build it another way

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -1,3 +1,14 @@
+FROM golang:1.26.1-bookworm AS build
+RUN apt-get update && apt-get install -y \
+    jq \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+COPY scripts/install_cosign.sh /tmp/install_cosign.sh
+COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
+RUN INSTALL_DIR=/tmp/trivy_arm64 ARCH=ARM64 /tmp/install_trivy.sh
+RUN INSTALL_DIR=/tmp/trivy_amd64 ARCH=64bit /tmp/install_trivy.sh
+
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 ARG TARGETARCH
 ENV TARGETARCH=${TARGETARCH}
@@ -63,7 +74,7 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
     mkdir -p /usr/share/secrets-scanner && \
     chmod 755 /usr/share/secrets-scanner && \
     curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
-
+COPY --from=build /tmp/trivy_amd64/trivy /usr/local/bin/trivy
 USER vscode
 
 ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"
@@ -83,9 +94,7 @@ RUN asdf plugin add python; \
     asdf plugin add actionlint; \
     asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \
     asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \
-    asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git; \
-    asdf plugin add golang
-
+    asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git;
 
 WORKDIR /workspaces/eps-devcontainers
 COPY .tool-versions /workspaces/eps-devcontainers/.tool-versions
@@ -95,10 +104,5 @@ COPY .tool-versions /home/vscode/.tool-versions
 RUN asdf install python; \
     asdf install
 
-COPY scripts/install_cosign.sh /tmp/install_cosign.sh
-COPY scripts/install_trivy.sh /tmp/install_trivy.sh
-RUN INSTALL_DIR=/home/vscode/.local/bin /tmp/install_cosign.sh
-RUN INSTALL_DIR=/home/vscode/.local/bin /tmp/install_trivy.sh
-
 RUN git-secrets --register-aws --global && \
   git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt

.devcontainer/Dockerfile.test

@@ -0,0 +1,10 @@
+FROM golang:1.26.1-bookworm
+RUN apt-get update && apt-get install -y \
+    jq \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+COPY scripts/install_cosign.sh /tmp/install_cosign.sh
+COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
+RUN INSTALL_DIR=trivy_arm64 ARCH=ARM64 /tmp/install_trivy.sh
+RUN INSTALL_DIR=trivy_amd64 ARCH=64bit /tmp/install_trivy.sh

.github/workflows/build_all_images.yml

@@ -64,6 +64,9 @@ jobs:
 
   package_base_docker_image:
     uses: ./.github/workflows/build_multi_arch_image.yml
+    needs: [
+      download_trivy
+    ]
     with:
       tag_latest: ${{ inputs.tag_latest }}
       docker_tag: ${{ inputs.docker_tag }}

.gitignore

@@ -4,3 +4,4 @@ src/base/.devcontainer/language_versions/
 .trivyignore_combined.yaml
 .out/
 .envrc
+.trivy_out/

.tool-versions

@@ -6,4 +6,3 @@ direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
 yq 4.52.2
-golang 1.24.13

Makefile

@@ -1,4 +1,8 @@
 CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers/
+include src/base/.devcontainer/Mk/build.mk
+include src/base/.devcontainer/Mk/check.mk
+include src/base/.devcontainer/Mk/trivy.mk
+include src/base/.devcontainer/Mk/credentials.mk
 
 ifeq ($(strip $(NO_CACHE)),true)
 NO_CACHE_FLAG=--no-cache