src/projects/eps-storage-terraform/.devcontainer Expand file tree Collapse file tree Original file line number Diff line number Diff line change 9292 BASE_FOLDER : " ${{ inputs.base_folder }}"
9393 NO_CACHE : ' ${{ inputs.NO_CACHE }}'
9494 BUILDX_NO_DEFAULT_ATTESTATIONS : " 1"
95+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
9596 - name : Check docker vulnerabilities - json output
9697 run : |
9798 make scan-image-json
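Review bot: The new `GITHUB_TOKEN` env entry carries no explanation of why an image build needs a GitHub token, and the step it belongs to starts outside this hunk, so a reader cannot tell which commands consume it. From the Makefile in this same commit it appears to feed `make build-tflint` via `--secret id=GH_TOKEN,env=GITHUB_TOKEN`, where it is mounted only for the `gh attestation verify` call. A one-line comment on the env entry would stop it being removed or widened later: `# consumed by build-tflint (--secret id=GH_TOKEN) so gh attestation verify can call the GitHub API`. Since every other target run in this step also sees the variable, it is worth confirming that the job's permissions block (outside the hunk) grants nothing beyond read scopes.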
Original file line number Diff line number Diff line change 1717 uses : NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
1818 needs :
1919 - get_config_values
20+ permissions :
21+ contents : read
22+ packages : read
23+ id-token : write
2024 with :
2125 pinned_image : ${{ needs.get_config_values.outputs.pinned_image }}
2226 secrets :
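Review bot: The added `permissions` block grants `id-token: write` to the caller of the reusable workflow without a comment saying what the called workflow does with an OIDC token; the same block appears in the two following file sections. `id-token: write` lets the job mint OIDC tokens for cloud federation or attestation signing, and nothing in this commit shows the called `quality-checks-devcontainer.yml` needing that (the attestation step introduced here is a verify, which authenticates with the ordinary token). If the reusable workflow does require it, record why next to the line: `id-token: write  # required by quality-checks-devcontainer.yml for <purpose>`; otherwise drop it to keep the job at read-only scopes. The permission presumably has to be declared on the caller because a reusable workflow cannot exceed its caller's grants — confirm against the called workflow.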
Original file line number Diff line number Diff line change 2828 - get_config_values
2929 with :
3030 pinned_image : ${{ needs.get_config_values.outputs.pinned_image }}
31+ permissions :
32+ contents : read
33+ packages : read
34+ id-token : write
3135 secrets :
3236 SONAR_TOKEN : ' ${{ secrets.SONAR_TOKEN }}'
3337 pr_title_format_check :
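Review bot: In this file the new `permissions` block is inserted between `with:` and `secrets:`, whereas the other two workflow files in this commit place it before `with:`, directly after `needs:`. The placement is valid YAML either way, but keeping the key order identical across the three call sites makes future diffs between the workflows line up and makes the block easy to find when auditing grants. Moving the four lines to follow `- get_config_values` would match the siblings.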
Original file line number Diff line number Diff line change 1818 uses : NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
1919 needs :
2020 - get_config_values
21+ permissions :
22+ contents : read
23+ packages : read
24+ id-token : write
2125 with :
2226 pinned_image : ${{ needs.get_config_values.outputs.pinned_image }}
2327 secrets :
Original file line number Diff line number Diff line change @@ -43,7 +43,7 @@ build-node-24-python-3-14-image:
4343 CONTAINER_NAME=node_24_python_3_14 BASE_VERSION_TAG=local-build BASE_FOLDER=languages IMAGE_TAG=local-build $(MAKE ) build-image
4444
4545build-eps-storage-terraform-image :
46- CONTAINER_NAME=eps_storage_terraform BASE_VERSION_TAG=local-build BASE_FOLDER=projects IMAGE_TAG=local-build $(MAKE ) build-image
46+ CONTAINER_NAME=eps-storage-terraform BASE_VERSION_TAG=local-build BASE_FOLDER=projects IMAGE_TAG=local-build $(MAKE ) build-image
4747
4848build-eps-data-extract-image :
4949 CONTAINER_NAME=eps_data_extract BASE_VERSION_TAG=local-build BASE_FOLDER=projects IMAGE_TAG=local-build $(MAKE ) build-image
@@ -72,7 +72,14 @@ build-grype:
7272build-grant :
7373 docker build -f src/base/.devcontainer/Dockerfile.grant --tag local_grant:latest src/base/.devcontainer/
7474
75- build-image : build-syft build-grype build-grant guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
75+ build-tflint :
76+ docker buildx build \
77+ --secret id=GH_TOKEN,env=GITHUB_TOKEN \
78+ -f src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint \
79+ --tag local_tflint:latest \
80+ src/projects/eps-storage-terraform/.devcontainer/
81+
82+ build-image : build-syft build-grype build-grant build-tflint guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
7683 workspace_folder=" $$ {CONTAINER_NAME}" ; \
7784 case " $$ {CONTAINER_NAME}" in \
7885 eps_* ) workspace_folder=" $$ (printf '%s' " $$ {CONTAINER_NAME}" | tr '_' '-')" ;; \
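Review bot: `build-tflint` reads `GITHUB_TOKEN` through `--secret id=GH_TOKEN,env=GITHUB_TOKEN` but, unlike `build-image`, does not guard the variable, so a local developer without the token gets a failure from inside the buildx run (or from `gh` inside the build) rather than the clear message the existing `guard-*` prerequisites give; the `guard-%` rule itself is outside the hunk, so this assumes it is a generic pattern rule. Adding the prerequisite keeps the failure mode consistent: `build-tflint: guard-GITHUB_TOKEN`. Passing the token as a buildx secret rather than a `--build-arg` is the right choice, since it is mounted for the one `RUN` and is not written to any layer — worth a short comment on the recipe so nobody "simplifies" it into a build arg. Note also that `build-image` now rebuilds the tflint image for every container, not only `eps-storage-terraform`; the `.PHONY` declaration for the new target is not visible in this hunk.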
Original file line number Diff line number Diff line change 11ARG BASE_VERSION_TAG=latest
22ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG}
33
4+ FROM local_tflint:latest AS tflint-build
45FROM ${BASE_IMAGE}
56
67ARG SCRIPTS_DIR=/usr/local/share/eps
@@ -26,6 +27,7 @@ USER root
2627COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
2728WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
2829RUN ./root_install.sh
30+ COPY --from=tflint-build /tflint /usr/local/bin/tflint
2931
3032USER vscode
3133
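Review bot: `FROM local_tflint:latest AS tflint-build` depends on an image that exists only in the local daemon's store after `make build-tflint`, and nothing in the Dockerfile says so. A builder that cannot see local images (a buildx container driver, or a fresh CI runner that has not run that target) will try to resolve the name as `docker.io/library/local_tflint:latest` and fail with a confusing pull error rather than a missing-prerequisite message. A comment on the stage would capture the contract: `# local_tflint:latest is produced by \`make build-tflint\` from Dockerfile.tflint; it is never pulled from a registry`. The copy into `/usr/local/bin/tflint` after `root_install.sh` is fine, but consider whether the binary should be copied before that script runs, in case a later change makes the script expect tflint to be present.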
Original file line number Diff line number Diff line change 1+ FROM serversideup/github-cli:2.89.0 AS build
2+ ARG TARGETARCH
3+ ARG TFLINT_VERSION="v0.61.0"
4+ COPY --chmod=755 scripts/install_tflint.sh /tmp/install_tflint.sh
5+ RUN --mount=type=secret,id=GH_TOKEN,env=GH_TOKEN \
6+ INSTALL_DIR=/tmp/tflint/ \
7+ ARCH="${TARGETARCH}" \
8+ VERSION="${TFLINT_VERSION}" \
9+ /tmp/install_tflint.sh
10+
11+ FROM scratch
12+ COPY --from=build /tmp/tflint/tflint /tflint
13+ ENTRYPOINT ["/tflint"]
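Review bot: The `ARCH="${TARGETARCH}"` and `VERSION="${TFLINT_VERSION}"` assignments on the `RUN` line are never read: the script in this commit consumes `TARGETARCH` and `TFLINT_VERSION` directly, which reach it only because both are declared as `ARG` and are therefore exported into the `RUN` environment. The two dead assignments suggest a contract the script does not have; either delete them or make them match what the script reads, e.g. `INSTALL_DIR=/tmp/tflint/ TFLINT_VERSION="${TFLINT_VERSION}" /tmp/install_tflint.sh`. Separately, `serversideup/github-cli:2.89.0` is a community image pinned only by mutable tag, and this stage is the trust anchor for the `gh attestation verify` step — a tampered `gh` could report success for anything; pin it by digest (`serversideup/github-cli:2.89.0@sha256:<DIGEST>`) so the verifier itself is immutable. The secret mount with `env=GH_TOKEN` is the right shape: the token is visible to that one `RUN` and is not persisted in a layer.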
Original file line number Diff line number Diff line change 1+ #! /usr/bin/env bash
2+
3+ set -euo pipefail
4+ export DEBIAN_FRONTEND=noninteractive
5+
6+ DEFAULT_INSTALL_DIR=" /usr/local/bin"
7+ INSTALL_DIR=" ${INSTALL_DIR:- $DEFAULT_INSTALL_DIR } "
8+
9+ case " ${TARGETARCH:- } " in
10+ amd64|arm64)
11+ TFLINT_ARCH=" ${TARGETARCH} "
12+ ;;
13+ * )
14+ echo " Unsupported or missing TARGETARCH: '${TARGETARCH:- } '"
15+ echo " Expected one of: amd64, arm64"
16+ exit 1
17+ ;;
18+ esac
19+
20+ if ! command -v curl > /dev/null 2>&1 || ! command -v unzip > /dev/null 2>&1 ; then
21+ apt-get update
22+ apt-get install -y --no-install-recommends curl unzip ca-certificates
23+ fi
24+
25+ if ! command -v gh > /dev/null 2>&1 ; then
26+ echo " GitHub CLI (gh) is required for attestation verification but was not found"
27+ exit 1
28+ fi
29+
30+ TFLINT_URL=" https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION} /tflint_linux_${TFLINT_ARCH} .zip"
31+ TFLINT_ASSET_NAME=" tflint_linux_${TFLINT_ARCH} .zip"
32+ CHECKSUMS_URL=" https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION} /checksums.txt"
33+ tmp_dir=" $( mktemp -d) "
34+ trap ' rm -rf "${tmp_dir}"' EXIT
35+
36+ curl -fsSL " ${CHECKSUMS_URL} " -o " ${tmp_dir} /checksums.txt"
37+ gh attestation verify " ${tmp_dir} /checksums.txt" -R terraform-linters/tflint
38+
39+ curl -fsSL " ${TFLINT_URL} " -o " ${tmp_dir} /${TFLINT_ASSET_NAME} "
40+ (
41+ cd " ${tmp_dir} "
42+ sha256sum --ignore-missing -c checksums.txt
43+ )
44+
45+ unzip -q " ${tmp_dir} /${TFLINT_ASSET_NAME} " -d " ${tmp_dir} "
46+
47+ mkdir -p " $INSTALL_DIR "
48+ install -m 0755 " $tmp_dir /tflint" " ${INSTALL_DIR} /tflint"
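Review bot: `TFLINT_VERSION` is used without a default or a check, so under `set -u` an unset value aborts with a bare "unbound variable" at the `TFLINT_URL` line instead of a message naming the input; a guard near the top fixes that: `: "${TFLINT_VERSION:?TFLINT_VERSION must be set, e.g. v0.61.0}"`. The same applies to the token `gh` needs — the script checks that the `gh` binary exists but not that `GH_TOKEN` is set, and if `gh attestation verify` refuses to run unauthenticated here (it presumably does), a similar `:?` guard gives a clearer failure. The file also has no header describing its inputs; a short comment block listing `TARGETARCH` (amd64|arm64), `TFLINT_VERSION`, `INSTALL_DIR` (default /usr/local/bin) and `GH_TOKEN`, and stating that the attestation check covers `checksums.txt` while the sha256 line binds the downloaded zip to that attested file, would stop a later maintainer from dropping one half of the chain. The `--ignore-missing` form relies on modern coreutils reporting "no file was verified" when the asset line is absent; filtering the expected line first (`grep " ${TFLINT_ASSET_NAME}$" checksums.txt | sha256sum -c -`) makes that requirement explicit.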
Original file line number Diff line number Diff line change 11#! /usr/bin/env bash
22
3- set -e
3+ set -euo pipefail
44
55# clean up
66apt-get clean
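Review bot: Switching this script from `set -e` to `set -euo pipefail` changes behaviour for every parameter expansion below the hunk: any `$VAR` that was previously tolerated while unset now aborts the script, and any pipeline whose non-final command fails now propagates that failure. The rest of the script is outside the hunk, so it is not possible to confirm from here that its expansions all use `${VAR:-}` or are guaranteed set. Worth a quick grep of the script for bare expansions before merging, with the intent noted on the line: `set -euo pipefail  # all vars below must be set or use ${VAR:-} defaults`.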