less permissions

anthony-nhs · anthony-nhs · commit 4e9d9828f9e6 · 2026-04-15T08:05:54.000Z
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
@@ -39,6 +39,44 @@ jobs:
             echo "projects=$project_folders"
           } >> "$GITHUB_OUTPUT"
 
+  build_tool_images:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      attestations: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: build_grype
+        run:
+          make build-grype
+          docker save "local_grype:latest" -o grype_image.tar
+      - name: build_syft
+        run:
+          make build-syft
+          docker save "local_syft:latest" -o syft_image.tar
+      - name: build_grant
+        run:
+          make build-grant
+          docker save "local_grant:latest" -o grant_image.tar
+
+      - name: build_tflint
+        run:
+          make build-tflint
+          docker save "local_tflint:latest" -o tflint_image.tar
+
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        name: Upload docker images
+        with:
+          name: docker_artifact
+          path: |
+            grype_image.tar
+            syft_image.tar
+            grant_image.tar
+            tflint_image.tar
   package_base_docker_image:
     uses: ./.github/workflows/build_multi_arch_image.yml
     with:
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -134,11 +134,30 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: '24.14.0'
+      - name: docker_artifact download
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+        with:
+          name: docker_artifact
+          path: images/
+      - name: extract docker images
+        run: |
+          for image in images/*.tar; do
+            docker load -i "$image"
+          done
+          rm -rf images
       - name: setup syft and grype
         run: |
           mkdir -p "$RUNNER_TEMP/bin"
-          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.syft" src/base/.devcontainer/
-          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.grype" src/base/.devcontainer/
+          id=$(docker create local_grype:latest)
+          docker cp "$id":/grype - | tar -xOf - grype > "$RUNNER_TEMP/bin/grype"
+          chmod +x "$RUNNER_TEMP/bin/grype"
+          docker rm -v "$id"
+
+          mkdir -p "$RUNNER_TEMP/bin"
+          id=$(docker create local_syft:latest)
+          docker cp "$id":/syft - | tar -xOf - syft > "$RUNNER_TEMP/bin/syft"
+          chmod +x "$RUNNER_TEMP/bin/syft"
+          docker rm -v "$id"
           echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
       - name: make install
         run: |
diff --git a/Makefile b/Makefile
@@ -65,19 +65,35 @@ build-all: build-base-image build-node-24-image build-node-24-python-3-10-image
 	build-regression-tests-image
 
 build-syft:
-	docker build -f src/base/.devcontainer/Dockerfile.syft --tag local_syft:latest src/base/.devcontainer/
+	@if docker image inspect local_syft:latest >/dev/null 2>&1; then \
+		echo "Image local_syft:latest already exists. Skipping build."; \
+	else \
+		docker build -f src/base/.devcontainer/Dockerfile.syft --tag local_syft:latest src/base/.devcontainer/; \
+	fi
 build-grype:
-	docker build -f src/base/.devcontainer/Dockerfile.grype --tag local_grype:latest src/base/.devcontainer/
+	@if docker image inspect local_grype:latest >/dev/null 2>&1; then \
+		echo "Image local_grype:latest already exists. Skipping build."; \
+	else \
+		docker build -f src/base/.devcontainer/Dockerfile.grype --tag local_grype:latest src/base/.devcontainer/; \
+	fi
 
 build-grant:
-	docker build -f src/base/.devcontainer/Dockerfile.grant --tag local_grant:latest src/base/.devcontainer/
+	@if docker image inspect local_grant:latest >/dev/null 2>&1; then \
+		echo "Image local_grant:latest already exists. Skipping build."; \
+	else \
+		docker build -f src/base/.devcontainer/Dockerfile.grant --tag local_grant:latest src/base/.devcontainer/; \
+	fi
 
 build-tflint:
-	docker buildx build \
-		--secret id=GH_TOKEN,env=GITHUB_TOKEN \
-		-f src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint \
-		--tag local_tflint:latest \
-		src/projects/eps-storage-terraform/.devcontainer/
+	@if docker image inspect local_tflint:latest >/dev/null 2>&1; then \
+		echo "Image local_tflint:latest already exists. Skipping build."; \
+	else \
+		docker buildx build \
+			--secret id=GH_TOKEN,env=GITHUB_TOKEN \
+			-f src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint \
+			--tag local_tflint:latest \
+			src/projects/eps-storage-terraform/.devcontainer/; \
+	fi
 
 build-image: build-syft build-grype build-grant build-tflint guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
 	workspace_folder="$${CONTAINER_NAME}"; \
