add release workflow

anthony-nhs · anthony-nhs · commit d364522f6a64 · 2026-02-06T10:08:17.000Z
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -5,12 +5,17 @@ name: Build and push docker image
       publish_image:
         required: true
         type: boolean
+      docker_tag:
+        required: true
+        type: string
+
 jobs:
   build_image:
     permissions:
       id-token: write
     runs-on: '${{ matrix.runner }}'
     strategy:
+      fail-fast: false
       matrix:
         include:
           - arch: amd64
@@ -33,12 +38,13 @@ jobs:
         run: >
           make build-base-image
 
-          docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}"
+          docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:{DOCKER_TAG}-${ARCHITECTURE}"
 
           docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img"
         env:
           GH_TOKEN: '${{ github.token }}'
           ARCHITECTURE: '${{ matrix.arch }}'
+          DOCKER_TAG: '${{ inputs.docker_tag }}'
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         name: Upload docker images
         with:
@@ -49,7 +55,7 @@ jobs:
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
         with:
           scan-type: "image"
-          image-ref:  "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}"
+          image-ref:  "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}"
           severity: "CRITICAL,HIGH"
           scanners: "vuln"
           vuln-type: "os,library"
@@ -61,7 +67,7 @@ jobs:
       - name: Show docker vulnerability output
         if: always()
         run: |
-          echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}"
+          echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${ARCHITECTURE}"
           if [ -f dependency_results_docker.txt ]; then
             cat dependency_results_docker.txt
           fi
@@ -102,26 +108,33 @@ jobs:
           name: eps-devcontainer-base-latest-arm64.img
       - name: Load and push multi-arch image
         run: >
-          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{
-          github.actor }} --password-stdin
-
+          echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin
           echo "loading images"
-
           docker load -i eps-devcontainer-base-latest-amd64.img
-
           docker load -i eps-devcontainer-base-latest-arm64.img
 
-          echo "pushing images"
+          echo "Tagging latest images"
+          docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64"
+          docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64"
 
+          echo "pushing images"
+          docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64"
+          docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64"
           docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64
-
           docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64
 
           echo "creating manifest"
+          docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" \
+            --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" \
+            --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64"
+          docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:latest" \
+            --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" \
+            --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64"
 
-          docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \
-            --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \
-            --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64
           echo "pushing manifest"
-
-          docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest
+          docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}"
+          docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:latest"
+        env:
+          DOCKER_TAG: '${{ inputs.docker_tag }}'
+          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          GITHUB_ACTOR: '${{ github.actor }}'
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -86,5 +86,9 @@ jobs:
           echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
   package_docker_image:
     uses: ./.github/workflows/build_multi_arch_image.yml
+    needs:
+      - get_issue_number
+      - get_commit_id
     with:
       publish_image: false
+      docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,47 @@
+name: merge to main workflow
+on:
+  push:
+    branches: [main]
+
+jobs:
+  get_asdf_version:
+    runs-on: ubuntu-22.04
+    outputs:
+      asdf_version: '${{ steps.asdf-version.outputs.version }}'
+      tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - name: Get asdf version
+        id: asdf-version
+        run: >-
+          echo "version=$(awk '!/^#/ && NF {print $1; exit}'
+          .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+      - name: Load config value
+        id: load-config
+        run: |
+          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+  quality_checks:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
+    needs:
+      - get_asdf_version
+    with:
+      asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}'
+    secrets:
+      SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
+  tag_release:
+    needs: [quality_checks, get_asdf_version]
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
+    with:
+      dry_run: false
+      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      branch_name: main
+      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+    secrets: inherit
+  package_docker_image:
+    needs: tag_release
+    uses: ./.github/workflows/build_multi_arch_image.yml
+    with:
+      publish_image: true
+      docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
@@ -18,6 +18,7 @@ fi
 
 echo "Running apt-get update"
 apt-get update
+apt-get upgrade -y
 
 # install necessary libraries for asdf and language runtimes
 echo "Installing necessary packages"
