
Commit c1635d9

committed
more generic
1 parent fb4f07f commit c1635d9

5 files changed

Lines changed: 68 additions & 52 deletions


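--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -8,9 +8,9 @@ name: Build and push docker image
 docker_tag:
 required: true
 type: string
-secrets:
-EPS_REPO_STATUS_PEM:
+container_name:
 required: true
+type: string
 
 jobs:
 build_image:
@@ -48,40 +48,32 @@ jobs:
 uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
 with:
 node-version-file: .tool-versions
-- name: Generate a token to get details from other repositories
-id: generate-token
-uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
-with:
-app-id: ${{ vars.EPS_REPO_STATUS_APP_ID }}
-private-key: ${{ secrets.EPS_REPO_STATUS_PEM }}
-owner: "NHSDigital"
 
 - name: make install
 run: |
 make install-node
 - name: Build container
 run: >
-make build-base-image
+make build-image
 
-docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
+docker tag "ghcr.io/nhsdigital/eps-devcontainers-${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
 
-docker save "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img"
+docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img"
 env:
-GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 ARCHITECTURE: '${{ matrix.arch }}'
 DOCKER_TAG: '${{ inputs.docker_tag }}'
-GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+CONTAINER_NAME: '${{ inputs.container_name }}'
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 name: Upload docker images
 with:
-name: "eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img"
+name: "eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img"
 path: |
-eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img
+eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img
 - name: Check docker vulnerabilities - json output
 uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
 with:
 scan-type: "image"
-image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}"
+image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
 severity: "CRITICAL,HIGH"
 scanners: "vuln"
 vuln-type: "os,library"
@@ -99,7 +91,7 @@ jobs:
 uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
 with:
 scan-type: "image"
-image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}"
+image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
 severity: "CRITICAL,HIGH"
 scanners: "vuln"
 vuln-type: "os,library"
@@ -146,11 +138,11 @@ jobs:
 - name: Download amd64 images
 uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
 with:
-name: eps-devcontainer-base-${{ inputs.docker_tag }}-amd64.img
+name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-amd64.img
 - name: Download arm64 images
 uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
 with:
-name: eps-devcontainer-base-${{ inputs.docker_tag }}-arm64.img
+name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-arm64.img
 - name: Login to github container registry
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
@@ -162,29 +154,30 @@ jobs:
 - name: Load and push multi-arch image
 run: |
 echo "loading images"
-docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img"
-docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img"
+docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-amd64.img"
+docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-arm64.img"
 
 echo "Tagging latest images"
-docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64"
-docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64"
+docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64"
+docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
 
 echo "pushing images"
-docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64"
-docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64"
-docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64"
-docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64"
+docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64"
+docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64"
+docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64"
+docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
 
 echo "creating manifest"
-docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" \
---amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" \
---amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64"
-docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/base:latest" \
---amend "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" \
---amend "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64"
+docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \
+--amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \
+--amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64"
+docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \
+--amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \
+--amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
 
 echo "pushing manifest"
-docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}"
-docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:latest"
+docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}"
+docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest"
 env:
 DOCKER_TAG: ${{ inputs.docker_tag }}
+CONTAINER_NAME: '${{ inputs.container_name }}'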
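Review bot: `container_name` is a `workflow_call` input that now flows into registry paths, artifact names and, through `make build-image`, the filesystem path `./src/${CONTAINER_NAME}/`, but nothing in this workflow checks its shape beyond the Makefile's non-empty guard. Callers in this commit pass the literal `base`, so the risk today is low, but a reusable workflow can be invoked from elsewhere, and a one-line format check before the build step keeps a stray `../` or whitespace out of the path and the image name: `run: '[[ "$CONTAINER_NAME" =~ ^[a-z0-9][a-z0-9-]*$ ]] || { echo "invalid container_name"; exit 1; }'` with `CONTAINER_NAME: '${{ inputs.container_name }}'` in that step's `env`. The new input in the first hunk also has no `description:`; since the value selects both the `src/` sub-directory and the image name suffix, `description: Sub-directory under src/ to build; also the image name suffix` would document the contract callers rely on. Minor: in the final `env:` block `DOCKER_TAG` is unquoted while the new `CONTAINER_NAME` line is single-quoted — pick one style.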

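--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -92,5 +92,4 @@ jobs:
 with:
 publish_image: true
 docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
-secrets:
-EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }}
+container_name: base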

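--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
 TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
 echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 quality_checks:
-uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
+uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
 needs:
 - get_asdf_version
 with:
@@ -45,5 +45,4 @@ jobs:
 with:
 publish_image: true
 docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
-secrets:
-EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }}
+container_name: base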
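Review bot: The `quality_checks` pin moves from `e31e2527…` to `5ccebbf8…` in the first hunk with nothing in the file or the commit message ("more generic") saying what that upstream change is. Pinning by full SHA is the right practice; what keeps it auditable is a trailing comment naming the tag or date the SHA corresponds to, e.g. `uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3  # <upstream tag or date>`, so a reviewer can tell a routine bump from a behavioural change. If the bump is what the new `container_name` input depends on downstream, that link is worth stating as well rather than leaving it to be inferred.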

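--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -494,3 +494,27 @@ vulnerabilities:
 purls:
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
+- id: CVE-2025-68121
+statement: "CHANGE ME"
+expired_at: 2026-06-01
+- id: CVE-2025-61730
+statement: "CHANGE ME"
+expired_at: 2026-06-01
+- id: CVE-2024-35870
+statement: "CHANGE ME"
+expired_at: 2026-06-01
+- id: CVE-2024-53179
+statement: "CHANGE ME"
+expired_at: 2026-06-01
+- id: CVE-2025-37849
+statement: "CHANGE ME"
+expired_at: 2026-06-01
+- id: CVE-2025-37899
+statement: "CHANGE ME"
+expired_at: 2026-06-01
+- id: CVE-2025-38118
+statement: "CHANGE ME"
+expired_at: 2026-06-01
+- id: CVE-2026-26007
+statement: "CHANGE ME"
+expired_at: 2026-06-01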
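Review bot: All eight new entries carry `statement: "CHANGE ME"` and a blanket `expired_at: 2026-06-01`, so findings for CVE-2025-68121 through CVE-2026-26007 are suppressed until mid-2026 with no recorded reason. The entry just above them shows the pattern this file already uses — a `purls:` list scoping the ignore to the affected package and version — and the new ones have no `purls:` at all, which, as far as trivy's ignore-file semantics go, silences the CVE for any package in the image, including one added later. Each entry should state the actual rationale (for example that no fixed package is available in the base distribution yet, or that the affected component is not used by the container) and the `purls:` it applies to before this lands; if the intent is only to get CI green while triage happens, a much shorter `expired_at` is the safer way to express that. This matters locally too, since the Makefile's `scan-image` target runs trivy with `--exit-code 1` against the same `.trivyignore.yaml`, so these placeholders hide the same findings from developers.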

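--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,10 @@
-CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainer-
-CONTAINER_NAME=base
-IMAGE_NAME=${CONTAINER_PREFIX}$(CONTAINER_NAME)
-WORKSPACE_FOLDER=.
+CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers-
+
+guard-%:
+@ if [ "${${*}}" = "" ]; then \
+echo "Environment variable $* not set"; \
+exit 1; \
+fi
 
 install: install-python install-node install-hooks
 
@@ -15,21 +18,19 @@ install-hooks: install-python
 poetry run pre-commit install --install-hooks --overwrite
 
 install-hooks:
-build-base-image:
-CONTAINER_NAME=$(CONTAINER_NAME) \
+build-image: guard-CONTAINER_NAME
 npx devcontainer build \
---workspace-folder ./src/base/ \
+--workspace-folder ./src/$${CONTAINER_NAME}/ \
 --push false \
---platform linux/${ARCHITECTURE} \
---image-name "${IMAGE_NAME}"
+--image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}"
 
-scan-base-image:
+scan-image: guard-CONTAINER_NAME
 trivy image \
 --severity HIGH,CRITICAL \
 --ignorefile .trivyignore.yaml \
 --scanners vuln \
 --exit-code 1 \
---format table ${IMAGE_NAME}
+--format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}"
 
 lint: lint-githubactions
 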
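Review bot: `build-image` drops the `--platform linux/${ARCHITECTURE}` flag that `build-base-image` passed, so `npx devcontainer build` now produces an image for whatever architecture the runner is, while the calling workflow still sets `ARCHITECTURE` from `matrix.arch` and tags and saves the result as `${DOCKER_TAG}-${ARCHITECTURE}`. If each matrix job runs on a native runner of that architecture this is harmless; if not, an image of the wrong arch gets labelled amd64/arm64 and folded into the manifest, so either restore `--platform linux/$${ARCHITECTURE} \` or put a comment on the target saying why the flag is no longer needed. The `--workspace-folder ./src/$${CONTAINER_NAME}/` argument is unquoted, unlike `--image-name` on the same target; quote it as `--workspace-folder "./src/$${CONTAINER_NAME}/" \` so word splitting cannot turn an unexpected value into extra arguments. `guard-%` only checks that the variable is non-empty; a comment above it such as `# Fail the recipe when the named variable is unset or empty (usage: target: guard-VAR)` would make its role obvious, and tightening it to also reject values that are not a plain directory name would close the remaining gap for `CONTAINER_NAME`.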
