
+        download_url="https://github.com/direnv/direnv/releases/download/${VERSION}/direnv.linux-amd64"
+        sha256sum_expected="${sha256sum_expected_amd64}"
+    fi
+    echo "Downloading direnv from ${download_url}..."
+    curl -fsSL "${download_url}" -o "${download_file}"
+
+    download_file_sha256sum=$(sha256sum "${download_file}" | awk '{print $1}')
+    if [ "${download_file_sha256sum}" != "${sha256sum_expected#sha256:}" ]; then
+        echo "SHA256 checksum mismatch for downloaded direnv archive"
+        echo "Expected: ${sha256sum_expected}"
+        echo "Actual:   sha256:${download_file_sha256sum}"
+        exit 1
+    fi
+
+    mkdir -p /usr/bin
+    mv "${download_file}" /usr/bin/direnv
+    chmod +x /usr/bin/direnv
+}
+echo "(*) Installing direnv..."
+
+install
+
+echo "Done!"
diff --git a/src/base/.devcontainer/scripts/install_yq.sh b/src/base/.devcontainer/scripts/install_yq.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERSION=${VERSION:-"v4.52.5"}
+# Expected SHA256 checksums taken from https://github.com/mikefarah/yq/releases/tag/v4.52.5
+# When we change yq versions, these must be changed
+sha256sum_expected_arm="sha256:90fa510c50ee8ca75544dbfffed10c88ed59b36834df35916520cddc623d9aaa"
+sha256sum_expected_amd64="sha256:75d893a0d5940d1019cb7cdc60001d9e876623852c31cfc6267047bc31149fa9"
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+    exit 1
+fi
+
+# Checks if packages are installed and installs them if not
+check_packages() {
+    if ! dpkg -s "$@" > /dev/null 2>&1; then
+        sudo apt-get -y install --no-install-recommends "$@"
+    fi
+}
+
+check_packages curl ca-certificates tar
+
+install() {
+    tmp_dir="$(mktemp -d)"
+    trap 'rm -rf "${tmp_dir}"' EXIT
+
+    download_file="${tmp_dir}/yq"
+
+    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
+        download_url="https://github.com/mikefarah/yq/releases/download/${VERSION}/yq_linux_arm64"
+        sha256sum_expected="${sha256sum_expected_arm}"
+    else
+        download_url="https://github.com/mikefarah/yq/releases/download/${VERSION}/yq_linux_amd64"
+        sha256sum_expected="${sha256sum_expected_amd64}"
+    fi
+    echo "Downloading yq from ${download_url}..."
+    curl -fsSL "${download_url}" -o "${download_file}"
+
+    download_file_sha256sum=$(sha256sum "${download_file}" | awk '{print $1}')
+    if [ "${download_file_sha256sum}" != "${sha256sum_expected#sha256:}" ]; then
+        echo "SHA256 checksum mismatch for downloaded yq archive"
+        echo "Expected: ${sha256sum_expected}"
+        echo "Actual:   sha256:${download_file_sha256sum}"
+        exit 1
+    fi
+
+    mkdir -p /usr/bin
+    mv "${download_file}" /usr/bin/yq
+    chmod +x /usr/bin/yq
+}
+echo "(*) Installing yq..."
+
+install
+
+echo "Done!"
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
@@ -40,6 +40,10 @@ VERSION="${ASDF_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_asdf.sh"
 VERSION="${GITLEAKS_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_gitleaks.sh"
 # install shellcheck
 VERSION="${SHELLCHECK_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_shellcheck.sh"
+# install direnv
+VERSION="${DIRENV_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_direnv.sh"
+# install yq
+VERSION="${YQ_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_yq.sh"
 
 # install gitsecrets
 # this should be removed once we have migrated all repos to gitleaks
diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh
@@ -12,11 +12,9 @@ echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc
 echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc
 
 # Install ASDF plugins
-asdf plugin add direnv
+# actionlint install is verified so can install via asdf
 asdf plugin add actionlint
 asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git
-asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git
-asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
 
 # install cfn-guard
 VERSION="${CFN_GUARD_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_cfn_guard.sh"
diff --git a/src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh b/src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh
@@ -2,5 +2,6 @@
 set -e
 
 # install terraform using asdf
+# terraform is verified by asdf install
 asdf plugin add terraform
 asdf install
