From 733ec9ea73ed663b987c60d04d8b9a108435cfed Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 16:24:14 +0000 Subject: [PATCH 01/54] use published dev container --- .devcontainer/Dockerfile | 55 ++------------ .devcontainer/devcontainer.json | 13 +--- .github/workflows/pull_request.yml | 1 + .github/workflows/quality-checks.yml | 105 +++------------------------ .github/workflows/release.yml | 1 + .tool-versions | 6 +- 6 files changed, 27 insertions(+), 154 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index f519b68..db31d46 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
@@ -1,53 +1,14 @@ -FROM mcr.microsoft.com/devcontainers/base:ubuntu - -# provide DOCKER_GID via build args if you need to force group id to match host -ARG DOCKER_GID +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0 +USER root # specify DOCKER_GID to force container docker group id to match host RUN if [ -n "${DOCKER_GID}" ]; then \ - if ! getent group docker; then \ - groupadd -g ${DOCKER_GID} docker; \ - else \ - groupmod -g ${DOCKER_GID} docker; \ - fi && \ - usermod -aG docker vscode; \ + if ! getent group docker; then \ + groupadd -g ${DOCKER_GID} docker; \ + else \ + groupmod -g ${DOCKER_GID} docker; \ + fi && \ + usermod -aG docker vscode; \ fi -# Anticipate and resolve potential permission issues with apt -RUN mkdir -p /tmp && chmod 1777 /tmp - -RUN apt-get update \ - && export DEBIAN_FRONTEND=noninteractive \ - && apt-get -y dist-upgrade \ - && apt-get -y install --no-install-recommends htop vim curl git build-essential \ - libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \ - zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \ - jq apt-transport-https ca-certificates gnupg-agent \ - software-properties-common bash-completion python3-pip make libbz2-dev \ - libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \ - xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev - USER vscode - -# Install ASDF -RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.11.3 && \ - echo '. $HOME/.asdf/asdf.sh' >> ~/.bashrc && \ - echo '. 
$HOME/.asdf/completions/asdf.bash' >> ~/.bashrc - -ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-prescription-tracker-ui/node_modules/.bin:/workspaces/eps-common-workflows/.venv/bin" - -# Install ASDF plugins# -RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git && \ - asdf plugin add actionlint && \ - asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git && \ - asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git && \ - asdf plugin add python - -WORKDIR /workspaces/eps-common-workflows - -ADD .tool-versions /workspaces/eps-common-workflows/.tool-versions -ADD .tool-versions /home/vscode/.tool-versions - -RUN asdf install python && \ - asdf install && \ - asdf reshim nodejs diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index fe626eb..b18823e 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
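Review bot: `ARG DOCKER_GID` is removed while the surviving `RUN if [ -n "${DOCKER_GID}" ]` block still reads it, so the build arg that devcontainer.json passes (`"DOCKER_GID": "${env:DOCKER_GID:}"`) never reaches this stage and the group remap becomes dead code, since `${DOCKER_GID}` expands to empty unless the base image happens to export it. Restore the declaration directly after the new FROM: `ARG DOCKER_GID`. The base is also now selected by the mutable tag `v1.0.0`; for a dev container that receives the host's `.aws`, `.ssh` and `.gnupg` directories by bind mount, a digest pin such as `FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0@sha256:<digest-placeholder>` would make the base immutable.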
@@ -14,21 +14,14 @@ "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gitconfig,target=/home/vscode/.gitconfig,type=bind" ], "containerUser": "vscode", "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, - "postAttachCommand": "docker build -f /workspaces/eps-common-workflows/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && pre-commit install --install-hooks -f", - "features": { - "ghcr.io/devcontainers/features/github-cli:1": {}, - "ghcr.io/devcontainers/features/docker-outside-of-docker:1": { - "version": "latest", - "moby": "true", - "installDockerBuildx": "true" - } - }, + "features": {}, "customizations": { "vscode": { "extensions": [ diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index f606e1f..aa97d2b 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,6 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index faef2de..dc2f259 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
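Review bot: Dropping `postAttachCommand` removes `pre-commit install --install-hooks -f`, so the local pre-commit hooks are no longer installed on attach unless the published image does this itself, which nothing in the hunk shows. The docker-outside-of-docker feature is removed in the same hunk while the Dockerfile still creates the docker group and adds vscode to it; if the socket is no longer mounted that RUN block is vestigial, and if it is, the feature's removal deserves an explanation. A one-line JSONC comment such as `// hooks and the docker CLI are expected to come from the published base image` next to `"features": {}` would record the intent.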
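Review bot: `runtime_docker_image` selects the container in which every quality-check job runs with `SONAR_TOKEN` and the `.npmrc` `GITHUB_TOKEN` in its environment, and it is pinned by the mutable tag `v1.0.0`, so anyone able to re-push that tag to the ghcr.io package changes what executes with those secrets. Pin by digest, `runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0@sha256:<digest-placeholder>"`, and move the digest together with the tag. The identical line added to .github/workflows/release.yml in this commit has the same issue.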
@@ -33,10 +33,15 @@ on: description: comma separated list of docker image references to scan when docker scanning is enabled. default: "" required: false + runtime_docker_image: + type: string + required: true jobs: quality_checks: runs-on: ubuntu-22.04 + container: + image: ${{ inputs.runtime_docker_image }} steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 if: ${{ inputs.install_java }} 
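Review bot: The new `runtime_docker_image` input has no `description`, unlike the inputs around it, although it is the most consequential value a caller can pass: it picks the image in which all jobs below run with the workflow's secrets. Add `description: "Full image reference (registry/name:tag, ideally with @sha256 digest) used as the job container for every quality-check job."` beside `required: true`. Since this is a reusable workflow, the description is the place to tell callers that a digest-pinned reference is expected.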
@@ -50,70 +55,10 @@ jobs: with: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - - # Must be done before anything installs, or it will check dependencies for secrets too. - - name: Ensure .gitallowed exists, for secret scanning - run: | - if [ ! -f ".gitallowed" ]; then - echo "Creating empty .gitallowed file" - touch .gitallowed - fi - echo "./nhsd-rules-deny.txt:10" >> .gitallowed - echo "Allowing the following regex patterns:" - cat .gitallowed - - - name: Install git-secrets - run: | - sudo apt-get update - sudo apt-get install -y git curl - git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets - cd /tmp/git-secrets - sudo make install - - - name: Download regex patterns - run: | - curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o nhsd-rules-deny.txt - - - name: Configure git-secrets - run: | - git-secrets --register-aws - git-secrets --add-provider -- cat nhsd-rules-deny.txt - - name: Run secrets scan run: | git-secrets --scan-history . 
- # using git commit sha for version of action to ensure we have stable version - - &install_asdf - name: Install asdf - uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - - - &cache_asdf - name: Cache asdf - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb - with: - path: ~/.asdf - key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} - - - &install_asdf_deps - name: Install asdf dependencies in .tool-versions - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - env: - PYTHON_CONFIGURE_OPTS: --enable-shared - - - &reinstall_poetry - name: Reinstall poetry - if: ${{ inputs.reinstall_poetry }} - run: | - poetry_tool_version=$(cat .tool-versions | grep poetry) - poetry_version=${poetry_tool_version//"poetry "} - asdf uninstall poetry "$poetry_version" - asdf install poetry - - &setup_npmrc name: Setting up .npmrc env: @@ -356,6 +301,8 @@ jobs: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} runs-on: ubuntu-22.04 + container: + image: ${{ inputs.runtime_docker_image }} steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -420,6 +367,8 @@ jobs: docker_vulnerability_scan: runs-on: ubuntu-22.04 + container: + image: ghcr.io/nhsdigital/eps-devcontainers/fhir_facade_api:v1.0.0 needs: get_docker_images_to_scan if: ${{ inputs.run_docker_scan == true }} strategy: 
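Review bot: The steps that configured git-secrets (`git-secrets --register-aws`, `git-secrets --add-provider -- cat nhsd-rules-deny.txt` and the `.gitallowed` setup) are deleted but `git-secrets --scan-history .` is kept; the scan takes its patterns from git config, so unless the runtime image pre-registers them the step now runs with an empty pattern set and passes vacuously, which silently removes the secrets gate from every PR and release. Keep a configure step ahead of the scan, e.g. `- name: Configure git-secrets` / `run: git-secrets --register-aws && git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt` (or wherever the image ships the rules file), and make the step fail when `git-secrets --list` prints nothing. The `quality_checks` job continues outside this hunk.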
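Review bot: `docker_vulnerability_scan` is given `container: image: ghcr.io/nhsdigital/eps-devcontainers/fhir_facade_api:v1.0.0`, a hard-coded reference that by its name is an application image rather than the tooling image the other three jobs get from `${{ inputs.runtime_docker_image }}`; this looks like a paste error and it is the one job that then cannot be steered by the caller. Use `image: ${{ inputs.runtime_docker_image }}` here as well, or add a dedicated input with a description if a different image is genuinely needed. The job's steps continue outside this hunk.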
@@ -431,36 +380,6 @@ jobs: with: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - # using git commit sha for version of action to ensure we have stable version - - name: Install asdf - uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - - - name: Cache asdf - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb - with: - path: | - ~/.asdf - key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} - restore-keys: | - ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} - - - name: Install asdf dependencies in .tool-versions - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - env: - PYTHON_CONFIGURE_OPTS: --enable-shared - - - name: Reinstall poetry - if: ${{ inputs.reinstall_poetry }} - run: | - poetry_tool_version=$(cat .tool-versions | grep poetry) - poetry_version=${poetry_tool_version//"poetry "} - asdf uninstall poetry "$poetry_version" - asdf install poetry - - name: Setting up .npmrc env: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -508,12 +427,10 @@ jobs: IaC-validation: runs-on: ubuntu-22.04 + container: + image: ${{ inputs.runtime_docker_image }} steps: - *checkout - - *install_asdf - - *cache_asdf - - *install_asdf_deps - - *reinstall_poetry - name: Check for SAM templates id: check_sam_templates diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c4cc00a..d7884fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,6 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.tool-versions b/.tool-versions index 8605e6e..d3c826a 100644 
--- a/.tool-versions +++ b/.tool-versions @@ -1,5 +1,5 @@ -nodejs 24.12.0 +nodejs 24.13.0 actionlint 1.7.10 shellcheck 0.11.0 -python 3.14.2 -poetry 2.2.1 +python 3.14.3 +poetry 2.3.2 From 704eedb885629868e6901194998c5cdeaf611d71 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 16:48:45 +0000 Subject: [PATCH 02/54] use new image --- .devcontainer/Dockerfile | 2 +- .github/workflows/pull_request.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index db31d46..a07ebbc 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0 +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25 USER root # specify DOCKER_GID to force container docker group id to match host diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index aa97d2b..d994c2c 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,7 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d7884fa..6147569 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -30,7 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From 08472c0e31768ba7d0b5cbf63c72d9df4a7c35c2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 17:26:27 +0000 Subject: [PATCH 03/54] use old image --- .github/workflows/pull_request.yml | 2 +- .github/workflows/quality-checks.yml | 3 +++ .github/workflows/release.yml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index d994c2c..aa97d2b 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,7 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index dc2f259..b79dbe2 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -42,6 +42,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} + options: --user 0 steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 if: ${{ inputs.install_java }} @@ -303,6 +304,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} + options: --user 0 steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd 
@@ -429,6 +431,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} + options: --user 0 steps: - *checkout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6147569..d7884fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,7 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From 54d444af81b7e47d29e8c1a67d5841b42daccf43 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 18:28:55 +0000 Subject: [PATCH 04/54] fix it --- .devcontainer/Dockerfile | 3 +- .devcontainer/devcontainer.json | 67 ++++++++++++++-------------- .github/workflows/pull_request.yml | 2 +- .github/workflows/quality-checks.yml | 2 +- .github/workflows/release.yml | 2 +- 5 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index a07ebbc..6f9e404 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,4 +1,5 @@ -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-a1b9b25 +ARG IMAGE_VERSION=latest +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${IMAGE_VERSION} USER root # specify DOCKER_GID to force container docker group id to match host diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index b18823e..7ec5ffa 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
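Review bot: `ARG IMAGE_VERSION=latest` makes the dev container float to whatever `latest` points at whenever the build arg is not supplied, which defeats the pinning this series introduces and is the hadolint DL3007 pattern. Either default to the tag devcontainer.json currently passes, `ARG IMAGE_VERSION=v1.0.0`, or declare `ARG IMAGE_VERSION` with no default so a missing value yields an invalid reference and fails the build instead of silently selecting an unpinned image. A comment such as `# IMAGE_VERSION is supplied by .devcontainer/devcontainer.json build.args` would point readers at the source of the value.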
@@ -7,40 +7,39 @@ "dockerfile": "Dockerfile", "context": "..", "args": { - "DOCKER_GID": "${env:DOCKER_GID:}" - } - }, - "mounts": [ - "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.gitconfig,target=/home/vscode/.gitconfig,type=bind" - ], - "containerUser": "vscode", - "remoteEnv": { - "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" - }, - "features": {}, - "customizations": { - "vscode": { - "extensions": [ - "AmazonWebServices.aws-toolkit-vscode", - "redhat.vscode-yaml", - "eamodio.gitlens", - "github.vscode-pull-request-github", - "streetsidesoftware.code-spell-checker", - "timonwong.shellcheck", - "github.vscode-github-actions" - ], - "settings": { - "cSpell.words": [ - "fhir", - "Formik", - "pino", - "serialisation" - ] + "DOCKER_GID": "${env:DOCKER_GID:}", + "IMAGE_VERSION": "pr-15-c27cba7" // This arg is used in the Dockerfile to specify the base image version } + }, + "mounts": [ + "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + ], + "containerUser": "vscode", + "remoteEnv": { + "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" + }, + "features": {}, + "customizations": { + "vscode": { + "extensions": [ + "AmazonWebServices.aws-toolkit-vscode", + "redhat.vscode-yaml", + "eamodio.gitlens", + "github.vscode-pull-request-github", + "streetsidesoftware.code-spell-checker", + "timonwong.shellcheck", + "github.vscode-github-actions" + ], + "settings": { 
+ "cSpell.words": [ + "fhir", + "Formik", + "pino", + "serialisation" + ] + } } } } -} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index aa97d2b..0ee0ae8 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,7 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-c27cba7" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index b79dbe2..d3a2940 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -431,7 +431,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 0 + options: --user 1001:1001 steps: - *checkout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d7884fa..e6aeed8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,7 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-c27cba7" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From 577d8e775071b3391e723728226920c2d3b3af09 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 18:32:46 +0000 Subject: [PATCH 05/54] fix user --- .github/workflows/quality-checks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index d3a2940..a8b984e 100644 
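Review bot: The trailing `}` on the new `"IMAGE_VERSION": "pr-15-c27cba7" // This arg is used in the Dockerfile to specify the base image version }` line sits inside the `//` comment and no longer closes `args`; the following `},` then closes `args` instead of `build`, so `mounts`, `containerUser`, `remoteEnv`, `features` and `customizations` appear to end up nested inside `build`, where the devcontainer spec does not read them, and the original final `}` is dropped. If that reading of the collapsed diff is right, the bind mounts and `containerUser: vscode` are silently ignored. Put the comment on its own line, `// IMAGE_VERSION selects the base image tag consumed by the Dockerfile`, above `"IMAGE_VERSION": "pr-15-c27cba7"`, and restore the `}` closing `args` followed by `},` closing `build`. The same line is carried forward by the devcontainer.json hunks in PATCH 07 and PATCH 09; the latter restores the trailing `}` but, as far as the diff shows, not the nesting.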
--- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -301,6 +301,7 @@ jobs: get_docker_images_to_scan: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} + options: --user 1001:1001 runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} @@ -370,7 +371,7 @@ jobs: docker_vulnerability_scan: runs-on: ubuntu-22.04 container: - image: ghcr.io/nhsdigital/eps-devcontainers/fhir_facade_api:v1.0.0 + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} needs: get_docker_images_to_scan if: ${{ inputs.run_docker_scan == true }} strategy: From 556712a87d442249a6c41da6a5cdd475c6855576 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 18:34:31 +0000 Subject: [PATCH 06/54] debug --- .github/workflows/quality-checks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index a8b984e..293c6ce 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 0 + options: --user 1001:1001 steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 if: ${{ inputs.install_java }} @@ -77,6 +77,7 @@ jobs: - name: make install run: | + id make install - name: Check language tools used and setup trivy config From 415a828b6bad32b3ab0136f64f50435cd013c45e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 19:34:15 +0000 Subject: [PATCH 07/54] use new tag --- .devcontainer/devcontainer.json | 2 +- .github/workflows/pull_request.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 7ec5ffa..000cb65 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
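Review bot: `image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}` prefixes a value that already carries the registry and repository (callers pass `"ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.0"`), giving `ghcr.io/nhsdigital/eps-devcontainers/ghcr.io/...`, an image that cannot be pulled, so `docker_vulnerability_scan` fails whenever `run_docker_scan` is true. Use `image: ${{ inputs.runtime_docker_image }}` as the other jobs do. The `options: --user 1001:1001` added beside `outputs:` in `get_docker_images_to_scan` is not a valid job-level key and belongs under `container:`; PATCH 08 in this series removes it.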
@@ -8,7 +8,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-15-c27cba7" // This arg is used in the Dockerfile to specify the base image version } + "IMAGE_VERSION": "v1.0.1" // This arg is used in the Dockerfile to specify the base image version } }, "mounts": [ "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 0ee0ae8..cba36b7 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -38,7 +38,7 @@ jobs: needs: [get_asdf_version] with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-c27cba7" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e6aeed8..fa70885 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,7 +30,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml with: asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:pr-15-c27cba7" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From 97767c6807acceeec76df72f8d4bb91ae3924906 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 19:36:35 +0000 Subject: [PATCH 08/54] try different user --- .github/workflows/quality-checks.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 293c6ce..00e840f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1001:1001 + options: --user 1000:1000 steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 if: ${{ inputs.install_java }} @@ -302,11 +302,10 @@ jobs: get_docker_images_to_scan: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} - options: --user 1001:1001 runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 0 + options: --user 1000:1000 steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -433,7 +432,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1001:1001 + options: --user 1000:1000 steps: - *checkout From a8d306bebd71642594f1814833690ec933f822a4 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:22:19 +0000 Subject: [PATCH 09/54] new one --- .devcontainer/Dockerfile | 9 ++++++++- .devcontainer/devcontainer.json | 8 ++++---- .github/workflows/pull_request.yml | 16 +++++++++------- .github/workflows/quality-checks.yml | 18 ------------------ .github/workflows/release.yml | 16 +++++++++------- 5 files changed, 30 insertions(+), 37 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 6f9e404..f258f70 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,5 +1,6 @@ ARG IMAGE_VERSION=latest -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${IMAGE_VERSION} +ARG IMAGE=node_24_python_3_14 +FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} USER root # specify DOCKER_GID to force container docker group id to match host 
@@ -12,4 +13,10 @@ RUN if [ -n "${DOCKER_GID}" ]; then \ usermod -aG docker vscode; \ fi +# fix vscode user back to 1000 +RUN usermod -u 1000 vscode; \ + groupmod -g 1000 vscode; \ + chown -R vscode:vscode /home/vscode + +RUN rm -rf /home/vscode/.ssh USER vscode diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 000cb65..6414ab0 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,15 +1,14 @@ -// For format details, see https://aka.ms/devcontainer.json. For config options, see the -// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { "name": "Ubuntu", - // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "Dockerfile", "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "v1.0.1" // This arg is used in the Dockerfile to specify the base image version } + "IMAGE_VERSION": "pr-16-69b4bfb", + "IMAGE": "node_24_python_3_14" }, + "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", "mounts": [ "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", @@ -43,3 +42,4 @@ } } } +} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index cba36b7..1090984 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
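Review bot: The new `RUN usermod -u 1000 vscode; groupmod -g 1000 vscode; chown -R vscode:vscode /home/vscode` chains with `;`, so if `usermod` fails (for example because uid 1000 is already taken in the base image) the build still succeeds and the `chown` applies ownership that no longer matches the account; chain the three with `&&` instead. `chown -R` over the whole home directory also rewrites every file into this layer, and `usermod -u` already re-owns files under the home directory, so the recursive step is only needed for the group change. `RUN rm -rf /home/vscode/.ssh` deserves a why-comment, presumably `# drop any keys baked into the base image; the host ~/.ssh is bind-mounted at runtime` — confirm that is the reason. The CI jobs in this series run the published image as uid 1001 while this file moves vscode to 1000, so the two environments now differ.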
@@ -16,11 +16,12 @@ jobs: AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} pr_title_format_check: uses: ./.github/workflows/pr_title_check.yml - get_asdf_version: + get_config_values: runs-on: ubuntu-22.04 outputs: asdf_version: ${{ steps.asdf-version.outputs.version }} tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }} steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -32,21 +33,22 @@ jobs: id: load-config run: | TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT" quality_checks: uses: ./.github/workflows/quality-checks.yml - needs: [get_asdf_version] + needs: [get_config_values] with: - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: - needs: [quality_checks, get_asdf_version] + needs: [quality_checks, get_config_values] uses: ./.github/workflows/tag-release.yml with: dry_run: true - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + asdfVersion: ${{ needs.get_config_values.outputs.asdf_version }} branch_name: ${{ github.event.pull_request.head.ref }} - tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} + tag_format: ${{ needs.get_config_values.outputs.tag_format }} secrets: inherit diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 00e840f..dbb8136 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
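Review bot: `DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)` parses a JSONC file with plain `jq`, which only works because this commit strips every `//` comment from devcontainer.json; the next comment added there breaks the job, and if the key is absent `-r` prints `null`, which flows straight into the image reference. Use `jq -re` so a null or parse failure fails the step, and consider reading `.build.args.IMAGE` too instead of hard-coding `node_24_python_3_14` in the `runtime_docker_image` string, since devcontainer.json now declares both. The same pattern is duplicated in the release.yml hunk of this commit.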
@@ -6,23 +6,11 @@ on: SONAR_TOKEN: required: false inputs: - install_java: - type: boolean - description: "If true, the action will install java into the runner, separately from ASDF." - default: false - required: false run_sonar: type: boolean description: Toggle to run sonar code analyis on this repository. default: true required: false - asdfVersion: - type: string - required: true - reinstall_poetry: - type: boolean - description: Toggle to reinstall poetry on top of python version installed by asdf. - default: false run_docker_scan: type: boolean description: Toggle to run docker vulnerability scan on this repository. @@ -44,12 +32,6 @@ jobs: image: ${{ inputs.runtime_docker_image }} options: --user 1000:1000 steps: - - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 - if: ${{ inputs.install_java }} - with: - java-version: "21" - distribution: "corretto" - - &checkout name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fa70885..dce12be 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,11 +8,12 @@ env: BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} jobs: - get_asdf_version: + get_config_values: runs-on: ubuntu-22.04 outputs: asdf_version: ${{ steps.asdf-version.outputs.version }} tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }} steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd 
@@ -24,21 +25,22 @@ jobs: id: load-config run: | TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT" quality_checks: - needs: [get_asdf_version] + needs: [get_config_values] uses: ./.github/workflows/quality-checks.yml with: - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1" + runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: - needs: [quality_checks, get_asdf_version] + needs: [quality_checks, get_config_values] uses: ./.github/workflows/tag-release.yml with: dry_run: false - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + asdfVersion: ${{ needs.get_config_values.outputs.asdf_version }} branch_name: main - tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} + tag_format: ${{ needs.get_config_values.outputs.tag_format }} secrets: inherit From 2e2d45656d97e6539c662dc83be48dd03785721e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:23:40 +0000 Subject: [PATCH 10/54] new user --- .github/workflows/quality-checks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index dbb8136..4a244e4 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1000:1000 + options: --user 1001:1001 steps: - &checkout name: Checkout code 
@@ -287,7 +287,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1000:1000 + options: --user 1001:1001 steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -414,7 +414,7 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} - options: --user 1000:1000 + options: --user 1001:1001 steps: - *checkout From c6a3dc956c047caf2a1f520e0f66ee5c1b28a012 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:26:00 +0000 Subject: [PATCH 11/54] add asdf install --- .github/workflows/quality-checks.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 4a244e4..414ebe9 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -60,6 +60,7 @@ jobs: - name: make install run: | id + asdf install make install - name: Check language tools used and setup trivy config From 967dab764016e76fc1e46a366bf927d48f82af1d Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:28:22 +0000 Subject: [PATCH 12/54] debug --- .github/workflows/quality-checks.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 414ebe9..35278da 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -60,7 +60,9 @@ jobs: - name: make install run: | id - asdf install + echo "running asdf plugin list" + asdf plugin list + echo "running make install" make install - name: Check language tools used and setup trivy config From ec7e2a907a6961dbb8084097c01c0c9338b99ec0 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:32:28 +0000 Subject: [PATCH 13/54] more debug --- .github/workflows/quality-checks.yml | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 35278da..efc5590 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -59,7 +59,11 @@ jobs: - name: make install run: | + echo "Running id" id + echo "Running pwd" + pwd + echo "home is $HOME" echo "running asdf plugin list" asdf plugin list echo "running make install" From 9c8a2a0b3a9e799b22d81c3015c192020bd42d71 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 16:34:30 +0000 Subject: [PATCH 14/54] set home --- .github/workflows/quality-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index efc5590..33e2608 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -30,6 +30,8 @@ jobs: runs-on: ubuntu-22.04 container: image: ${{ inputs.runtime_docker_image }} + env: + HOME: /home/vscode options: --user 1001:1001 steps: - &checkout From 3219587532771a47006fc82aa28e8c0f45df99fb Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 14 Feb 2026 17:46:20 +0000 Subject: [PATCH 15/54] new image --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 6414ab0..44d3e6b 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-69b4bfb", + "IMAGE_VERSION": "pr-16-f22b31d", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From d570e15efacb484bd64f4a324ffdec85ba457d95 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Sat, 14 Feb 2026 17:54:54 +0000 Subject: [PATCH 16/54] set ASDF_DATA_DIR --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 33e2608..575903c 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -31,7 +31,7 @@ jobs: container: image: ${{ inputs.runtime_docker_image }} env: - HOME: /home/vscode + ASDF_DATA_DIR: /home/vscode/.asdf options: --user 1001:1001 steps: - &checkout From 273b9f794b8fe44b14d5236a26108d960b13dfca Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:36:53 +0000 Subject: [PATCH 17/54] use container step --- .devcontainer/Dockerfile | 8 - .devcontainer/devcontainer.json | 2 +- .github/workflows/quality-checks.yml | 289 +++++++++++++++++---------- 3 files changed, 184 insertions(+), 115 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index f258f70..2ef3eba 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -12,11 +12,3 @@ RUN if [ -n "${DOCKER_GID}" ]; then \ fi && \ usermod -aG docker vscode; \ fi - -# fix vscode user back to 1000 -RUN usermod -u 1000 vscode; \ - groupmod -g 1000 vscode; \ - chown -R vscode:vscode /home/vscode - -RUN rm -rf /home/vscode/.ssh -USER vscode diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 44d3e6b..36382ff 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-f22b31d", + "IMAGE_VERSION": "pr-16-d9eab88", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", 
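Review bot: Deleting `USER vscode` leaves the Dockerfile's last `USER` instruction as the `USER root` placed after `FROM` in the first commit of this series (if an intervening commit not shown here changed that, disregard), so the devcontainer — and any image built on it — now starts as root by default, which is the opposite of what the original `USER vscode` guaranteed. Keep the non-root default by closing the file with `USER vscode`, and if the `RUN rm -rf /home/vscode/.ssh` cleanup is no longer needed (for example because the published base image no longer ships SSH material), record that in a comment rather than dropping it silently. The `RUN if [ -n "${DOCKER_GID}" ]` block whose tail appears as context begins above this hunk.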
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 575903c..dc6244f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -28,11 +28,6 @@ on: jobs: quality_checks: runs-on: ubuntu-22.04 - container: - image: ${{ inputs.runtime_docker_image }} - env: - ASDF_DATA_DIR: /home/vscode/.asdf - options: --user 1001:1001 steps: - &checkout name: Checkout code @@ -60,16 +55,24 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - run: | - echo "Running id" - id - echo "Running pwd" - pwd - echo "home is $HOME" - echo "running asdf plugin list" - asdf plugin list - echo "running make install" - make install + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + echo "Running id" + id + echo "Running pwd" + pwd + echo "home is $HOME" + echo "running asdf plugin list" + asdf plugin list + echo "running make install" + make install - name: Check language tools used and setup trivy config id: check_languages 
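Review bot: `image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION}` is a `with:` input, which GitHub Actions does not pass through a shell, so the literal text `${IMAGE}:${IMAGE_VERSION}` is handed to `docker pull` and the step cannot resolve an image; the workflow already receives the reference as `inputs.runtime_docker_image` (used by the `container:` block this same commit removes), so this should be `image: ${{ inputs.runtime_docker_image }}` with `registry` matching its host. Separately, each `docker-run-action` step is a fresh `docker run` with only `${{ github.workspace }}` mounted at `/work`, so anything earlier steps set up outside the workspace — the `.npmrc` written by `setup_npmrc` if it lands in the runner's `$HOME`, and whatever the `actions/cache` step keyed on `package-lock.json` restores — is invisible inside the container; pass such values with `-e` or mount those paths, otherwise the cache is restored to a location `make install` never reads. The cache path and the `.npmrc` destination are outside this hunk, so confirm both before changing the mounts.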
@@ -125,22 +128,38 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - run: | - POETRY_VERSION=$(poetry --version | awk '{print $3}') - - if [[ "$(printf '%s\n' "2.0.0" "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "2.0.0" ]] \ - && [[ "$(printf '%s\n' "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "$POETRY_VERSION" ]]; then - echo "Poetry version $POETRY_VERSION is >=2.0.0 and <3.0.0 - installing plugin-export" - poetry self add poetry-plugin-export - else - echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export" - fi - poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + POETRY_VERSION=$(poetry --version | awk '{print $3}') + + if [[ "$(printf '%s\n' "2.0.0" "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "2.0.0" ]] \ + && [[ "$(printf '%s\n' "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "$POETRY_VERSION" ]]; then + echo "Poetry version $POETRY_VERSION is >=2.0.0 and <3.0.0 - installing plugin-export" + poetry self add poetry-plugin-export + else + echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export" + fi + poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - run: | - cd src - go mod vendor + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | 
+ cd /work + cd src + go mod vendor - name: Check licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: @@ -171,7 +190,16 @@ jobs: cat license_scan.txt fi - name: Run code lint - run: make lint + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + make lint - name: Run ShellCheck uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 @@ -183,7 +211,16 @@ jobs: .git - name: Run unit tests - run: make test + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + make test - name: Generate SBOM uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: @@ -294,9 +331,6 @@ jobs: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} runs-on: ubuntu-22.04 - container: - image: ${{ inputs.runtime_docker_image }} - options: --user 1001:1001 steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -361,8 +395,6 @@ jobs: docker_vulnerability_scan: runs-on: ubuntu-22.04 - container: - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} needs: get_docker_images_to_scan if: ${{ inputs.run_docker_scan == true }} strategy: @@ -421,9 +453,6 @@ jobs: IaC-validation: runs-on: ubuntu-22.04 - container: - image: ${{ inputs.runtime_docker_image }} - options: --user 1001:1001 steps: - *checkout 
@@ -474,102 +503,150 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - run: | - pip install cfn-lint - cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' - cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + pip install cfn-lint + cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' + cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' - *cache_npm - *setup_npmrc - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - run: | - make install-node && make compile + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + make install-node && make compile - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - run: | - make cdk-synth + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + make cdk-synth - - name: Install AWS SAM CLI - if: steps.check_sam_templates.outputs.sam_exists == 'true' - run: | - pip install aws-sam-cli - name: Init cfn-guard - run: | - #!/usr/bin/env bash - set -eou pipefail + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + 
registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + set -eou pipefail - rm -rf /tmp/ruleset - rm -rf cfn_guard_output + rm -rf /tmp/ruleset + rm -rf cfn_guard_output - wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1 - unzip /tmp/ruleset.zip -d /tmp/ruleset/ >/dev/null 2>&1 + wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1 + unzip /tmp/ruleset.zip -d /tmp/ruleset/ >/dev/null 2>&1 - curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1 + curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1 - mkdir -p cfn_guard_output + mkdir -p cfn_guard_output - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - run: | - #!/usr/bin/env bash - set -eou pipefail - - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - while IFS= read -r -d '' file + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + set -eou pipefail + + declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") + for ruleset in "${rulesets[@]}" do - echo "checking SAM template $file with ruleset $ruleset" - mkdir -p "$(dirname cfn_guard_output/"$file")" - - # Transform the SAM template to CloudFormation and then run through cfn-guard - SAM_OUTPUT=$(sam 
validate -t "$file" --region eu-west-2 --debug 2>&1 | \ - grep -Pazo '(?s)AWSTemplateFormatVersion.*\n\/' | tr -d '\0') - echo "${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/${file}_${ruleset}.txt" + while IFS= read -r -d '' file + do + echo "checking SAM template $file with ruleset $ruleset" + mkdir -p "$(dirname cfn_guard_output/"$file")" + + # Transform the SAM template to CloudFormation and then run through cfn-guard + SAM_OUTPUT=$(sam validate -t "$file" --region eu-west-2 --debug 2>&1 | \ + grep -Pazo '(?s)AWSTemplateFormatVersion.*\n\/' | tr -d '\0') + echo "${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate \ + --rules "/tmp/ruleset/output/$ruleset.guard" \ + --show-summary fail \ + > "cfn_guard_output/${file}_${ruleset}.txt" - done < <(find ./SAMtemplates -name '*.y*ml' -print0) - done + done < <(find ./SAMtemplates -name '*.y*ml' -print0) + done - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - run: | - #!/usr/bin/env bash - - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - echo "Checking all templates in cloudformation folder with ruleset $ruleset" + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + + declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") + for ruleset in "${rulesets[@]}" + do + echo "Checking all templates in cloudformation folder with ruleset $ruleset" - ~/.guard/bin/cfn-guard validate \ - --data cloudformation \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/cloudformation_$ruleset.txt" - done + 
~/.guard/bin/cfn-guard validate \ + --data cloudformation \ + --rules "/tmp/ruleset/output/$ruleset.guard" \ + --show-summary fail \ + > "cfn_guard_output/cloudformation_$ruleset.txt" + done - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - run: | - #!/usr/bin/env bash - - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - echo "Checking all templates in cdk.out folder with ruleset $ruleset" + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + + declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") + for ruleset in "${rulesets[@]}" + do + echo "Checking all templates in cdk.out folder with ruleset $ruleset" - ~/.guard/bin/cfn-guard validate \ - --data cdk.out \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/cdk.out_$ruleset.txt" - done + ~/.guard/bin/cfn-guard validate \ + --data cdk.out \ + --rules "/tmp/ruleset/output/$ruleset.guard" \ + --show-summary fail \ + > "cfn_guard_output/cdk.out_$ruleset.txt" + done - name: Download terraform plans uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 From d0191e7cbe992146c0a754882d104b82868798c4 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:37:57 +0000 Subject: [PATCH 18/54] use container step --- .github/workflows/quality-checks.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index dc6244f..ae22b8a 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
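Review bot: `Init cfn-guard` now writes its artefacts to `/tmp/ruleset` and `~/.guard/bin` inside a container that is discarded when the step ends, and the three `Run cfn-guard script` steps each start a new container with only `/work` mounted, so `~/.guard/bin/cfn-guard` and `/tmp/ruleset/output/$ruleset.guard` will not exist when they run (unless `docker-run-action` reuses the container, which its single `docker run` per step does not suggest). Keep everything later steps need under the mounted workspace and point the validate calls at it; while touching this, the `curl … install-guard.sh | sh` fetch of an unversioned script from `main` should become a pinned, checksum-verified release download, and the removed `Install AWS SAM CLI` step means `sam validate` now relies on the image shipping `sam` — worth a comment. Note also that the cloudformation and cdk steps have no `set -eou pipefail`, so a failed `cfn-guard` run there still leaves an empty output file and a green step.
```yaml
run: |
  cd /work
  set -eou pipefail
  # Each docker-run step is a fresh container; only /work survives between steps.
  TOOLS=/work/.iac-tools
  rm -rf "$TOOLS" cfn_guard_output
  mkdir -p "$TOOLS/ruleset" cfn_guard_output
  wget -O "$TOOLS/ruleset.zip" https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1
  unzip "$TOOLS/ruleset.zip" -d "$TOOLS/ruleset/" >/dev/null 2>&1
  # TODO: replace this unpinned curl | sh with a pinned, checksum-verified cfn-guard release
  curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1
  cp -r ~/.guard "$TOOLS/guard"
# … unchanged: the three "Run cfn-guard script" steps, with ~/.guard/bin and /tmp/ruleset/output
#    replaced by /work/.iac-tools/guard/bin and /work/.iac-tools/ruleset/output …
```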
@@ -36,8 +36,16 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - run: | - git-secrets --scan-history . + uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + with: + registry: gcr.io + image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + options: > + -v ${{ github.workspace }}:/work + -u vscode + run: | + cd /work + git-secrets --scan-history . - &setup_npmrc name: Setting up .npmrc From de720fc2b47e9a9596ca12f0c0ccd198148abbb7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:40:26 +0000 Subject: [PATCH 19/54] fix image --- .github/workflows/quality-checks.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index ae22b8a..476da44 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -39,7 +39,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -66,7 +66,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -139,7 +139,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
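Review bot: `git-secrets --scan-history .` now runs as `vscode` inside a container over a checkout that the runner user created on the host, so unless the image's `vscode` uid happens to match the runner's, git (2.35.2 and later) refuses the repository with `fatal: detected dubious ownership` — and whether that makes the step fail or lets it pass without scanning depends on how `git-secrets` propagates the error, neither of which is acceptable for a secrets gate. Add `git config --global --add safe.directory /work` before the scan (the container is discarded, so the setting does not leak anywhere) and start the script with `set -euo pipefail` so a git error cannot be mistaken for a clean scan. The uid mismatch is inferred from the `-u vscode` option and the runner default, so confirm it against the image.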
@@ -160,7 +160,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -201,7 +201,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -222,7 +222,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -514,7 +514,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -532,7 +532,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -545,7 +545,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
@@ -558,7 +558,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -581,7 +581,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -613,7 +613,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -637,7 +637,7 @@ jobs: uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: registry: gcr.io - image: nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} + image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode From 0864610ccb65a8519655295e5f9eee0481afa7d2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:43:26 +0000 Subject: [PATCH 20/54] really fix image --- .github/workflows/quality-checks.yml | 39 ++++++++++------------------ 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 476da44..ea1f91f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -38,8 +38,7 @@ jobs: - name: Run secrets scan uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -65,8 +64,7 @@ jobs: - name: make install uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -138,8 +136,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -159,8 +156,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_go == 'true' }} uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -200,8 +196,7 @@ jobs: - name: Run code lint uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
@@ -221,8 +216,7 @@ jobs: - name: Run unit tests uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -513,8 +507,7 @@ jobs: if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -531,8 +524,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -544,8 +536,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -557,8 +548,7 @@ jobs: - name: Init cfn-guard uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
@@ -580,8 +570,7 @@ jobs: if: steps.check_sam_templates.outputs.sam_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -612,8 +601,7 @@ jobs: if: steps.check_cf_templates.outputs.cf_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -636,8 +624,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - registry: gcr.io - image: nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode From 8001f53457da8a21957a252516cb6aafcd620963 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 11:44:54 +0000 Subject: [PATCH 21/54] really really fix image --- .github/workflows/pull_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 1090984..4c45059 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
@@ -40,7 +40,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml needs: [get_config_values] with: - runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}" + runtime_docker_image: "node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From cb42b4649250273cb76b0692c1ee0de59d68557d Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 12:19:40 +0000 Subject: [PATCH 22/54] really really really fix image --- .github/workflows/quality-checks.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index ea1f91f..fdbc132 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -38,7 +38,7 @@ jobs: - name: Run secrets scan uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -64,7 +64,7 @@ jobs: - name: make install uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -136,7 +136,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
@@ -156,7 +156,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_go == 'true' }} uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -196,7 +196,7 @@ jobs: - name: Run code lint uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -216,7 +216,7 @@ jobs: - name: Run unit tests uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -507,7 +507,7 @@ jobs: if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -524,7 +524,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode 
@@ -536,7 +536,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -548,7 +548,7 @@ jobs: - name: Init cfn-guard uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -570,7 +570,7 @@ jobs: if: steps.check_sam_templates.outputs.sam_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -601,7 +601,7 @@ jobs: if: steps.check_cf_templates.outputs.cf_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode @@ -624,7 +624,7 @@ jobs: if: steps.check_cdk.outputs.cdk_exists == 'true' uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: - image: gcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work -u vscode From 826ee6c1ead729314e0a615184d7fa738fcb892c Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Sun, 15 Feb 2026 13:11:00 +0000 Subject: [PATCH 23/54] use image that can write to /work --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 36382ff..612a1be 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-d9eab88", + "IMAGE_VERSION": "pr-16-03d6189", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From 2e61b9b33b17afdd732071343e5c977ff1ea58f5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 14:12:47 +0000 Subject: [PATCH 24/54] use new image --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 612a1be..69d3eb6 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-03d6189", + "IMAGE_VERSION": "pr-16-37cee2e", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From 183175a152e45bb258f0acf1fdfb39579ab97ad9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 14:20:29 +0000 Subject: [PATCH 25/54] more debug --- .github/workflows/quality-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index fdbc132..c72d1d0 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -77,6 +77,8 @@ jobs: echo "home is $HOME" echo "running asdf plugin list" asdf plugin list + echo "Checking mount" + ls -l / echo "running make install" make install From 1e98d6e1fab5689f71733f607f325e789b4083c9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 16:14:54 +0000 Subject: [PATCH 26/54] new image --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 69d3eb6..dbf6f72 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-37cee2e", + "IMAGE_VERSION": "pr-16-c2726ad", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From a06cf2eced143b3c53385581944e8d964783b7b7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 16:16:25 +0000 Subject: [PATCH 27/54] dont change user --- .github/workflows/quality-checks.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index c72d1d0..e1152d2 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -41,7 +41,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work git-secrets --scan-history . @@ -67,7 +66,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work echo "Running id" 
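Review bot: Dropping `-u vscode` from the `options:` of this step (and the twelve matching hunks through @@ -629) leaves each container running as the image's default user, which is root unless the published image sets `USER`; everything the scripts write into the bind-mounted `/work` (`make install` output, `go mod vendor`, the cfn-guard rulesets) is then root-owned on the runner and host-side steps that follow may be unable to modify or clean it. The reason for the change is recorded only in the commit title; if the intent is to run as the runner's own uid, say so in a comment beside the `options:` block instead of leaving the user unspecified (PATCH 28 reinstates a numeric user two minutes later). The enclosing step's `run:` script continues outside the hunk.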
@@ -141,7 +139,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work POETRY_VERSION=$(poetry --version | awk '{print $3}') @@ -161,7 +158,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work cd src @@ -201,7 +197,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work make lint @@ -221,7 +216,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work make test @@ -512,7 +506,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work pip install cfn-lint @@ -529,7 +522,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work make install-node && make compile @@ -541,7 +533,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work make cdk-synth @@ -553,7 +544,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work set -eou pipefail @@ -575,7 +565,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work set -eou pipefail @@ -606,7 +595,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work 
@@ -629,7 +617,6 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work - -u vscode run: | cd /work From c75e255dd7525a4e59a5c6d85e3048c80c137658 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 16:19:50 +0000 Subject: [PATCH 28/54] set user 1001 --- .github/workflows/quality-checks.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index e1152d2..01cecdc 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -41,6 +41,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work git-secrets --scan-history . @@ -66,6 +67,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work echo "Running id" @@ -139,6 +141,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work POETRY_VERSION=$(poetry --version | awk '{print $3}') @@ -158,6 +161,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work cd src @@ -197,6 +201,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work make lint @@ -216,6 +221,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work make test 
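Review bot: `-u 1001:1001` is a magic number repeated in all thirteen hunks of this patch without explanation; presumably it is the uid:gid of the GitHub-hosted runner's account so that files written to the `/work` bind mount remain owned by the runner, and that belongs in a comment at the first occurrence, e.g. `# 1001:1001 = uid:gid of the hosted runner user, so files written to /work stay writable by later steps`. If the image has no passwd entry for uid 1001, Docker typically sets `HOME=/` inside the container, so anything resolved through `$HOME` — such as the asdf shims that PATCH 30 then has to prepend to `PATH` — stops working; passing `-e HOME=/home/vscode` alongside `-u`, or giving the image a user with that uid, avoids the breakage. The steps' `run:` scripts continue outside the hunk.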
@@ -506,6 +512,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work pip install cfn-lint @@ -522,6 +529,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work make install-node && make compile @@ -533,6 +541,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work make cdk-synth @@ -544,6 +553,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work set -eou pipefail @@ -565,6 +575,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work set -eou pipefail @@ -595,6 +606,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work @@ -617,6 +629,7 @@ jobs: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} options: > -v ${{ github.workspace }}:/work + -u 1001:1001 run: | cd /work From 3f50c134d19dc0cdf4c96001ffce5b2c2d6be632 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 18:06:23 +0000 Subject: [PATCH 29/54] use newer image --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index dbf6f72..9067d93 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-c2726ad", + "IMAGE_VERSION": "pr-16-85d8bf7", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", From 979b094354bc2c9edb87cfc31453c013d77c428f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 18:09:47 +0000 Subject: [PATCH 30/54] fix path --- .github/workflows/quality-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 01cecdc..69e4049 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -79,6 +79,8 @@ jobs: asdf plugin list echo "Checking mount" ls -l / + echo $PATH + export PATH="$HOME/.asdf/shims:$PATH" echo "running make install" make install From 24784857cab74fc588ac93ac86365572a279ce15 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 15 Feb 2026 18:54:57 +0000 Subject: [PATCH 31/54] new image --- .devcontainer/Dockerfile | 5 +++++ .devcontainer/devcontainer.json | 2 +- .github/workflows/quality-checks.yml | 1 - 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 2ef3eba..d1c13bb 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -12,3 +12,8 @@ RUN if [ -n "${DOCKER_GID}" ]; then \ fi && \ usermod -aG docker vscode; \ fi + +# fix vscode user back to 1000 +RUN usermod -u 1000 vscode; \ + groupmod -g 1000 vscode; \ + chown -R vscode:vscode /home/vscode diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 9067d93..a2ce53e 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
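Review bot: `export PATH="$HOME/.asdf/shims:$PATH"` only helps if `$HOME` resolves to the directory holding the asdf install; with the container started as `-u 1001:1001` (PATCH 28) and no guarantee of a passwd entry for that uid, `$HOME` may well be `/` and the prepended entry points nowhere. Prefer the explicit location of the install in the published image (likely `/home/vscode/.asdf/shims` if it follows the old Dockerfile — confirm), or pass `-e HOME=/home/vscode` in the step's `options:`, and remove the bare `echo $PATH` once the diagnosis is done since it is debug output in a shared workflow. The `make install` step's script continues outside the hunk.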
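Review bot: The new `RUN usermod -u 1000 vscode; groupmod -g 1000 vscode; chown -R vscode:vscode /home/vscode` chains with `;`, so if `usermod` or `groupmod` fails (for instance because uid or gid 1000 is already taken in the base image) the layer still succeeds and the build silently continues with the wrong ownership; chain with `&&` so the build stops: `RUN usermod -u 1000 vscode && groupmod -g 1000 vscode && chown -R vscode:vscode /home/vscode`. `usermod -u` already re-owns the user's home directory, so the trailing `chown -R` mostly duplicates every file under `/home/vscode` into a new layer, while files the `vscode` user owns elsewhere in the image keep the old numeric ids. This block is removed again in PATCH 32 in favour of build-time `USER_UID`/`USER_GID` arguments.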
@@ -5,7 +5,7 @@ "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-85d8bf7", + "IMAGE_VERSION": "pr-16-36dcbc3", "IMAGE": "node_24_python_3_14" }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 69e4049..89f9661 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -548,7 +548,6 @@ jobs: cd /work make cdk-synth - - name: Init cfn-guard uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 with: From 989120c3b95c8fb382d2c8d2adf5bb91122dce42 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 17:12:13 +0000 Subject: [PATCH 32/54] use new image again --- .devcontainer/Dockerfile | 9 +-- .devcontainer/devcontainer.json | 71 +++++++++++---------- .github/workflows/quality-checks.yml | 92 ++++------------------------ .pre-commit-config.yaml | 2 +- 4 files changed, 53 insertions(+), 121 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index d1c13bb..3903c81 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,6 +1,6 @@ +ARG IMAGE_NAME=node_24_python_3_14 ARG IMAGE_VERSION=latest -ARG IMAGE=node_24_python_3_14 -FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION} +FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE_NAME}:${IMAGE_VERSION} USER root # specify DOCKER_GID to force container docker group id to match host @@ -12,8 +12,3 @@ RUN if [ -n "${DOCKER_GID}" ]; then \ fi && \ usermod -aG docker vscode; \ fi - -# fix vscode user back to 1000 -RUN usermod -u 1000 vscode; \ - groupmod -g 1000 vscode; \ - chown -R vscode:vscode /home/vscode diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index a2ce53e..a3e6fb8 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
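Review bot: `ARG IMAGE_VERSION=latest` leaves the `FROM` line pointing at a mutable `latest` tag whenever the build runs without `--build-arg IMAGE_VERSION` (devcontainer.json passes a commit-ish, but a plain `docker build` in `.devcontainer/` does not), so the dev container toolchain is not reproducible by default. Either drop the default so such a build fails loudly, or pin it to the same tag devcontainer.json uses, with a comment such as `# Overridden by devcontainer.json; keep this on a published eps-devcontainers tag, never latest`. `USER root` stays in place on the line after `FROM`, and lines 7–11 of the file are outside both hunks, so I cannot confirm from here that the image switches back to `vscode` before the end of the Dockerfile.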
@@ -1,44 +1,47 @@ { - "name": "Ubuntu", + "name": "eps-common-workflows", "build": { "dockerfile": "Dockerfile", "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_VERSION": "pr-16-36dcbc3", - "IMAGE": "node_24_python_3_14" + "IMAGE_NAME": "node_24_python_3_14", + "IMAGE_VERSION": "e0808a3", + "USER_UID": "${localEnv:USER_ID:}", + "USER_GID": "${localEnv:GROUP_ID:}" }, - "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", - "mounts": [ - "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" - ], - "containerUser": "vscode", - "remoteEnv": { - "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" - }, - "features": {}, - "customizations": { - "vscode": { - "extensions": [ - "AmazonWebServices.aws-toolkit-vscode", - "redhat.vscode-yaml", - "eamodio.gitlens", - "github.vscode-pull-request-github", - "streetsidesoftware.code-spell-checker", - "timonwong.shellcheck", - "github.vscode-github-actions" - ], - "settings": { - "cSpell.words": [ - "fhir", - "Formik", - "pino", - "serialisation" - ] - } + "updateRemoteUserUID": false + }, + "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", + "mounts": [ + "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + ], + "containerUser": "vscode", + "remoteEnv": { + "LOCAL_WORKSPACE_FOLDER": 
"${localWorkspaceFolder}" + }, + "features": {}, + "customizations": { + "vscode": { + "extensions": [ + "AmazonWebServices.aws-toolkit-vscode", + "redhat.vscode-yaml", + "eamodio.gitlens", + "github.vscode-pull-request-github", + "streetsidesoftware.code-spell-checker", + "timonwong.shellcheck", + "github.vscode-github-actions" + ], + "settings": { + "cSpell.words": [ + "fhir", + "Formik", + "pino", + "serialisation" + ] } } } diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 89f9661..8a4668e 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,14 +36,10 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work git-secrets --scan-history . - &setup_npmrc @@ -62,26 +58,10 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work - echo "Running id" - id - echo "Running pwd" - pwd - echo "home is $HOME" - echo "running asdf plugin list" - asdf plugin list - echo "Checking mount" - ls -l / - echo $PATH - export PATH="$HOME/.asdf/shims:$PATH" - echo "running make install" make install - name: Check language tools used and setup trivy config 
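Review bot: The new `USER_UID`/`USER_GID` build args are fed from `${localEnv:USER_ID:}` and `${localEnv:GROUP_ID:}`, but the Dockerfile hunks in this same commit show no `ARG USER_UID`/`ARG USER_GID`; if they are not declared in the Dockerfile lines not shown here, Docker only warns that the args were not consumed and the container user keeps the image's uid. With `"updateRemoteUserUID": false` also switching off the devcontainer CLI's own uid remap, an unset `USER_ID` on the host silently reproduces the ownership mismatch on the bind-mounted workspace that the preceding commits were fighting. Document the contract in the `args` block (devcontainer.json is parsed as JSONC, so a `// USER_ID/GROUP_ID must be exported on the host (id -u / id -g); empty values fall back to the image's vscode uid` comment works) and have the Dockerfile fail the build when the values are empty.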
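Review bot: Every step in this file now runs its script through `anthony-nhs/docker-run-action-fork`, a fork hosted under an individual's GitHub account rather than the `nhsdigital` organisation (this hunk and those at @@ -62, -138, -158, -198, -218, -509, -526, -571, -602 and -625). The SHA pin limits exposure to the reviewed commit, but a shared reusable workflow that every consuming repository's quality gate depends on — including the secrets scan in this hunk — should not have its execution path owned by a personal account that organisation policy cannot govern; move the fork under `nhsdigital` or keep it as a local composite action in this repository and pin that. Dropping `-v ${{ github.workspace }}:/work` and `cd /work` also makes every script depend on the fork mounting and entering the workspace on its own, which PATCH 33 then makes explicit with `workspace_folder`; a one-line comment above the first `uses:` stating that contract would spare the next reader a trip to the fork's source.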
@@ -138,14 +118,10 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work POETRY_VERSION=$(poetry --version | awk '{print $3}') if [[ "$(printf '%s\n' "2.0.0" "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "2.0.0" ]] \ @@ -158,14 +134,10 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work cd src go mod vendor - name: Check licenses @@ -198,14 +170,10 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work make lint - name: Run ShellCheck 
@@ -218,14 +186,10 @@ jobs: .git - name: Run unit tests - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work make test - name: Generate SBOM uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 @@ -509,14 +473,10 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work pip install cfn-lint cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' 
@@ -526,37 +486,25 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work make install-node && make compile - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work make cdk-synth - name: Init cfn-guard - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work set -eou pipefail rm -rf /tmp/ruleset @@ -571,14 +519,10 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work set -eou pipefail declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") 
@@ -602,15 +546,10 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") for ruleset in "${rulesets[@]}" do @@ -625,15 +564,10 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: addnab/docker-run-action@5ddaad0f7eedd03f64e412b1931852bd3031b273 + uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b with: image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - options: > - -v ${{ github.workspace }}:/work - -u 1001:1001 run: | - cd /work - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") for ruleset in "${rulesets[@]}" do diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index db94a2e..f319077 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -23,7 +23,7 @@ repos: entry: bash args: - -c - - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook' + - "git-secrets --pre_commit_hook" language: system - id: lint-githubactions name: Lint github actions From 348b59ba4e255feb6edcdf4ca40c93d95311d77f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 17:22:50 +0000 Subject: [PATCH 33/54] use new action --- .github/workflows/quality-checks.yml | 39 ++++++++++++++++++---------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 8a4668e..6f93f9a 100644 
--- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,8 +36,9 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | git-secrets --scan-history . @@ -58,8 +59,9 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make install @@ -118,8 +120,9 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | POETRY_VERSION=$(poetry --version | awk '{print $3}') 
@@ -134,8 +137,9 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | cd src @@ -170,8 +174,9 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make lint @@ -186,8 +191,9 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make test @@ -473,8 +479,9 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | pip install cfn-lint 
@@ -486,23 +493,26 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make install-node && make compile - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | set -eou pipefail @@ -519,8 +529,9 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | set -eou pipefail 
@@ -546,8 +557,9 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") @@ -564,8 +576,9 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4d62f8d0e1ae07c4b0abad4eac02db8fa7bc984b + uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 with: + workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") From ca04c89c840b92f6879979f750f04b8f8f5033f7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 17:39:19 +0000 Subject: [PATCH 34/54] new action --- .github/workflows/quality-checks.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 6f93f9a..4a71ece 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -120,7 +120,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -137,7 +137,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -174,7 +174,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -191,7 +191,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -479,7 +479,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -493,7 +493,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -502,7 +502,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -510,7 +510,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -529,7 +529,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -557,7 +557,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -576,7 +576,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@f56dd4e5c3b9c8b9fa619939c02d809f35ad82c9 + uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 829ca631d0d86bd43b14015501185c84229b9807 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 17:41:55 +0000 Subject: [PATCH 35/54] newer action --- .github/workflows/quality-checks.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 4a71ece..c204c7c 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -120,7 +120,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -137,7 +137,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -174,7 +174,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -191,7 +191,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -479,7 +479,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -493,7 +493,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -502,7 +502,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -510,7 +510,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -529,7 +529,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -557,7 +557,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -576,7 +576,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@df2f1ddaa0d7f80e0b95404d81a1ee0919e37985 + uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 01a3b54637bff102c7aa3c670bc7ac2c19a2750c Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 17:49:20 +0000 Subject: [PATCH 36/54] newer action --- .github/workflows/quality-checks.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) 
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index c204c7c..373dcbc 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -120,7 +120,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -137,7 +137,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -174,7 +174,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -191,7 +191,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -479,7 +479,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -493,7 +493,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -502,7 +502,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -510,7 +510,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -529,7 +529,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -557,7 +557,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -576,7 +576,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@82ae039ec306b71bcd31d8530985f1fdbd71a39a + uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 611eda51a870b4f3e61e621f2f8e89edbb9e2962 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 18:14:35 +0000 Subject: [PATCH 37/54] newer action --- .github/workflows/quality-checks.yml | 42 +++++++++++++++++----------- 1 file changed, 25 insertions(+), 17 deletions(-) 
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 373dcbc..00419cf 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -120,7 +120,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -137,7 +137,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -174,7 +174,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -191,7 +191,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -398,13 +398,21 @@ jobs: ${{ runner.os }}-node- - name: make install - run: | - make install + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + with: + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make install - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - run: | - make docker-build + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + with: + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make docker-build - name: Check docker vulnerabilities uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 @@ -479,7 +487,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
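Review bot: In the `@@ -398,13 +398,21 @@` hunk, `make docker-build` now runs inside the devcontainer image through the fork action, but nothing in the hunk shows how that container reaches a docker daemon, and the `aquasecurity/trivy-action` step that follows as context presumably expects the built images in the runner's own daemon. If the action bind-mounts the host docker socket, the containerised build has the same control over the runner as a plain `run:` step would, so the move gains no isolation; if it does not, the build will fail or produce images trivy cannot see. Either way the step deserves a comment stating the assumption, e.g. `# runs in the devcontainer; docker-build relies on the action exposing the host docker daemon so the trivy step can scan the result`. The `make install` conversion earlier in the same hunk raises no such question. The rest of the job is outside the hunk.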
@@ -493,7 +501,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -502,7 +510,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -510,7 +518,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -529,7 +537,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -557,7 +565,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -576,7 +584,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@83cfde66c34330c3ec4f6270a569a6701530d775 + uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From e05bb4726cd57272f76f7e235bac8879256dc1b2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 18:16:54 +0000 Subject: [PATCH 38/54] debug --- .github/workflows/quality-checks.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 00419cf..801b72f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -64,6 +64,10 @@ jobs: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | + echo "current dir is $(pwd)" + echo "current user is $(whoami)" + echo "listing current dir contents" + ls -la make install - name: Check language tools used and setup trivy config From 2a6bacd686a0e49e274c2e7205aca0421df4c2e6 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 18:24:46 +0000 Subject: [PATCH 39/54] debug --- .github/workflows/quality-checks.yml | 30 ++++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
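Review bot: The four lines added in `@@ -64,6 +64,10 @@` (`echo "current dir is $(pwd)"`, `echo "current user is $(whoami)"`, `ls -la`) are unconditional troubleshooting output in the shared `make install` step, and the commit title `debug` suggests they were not meant to stay. They execute for every consumer of this reusable workflow and print a workspace listing into job logs readable by anyone with read access to the calling repository. Drop them before merge, or gate them on the runner's debug switch, `if [ "${RUNNER_DEBUG:-0}" = "1" ]; then ls -la; fi`, so they appear only when step debug logging is enabled. The other hunks on this line are pin bumps and need no comment.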
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 801b72f..c06d6f8 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -124,7 +124,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -141,7 +141,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -178,7 +178,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -195,7 +195,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -402,7 +402,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -411,7 +411,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -491,7 +491,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -505,7 +505,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -514,7 +514,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -522,7 +522,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -541,7 +541,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -569,7 +569,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -588,7 +588,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@5600f5880dac8d150a7dc10820f5b01922b0b08e + uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 0758c7903532666333b867f370f4537b5ef6f0c7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 18:35:46 +0000 Subject: [PATCH 40/54] new one --- .github/workflows/quality-checks.yml | 30 ++++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index c06d6f8..dd263e8 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -124,7 +124,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -141,7 +141,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -178,7 +178,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -195,7 +195,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -402,7 +402,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -411,7 +411,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -491,7 +491,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -505,7 +505,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -514,7 +514,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -522,7 +522,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -541,7 +541,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -569,7 +569,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -588,7 +588,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@a077461d204cb4abe0386e62647bdec8316bffa0 + uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 2d060fb3d39631f7669ada995985f51a6cd7d190 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 18:40:22 +0000 Subject: [PATCH 41/54] new one --- .github/workflows/quality-checks.yml | 30 ++++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index dd263e8..777dd9a 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -124,7 +124,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -141,7 +141,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -178,7 +178,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -195,7 +195,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -402,7 +402,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -411,7 +411,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -491,7 +491,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -505,7 +505,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -514,7 +514,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -522,7 +522,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -541,7 +541,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -569,7 +569,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -588,7 +588,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@23700ce663bf05fe4f8d3cb0e8729a24337924e4 + uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 8b12d9e90f5c69892e96950dfe3d041bd2ed86a1 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 18:45:23 +0000 Subject: [PATCH 42/54] new onea --- .github/workflows/quality-checks.yml | 30 ++++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 777dd9a..b83b85e 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -124,7 +124,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -141,7 +141,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -178,7 +178,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -195,7 +195,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -402,7 +402,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -411,7 +411,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -491,7 +491,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -505,7 +505,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -514,7 +514,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -522,7 +522,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -541,7 +541,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -569,7 +569,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -588,7 +588,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@17e5cbba5071cbed431182ed995f5b1d87de5fce + uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From fb03db090db508a56f8cc2cb031efe1c301c877f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 18:50:30 +0000 Subject: [PATCH 43/54] new one --- .github/workflows/quality-checks.yml | 30 ++++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index b83b85e..fb31474 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -124,7 +124,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -141,7 +141,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -178,7 +178,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -195,7 +195,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -402,7 +402,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -411,7 +411,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -491,7 +491,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -505,7 +505,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -514,7 +514,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -522,7 +522,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -541,7 +541,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -569,7 +569,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -588,7 +588,7 @@ jobs: - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@bb6b9f933e861c124c8d28eec48211c9b45e37ae + uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 70e2b442bfc70c61590ebc9be2aedf8229b3d0e7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 18:52:33 +0000 Subject: [PATCH 44/54] new one --- .github/workflows/quality-checks.yml | 30 ++++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index fb31474..125cf39 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -36,7 +36,7 @@ jobs: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -59,7 +59,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -124,7 +124,7 @@ jobs: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -141,7 +141,7 @@ jobs: poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - name: download go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -178,7 +178,7 @@ jobs: cat license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -195,7 +195,7 @@ jobs: .git - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -402,7 +402,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -411,7 +411,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -491,7 +491,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -505,7 +505,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -514,7 +514,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -522,7 +522,7 @@ jobs: make cdk-synth - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -541,7 +541,7 @@ jobs: - name: Run cfn-guard script for sam templates if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -569,7 +569,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4 + uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -588,7 +588,7 @@ jobs:
 - name: Run cfn-guard script for cdk templates
 if: steps.check_cdk.outputs.cdk_exists == 'true'
- uses: anthony-nhs/docker-run-action-fork@905a59c55183229c385b38da20ecf01111357ee4
+ uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5
 with:
 workspace_folder: ${{ github.workspace }}
 image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
From 8d7634d5d00b38dc7a4437cad3effb4b89d952fb Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 17 Feb 2026 09:21:17 +0000 Subject: [PATCH 45/54] fix it --- .devcontainer/devcontainer.json | 2 +- .github/workflows/pull_request.yml | 11 +- .github/workflows/quality-checks.yml | 324 ++++++++------------------- .gitignore | 3 +- Makefile | 3 + 5 files changed, 108 insertions(+), 235 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index a3e6fb8..9b6bf69 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -6,7 +6,7 @@
 "args": {
 "DOCKER_GID": "${env:DOCKER_GID:}",
 "IMAGE_NAME": "node_24_python_3_14",
- "IMAGE_VERSION": "e0808a3",
+ "IMAGE_VERSION": "pr-18-f24c020",
 "USER_UID": "${localEnv:USER_ID:}",
 "USER_GID": "${localEnv:GROUP_ID:}"
 },
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 4c45059..7f995f5 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -22,6 +22,7 @@ jobs:
 asdf_version: ${{ steps.asdf-version.outputs.version }}
 tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
 devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
+ devcontainer_image: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE }}
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
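Review bot: `"IMAGE_VERSION": "pr-18-f24c020"` points the dev container, and via pull_request.yml every CI job that consumes `runtime_docker_image`, at a pull-request build of eps-devcontainers rather than the released version (`e0808a3`) it replaces. A PR-build tag is presumably rebuilt or removed once that PR lands, so this should return to a released tag before merge or a later CI run may fail to pull the image, or quietly run a different one. The subject `fix it` does not say the pre-release pin is intentional; a `// pr-* image tags are for testing only, not for merge` comment on the field (devcontainer.json accepts comments) or a line in the PR description would stop it being carried forward by accident.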
@@ -33,14 +34,18 @@ jobs:
 id: load-config
 run: |
 TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+ DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
 DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
- echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
- echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
+ {
+ echo "TAG_FORMAT=$TAG_FORMAT"
+ echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
+ echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
+ } >> "$GITHUB_OUTPUT"
 quality_checks:
 uses: ./.github/workflows/quality-checks.yml
 needs: [get_config_values]
 with:
- runtime_docker_image: "node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}"
+ runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:github-actions-${{ needs.get_config_values.outputs.devcontainer_version }}"
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 tag_release:
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
index 125cf39..38ed64d 100644
--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -35,13 +35,6 @@ jobs:
 with:
 ref: ${{ env.BRANCH_NAME }}
 fetch-depth: 0
- - name: Run secrets scan
- uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5
- with:
- workspace_folder: ${{ github.workspace }}
- image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }}
- run: |
- git-secrets --scan-history .
 - &setup_npmrc
 name: Setting up .npmrc
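Review bot: `DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)` yields the literal string `null` when the key is missing and nothing checks it, so the reusable workflow would be handed `null:github-actions-<version>` as `runtime_docker_image`; a guard before the output block, `[ -n "$DEVCONTAINER_IMAGE" ] && [ "$DEVCONTAINER_IMAGE" != "null" ] || { echo "IMAGE_NAME missing from devcontainer.json" >&2; exit 1; }`, fails fast with a readable reason (the pre-existing DEVCONTAINER_VERSION line has the same gap). The composed value is an image name plus a mutable tag, so what `image:` resolves to in quality-checks.yml can change between runs with no change in this repository; if CI reproducibility matters, carry a digest in devcontainer.json alongside the version and append it as `@sha256:…` to the reference. The `load-config` step begins before this hunk.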
@@ -59,17 +52,28 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | - echo "current dir is $(pwd)" - echo "current user is $(whoami)" - echo "listing current dir contents" - ls -la make install + - name: Run secrets scan + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + with: + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make secrets-scan + - name: Run actionlint + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + with: + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make actionlint + - name: Check language tools used and setup trivy config id: check_languages run: | 
@@ -117,68 +121,22 @@ jobs: echo "****************" echo "uses_go=false" >> "$GITHUB_OUTPUT" fi - touch trivy.yaml - - name: Update trivy config to include dev dependencies - uses: mikefarah/yq@2be0094729a1006f61e8339ce9934bfb3cbb549f - with: - cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - - name: convert python dependencies to requirements.txt - if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 - with: - workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - run: | - POETRY_VERSION=$(poetry --version | awk '{print $3}') - - if [[ "$(printf '%s\n' "2.0.0" "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "2.0.0" ]] \ - && [[ "$(printf '%s\n' "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "$POETRY_VERSION" ]]; then - echo "Poetry version $POETRY_VERSION is >=2.0.0 and <3.0.0 - installing plugin-export" - poetry self add poetry-plugin-export - else - echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export" - fi - poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - - name: download go dependencies - if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + - name: Check licenses + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | - cd src - go mod vendor - - name: Check licenses - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - with: - scan-type: "fs" - scan-ref: "." 
- severity: "CRITICAL,HIGH" - scanners: "license" - format: "table" - output: "license_scan.txt" - exit-code: "1" - list-all-pkgs: "false" - trivy-config: trivy.yaml - env: - VIRTUAL_ENV: "./.venv/" - - name: remove requirements.txt - if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - run: | - rm -f requirements.txt - - name: clean go dependencies - if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - run: | - cd src - rm -rf vendor + make trivy-license-check + - name: Show license scan output if: always() run: | if [ -f license_scan.txt ]; then - cat license_scan.txt + cat .trivy_out/license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
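Review bot: In the `Show license scan output` step the `cat` now reads `.trivy_out/license_scan.txt`, but the guard on the line above is unchanged context and still tests `[ -f license_scan.txt ]` in the workspace root, so the report is never printed and the `if: always()` step becomes a no-op unless a stale root-level file happens to exist. Change the guard to `if [ -f .trivy_out/license_scan.txt ]; then`, which is what the vulnerability-output step in the next hunk already does for its four files. Separately, the removed steps set `pkg.include-dev-deps = true` and exported poetry dev dependencies before the license scan; whether `make trivy-license-check` keeps that scope is not visible in this workflow, so it is worth confirming against the target shipped in the pinned image.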
@@ -186,102 +144,80 @@ jobs: make lint - name: Run ShellCheck - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: - ignore_paths: >- - *test* - .venv - node_modules - .git + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make shellcheck - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make test - - name: Generate SBOM - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + - name: make generate sbom + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: - scan-type: "fs" - scan-ref: "." - scanners: "vuln" - format: "cyclonedx" - output: "sbom.cdx.json" - exit-code: "0" - trivy-config: trivy.yaml + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make trivy-generate-sbom - name: Upload sbom uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f with: name: sbom.cdx.json - path: sbom.cdx.json + path: .trivy_out/sbom.cdx.json - name: Check python vulnerabilities if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: - scan-type: "fs" - skip-files: "**/package-lock.json,**/go.mod,**/pom.xml" - scan-ref: "." 
- severity: "CRITICAL,HIGH" - scanners: "vuln" - format: "table" - output: "dependency_results_python.txt" - exit-code: "1" - trivy-config: trivy.yaml + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make trivy-scan-python + - name: Check node vulnerabilities if: ${{ steps.check_languages.outputs.uses_node == 'true' }} - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: - scan-type: "fs" - skip-files: "**/poetry.lock,**/go.mod,**/pom.xml" - scan-ref: "." - severity: "CRITICAL,HIGH" - scanners: "vuln" - format: "table" - output: "dependency_results_node.txt" - exit-code: "1" - trivy-config: trivy.yaml + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make trivy-scan-node - name: Check go vulnerabilities if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: - scan-type: "fs" - skip-files: "**/poetry.lock,**/package-lock.json,**/pom.xml" - scan-ref: "." - severity: "CRITICAL,HIGH" - scanners: "vuln" - format: "table" - output: "dependency_results_go.txt" - exit-code: "1" + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make trivy-scan-go - name: Check java vulnerabilities if: ${{ steps.check_languages.outputs.uses_java == 'true' }} - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: - scan-type: "fs" - skip-files: "**/poetry.lock,**/package-lock.json,**/go.mod" - scan-ref: "." 
- severity: "CRITICAL,HIGH" - scanners: "vuln" - format: "table" - output: "dependency_results_java.txt" - exit-code: "1" - trivy-config: trivy.yaml + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make trivy-scan-java - name: Show vulnerability output if: always() run: | - if [ -f dependency_results_python.txt ]; then - cat dependency_results_python.txt + if [ -f .trivy_out/dependency_results_python.txt ]; then + cat .trivy_out/dependency_results_python.txt fi - if [ -f dependency_results_node.txt ]; then - cat dependency_results_node.txt + if [ -f .trivy_out/dependency_results_node.txt ]; then + cat .trivy_out/dependency_results_node.txt fi - if [ -f dependency_results_java.txt ]; then - cat dependency_results_java.txt + if [ -f .trivy_out/dependency_results_java.txt ]; then + cat .trivy_out/dependency_results_java.txt fi - if [ -f dependency_results_go.txt ]; then - cat dependency_results_go.txt + if [ -f .trivy_out/dependency_results_go.txt ]; then + cat .trivy_out/dependency_results_go.txt fi - name: "check is SONAR_TOKEN exists" env: @@ -402,7 +338,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -411,7 +347,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
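Review bot: The per-language scan steps drop the inline `severity: CRITICAL,HIGH`, `exit-code: 1` and `skip-files` settings in favour of `make trivy-scan-<lang>`, so whether a HIGH finding still fails the job, and whether each scan is still limited to its own lockfile type, can no longer be read from this workflow. A short comment above the `Check python vulnerabilities` step, such as `# severity threshold, exit code and skip-files for the trivy-scan-* targets are defined in the devcontainer image pinned in .devcontainer/devcontainer.json`, tells a reviewer where the policy now lives. The same applies to `make trivy-generate-sbom`, where the old step's `exit-code: "0"` made it explicit that SBOM generation is non-blocking.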
@@ -419,24 +355,21 @@ jobs: make docker-build - name: Check docker vulnerabilities - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: - scan-type: "image" - image-ref: ${{ matrix.docker_image }} - severity: "CRITICAL,HIGH" - scanners: "vuln" - vuln-type: "os,library" - format: "table" - output: "dependency_results_docker.txt" - exit-code: "1" - trivy-config: trivy.yaml + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make trivy-scan-docker + env: + DOCKER_IMAGE: ${{ matrix.docker_image }} - name: Show docker vulnerability output if: always() run: | echo "Scan output for ${{ matrix.docker_image }}" - if [ -f dependency_results_docker.txt ]; then - cat dependency_results_docker.txt + if [ -f .trivy_out/dependency_results_docker.txt ]; then + cat .trivy_out/dependency_results_docker.txt fi IaC-validation: 
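Review bot: `DOCKER_IMAGE` is declared under the step's `env:`, which applies to the `docker-run-action-fork` process on the runner, whereas `make trivy-scan-docker` executes inside the devcontainer; unless the fork forwards the step environment into the container, the variable is empty there and the target has nothing to scan. If the action does not forward `env`, pass the value as a make variable in the script instead, e.g. `make trivy-scan-docker DOCKER_IMAGE="${{ matrix.docker_image }}"`, mirroring how the following step already interpolates the same matrix value. The previous `trivy-action` step also ran on the runner where the freshly built image lives; scanning from inside a container presumably needs access to the host image store, which is worth confirming before relying on this job as the image gate.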
@@ -491,119 +424,58 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | - pip install cfn-lint - cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' - cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' + make cfn-lint - *cache_npm - *setup_npmrc - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | - make install-node && make compile + make install-node compile - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make cdk-synth - - name: Init cfn-guard - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 - with: - workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} - run: | - set -eou pipefail - - rm -rf /tmp/ruleset - rm -rf cfn_guard_output - - wget -O /tmp/ruleset.zip 
https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1 - unzip /tmp/ruleset.zip -d /tmp/ruleset/ >/dev/null 2>&1 - - curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1 - - mkdir -p cfn_guard_output - - name: Run cfn-guard script for sam templates - if: steps.check_sam_templates.outputs.sam_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | - set -eou pipefail - - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - while IFS= read -r -d '' file - do - echo "checking SAM template $file with ruleset $ruleset" - mkdir -p "$(dirname cfn_guard_output/"$file")" - - # Transform the SAM template to CloudFormation and then run through cfn-guard - SAM_OUTPUT=$(sam validate -t "$file" --region eu-west-2 --debug 2>&1 | \ - grep -Pazo '(?s)AWSTemplateFormatVersion.*\n\/' | tr -d '\0') - echo "${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/${file}_${ruleset}.txt" - - done < <(find ./SAMtemplates -name '*.y*ml' -print0) - done + make cfn-guard-sam-templates - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | - 
declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - echo "Checking all templates in cloudformation folder with ruleset $ruleset" - - ~/.guard/bin/cfn-guard validate \ - --data cloudformation \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/cloudformation_$ruleset.txt" - done - + make cfn-guard-cloudformation - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@4f922233a795baf81c0af3b46459a0e49388f2f5 + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - echo "Checking all templates in cdk.out folder with ruleset $ruleset" - - ~/.guard/bin/cfn-guard validate \ - --data cdk.out \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/cdk.out_$ruleset.txt" - done + make cfn-guard-cdk - name: Download terraform plans uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 
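Review bot: The `if: steps.check_sam_templates.outputs.sam_exists == 'true'` condition on `Run cfn-guard script for sam templates` is removed in this hunk while the cloudformation, cdk and terraform steps keep theirs, so the SAM step now runs in every repository using this workflow; in a repo without a `SAMtemplates` directory `make cfn-guard-sam-templates` will either fail the job or pass with nothing checked, depending on the target, neither of which matches the guarded behaviour it replaces. Restore the condition directly under the step name: `if: steps.check_sam_templates.outputs.sam_exists == 'true'`. The removed `Init cfn-guard` step fetched the ruleset and installed cfn-guard at job time via an unpinned `curl … | sh`, so sourcing both from the pinned image is an improvement, but the ruleset version the make targets use is no longer visible here; a comment naming it would let operators compare findings across image versions.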
@@ -626,28 +498,20 @@ jobs: - name: Run cfn-guard script for terraform plans if: steps.check_terraform_plans.outputs.terraform_plans_exist == 'true' - run: | - #!/usr/bin/env bash - - declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar") - for ruleset in "${rulesets[@]}" - do - echo "Checking terraform plans with ruleset $ruleset" - - ~/.guard/bin/cfn-guard validate \ - --data terraform_plans \ - --rules "/tmp/ruleset/output/$ruleset.guard" \ - --show-summary fail \ - > "cfn_guard_output/terraform_plans_$ruleset.txt" - done + uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + with: + workspace_folder: ${{ github.workspace }} + image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + run: | + make cfn-guard-terraform - name: Show cfn-guard output if: failure() - run: find cfn_guard_output -type f -print0 | xargs -0 cat + run: find .cfn_guard_out -type f -print0 | xargs -0 cat - name: Upload cfn_guard_output if: failure() uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f with: name: cfn_guard_output - path: cfn_guard_output + path: .cfn_guard_out diff --git a/.gitignore b/.gitignore index 5642dae..0ed3cb4 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,5 @@ .DS_Store release_notes .venv -.asdf \ No newline at end of file +.asdf +.trivy_out diff --git a/Makefile b/Makefile index aae27f8..6c53c65 100644 --- a/Makefile +++ b/Makefile @@ -32,3 +32,6 @@ test: build: echo "Not implemented" + +%: + @$(MAKE) -f /usr/local/share/eps/makefiles/common.mk $@ From d6528dfcbdfb5352f5cb6accd8707abc63d8dcd7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 17 Feb 2026 09:21:58 +0000 Subject: [PATCH 46/54] use new tag --- .github/workflows/quality-checks.yml | 44 ++++++++++++++-------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 38ed64d..fa8c864 100644 
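Review bot: `.trivy_out` is added here but `.cfn_guard_out`, the new output directory used by the `Show cfn-guard output` and `Upload cfn_guard_output` steps in the same commit, is not, so a local `make cfn-guard-*` run leaves an untracked directory of scan reports that can be committed by accident (the previous `cfn_guard_output` directory had the same gap). Add `.cfn_guard_out` on the line after `.trivy_out`, unless it is already ignored by a rule outside this hunk.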
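Review bot: The new `%:` match-anything rule forwards every target this Makefile does not define to `common.mk` inside the devcontainer image, which is what the workflow now relies on, but it is not declared terminal and has no prerequisites: GNU make may also try it when it attempts to remake the Makefile itself, and a target whose name happens to exist as a file or directory in the repo would be reported as up to date instead of being forwarded. The manual's idiom for this pattern is `%: force` with `force: ;`, plus `Makefile: ;` to keep the rule to explicit targets. A comment above the rule, e.g. `# any target not defined here is delegated to common.mk from the devcontainer image pinned in .devcontainer/devcontainer.json`, would also make explicit that a mistyped target is forwarded rather than rejected locally and that the behaviour of every CI check is now fixed by the image version rather than by this repository.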
--- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -52,7 +52,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -60,14 +60,14 @@ jobs: make install - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make secrets-scan - name: Run actionlint - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -122,7 +122,7 @@ jobs: echo "uses_go=false" >> "$GITHUB_OUTPUT" fi - name: Check licenses - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -136,7 +136,7 @@ jobs: cat .trivy_out/license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -144,7 +144,7 @@ jobs: make lint - name: Run ShellCheck - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -152,14 +152,14 @@ jobs: make shellcheck - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make test - name: make generate sbom - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -173,7 +173,7 @@ jobs: - name: Check python vulnerabilities if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -182,7 +182,7 @@ jobs: - name: Check node vulnerabilities if: ${{ steps.check_languages.outputs.uses_node == 'true' }} - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -190,7 +190,7 @@ jobs: make trivy-scan-node - name: Check go vulnerabilities if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -198,7 +198,7 @@ jobs: make trivy-scan-go - name: Check java vulnerabilities if: ${{ steps.check_languages.outputs.uses_java == 'true' }} - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -338,7 +338,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -347,7 +347,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -355,7 +355,7 @@ jobs: make docker-build - name: Check docker vulnerabilities - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -424,7 +424,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -436,7 +436,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -445,7 +445,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -453,7 +453,7 @@ jobs: make cdk-synth - name: Run cfn-guard script for sam templates - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -462,7 +462,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -470,7 +470,7 @@ jobs: make cfn-guard-cloudformation - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -498,7 +498,7 @@ jobs: - name: Run cfn-guard script for terraform plans if: steps.check_terraform_plans.outputs.terraform_plans_exist == 'true' - uses: anthony-nhs/docker-run-action-fork@ae1b9fe9351e334cbb984d20945490f808d23160 + uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 38f40a329ad7905b6343fe04dee8f490432e0fff Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Tue, 17 Feb 2026 09:28:04 +0000 Subject: [PATCH 47/54] use correct commit --- .github/workflows/quality-checks.yml | 44 ++++++++++++++-------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index fa8c864..d85adb4 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -52,7 +52,7 @@ jobs: key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - name: make install - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -60,14 +60,14 @@ jobs: make install - name: Run secrets scan - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make secrets-scan - name: Run actionlint - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -122,7 +122,7 @@ jobs: echo "uses_go=false" >> "$GITHUB_OUTPUT" fi - name: Check licenses - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -136,7 +136,7 @@ jobs: cat .trivy_out/license_scan.txt fi - name: Run code lint - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -144,7 +144,7 @@ jobs: make lint - name: Run ShellCheck - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -152,14 +152,14 @@ jobs: make shellcheck - name: Run unit tests - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} run: | make test - name: make generate sbom - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -173,7 +173,7 @@ jobs: - name: Check python vulnerabilities if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -182,7 +182,7 @@ jobs: - name: Check node vulnerabilities if: ${{ steps.check_languages.outputs.uses_node == 'true' }} - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -190,7 +190,7 @@ jobs: make trivy-scan-node - name: Check go vulnerabilities if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -198,7 +198,7 @@ jobs: make trivy-scan-go - name: Check java vulnerabilities if: ${{ steps.check_languages.outputs.uses_java == 'true' }} - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -338,7 +338,7 @@ jobs: ${{ runner.os }}-node- - name: make install - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -347,7 +347,7 @@ jobs: - name: Build docker images if: ${{ inputs.run_docker_scan == true }} - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -355,7 +355,7 @@ jobs: make docker-build - name: Check docker vulnerabilities - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -424,7 +424,7 @@ jobs: - name: Run cfn-lint if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -436,7 +436,7 @@ jobs: - name: make install NodeJS if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -445,7 +445,7 @@ jobs: - name: Run cdk-synth if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -453,7 +453,7 @@ jobs: make cdk-synth - name: Run cfn-guard script for sam templates - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -462,7 +462,7 @@ jobs: - name: Run cfn-guard script for cloudformation templates if: steps.check_cf_templates.outputs.cf_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} @@ -470,7 +470,7 @@ jobs: make cfn-guard-cloudformation - name: Run cfn-guard script for cdk templates if: steps.check_cdk.outputs.cdk_exists == 'true' - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} 
@@ -498,7 +498,7 @@ jobs: - name: Run cfn-guard script for terraform plans if: steps.check_terraform_plans.outputs.terraform_plans_exist == 'true' - uses: anthony-nhs/docker-run-action-fork@e0808a33fe9811938aa5982643b7aa415bf89999 + uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} From 0c8410e9917f9bb311b6c5d6a96bc587d6779fce Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 17 Feb 2026 09:29:23 +0000 Subject: [PATCH 48/54] fix name --- .github/workflows/pull_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 7f995f5..8d046ae 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -45,7 +45,7 @@ jobs: uses: ./.github/workflows/quality-checks.yml needs: [get_config_values] with: - runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:github-actions-${{ needs.get_config_values.outputs.devcontainer_version }}" + runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}" secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} tag_release: From d81961d23c24b6bf52d8239f4838db50343794db Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 17 Feb 2026 09:33:03 +0000 Subject: [PATCH 49/54] dont use full image --- .github/workflows/quality-checks.yml | 44 ++++++++++++++-------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index d85adb4..8d2d24c 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -55,7 +55,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make install @@ -63,14 +63,14 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make secrets-scan - name: Run actionlint uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make actionlint @@ -125,7 +125,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make trivy-license-check @@ -139,7 +139,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make lint @@ -147,7 +147,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make shellcheck 
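Review bot: Dropping the `ghcr.io/nhsdigital/eps-devcontainers/` prefix from `image:` in this hunk means `inputs.runtime_docker_image` now selects the whole image reference, so any workflow that calls this reusable workflow can have `make install`, the scanners and the tests executed inside an image from any registry, not only one under that namespace. A guard step before the first docker-run step would keep the previous trust boundary, e.g. `- name: Check runtime image` / `if: ${{ !startsWith(inputs.runtime_docker_image, 'ghcr.io/nhsdigital/eps-devcontainers/') }}` / `run: echo "runtime_docker_image must be under ghcr.io/nhsdigital/eps-devcontainers"; exit 1`. The caller in pull_request.yml (PATCH 48 in this series) also builds the reference with a mutable `githubactions-<version>` tag; passing a digest-pinned reference (`<image>@sha256:<digest>`) would make the checks reproducible and resistant to tag re-pushes. The same edit appears in every remaining hunk of this file (`@@ -63` through `@@ -501`), so one guard step covers them all.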
@@ -155,14 +155,14 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make test - name: make generate sbom uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make trivy-generate-sbom - name: Upload sbom @@ -176,7 +176,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make trivy-scan-python @@ -185,7 +185,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make trivy-scan-node - name: Check go vulnerabilities @@ -193,7 +193,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make trivy-scan-go - name: Check java vulnerabilities @@ -201,7 +201,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make trivy-scan-java - name: Show vulnerability output 
@@ -341,7 +341,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make install @@ -350,7 +350,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make docker-build @@ -358,7 +358,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make trivy-scan-docker env: @@ -427,7 +427,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make cfn-lint @@ -439,7 +439,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make install-node compile @@ -448,7 +448,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make cdk-synth 
@@ -456,7 +456,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make cfn-guard-sam-templates @@ -465,7 +465,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make cfn-guard-cloudformation - name: Run cfn-guard script for cdk templates @@ -473,7 +473,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make cfn-guard-cdk @@ -501,7 +501,7 @@ jobs: uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: workspace_folder: ${{ github.workspace }} - image: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.runtime_docker_image }} + image: ${{ inputs.runtime_docker_image }} run: | make cfn-guard-terraform From 875e7591ad4bd49607b2a408c38579bc82baa173 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 17 Feb 2026 09:59:45 +0000 Subject: [PATCH 50/54] new image --- .devcontainer/devcontainer.json | 2 +- Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 9b6bf69..5257c4d 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -6,7 +6,7 @@ "args": { "DOCKER_GID": "${env:DOCKER_GID:}", "IMAGE_NAME": "node_24_python_3_14", - "IMAGE_VERSION": "pr-18-f24c020", + "IMAGE_VERSION": "pr-18-fce01b4", "USER_UID": "${localEnv:USER_ID:}", "USER_GID": "${localEnv:GROUP_ID:}" }, diff --git a/Makefile b/Makefile index 6c53c65..864b5bb 100644 --- a/Makefile +++ b/Makefile @@ -34,4 +34,4 @@ build: echo "Not implemented" %: - @$(MAKE) -f /usr/local/share/eps/makefiles/common.mk $@ + @$(MAKE) -f /usr/local/share/eps/Mk/common.mk $@ From 2a2d5acfa23c8191590053a57c97c5c7a70b7ed1 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 17 Feb 2026 10:08:09 +0000 Subject: [PATCH 51/54] fix secret scan --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 8d2d24c..6cd634f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -65,7 +65,7 @@ jobs: workspace_folder: ${{ github.workspace }} image: ${{ inputs.runtime_docker_image }} run: | - make secrets-scan + make secret-scan - name: Run actionlint uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: From 31a1a17e33c9beeb8bce1ffc19eef24273e69748 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 17 Feb 2026 10:08:24 +0000 Subject: [PATCH 52/54] test failure --- .github/workflows/quality-checks.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 6cd634f..147ebc9 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -58,6 +58,7 @@ jobs: image: ${{ inputs.runtime_docker_image }} run: | make install + exit 1 - name: Run secrets scan uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 From 4688236896cfd04087ce0904dfd0b0e96a430efc Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Tue, 17 Feb 2026 10:11:28 +0000 Subject: [PATCH 53/54] it will all work --- .github/workflows/quality-checks.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 147ebc9..50363d6 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -58,8 +58,6 @@ jobs: image: ${{ inputs.runtime_docker_image }} run: | make install - exit 1 - - name: Run secrets scan uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with: From 87b711242612bf488aac08e63d9c139377cf61df Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 17 Feb 2026 10:48:03 +0000 Subject: [PATCH 54/54] testing vars --- .github/workflows/quality-checks.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 50363d6..ee9dbda 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -58,6 +58,12 @@ jobs: image: ${{ inputs.runtime_docker_image }} run: | make install + echo "These are env vars" + echo "VAR1 is $VAR1" + echo "VAR2 is $VAR2" + env: + VAR1: value1 + VAR2: value2 - name: Run secrets scan uses: anthony-nhs/docker-run-action-fork@80b8bf1eaca8275e1c2b848cf7ea5fabb2443d78 with:
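Review bot: The three `echo` lines and the `VAR1`/`VAR2` env block added to the `make install` step in the last hunk look like temporary debugging (the subject says "testing vars", and the `exit 1` experiment in PATCH 52/53 was added and reverted the same way), so they should be removed before this lands rather than left in the shared quality-checks workflow. Echoing environment variables into the job log is harmless for `value1`/`value2`, but it is the pattern that turns into a log disclosure as soon as the same step is handed a secret, so it is better not to leave it in a reusable workflow other repositories call. The indentation of `env:` is not recoverable from this view; if it sits at step level it is set for the action's own process, and whether `docker-run-action-fork` forwards it into the container it starts is not visible here, which is presumably what the experiment was meant to establish. If forwarding is confirmed and variables are genuinely needed, record it with a comment such as `# step-level env is forwarded into the runtime container by docker-run-action-fork` instead of the echo lines.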