update readme

anthony-nhs · anthony-nhs · commit 92d42df7d95a · 2026-02-16T08:56:03.000Z
diff --git a/Makefile b/Makefile
@@ -42,7 +42,7 @@ scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
 		--exit-code 1 \
 		--format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
 
-scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER
+scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
 	common="src/common/.trivyignore.yaml"; \
 	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
@@ -58,7 +58,7 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER
 		--format json \
 		--output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
 
-shell-image: guard-CONTAINER_NAME
+shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
 	docker run -it \
 	"${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"  \
 	bash
diff --git a/README.md b/README.md
@@ -8,6 +8,8 @@ Images are built using using https://github.com/devcontainers/cli.
 
 We build a base image based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 that other images are then based on
 
+The images have vsocde user setup as user 1001 so that they can be used in github actions
+
 The base image contains
  - latest os packages
  - asdf
@@ -31,24 +33,80 @@ asdf install and setup for these so they are available globally as vscode user
 Install and setup git-secrets
 
 # Using the images
-In each eps project, you can put this in the devcontainer Dockerfile. You should not need to add any features. 
+In each eps project, this should be the contents of .devcontainer/Dockerfile.
+
 ```
-FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:<version>
+ARG IMAGE_NAME=node_24_python_3_14
+ARG IMAGE_VERSION=latest
+FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE_NAME}:${IMAGE_VERSION}
 
 USER root
 # specify DOCKER_GID to force container docker group id to match host
 RUN if [ -n "${DOCKER_GID}" ]; then \
-      if ! getent group docker; then \
-        groupadd -g ${DOCKER_GID} docker; \
-      else \
-        groupmod -g ${DOCKER_GID} docker; \
-      fi && \
-      usermod -aG docker vscode; \
+    if ! getent group docker; then \
+    groupadd -g ${DOCKER_GID} docker; \
+    else \
+    groupmod -g ${DOCKER_GID} docker; \
+    fi && \
+    usermod -aG docker vscode; \
     fi
-
-USER vscode
 ```
+And this should be the contents of .devcontainer/devcontainer.json.   
+This file will be used in github workflows to calculate the version of container to use in builds, so it must be valid JSON (no comments).   
+The name should be changed to match the name of the project.   
+IMAGE_NAME and IMAGE_VERSION should be changed as appropriate.   
+You should not need to add any features as these are already baked into the image
+```
+{
+  "name": "eps-common-workflows",
+  "build": {
+    "dockerfile": "Dockerfile",
+    "args": {
+      "DOCKER_GID": "${env:DOCKER_GID:}",
+      "IMAGE_NAME": "node_24_python_3_14",
+      "IMAGE_VERSION": "v1.0.1",
+      "USER_UID": "${localEnv:USER_ID:}",
+      "USER_GID": "${localEnv:GROUP_ID:}"
+    },
+    "updateRemoteUserUID": false,
+    "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
+    "mounts": [
+      "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
+      "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
+      "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
+      "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+    ],
+    "containerUser": "vscode",
+    "remoteEnv": {
+      "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
+    },
+    "features": {},
+    "customizations": {
+      ... add any customisations you want here
+    }
+  }
+}
+```
+
+This job should be used in github actions wherever you need to get the dev container name or tag
 
+```
+  get_config_values:
+    runs-on: ubuntu-22.04
+    outputs:
+      devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }}
+      devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Load config value
+        id: load-config
+        run: |
+          DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
+          DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
+          echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
+          echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
+```
 # Project structure
 We have 3 types of dev container. These are defined under src
 
@@ -58,9 +116,9 @@ We have 3 types of dev container. These are defined under src
 
 Each image to be built contains a .devcontainer folder that defines how the devcontainer should be built. At a minimum, this should contain a devcontainer.json file. See https://containers.dev/implementors/json_reference/ for options for this
 
-Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build
+Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder.
 
-We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude know vulnerabilities
+We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude all known vulnerabilities
 
 # Pull requests and merge to main process
 For each pull request, and merge to main, images are built and scanned using trivy, but the images are not pushed to github container registry
@@ -72,7 +130,9 @@ The base image is built first, and then language images, and finally project ima
 Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file.
 
 For pull requests, images are tagged with the pr-<pull request id>-<short commit sha>.   
-For merges to main, images are tagged with the <short commit sha>
+For merges to main, images are tagged with the <short commit sha>.   
+
+When a pull request is merged to main or closed, all associated images are deleted from the registry using the github workflow delete_old_images
 
 # Release workflow
 There is a release workflow that runs weekly at 18:00 on Thursday and on demand.   
@@ -114,18 +174,21 @@ Base image
 ```
 CONTAINER_NAME=base \
   BASE_FOLDER=. \
+  IMAGE_TAG=local-build \
   make scan-image
 ```
 Language images
 ```
 CONTAINER_NAME=node_24_python_3_12 \
   BASE_FOLDER=languages \
+  IMAGE_TAG=local-build \
   make scan-image
 ``` 
 Project images
 ```
 CONTAINER_NAME=fhir_facade_api \
   BASE_FOLDER=projects \
+  IMAGE_TAG=local-build \
   make scan-image
 ``` 
 
@@ -134,19 +197,24 @@ You can use this to start an interactive shell on built images
 base image
 ```
 CONTAINER_NAME=base \
+  IMAGE_TAG=local-build \
   make shell-image
 ```
 Language images
 ```
 CONTAINER_NAME=node_24_python_3_12 \
+  IMAGE_TAG=local-build \
   make shell-image
 ``` 
 Project images
 ```
 CONTAINER_NAME=fhir_facade_api \
+  IMAGE_TAG=local-build \
   make shell-image
 ``` 
 
+## Using local or pull request images
+You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json
 
 ## Generating a .trivyignore file
 You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json
