Merge remote-tracking branch 'origin/main' into syft_grype

anthony-nhs · anthony-nhs · commit e7e7eda9f9a7 · 2026-03-30T17:26:17.000Z
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -22,7 +22,9 @@
       "--network=host"
     ],
     "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
-  "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {
     },
     "customizations": {
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,11 +5,11 @@ on:
 
 jobs:
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     with:
       verify_published_from_main_image: true
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     needs:
       - get_config_values
     with:
@@ -18,7 +18,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     permissions:
       id-token: write
       contents: write
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -9,16 +9,16 @@ jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     secrets:
       AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}'
       AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}'
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     with:
       verify_published_from_main_image: false
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     needs:
       - get_config_values
     with:
@@ -27,7 +27,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   pr_title_format_check:
     uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
   get_issue_number:
     runs-on: ubuntu-22.04
     needs: quality_checks
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,15 +2,15 @@ name: release workflow
 on:
   workflow_dispatch:
   schedule:
-    - cron: "0 18 * * 4"
+    - cron: "0 18 * * 3"
 
 jobs:
   get_config_values:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     with:
       verify_published_from_main_image: false
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     needs:
       - get_config_values
     with:
@@ -19,7 +19,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_config_values]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     permissions:
       id-token: write
       contents: write
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,4 @@ src/base/.devcontainer/language_versions/
 .out/
 .envrc
 .sbom/
+.grype_out/
diff --git a/Makefile b/Makefile
@@ -73,8 +73,12 @@ build-grant:
 	docker build -f src/base/.devcontainer/Dockerfile.grant --tag local_grant src/base/.devcontainer/
 
 build-image: build-syft build-grype build-grant guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
+	workspace_folder="$${CONTAINER_NAME}"; \
+	case "$${CONTAINER_NAME}" in \
+		eps_*) workspace_folder="$$(printf '%s' "$${CONTAINER_NAME}" | tr '_' '-')" ;; \
+	esac; \
 	npx devcontainer build \
-		--workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \
+		--workspace-folder ./src/$${BASE_FOLDER}/$${workspace_folder} \
 		$(NO_CACHE_FLAG) \
 		--push false \
 		--output type=image,name="${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}",push=false,compression=zstd \
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
@@ -13,6 +13,7 @@ ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV TARGETARCH=${TARGETARCH}
 
 COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
+COPY --chmod=755 scripts/lifecycle/*.sh ${SCRIPTS_DIR}/
 COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
 COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 
diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk
@@ -93,7 +93,7 @@ guard-%:
 	fi
 
 zizmor:
-	zizmor .
+	zizmor --min-severity medium .
 
 generate-sbom:
 	syft \
diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json
@@ -12,6 +12,9 @@
         "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
       }
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {
       "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
         "version": "latest",
diff --git a/src/base/.devcontainer/scripts/lifecycle/post_attach.sh b/src/base/.devcontainer/scripts/lifecycle/post_attach.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# Script to run as devcontainer postAttachCommand
+set -euo pipefail
+
+# currently empty
diff --git a/src/base/.devcontainer/scripts/lifecycle/post_create.sh b/src/base/.devcontainer/scripts/lifecycle/post_create.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# Script to run as devcontainer postCreateCommand
+set -euo pipefail
+
+# Install git-secrets, register AWS patterns and NHS rules in an idempotent way
+if ! git config --get-all secrets.patterns | grep -Fq AKIA; then
+  git-secrets --register-aws
+fi
+if ! git config --get-all secrets.providers | grep -Fxq "cat /usr/share/secrets-scanner/nhsd-rules-deny.txt"; then
+  git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt
+fi
diff --git a/src/base/.devcontainer/scripts/lifecycle/post_start.sh b/src/base/.devcontainer/scripts/lifecycle/post_start.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# Script to run as devcontainer postStartCommand
+set -euo pipefail
+
+# currently empty
diff --git a/src/base_node/node_24/.devcontainer/devcontainer.json b/src/base_node/node_24/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/projects/eps-data-extract/.devcontainer/devcontainer.json b/src/projects/eps-data-extract/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json b/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/devcontainer.json b/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/projects/node_24_python_3_14_java_24/.devcontainer/devcontainer.json b/src/projects/node_24_python_3_14_java_24/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   
diff --git a/src/projects/regression_tests/.devcontainer/devcontainer.json b/src/projects/regression_tests/.devcontainer/devcontainer.json
@@ -13,6 +13,9 @@
       },
       "context": "."
     },
+    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
+    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
+    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {}
   }
   

-Original file line number
+Diff line change
 .out/
 .envrc
 .sbom/
 +.grype_out/