Chore: [AEA-0000] - finish as root (#15)

anthony-nhs · web-flow · commit 1b54f96499fa · 2026-02-13T18:33:16.000Z
## Summary

- Routine Change

### Details

- need to finish as root user
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -82,7 +82,8 @@ RUN asdf plugin add python; \
     asdf plugin add direnv; \
     asdf plugin add actionlint; \
     asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \
-    asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git
+    asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \
+    asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
 
 
 WORKDIR /workspaces/eps-devcontainers
diff --git a/.github/scripts/delete_unused_images.sh b/.github/scripts/delete_unused_images.sh
@@ -1,5 +1,4 @@
 #!/usr/bin/env bash
-set -e
 
 get_container_package_name() {
 	local container_name=$1
@@ -71,9 +70,9 @@ delete_pr_images() {
 					if [[ -n "${version_id}" ]]; then
                         echo "Deleting image with tag ${tag} (version ID: ${version_id}) from container ${container_name}..."
 						gh api \
-							-H "Accept: application/vnd.github+json" \
-							-X DELETE \
-							"/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}"
+						 	-H "Accept: application/vnd.github+json" \
+						 	-X DELETE \
+						 	"/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}"
 					fi
 				done
 		fi
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -87,6 +87,8 @@ jobs:
           BASE_VERSION: ${{ inputs.docker_tag}}
           IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}"
           BASE_FOLDER: "${{ inputs.base_folder }}"
+          VSCODE_UID: "1001"
+          VSCODE_GID: "1001"
       - name: Check docker vulnerabilities - json output
         uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
         with:
diff --git a/.github/workflows/delete_old_images.yml b/.github/workflows/delete_old_images.yml
@@ -1,4 +1,4 @@
-name: "Delete old cloudformation stacks"
+name: "Delete old images"
 
 # Controls when the action will run - in this case triggered manually and on schedule
 on:
@@ -9,38 +9,13 @@ on:
     branches: [main]
 
 jobs:
-  delete-old-cloudformation-stacks:
+  delete-old-pushed-images:
     runs-on: ubuntu-22.04
     permissions:
-      id-token: write
       contents: read
-
-    steps:
-      - name: Checkout local code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          ref: ${{ env.BRANCH_NAME }}
-          fetch-depth: 0
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
-        with:
-          aws-region: eu-west-2
-          role-to-assume: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
-          role-session-name: psu-delete-old-stacks
-
-      - name: delete stacks
-        shell: bash
-        working-directory: .github/scripts
-        run: ./delete_stacks.sh
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  delete-old-proxygen-deployments:
-    runs-on: ubuntu-22.04
-    permissions:
+      packages: write
+      attestations: write
       id-token: write
-      contents: read
 
     steps:
       - name: Checkout local code
@@ -51,5 +26,6 @@ jobs:
 
       - name: delete unused images
         shell: bash
-        working-directory: .github/scripts
-        run: ./delete_unused_images.sh
+        run: .github/scripts/delete_unused_images.sh
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.tool-versions b/.tool-versions
@@ -6,3 +6,4 @@ direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
 trivy 0.69.1
+yq 4.52.2
diff --git a/Makefile b/Makefile
@@ -57,7 +57,7 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER
 		--scanners vuln \
 		--exit-code 1 \
 		--format json \
-		--output .out/scan.out.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}" 
+		--output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}" 
 
 shell-image: guard-CONTAINER_NAME
 	docker run -it \
diff --git a/README.md b/README.md
@@ -26,6 +26,7 @@ asdf install and setup for these so they are available globally as vscode user
  - actionlint
  - ruby (for github pages)
  - trivy
+ - yq
 
 Install and setup git-secrets
 
@@ -147,12 +148,12 @@ CONTAINER_NAME=fhir_facade_api \
 ## Generating a .trivyignore file
 You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json
 
-If generated locally, then the output goes into .out/scan.out.json
+If generated locally, then the output goes into .out/scan_results_docker.json
 
 Once you have the scan output, use the following to generate a .trivyignore
 ```
 poetry run python \
   scripts/trivy_to_trivyignore.py \
-  --input .out/scan.out.json \
+  --input .out/scan_results_docker.json \
   --output src/common/.trivyignore.yaml 
 ```
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
@@ -3,3 +3,4 @@ direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
 trivy 0.69.1
+yq 4.52.2
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
@@ -1,29 +1,28 @@
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 
+ARG BASE_VERSION=latest
 ARG TARGETARCH
-ENV TARGETARCH=${TARGETARCH}
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
+ENV TARGETARCH=${TARGETARCH}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
+ENV BASE_VERSION=${BASE_VERSION}
 
 LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
 LABEL org.opencontainers.image.description="EPS base devcontainer"
 LABEL org.opencontainers.image.licenses=MIT
 
-ARG ASDF_VERSION
 COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
-
 COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
 
 USER vscode
-
-ENV PATH="/home/vscode/.asdf/shims/:$PATH"
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf
 COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions
 
+ENV PATH="/home/vscode/.asdf/shims/:$PATH"
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./vscode_install.sh
-WORKDIR /home/vscode
diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json
@@ -6,7 +6,9 @@
     "build": {
       "dockerfile": "Dockerfile",
       "args": {
-        "CONTAINER_NAME": "eps_devcontainer_base"
+        "CONTAINER_NAME": "eps_devcontainer_base",
+        "VSCODE_UID": "${localEnv:VSCODE_UID}",
+        "VSCODE_GID": "${localEnv:VSCODE_GID}"
       }
     },
     "runArgs": [
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
@@ -16,6 +16,7 @@ if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
     echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-security main universe" >> /etc/apt/sources.list
 fi
 
+# update and upgrade packages
 echo "Running apt-get update"
 apt-get update
 apt-get upgrade -y
@@ -65,3 +66,15 @@ rm -rf /tmp/git-secrets
 mkdir -p /usr/share/secrets-scanner
 chmod 755 /usr/share/secrets-scanner
 curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
+
+# fix user and group ids for vscode user to match host, and ensure vscode owns their home directory
+requested_uid="${VSCODE_UID:-1000}"
+requested_gid="${VSCODE_GID:-1000}"
+current_uid="$(id -u vscode)"
+current_gid="$(id -g vscode)"
+if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi
+if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi
+chown -R vscode:vscode /home/vscode
+
+# store base version in VERSION.txt for reference
+echo "VERSION=${BASE_VERSION}" > "${SCRIPTS_DIR}/VERSION.txt"
diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh
@@ -19,6 +19,7 @@ asdf plugin add actionlint
 asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git
 asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git
 asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git
+asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
 
 # install base asdf versions of common tools
 cd /home/vscode
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
@@ -302,3 +302,8 @@ vulnerabilities:
     purls:
       - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
+  - id: CVE-2025-68121
+    statement: "crypto/tls: Unexpected session resumption in crypto/tls"
+    purls:
+      - "pkg:golang/stdlib@v1.25.6"
+    expired_at: 2026-08-13
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
@@ -11,14 +11,10 @@ COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
 
-
-USER vscode
-
 USER vscode
 
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 COPY .tool-versions /tmp/.tool-versions
 RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
 
 RUN ./vscode_install.sh
-WORKDIR /home/vscode
