update readme

anthony-nhs · anthony-nhs · commit 844be0860e3b · 2026-02-12T14:03:56.000Z
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -66,7 +66,6 @@ jobs:
           if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi
           if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi
           echo "Combined trivy ignore file created at $combined"
-          cat "$combined"
 
         env:
           ARCHITECTURE: '${{ matrix.arch }}'
@@ -78,6 +77,7 @@ jobs:
         with:
           name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}"
           path: src/${{ inputs.container_name }}/.trivyignore_combined.yaml
+          include-hidden-files: true
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         name: Upload docker images
         with:
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@ EPS DEV CONTAINERS
 ==================
 
 # Introduction
-This repo contains code to build a vscode devcontainer that is used as a base image for all EPS projects.   
+This repo contains code to build a vscode devcontainers that can be used as a base image for all EPS projects.   
 Images are build for amd64 and arm64 and a manifest file created that can be pulled for both architectures.   
 Images are based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 Images contain
@@ -25,31 +25,63 @@ asdf install and setup for these so they are available globally as vscode user
  - trivy
 
 Install asdf plugins for all tools we use
-Install asdf versions of node, python, java, terraform, golang used by all EPS projects to speed up initial build of local dev container
 Install and setup git-secrets
 
 # Project structure
-The dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container.   
+## base container
+The base dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container.   
 As part of the dockerfile, there are scripts in the scripts folder that run as root and vscode user that setup and install various programs.
 
 The dev container is built using https://github.com/devcontainers/cli
 
-The script `scripts/generate_language_version_files.sh` gets the version of node, python, java and terraform from all EPS repositories. It uses the list of repos from https://github.com/NHSDigital/eps-repo-status/blob/main/repos.json to find all EPS repos.
+## common files
+There are some common files under src/common. These include
+- a Dockerfile used to build specific containers that installs poetry after python has been installed
+- a .trivyignore file that contains trivy suppressions in the base image
+
+## specific containers
+There are specific containers in src/<specific> - eg src/base/node_24_python_3_14
+These have a .devcontainer/devcontainer.json file used to built the image
+These use the base container as a base and then install specific versions of tools using devcontainer features, or a customised Dockerfile
+If there are specific vulnerabilities from these tools, then these should be added to the .trivyignore file in the folder
 
 # Build process
-Docker images are built for each pull request, and on merges to main
+Docker images are built for each pull request, and on merges to main.   
+Docker images are built for amd64 and arm64 architecture, and a combined manifest is created and pushed as part of the build.   
+
+The base image is built first, and then all other images are built
 
 Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file.
-   
-On merges to main, a new release is created and the images are pushed to github. The images are tagged with `latest` and the version of the release.
+
+For pull requests, an image is pushed with tag `pr-<pull-request-id>-<short commit sha>`
+On merges to main, a new release is created, and images are tagged with `latest` and the version of the release.
 
 # Local testing
 For local testing, you can run
 ```
-ARCHITECTURE=amd64 make build-base-image
+CONTAINER_NAME=base BASE_VERSION=latest make build-image
 ``` 
 to build a local image, and then
 ```
-make scan-base-image
+CONTAINER_NAME=base BASE_VERSION=latest make scan-image
 ```
 to scan for vulnerabilities
+
+# Using the images
+In each eps project, you can put this in the devcontainer Dockerfile. You should not need to add any features. 
+```
+FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:<version>
+
+USER root
+# specify DOCKER_GID to force container docker group id to match host
+RUN if [ -n "${DOCKER_GID}" ]; then \
+      if ! getent group docker; then \
+        groupadd -g ${DOCKER_GID} docker; \
+      else \
+        groupmod -g ${DOCKER_GID} docker; \
+      fi && \
+      usermod -aG docker vscode; \
+    fi
+
+USER vscode
+```
