use image

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -1,98 +1,14 @@
-FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
-ARG TARGETARCH
-ENV TARGETARCH=${TARGETARCH}
-
-# Install essential packages first
-RUN apt-get update && apt-get install -y \
-    curl \
-    wget \
-    git \
-    sudo \
-    unzip \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-# Copy ASDF version file
-ARG ASDF_VERSION
-COPY .tool-versions.asdf /tmp/.tool-versions.asdf
-
-# Add amd64 architecture if on arm64
-RUN if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then dpkg --add-architecture amd64; fi
-
-RUN apt-get update \
-    && export DEBIAN_FRONTEND=noninteractive \
-    && apt-get -y dist-upgrade \
-    && apt-get -y install --no-install-recommends htop vim curl git build-essential \
-    libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \
-    zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \
-    jq apt-transport-https ca-certificates gnupg-agent \
-    software-properties-common bash-completion python3-pip make libbz2-dev \
-    libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
-    xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev uuid-runtime xxd unzip
-
-# install aws stuff
-# Download correct AWS CLI for arch
-RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
-      wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; \
-    else \
-      wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; \
-    fi && \
-    unzip /tmp/awscliv2.zip -d /tmp/aws-cli && \
-    /tmp/aws-cli/aws/install && \
-    rm /tmp/awscliv2.zip && rm -rf /tmp/aws-cli
-
-# Install ASDF
-RUN ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) && \
-    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
-      wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"; \
+ARG IMAGE_NAME=node_24_python_3_14
+ARG IMAGE_VERSION=latest
+FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE_NAME}:${IMAGE_VERSION}
+
+USER root
+# specify DOCKER_GID to force container docker group id to match host
+RUN if [ -n "${DOCKER_GID}" ]; then \
+    if ! getent group docker; then \
+    groupadd -g ${DOCKER_GID} docker; \
     else \
-      wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz"; \
+    groupmod -g ${DOCKER_GID} docker; \
     fi && \
-    tar -xzf /tmp/asdf.tar.gz -C /tmp && \
-    mkdir -p /usr/bin && \
-    mv /tmp/asdf /usr/bin/asdf && \
-    chmod +x /usr/bin/asdf && \
-    rm -rf /tmp/asdf.tar.gz 
-
-# install gitsecrets
-RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
-    cd /tmp/git-secrets && \
-    make install && \
-    cd && \
-    rm -rf /tmp/git-secrets && \
-    mkdir -p /usr/share/secrets-scanner && \
-    chmod 755 /usr/share/secrets-scanner && \
-    curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
-
-USER vscode
-
-ENV PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"
-RUN \
-    echo 'PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \
-    echo '. <(asdf completion bash)' >> ~/.bashrc; \
-    echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc; \
-    echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc; \
-    echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc;
-
-# Install ASDF plugins
-RUN asdf plugin add python; \
-    asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git; \
-    asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git; \
-    asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git; \
-    asdf plugin add direnv; \
-    asdf plugin add actionlint; \
-    asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \
-    asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \
-    asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
-
-
-WORKDIR /workspaces/eps-devcontainers
-COPY .tool-versions /workspaces/eps-devcontainers/.tool-versions
-COPY .tool-versions /home/vscode/.tool-versions
-
-# install python before poetry to ensure correct python version is used
-RUN asdf install python; \
-    asdf install
-
-RUN git-secrets --register-aws --global && \
-  git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt
+    usermod -aG docker vscode; \
+    fi

.devcontainer/devcontainer.json

@@ -3,11 +3,19 @@
 {
     "name": "eps-devcontainers",
     // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-    "build": {
-      "dockerfile": "Dockerfile",
-      "context": "..",
-      "args": {}
+  "build": {
+    "dockerfile": "Dockerfile",
+    "context": "..",
+    "args": {
+      "DOCKER_GID": "${env:DOCKER_GID:}",
+      "IMAGE_NAME": "node_24_python_3_14",
+      "IMAGE_VERSION": "v1.0.4",
+      "USER_UID": "${localEnv:USER_ID:}",
+      "USER_GID": "${localEnv:GROUP_ID:}"
     },
+    "updateRemoteUserUID": false
+  },
+  "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
     "mounts": [
       "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
       "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
@@ -18,14 +26,7 @@
       "--network=host"
     ],
     "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
-    "postAttachCommand": "docker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v4.0.4/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && poetry run pre-commit install --install-hooks -f",
     "features": {
-      "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
-        "version": "latest",
-        "moby": "true",
-        "installDockerBuildx": "true"
-      },
-      "ghcr.io/devcontainers/features/github-cli:1": {}
     },
     "customizations": {
       "vscode": {

.github/workflows/build_all_images.yml

@@ -11,6 +11,9 @@ name: build_all_images
       NO_CACHE:
         required: true
         type: boolean
+      runtime_docker_image:
+        type: string
+        required: true
 env:
   BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
 jobs:
@@ -41,6 +44,7 @@ jobs:
       container_name: base
       base_folder: "."
       NO_CACHE: ${{ inputs.NO_CACHE }}
+      runtime_docker_image: ${{ inputs.runtime_docker_image }}
   package_base_node_images:
     needs:
       - package_base_docker_image
@@ -56,6 +60,7 @@ jobs:
       container_name: ${{ matrix.container_name }}
       base_folder: "base_node"
       NO_CACHE: ${{ inputs.NO_CACHE }}
+      runtime_docker_image: ${{ inputs.runtime_docker_image }}
   package_node_24_language_docker_images:
     needs:
       - package_base_docker_image
@@ -73,6 +78,7 @@ jobs:
       base_folder: "languages"
       NO_CACHE: ${{ inputs.NO_CACHE }}
       EXTRA_COMMON: "common_node_24"
+      runtime_docker_image: ${{ inputs.runtime_docker_image }}
   package_project_docker_images:
     needs:
       - package_node_24_language_docker_images
@@ -88,3 +94,4 @@ jobs:
       container_name: ${{ matrix.container_name }}
       base_folder: "projects"
       NO_CACHE: ${{ inputs.NO_CACHE }}
+      runtime_docker_image: ${{ inputs.runtime_docker_image }}

.github/workflows/build_multi_arch_image.yml

@@ -20,6 +20,9 @@ name: Build and push docker image
       EXTRA_COMMON:
         required: false
         type: string
+      runtime_docker_image:
+        type: string
+        required: true
 
 jobs:
   build_and_push_image:
@@ -30,6 +33,13 @@ jobs:
       attestations: write
       id-token: write
     runs-on: '${{ matrix.runner }}'
+    container:
+      image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
+      options: --user 1001:1001 --group-add 128
+    defaults:
+      run:
+        shell: bash
+
     strategy:
       fail-fast: false
       matrix:
@@ -39,6 +49,9 @@ jobs:
           - arch: arm64
             runner: ubuntu-22.04-arm
     steps:
+      - name: copy .tool-versions
+        run: |
+          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
       - name: Free Disk Space for Docker
         uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
         with:

.github/workflows/ci.yml

@@ -4,6 +4,21 @@ on:
     branches: [main]
 
 jobs:
+  get_config_values:
+    runs-on: ubuntu-22.04
+    outputs:
+      devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }}
+      devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_VERSION }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Load config value
+        id: load-config
+        run: |
+          DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
+          DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
+          echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
+          echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
   get_asdf_version:
     runs-on: ubuntu-22.04
     outputs:
@@ -40,9 +55,12 @@ jobs:
       tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
     secrets: inherit
   build_all_images:
-    needs: tag_release
+    needs: 
+      - tag_release
+      - get_config_values
     uses: ./.github/workflows/build_all_images.yml 
     with: 
       docker_tag: 'ci-${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: false
       NO_CACHE: false
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image_name }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_image_version }}"

.github/workflows/pull_request.yml

@@ -6,6 +6,21 @@ name: pull_request
 env:
   BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
 jobs:
+  get_config_values:
+    runs-on: ubuntu-22.04
+    outputs:
+      devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }}
+      devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_VERSION }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Load config value
+        id: load-config
+        run: |
+          DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
+          DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
+          echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
+          echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: >-
@@ -88,8 +103,10 @@ jobs:
     needs:
       - get_issue_number
       - get_commit_id
+      - get_config_values
     uses: ./.github/workflows/build_all_images.yml 
     with: 
       docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
       tag_latest: false
       NO_CACHE: false
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image_name }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_image_version }}"

.github/workflows/release.yml

@@ -5,6 +5,21 @@ on:
     - cron: "0 18 * * 4"
 
 jobs:
+  get_config_values:
+    runs-on: ubuntu-22.04
+    outputs:
+      devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }}
+      devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_VERSION }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Load config value
+        id: load-config
+        run: |
+          DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
+          DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
+          echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
+          echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
   get_asdf_version:
     runs-on: ubuntu-22.04
     outputs:
@@ -41,9 +56,12 @@ jobs:
       tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
     secrets: inherit
   build_all_images:
-    needs: tag_release
+    needs: 
+      - tag_release
+      - get_config_values
     uses: ./.github/workflows/build_all_images.yml 
     with: 
       docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: true
       NO_CACHE: true
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image_name }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_image_version }}"

README.md

@@ -130,6 +130,11 @@ It is important that
 - there is `options: --user 1001:1001 --group-add 128` below image to ensure it uses the correct user id and is added to the docker group
 - the default shell is set to be bash
 - the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions
+## Using local or pull request images in visual studio code
+You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json.    
+For an image built locally following instructions below, you should put the IMAGE_VERSION=local-build. 
+For an image built from a pull request, you should put the IMAGE_VERSION=<tag of image as show in pull request job>.  
+You can only use images built from a pull request for testing changes in github actions.   
 
 # Project structure
 We have 5 types of dev container. These are defined under src
@@ -271,12 +276,6 @@ CONTAINER_NAME=base \
   make shell-image
 ```
 
-## Using local or pull request images in visual studio code
-You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json.    
-For an image built locally, you should put the IMAGE_VERSION=local-build. 
-For an image built from a pull request, you should put the IMAGE_VERSION=<tag of image as show in pull request job>.  
-You can only use images built from a pull request for testing changes in github actions.   
-
 ## Generating a .trivyignore file
 You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json