Merge branch 'main' into dependabot/npm_and_yarn/devcontainers/cli-0.83.0

Author: anthony-nhs

.github/scripts/delete_unused_images.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -e
+
+get_container_package_name() {
+	local container_name=$1
+
+	if [[ -z "${container_name}" ]]; then
+		echo "Container name is required" >&2
+		return 1
+	fi
+
+	# URL-encode the package path (eps-devcontainers/${container_name}) for the GH API
+	printf 'eps-devcontainers/%s' "${container_name}" | jq -sRr @uri
+}
+
+get_container_versions_json() {
+	local container_name=$1
+	local package_name
+
+	package_name=$(get_container_package_name "${container_name}")
+
+	gh api \
+		-H "Accept: application/vnd.github+json" \
+		"/orgs/nhsdigital/packages/container/${package_name}/versions" \
+		--paginate
+}
+
+delete_pr_images() {
+	local container_name=$1
+	local package_name
+	local versions_json
+	local tags
+
+	if [[ -z "${container_name}" ]]; then
+		echo "Container name is required" >&2
+		return 1
+	fi
+
+	package_name=$(get_container_package_name "${container_name}")
+	versions_json=$(get_container_versions_json "${container_name}")
+	tags=$(jq -r '[.[].metadata.container.tags[]?] | unique | .[]' <<<"${versions_json}")
+
+	if [[ -z "${tags}" ]]; then
+		return 0
+	fi
+
+	while IFS= read -r tag; do
+		if [[ "${tag}" =~ ^pr-[0-9]+- ]]; then
+			local pull_request
+			local pr_json
+			local pr_state
+
+			pull_request=${tag#pr-}
+			pull_request=${pull_request%%-*}
+
+			if ! pr_json=$(gh api \
+				-H "Accept: application/vnd.github+json" \
+				"/repos/NHSDigital/eps-devcontainers/pulls/${pull_request}"); then
+				continue
+			fi
+            echo "Checking PR #${pull_request} for tag ${tag} in container ${container_name}..."
+			pr_state=$(jq -r '.state // empty' <<<"${pr_json}")
+			if [[ "${pr_state}" != "closed" ]]; then
+                echo "State is not closed - not deleting images"
+				continue
+			fi
+
+			jq -r --arg tag "${tag}" '.[] | select(.metadata.container.tags[]? == $tag) | .id' \
+				<<<"${versions_json}" \
+				| while IFS= read -r version_id; do
+					if [[ -n "${version_id}" ]]; then
+                        echo "Deleting image with tag ${tag} (version ID: ${version_id}) from container ${container_name}..."
+						gh api \
+							-H "Accept: application/vnd.github+json" \
+							-X DELETE \
+							"/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}"
+					fi
+				done
+		fi
+	done <<<"${tags}"
+}
+
+
+language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
+project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
+
+for container_name in $(jq -r '.[]' <<<"${project_folders}"); do
+	delete_pr_images "${container_name}"
+done
+
+for container_name in $(jq -r '.[]' <<<"${language_folders}"); do
+	delete_pr_images "${container_name}"
+done
+
+delete_pr_images "base"

.github/workflows/build_all_images.yml

@@ -17,7 +17,7 @@ jobs:
       language_folders: ${{ steps.find-folders.outputs.languages }}
       project_folders: ${{ steps.find-folders.outputs.projects }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - id: find-folders
         run: |

.github/workflows/build_multi_arch_image.yml

@@ -53,11 +53,11 @@ jobs:
               username: ${{github.actor}}
               password: ${{secrets.GITHUB_TOKEN}}
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
       - name: setup node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
         with:
           node-version-file: .tool-versions
 
@@ -88,7 +88,7 @@ jobs:
           IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}"
           BASE_FOLDER: "${{ inputs.base_folder }}"
       - name: Check docker vulnerabilities - json output
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
         with:
           scan-type: "image"
           image-ref:  "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
@@ -105,7 +105,7 @@ jobs:
           name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
           path: scan_results_docker.json
       - name: Check docker vulnerabilities - table output
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
         with:
           scan-type: "image"
           image-ref:  "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"

.github/workflows/ci.yml

@@ -11,7 +11,7 @@ jobs:
       tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}'
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Get asdf version
         id: asdf-version
         run: >-
@@ -23,7 +23,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@997a1946c83bb2a9eda418847ed640738af949ff
     needs:
       - get_asdf_version
     with:
@@ -32,7 +32,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@997a1946c83bb2a9eda418847ed640738af949ff
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/delete_old_images.yml

@@ -0,0 +1,55 @@
+name: "Delete old cloudformation stacks"
+
+# Controls when the action will run - in this case triggered manually and on schedule
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 1,13 * * *"
+  push:
+    branches: [main]
+
+jobs:
+  delete-old-cloudformation-stacks:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout local code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+          fetch-depth: 0
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
+          role-session-name: psu-delete-old-stacks
+
+      - name: delete stacks
+        shell: bash
+        working-directory: .github/scripts
+        run: ./delete_stacks.sh
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  delete-old-proxygen-deployments:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout local code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+          fetch-depth: 0
+
+      - name: delete unused images
+        shell: bash
+        working-directory: .github/scripts
+        run: ./delete_unused_images.sh

.github/workflows/pull_request.yml

@@ -9,7 +9,7 @@ jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@997a1946c83bb2a9eda418847ed640738af949ff
     secrets:
       AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}'
       AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}'
@@ -20,7 +20,7 @@ jobs:
       tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}'
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Get asdf version
         id: asdf-version
         run: >-
@@ -32,7 +32,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@997a1946c83bb2a9eda418847ed640738af949ff
     needs:
       - get_asdf_version
     with:
@@ -41,7 +41,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   pr_title_format_check:
     uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@997a1946c83bb2a9eda418847ed640738af949ff
   get_issue_number:
     runs-on: ubuntu-22.04
     needs: quality_checks
@@ -75,7 +75,7 @@ jobs:
       sha_short: '${{ steps.commit_id.outputs.sha_short }}'
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: '${{ env.BRANCH_NAME }}'
       - name: Get Commit ID

.github/workflows/release.yml

@@ -12,7 +12,7 @@ jobs:
       tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}'
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Get asdf version
         id: asdf-version
         run: >-
@@ -24,7 +24,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@997a1946c83bb2a9eda418847ed640738af949ff
     needs:
       - get_asdf_version
     with:
@@ -33,7 +33,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@997a1946c83bb2a9eda418847ed640738af949ff
     with:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

Makefile

@@ -25,6 +25,7 @@ build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-BASE_FOLDER
 	npx devcontainer build \
 		--workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \
 		--push false \
+		--cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \
 		--label "org.opencontainers.image.revision=$$DOCKER_TAG" \
 		--image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}"
 
@@ -70,3 +71,9 @@ test:
 
 lint-githubactions:
 	actionlint
+
+github-login:
+	gh auth login --scopes read:packages
+
+lint-githubaction-scripts:
+	shellcheck .github/scripts/*.sh