diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
deleted file mode 100644
index 0e7ee62..0000000
--- a/.devcontainer/Dockerfile
+++ /dev/null
@@ -1,98 +0,0 @@
-FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
-ARG TARGETARCH
-ENV TARGETARCH=${TARGETARCH}
-
-# Install essential packages first
-RUN apt-get update && apt-get install -y \
- curl \
- wget \
- git \
- sudo \
- unzip \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Copy ASDF version file
-ARG ASDF_VERSION
-COPY .tool-versions.asdf /tmp/.tool-versions.asdf
-
-# Add amd64 architecture if on arm64
-RUN if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then dpkg --add-architecture amd64; fi
-
-RUN apt-get update \
- && export DEBIAN_FRONTEND=noninteractive \
- && apt-get -y dist-upgrade \
- && apt-get -y install --no-install-recommends htop vim curl git build-essential \
- libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \
- zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \
- jq apt-transport-https ca-certificates gnupg-agent \
- software-properties-common bash-completion python3-pip make libbz2-dev \
- libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
- xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev uuid-runtime xxd unzip
-
-# install aws stuff
-# Download correct AWS CLI for arch
-RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
- wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; \
- else \
- wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; \
- fi && \
- unzip /tmp/awscliv2.zip -d /tmp/aws-cli && \
- /tmp/aws-cli/aws/install && \
- rm /tmp/awscliv2.zip && rm -rf /tmp/aws-cli
-
-# Install ASDF
-RUN ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) && \
- if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
- wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"; \
- else \
- wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz"; \
- fi && \
- tar -xzf /tmp/asdf.tar.gz -C /tmp && \
- mkdir -p /usr/bin && \
- mv /tmp/asdf /usr/bin/asdf && \
- chmod +x /usr/bin/asdf && \
- rm -rf /tmp/asdf.tar.gz
-
-# install gitsecrets
-RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
- cd /tmp/git-secrets && \
- make install && \
- cd && \
- rm -rf /tmp/git-secrets && \
- mkdir -p /usr/share/secrets-scanner && \
- chmod 755 /usr/share/secrets-scanner && \
- curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
-
-USER vscode
-
-ENV PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"
-RUN \
- echo 'PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \
- echo '. <(asdf completion bash)' >> ~/.bashrc; \
- echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc; \
- echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc; \
- echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc;
-
-# Install ASDF plugins
-RUN asdf plugin add python; \
- asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git; \
- asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git; \
- asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git; \
- asdf plugin add direnv; \
- asdf plugin add actionlint; \
- asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \
- asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \
- asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
-
-
-WORKDIR /workspaces/eps-devcontainers
-COPY .tool-versions /workspaces/eps-devcontainers/.tool-versions
-COPY .tool-versions /home/vscode/.tool-versions
-
-# install python before poetry to ensure correct python version is used
-RUN asdf install python; \
- asdf install
-
-RUN git-secrets --register-aws --global && \
- git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
deleted file mode 100644
index b08221a..0000000
--- a/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,86 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
-{
- "name": "eps-devcontainers",
- // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
- "build": {
- "dockerfile": "Dockerfile",
- "context": "..",
- "args": {}
- },
- "mounts": [
- "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
- "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
- "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
- "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
- ],
- "runArgs": [
- "--network=host"
- ],
- "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
- "postAttachCommand": "docker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v4.0.4/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && poetry run pre-commit install --install-hooks -f",
- "features": {
- "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
- "version": "latest",
- "moby": "true",
- "installDockerBuildx": "true"
- },
- "ghcr.io/devcontainers/features/github-cli:1": {}
- },
- "customizations": {
- "vscode": {
- "extensions": [
- "AmazonWebServices.aws-toolkit-vscode",
- "redhat.vscode-yaml",
- "ms-python.python",
- "ms-python.flake8",
- "eamodio.gitlens",
- "github.vscode-pull-request-github",
- "orta.vscode-jest",
- "42crunch.vscode-openapi",
- "mermade.openapi-lint",
- "christian-kohler.npm-intellisense",
- "dbaeumer.vscode-eslint",
- "lfm.vscode-makefile-term",
- "GrapeCity.gc-excelviewer",
- "redhat.vscode-xml",
- "streetsidesoftware.code-spell-checker",
- "timonwong.shellcheck",
- "mkhl.direnv",
- "github.vscode-github-actions",
- "Gruntfuggly.todo-tree",
- "ms-vscode.makefile-tools"
- ],
- "settings": {
- "python.defaultInterpreterPath": "/workspaces/eps-devcontainers/.venv/bin/python",
- "python.analysis.autoSearchPaths": true,
- "python.analysis.extraPaths": [],
- "python.testing.unittestEnabled": false,
- "python.testing.pytestEnabled": true,
- "pylint.enabled": false,
- "python.linting.flake8Enabled": true,
- "python.linting.enabled": true, // required to format on save
- "editor.formatOnPaste": false, // required
- "editor.formatOnType": false, // required
- "editor.formatOnSave": true, // optional
- "editor.formatOnSaveMode": "file",
- "cSpell.words": ["fhir", "Formik", "pino", "serialisation"],
- "editor.defaultFormatter": "dbaeumer.vscode-eslint"
-
- },
- "eslint.useFlatConfig": true,
- "eslint.format.enable": true
- }
- },
- "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/eps-devcontainers; make install; direnv allow ."
- // "features": {},
- // Use 'forwardPorts' to make a list of ports inside the container available locally.
- // "forwardPorts": [],
- // Use 'postCreateCommand' to run commands after the container is created.
- // "postCreateCommand": ""
- // Configure tool-specific properties.
- // "customizations": {},
- // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
- // "remoteUser": "root"
- }
-
diff --git a/.dockerignore b/.dockerignore
deleted file mode 100644
index 740676e..0000000
--- a/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-.git
-node_modules
-.venv
-.out
diff --git a/.gitallowed b/.gitallowed
deleted file mode 100644
index bb5927a..0000000
--- a/.gitallowed
+++ /dev/null
@@ -1,3 +0,0 @@
-id-token: write
-password: \${{secrets\.GITHUB_TOKEN}}
-\.gitallowed
diff --git a/.github/config/settings.yml b/.github/config/settings.yml
deleted file mode 100644
index 05dbcda..0000000
--- a/.github/config/settings.yml
+++ /dev/null
@@ -1 +0,0 @@
-TAG_FORMAT: "v${version}"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 4a87436..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-#########################################################################
-# Dependabot configuration file
-#########################################################################
-
-version: 2
-
-updates:
- - package-ecosystem: "github-actions"
- # Workflow files stored in the
- # default location of `.github/workflows`
- directory: "/"
- schedule:
- interval: "weekly"
- day: "friday"
- time: "18:00" # UTC
- open-pull-requests-limit: 20
- commit-message:
- prefix: "Upgrade: [dependabot] - "
-
- ###################################
- # NPM workspace ##################
- ###################################
- - package-ecosystem: "npm"
- directory: "/"
- schedule:
- interval: "weekly"
- day: "friday"
- time: "18:00"
- open-pull-requests-limit: 20
- versioning-strategy: increase
- commit-message:
- prefix: "Upgrade: [dependabot] - "
-
- ###################################
- # Poetry #########################
- ###################################
- - package-ecosystem: "pip"
- directory: "/"
- schedule:
- interval: "weekly"
- day: "friday"
- time: "18:00"
- open-pull-requests-limit: 20
- versioning-strategy: increase
- commit-message:
- prefix: "Upgrade: [dependabot] - "
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
deleted file mode 100644
index 203df63..0000000
--- a/.github/pull_request_template.md
+++ /dev/null
@@ -1,59 +0,0 @@
-## Summary
-
-**Remove items from this list if they are not relevant. Remove this line once this has been done**
-
-- Routine Change
-- :exclamation: Breaking Change
-- :robot: Operational or Infrastructure Change
-- :sparkles: New Feature
-- :warning: Potential issues that might be caused by this change
-
-### Details
-
-Add any summary information of what is in the change. **Remove this line if you have nothing to add.**
-
-## Pull Request Naming
-
-Pull requests should be named using the following format:
-
-```text
-Tag: [AEA-NNNN] - Short description
-```
-
-Tag can be one of:
-
-- `Fix` - for a bug fix. (Patch release)
-- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release)
-- `New` - implemented a new feature. (Minor release)
-- `Breaking` - for a backwards-incompatible enhancement or feature. (Major release)
-- `Docs` - changes to documentation only. (Patch release)
-- `Build` - changes to build process only. (No release)
-- `Upgrade` - for a dependency upgrade. (Patch release)
-- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release)
-
-If the current release is x.y.z then
-- a patch release increases z by 1
-- a minor release increases y by 1
-- a major release increases x by 1
-
-Correct tagging is necessary for our automated versioning and release process.
-
-The description of your pull request will be used as the commit message for the merge, and also be included in the changelog. Please ensure that your title is sufficiently descriptive.
-
-### Rerunning Checks
-
-If you need to rename your pull request, you can restart the checks by either:
-
-- Closing and reopening the pull request
-- pushing an empty commit
- ```bash
- git commit --allow-empty -m 'trigger build'
- git push
- ```
-- Amend your last commit and force push to the branch
- ```bash
- git commit --amend --no-edit
- git push --force
- ```
-
-Rerunning the checks from within the pull request will not use the updated title.
diff --git a/.github/scripts/delete_unused_images.sh b/.github/scripts/delete_unused_images.sh
deleted file mode 100755
index d16919d..0000000
--- a/.github/scripts/delete_unused_images.sh
+++ /dev/null
@@ -1,252 +0,0 @@ -#!/usr/bin/env bash - -DRY_RUN=false -DELETE_PR=false -DELETE_CI=false -DELETE_UNTAGGED=false - -while [[ $# -gt 0 ]]; do - case "$1" in - --dry-run|-n) - DRY_RUN=true - shift - ;; - --delete-pr) - DELETE_PR=true - shift - ;; - --delete-ci) - DELETE_CI=true - shift - ;; - --delete-untagged) - DELETE_UNTAGGED=true - shift - ;; - --help|-h) - echo "Usage: $0 [--dry-run] [--delete-pr] [--delete-ci] [--delete-untagged]" - exit 0 - ;; - *) - echo "Unknown option: $1" >&2 - echo "Usage: $0 [--dry-run] [--delete-pr] [--delete-ci] [--delete-untagged]" >&2 - exit 1 - ;; - esac -done - -if [[ "${DELETE_PR}" == "false" && "${DELETE_CI}" == "false" ]]; then - DELETE_PR=true -fi - -get_container_package_name() { - local container_name=$1 - - if [[ -z "${container_name}" ]]; then - echo "Container name is required" >&2 - return 1 - fi - - # URL-encode the package path (eps-devcontainers/${container_name}) for the GH API - printf 'eps-devcontainers/%s' "${container_name}" | jq -sRr @uri -} - -get_container_versions_json() { - local container_name=$1 - local package_name - - package_name=$(get_container_package_name "${container_name}") - - gh api \ - -H "Accept: application/vnd.github+json" \ - "/orgs/nhsdigital/packages/container/${package_name}/versions" \ - --paginate -} - -delete_pr_images() { - local container_name=$1 - local package_name - local versions_json - local tags - - if [[ -z "${container_name}" ]]; then - echo "Container name is required" >&2 - return 1 - fi - - package_name=$(get_container_package_name "${container_name}") - versions_json=$(get_container_versions_json "${container_name}") - tags=$(jq -r '[.[].metadata.container.tags[]?] | unique | .[]' <<<"${versions_json}") - - if [[ -z "${tags}" ]]; then - echo "No tags found for container ${container_name}, skipping." 
- return 0 - fi - - while IFS= read -r tag; do - local pull_request - if [[ "${tag}" =~ ^pr-([0-9]+)(-.+)?$ ]]; then - pull_request=${BASH_REMATCH[1]} - elif [[ "${tag}" =~ ^githubactions-pr-([0-9]+)(-.+)?$ ]]; then - pull_request=${BASH_REMATCH[1]} - else - echo "Tag ${tag} does not match expected PR tag format for container ${container_name}, skipping." - continue - fi - - local pr_json - local pr_state - - if ! pr_json=$(gh api \ - -H "Accept: application/vnd.github+json" \ - "/repos/NHSDigital/eps-devcontainers/pulls/${pull_request}"); then - continue - fi - echo "Checking PR #${pull_request} for tag ${tag} in container ${container_name}..." - pr_state=$(jq -r '.state // empty' <<<"${pr_json}") - if [[ "${pr_state}" != "closed" ]]; then - echo "State is not closed - not deleting images" - continue - fi - - jq -r --arg tag "${tag}" '.[] | select(.metadata.container.tags[]? == $tag) | .id' \ - <<<"${versions_json}" \ - | while IFS= read -r version_id; do - if [[ -n "${version_id}" ]]; then - if [[ "${DRY_RUN}" == "true" ]]; then - echo "[DRY RUN] Would delete image with tag ${tag} (version ID: ${version_id}) from container ${container_name}." - else - echo "Deleting image with tag ${tag} (version ID: ${version_id}) from container ${container_name}..." - gh api \ - -H "Accept: application/vnd.github+json" \ - -X DELETE \ - "/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}" - fi - fi - done - done <<<"${tags}" -} - -delete_ci_images() { - local container_name=$1 - local package_name - local versions_json - local tags - - if [[ -z "${container_name}" ]]; then - echo "Container name is required" >&2 - return 1 - fi - - package_name=$(get_container_package_name "${container_name}") - versions_json=$(get_container_versions_json "${container_name}") - tags=$(jq -r '[.[].metadata.container.tags[]?] | unique | .[]' <<<"${versions_json}") - - if [[ -z "${tags}" ]]; then - echo "No tags found for container ${container_name}, skipping." 
- return 0 - fi - - while IFS= read -r tag; do - if [[ ! "${tag}" =~ ^ci-[0-9a-fA-F]{8}.*$ ]] && [[ ! "${tag}" =~ ^githubactions-ci-[0-9a-fA-F]{8}.*$ ]]; then - echo "Tag ${tag} does not match expected CI tag format for container ${container_name}, skipping." - continue - fi - - jq -r --arg tag "${tag}" '.[] | select(.metadata.container.tags[]? == $tag) | .id' \ - <<<"${versions_json}" \ - | while IFS= read -r version_id; do - if [[ -n "${version_id}" ]]; then - if [[ "${DRY_RUN}" == "true" ]]; then - echo "[DRY RUN] Would delete CI image with tag ${tag} (version ID: ${version_id}) from container ${container_name}." - else - echo "Deleting CI image with tag ${tag} (version ID: ${version_id}) from container ${container_name}..." - gh api \ - -H "Accept: application/vnd.github+json" \ - -X DELETE \ - "/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}" - fi - fi - done - done <<<"${tags}" -} - -delete_untagged_images() { - local container_name=$1 - local package_name - local versions_json - - if [[ -z "${container_name}" ]]; then - echo "Container name is required" >&2 - return 1 - fi - - package_name=$(get_container_package_name "${container_name}") - versions_json=$(get_container_versions_json "${container_name}") - - jq -r '.[] | select(((.metadata.container.tags // []) | length) == 0) | .id' \ - <<<"${versions_json}" \ - | while IFS= read -r version_id; do - if [[ -n "${version_id}" ]]; then - if [[ "${DRY_RUN}" == "true" ]]; then - echo "[DRY RUN] Would delete untagged image version ID ${version_id} from container ${container_name}." - else - echo "Deleting untagged image version ID ${version_id} from container ${container_name}..." 
- gh api \ - -H "Accept: application/vnd.github+json" \ - -X DELETE \ - "/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}" - fi - fi - done -} - -base_node_folders=$(find src/base_node -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') -language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') -project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') - -for container_name in $(jq -r '.[]' <<<"${project_folders}"); do - if [[ "${DELETE_PR}" == "true" ]]; then - delete_pr_images "${container_name}" - fi - if [[ "${DELETE_CI}" == "true" ]]; then - delete_ci_images "${container_name}" - fi - if [[ "${DELETE_UNTAGGED}" == "true" ]]; then - delete_untagged_images "${container_name}" - fi -done - -for container_name in $(jq -r '.[]' <<<"${base_node_folders}"); do - if [[ "${DELETE_PR}" == "true" ]]; then - delete_pr_images "${container_name}" - fi - if [[ "${DELETE_CI}" == "true" ]]; then - delete_ci_images "${container_name}" - fi - if [[ "${DELETE_UNTAGGED}" == "true" ]]; then - delete_untagged_images "${container_name}" - fi -done - -for container_name in $(jq -r '.[]' <<<"${language_folders}"); do - if [[ "${DELETE_PR}" == "true" ]]; then - delete_pr_images "${container_name}" - fi - if [[ "${DELETE_CI}" == "true" ]]; then - delete_ci_images "${container_name}" - fi - if [[ "${DELETE_UNTAGGED}" == "true" ]]; then - delete_untagged_images "${container_name}" - fi -done - -if [[ "${DELETE_PR}" == "true" ]]; then - delete_pr_images "base" -fi -if [[ "${DELETE_CI}" == "true" ]]; then - delete_ci_images "base" -fi -if [[ "${DELETE_UNTAGGED}" == "true" ]]; then - delete_untagged_images "base" -fi diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml deleted file mode 100644 index 111abf8..0000000 --- a/.github/workflows/build_all_images.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -name: build_all_images -'on': - workflow_call: - inputs: - docker_tag: - required: true - type: string - tag_latest: - required: true - type: boolean - NO_CACHE: - required: true - type: boolean -env: - BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' -jobs: - discover_folders: - runs-on: ubuntu-latest - outputs: - base_node_folders: ${{ steps.find-folders.outputs.base_node }} - node_24_language_folders: ${{ steps.find-folders.outputs.node_24_languages }} - project_folders: ${{ steps.find-folders.outputs.projects }} - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - id: find-folders - run: | - base_node_folders=$(find src/base_node -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') - node_24_language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -name 'node_24*' -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') - project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') - { - echo "base_node=$base_node_folders" - echo "node_24_languages=$node_24_language_folders" - echo "projects=$project_folders" - } >> "$GITHUB_OUTPUT" - package_base_docker_image: - uses: ./.github/workflows/build_multi_arch_image.yml - with: - tag_latest: ${{ inputs.tag_latest }} - docker_tag: ${{ inputs.docker_tag }} - container_name: base - base_folder: "." 
- NO_CACHE: ${{ inputs.NO_CACHE }} - package_base_node_images: - needs: - - package_base_docker_image - - discover_folders - strategy: - fail-fast: false - matrix: - container_name: ${{ fromJson(needs.discover_folders.outputs.base_node_folders) }} - uses: ./.github/workflows/build_multi_arch_image.yml - with: - tag_latest: ${{ inputs.tag_latest }} - docker_tag: ${{ inputs.docker_tag }} - container_name: ${{ matrix.container_name }} - base_folder: "base_node" - NO_CACHE: ${{ inputs.NO_CACHE }} - EXTRA_COMMON: "common_node_24" - package_node_24_language_docker_images: - needs: - - package_base_docker_image - - package_base_node_images - - discover_folders - strategy: - fail-fast: false - matrix: - container_name: ${{ fromJson(needs.discover_folders.outputs.node_24_language_folders) }} - uses: ./.github/workflows/build_multi_arch_image.yml - with: - tag_latest: ${{ inputs.tag_latest }} - docker_tag: ${{ inputs.docker_tag }} - container_name: ${{ matrix.container_name }} - base_folder: "languages" - NO_CACHE: ${{ inputs.NO_CACHE }} - EXTRA_COMMON: "common_node_24" - package_project_docker_images: - needs: - - package_node_24_language_docker_images - - discover_folders - strategy: - fail-fast: false - matrix: - container_name: ${{ fromJson(needs.discover_folders.outputs.project_folders) }} - uses: ./.github/workflows/build_multi_arch_image.yml - with: - tag_latest: ${{ inputs.tag_latest }} - docker_tag: ${{ inputs.docker_tag }} - container_name: ${{ matrix.container_name }} - base_folder: "projects" - NO_CACHE: ${{ inputs.NO_CACHE }} - EXTRA_COMMON: "common_node_24" diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml deleted file mode 100644 index ce560f0..0000000 --- a/.github/workflows/build_multi_arch_image.yml +++ /dev/null 
@@ -1,422 +0,0 @@ -name: Build and push docker image -'on': - workflow_call: - inputs: - tag_latest: - required: true - type: boolean - docker_tag: - required: true - type: string - container_name: - required: true - type: string - base_folder: - required: true - type: string - NO_CACHE: - required: true - type: boolean - EXTRA_COMMON: - required: false - type: string - -jobs: - build_and_push_image: - name: Build image for ${{ inputs.container_name }} on ${{ matrix.arch }} - permissions: - contents: read - packages: write - attestations: write - id-token: write - runs-on: '${{ matrix.runner }}' - - strategy: - fail-fast: false - matrix: - include: - - arch: amd64 - runner: ubuntu-22.04 - - arch: arm64 - runner: ubuntu-22.04-arm - steps: - - name: Free Disk Space for Docker - uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 - with: - remove_android: true - remove_dotnet: true - remove_haskell: true - remove_tool_cache: true - rm_cmd: rm - remove_packages: >- - azure-cli google-cloud-cli microsoft-edge-stable - google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* - dotnet-sdk-* - remove_packages_one_command: true - - name: Login to github container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 - with: - registry: ghcr.io - username: ${{github.actor}} - password: ${{secrets.GITHUB_TOKEN}} - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - with: - fetch-depth: 0 - - name: setup trivy - uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 - with: - version: v0.69.1 - - name: setup node - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 - with: - node-version-file: .tool-versions - - - name: make install - run: | - make install-node - - - name: Build container - run: | - echo "Building image..." 
- make build-image - env: - ARCHITECTURE: '${{ matrix.arch }}' - CONTAINER_NAME: '${{ inputs.container_name }}' - MULTI_ARCH_TAG: '${{ inputs.docker_tag }}' - BASE_VERSION_TAG: ${{ inputs.docker_tag}} - IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" - BASE_FOLDER: "${{ inputs.base_folder }}" - NO_CACHE: '${{ inputs.NO_CACHE }}' - BUILDX_NO_DEFAULT_ATTESTATIONS: "1" - - name: Check docker vulnerabilities - json output - run: | - make scan-image-json - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - BASE_FOLDER: "${{ inputs.base_folder }}" - IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" - EXIT_CODE: 0 - EXTRA_COMMON: "${{ inputs.extra_common }}" - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f - name: Upload scan results - with: - name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json" - path: .out/scan_results_docker.json - - name: Check docker vulnerabilities - table output - run: | - make scan-image - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - BASE_FOLDER: "${{ inputs.base_folder }}" - IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" - EXIT_CODE: "1" - EXTRA_COMMON: "${{ inputs.extra_common }}" - - name: Show docker vulnerability output - if: always() - run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" - if [ -f .out/scan_results_docker.txt ]; then - cat .out/scan_results_docker.txt - fi - env: - ARCHITECTURE: '${{ matrix.arch }}' - DOCKER_TAG: '${{ inputs.docker_tag }}' - - name: Push tagged image and rebuild for github actions - run: | - echo "Pushing image..." 
- docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" - echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" >> "$GITHUB_STEP_SUMMARY" - - echo "Rebuilding image for github actions with tag githubactions-${DOCKER_TAG}-${ARCHITECTURE}" - make build-githubactions-image BASE_IMAGE_NAME="${CONTAINER_NAME}" BASE_IMAGE_TAG="${DOCKER_TAG}-${ARCHITECTURE}" IMAGE_TAG="${DOCKER_TAG}-${ARCHITECTURE}" NO_CACHE="${{ inputs.NO_CACHE }}" - echo "Pushing github actions image..." - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}" - echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}" >> "$GITHUB_STEP_SUMMARY" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - BUILDX_NO_DEFAULT_ATTESTATIONS: "1" - - name: Resolve image digest - id: resolve_arch_digest - run: | - DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" | awk '/^Digest:/ {print $2; exit}') - echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - echo "Resolved digest ${DIGEST} for ${DOCKER_TAG}-${ARCHITECTURE}" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - - name: Attest image - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f - with: - subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }} - subject-digest: ${{ steps.resolve_arch_digest.outputs.digest }} - push-to-registry: false - - name: Summarise attested image - run: | - echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY" - env: - DOCKER_TAG: ${{ 
inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - DIGEST: ${{ steps.resolve_arch_digest.outputs.digest }} - - name: Resolve github actions image digest - id: resolve_githubactions_arch_digest - run: | - DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}" | awk '/^Digest:/ {print $2; exit}') - echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - echo "Resolved digest ${DIGEST} for githubactions-${DOCKER_TAG}-${ARCHITECTURE}" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - - name: Attest github actions image - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f - with: - subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }} - subject-digest: ${{ steps.resolve_githubactions_arch_digest.outputs.digest }} - push-to-registry: false - - name: Summarise attested github actions image - run: | - echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - DIGEST: ${{ steps.resolve_githubactions_arch_digest.outputs.digest }} - - name: Push latest image - if: ${{ inputs.tag_latest }} - run: | - docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" - echo "Pushing latest image..." 
- docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" - echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" >> "$GITHUB_STEP_SUMMARY" - - docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-${ARCHITECTURE}" - echo "Pushing github actions latest image..." - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-${ARCHITECTURE}" - echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-${ARCHITECTURE}" >> "$GITHUB_STEP_SUMMARY" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - - name: Resolve github actions latest image digest - if: ${{ inputs.tag_latest }} - id: resolve_githubactions_latest_arch_digest - run: | - DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-${ARCHITECTURE}" | awk '/^Digest:/ {print $2; exit}') - echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - echo "Resolved digest ${DIGEST} for githubactions-latest-${ARCHITECTURE}" - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - - name: Attest github actions latest image - if: ${{ inputs.tag_latest }} - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f - with: - subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }} - subject-digest: ${{ steps.resolve_githubactions_latest_arch_digest.outputs.digest }} - push-to-registry: false - - name: Summarise attested github actions latest image - if: ${{ inputs.tag_latest }} - run: | - echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-${ARCHITECTURE}@${DIGEST}" >> 
"$GITHUB_STEP_SUMMARY" - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - DIGEST: ${{ steps.resolve_githubactions_latest_arch_digest.outputs.digest }} - - name: Resolve latest image digest - if: ${{ inputs.tag_latest }} - id: resolve_latest_arch_digest - run: | - DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" | awk '/^Digest:/ {print $2; exit}') - echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - echo "Resolved digest ${DIGEST} for latest-${ARCHITECTURE}" - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - - name: Attest latest image - if: ${{ inputs.tag_latest }} - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f - with: - subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }} - subject-digest: ${{ steps.resolve_latest_arch_digest.outputs.digest }} - push-to-registry: false - - name: Summarise attested latest image - if: ${{ inputs.tag_latest }} - run: | - echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY" - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - DIGEST: ${{ steps.resolve_latest_arch_digest.outputs.digest }} - publish_combined_image: - name: Publish combined image for ${{ inputs.container_name }} - runs-on: ubuntu-22.04 - needs: build_and_push_image - permissions: - contents: read - packages: write - attestations: write - id-token: write - steps: - - name: Login to github container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 - with: - registry: ghcr.io - username: ${{github.actor}} - password: ${{secrets.GITHUB_TOKEN}} - - - name: Push multi-arch tagged image - run: | - BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") - export BUILD_TIMESTAMP - echo "Creating combined image for 
tag ${DOCKER_TAG}" - docker buildx imagetools create \ - --annotation "index:org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers" \ - --annotation "index:org.opencontainers.image.description=EPS devcontainer ${CONTAINER_NAME}:${DOCKER_TAG}" \ - --annotation "index:org.opencontainers.image.licenses=MIT" \ - --annotation "index:org.opencontainers.image.version=${DOCKER_TAG}" \ - --annotation "index:org.opencontainers.image.containerName=${CONTAINER_NAME}" \ - --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ - --annotation "index:org.opencontainers.image.authors=NHS England EPS Team" \ - --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" - echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" >> "$GITHUB_STEP_SUMMARY" - - echo "Creating combined image for tag githubactions-${DOCKER_TAG}" - docker buildx imagetools create \ - --annotation "index:org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers" \ - --annotation "index:org.opencontainers.image.description=EPS devcontainer ${CONTAINER_NAME}:${DOCKER_TAG}" \ - --annotation "index:org.opencontainers.image.licenses=MIT" \ - --annotation "index:org.opencontainers.image.version=${DOCKER_TAG}" \ - --annotation "index:org.opencontainers.image.containerName=${CONTAINER_NAME}" \ - --annotation "index:org.opencontainers.image.created=${BUILD_TIMESTAMP}" \ - --annotation "index:org.opencontainers.image.authors=NHS England EPS Team" \ - --tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-amd64" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-arm64" - echo "## 
PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}" >> "$GITHUB_STEP_SUMMARY" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - - - name: Push multi-arch latest image - if: ${{ inputs.tag_latest }} - run: | - echo "Creating combined image for tag latest" - docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" - echo "## PUSHED COMBINED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" >> "$GITHUB_STEP_SUMMARY" - - echo "Creating combined image for tag githubactions-latest" - docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-amd64" \ - "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-arm64" - echo "## PUSHED COMBINED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest" >> "$GITHUB_STEP_SUMMARY" - - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - - - name: Resolve combined image digest - id: resolve_combined_digest - run: | - DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" | awk '/^Digest:/ {print $2; exit}') - echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - echo "Resolved digest ${DIGEST} for ${DOCKER_TAG}" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - - - name: Attest combined image - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f - with: - subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }} - subject-digest: ${{ 
steps.resolve_combined_digest.outputs.digest }} - push-to-registry: false - - name: Summarise attested combined image - run: | - echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - DIGEST: ${{ steps.resolve_combined_digest.outputs.digest }} - - - name: Resolve combined github actions image digest - id: resolve_githubactions_combined_digest - run: | - DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}" | awk '/^Digest:/ {print $2; exit}') - echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - echo "Resolved digest ${DIGEST} for githubactions-${DOCKER_TAG}" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - - - name: Attest combined github actions image - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f - with: - subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }} - subject-digest: ${{ steps.resolve_githubactions_combined_digest.outputs.digest }} - push-to-registry: false - - name: Summarise attested combined github actions image - run: | - echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY" - env: - DOCKER_TAG: ${{ inputs.docker_tag }} - CONTAINER_NAME: '${{ inputs.container_name }}' - DIGEST: ${{ steps.resolve_githubactions_combined_digest.outputs.digest }} - - - name: Resolve latest github actions image digest - if: ${{ inputs.tag_latest }} - id: resolve_githubactions_latest_digest - run: | - DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest" | awk '/^Digest:/ {print $2; exit}') - echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - echo "Resolved digest ${DIGEST} for 
githubactions-latest" - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - - - name: Attest latest github actions image - if: ${{ inputs.tag_latest }} - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f - with: - subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }} - subject-digest: ${{ steps.resolve_githubactions_latest_digest.outputs.digest }} - push-to-registry: false - - name: Summarise attested latest github actions image - if: ${{ inputs.tag_latest }} - run: | - echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest@${DIGEST}" >> "$GITHUB_STEP_SUMMARY" - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - DIGEST: ${{ steps.resolve_githubactions_latest_digest.outputs.digest }} - - - name: Resolve latest image digest - if: ${{ inputs.tag_latest }} - id: resolve_latest_digest - run: | - DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" | awk '/^Digest:/ {print $2; exit}') - echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - echo "Resolved digest ${DIGEST} for latest" - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - - - name: Attest latest image - if: ${{ inputs.tag_latest }} - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f - with: - subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }} - subject-digest: ${{ steps.resolve_latest_digest.outputs.digest }} - push-to-registry: false - - name: Summarise attested latest image - if: ${{ inputs.tag_latest }} - run: | - echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest@${DIGEST}" >> "$GITHUB_STEP_SUMMARY" - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - DIGEST: ${{ steps.resolve_latest_digest.outputs.digest }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index 2f2ddc9..0000000 
--- a/.github/workflows/ci.yml +++ /dev/null @@ -1,49 +0,0 @@ -name: merge to main workflow -on: - push: - branches: [main] - -jobs: - get_asdf_version: - runs-on: ubuntu-22.04 - outputs: - asdf_version: '${{ steps.asdf-version.outputs.version }}' - tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}' - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - name: Get asdf version - id: asdf-version - run: >- - echo "version=$(awk '!/^#/ && NF {print $1; exit}' - .tool-versions.asdf)" >> "$GITHUB_OUTPUT" - - name: Load config value - id: load-config - run: | - TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) - echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" - quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@d215f841eb18b803e339e4ed597ed1f30e086e17 - needs: - - get_asdf_version - with: - asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}' - secrets: - SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' - tag_release: - needs: [quality_checks, get_asdf_version] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@d215f841eb18b803e339e4ed597ed1f30e086e17 - with: - dry_run: true - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - branch_name: main - tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} - secrets: inherit - build_all_images: - needs: - - tag_release - uses: ./.github/workflows/build_all_images.yml - with: - docker_tag: 'ci-${{ needs.tag_release.outputs.version_tag }}' - tag_latest: false - NO_CACHE: false diff --git a/.github/workflows/delete_old_images.yml b/.github/workflows/delete_old_images.yml deleted file mode 100644 index 96438b5..0000000 --- a/.github/workflows/delete_old_images.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -name: "Delete old images" - -# Controls when the action will run - in this case triggered manually and on schedule -on: - workflow_dispatch: - schedule: - - cron: "0 1 * * 6" - push: - branches: [main] - -jobs: - delete-old-pushed-images: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - attestations: write - id-token: write - - steps: - - name: Checkout local code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - with: - ref: ${{ env.BRANCH_NAME }} - fetch-depth: 0 - - - name: delete unused images - shell: bash - run: | - if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then - .github/scripts/delete_unused_images.sh --delete-pr - elif [[ "${{ github.event_name }}" == "schedule" ]]; then - .github/scripts/delete_unused_images.sh --delete-ci --delete-untagged - else - .github/scripts/delete_unused_images.sh - fi - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml deleted file mode 100644 index 830dc13..0000000 --- a/.github/workflows/pull_request.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -name: pull_request -'on': - pull_request: - branches: - - main -env: - BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' -jobs: - dependabot-auto-approve-and-merge: - needs: quality_checks - uses: >- - NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@d215f841eb18b803e339e4ed597ed1f30e086e17 - secrets: - AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}' - AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}' - get_asdf_version: - runs-on: ubuntu-22.04 - outputs: - asdf_version: '${{ steps.asdf-version.outputs.version }}' - tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}' - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - name: Get asdf version - id: asdf-version - run: >- - echo "version=$(awk '!/^#/ && NF {print $1; exit}' - .tool-versions.asdf)" >> "$GITHUB_OUTPUT" - - name: Load config value - id: load-config - run: | - TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) - echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" - quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@d215f841eb18b803e339e4ed597ed1f30e086e17 - needs: - - get_asdf_version - with: - asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}' - secrets: - SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' - pr_title_format_check: - uses: >- - NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@d215f841eb18b803e339e4ed597ed1f30e086e17 - get_issue_number: - runs-on: ubuntu-22.04 - needs: quality_checks - outputs: - issue_number: '${{ steps.get_issue_number.outputs.result }}' - version: '${{ steps.get_issue_number.outputs.version_number }}' - steps: - - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd - name: get issue number - id: get_issue_number - with: - script: | - if (context.issue.number) { - // Return issue number if present - return context.issue.number; - } else { - // Otherwise return 
issue number from commit - return ( - await github.rest.repos.listPullRequestsAssociatedWithCommit({ - commit_sha: context.sha, - owner: context.repo.owner, - repo: context.repo.repo, - }) - ).data[0].number; - } - result-encoding: string - get_commit_id: - runs-on: ubuntu-22.04 - outputs: - commit_id: '${{ steps.commit_id.outputs.commit_id }}' - sha_short: '${{ steps.commit_id.outputs.sha_short }}' - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - with: - ref: '${{ env.BRANCH_NAME }}' - - name: Get Commit ID - id: commit_id - run: | - # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" - echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" - echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - build_all_images: - needs: - - get_issue_number - - get_commit_id - uses: ./.github/workflows/build_all_images.yml - with: - docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' - tag_latest: false - NO_CACHE: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 0607cfe..0000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: release workflow -on: - workflow_dispatch: - schedule: - - cron: "0 18 * * 4" - -jobs: - get_asdf_version: - runs-on: ubuntu-22.04 - outputs: - asdf_version: '${{ steps.asdf-version.outputs.version }}' - tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}' - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - name: Get asdf version - id: asdf-version - run: >- - echo "version=$(awk '!/^#/ && NF {print $1; exit}' - .tool-versions.asdf)" >> "$GITHUB_OUTPUT" - - name: Load config value - id: load-config - run: | - TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) - echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" - quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@d215f841eb18b803e339e4ed597ed1f30e086e17 - needs: - - get_asdf_version - with: - asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}' - secrets: - SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' - tag_release: - needs: [quality_checks, get_asdf_version] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@d215f841eb18b803e339e4ed597ed1f30e086e17 - with: - dry_run: false - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} - branch_name: main - tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} - secrets: inherit - build_all_images: - needs: - - tag_release - uses: ./.github/workflows/build_all_images.yml - with: - docker_tag: '${{ needs.tag_release.outputs.version_tag }}' - tag_latest: true - NO_CACHE: true diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 7061e3a..0000000 --- a/.gitignore +++ /dev/null @@ -1,5 +0,0 @@ -node_modules/ -.venv/ -src/base/.devcontainer/language_versions/ -.trivyignore_combined.yaml -.out/ diff --git a/.gitkeep b/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index a4aafc5..0000000 
--- a/.pre-commit-config.yaml +++ /dev/null @@ -1,54 +0,0 @@ -repos: - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 - hooks: - - id: check-merge-conflict - name: Check for merge conflict strings - - - id: end-of-file-fixer - name: Fix missing newline at the end of files - - - id: check-shebang-scripts-are-executable - name: Check shell scripts are executable - files: \.(sh)$ - - - id: check-yaml - name: Check pipelines configuration - files: ^(.github) - - - repo: https://github.com/pycqa/flake8 - rev: "7ef0350a439c93166bc8ba89fcc3de6a9a664e6c" # release 6.1.0 - hooks: - - id: flake8 - - - repo: local - hooks: - - id: lint-githubactions - name: Lint github actions - entry: make - args: ["lint-githubactions"] - language: system - files: ^.github - types_or: [yaml] - pass_filenames: false - - - id: lint-githubaction-scripts - name: Lint github action scripts - entry: make - args: ["lint-githubaction-scripts"] - language: system - files: ^.github/scripts - types_or: [sh, shell] - pass_filenames: false - - - id: git-secrets - name: Git Secrets - description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. - entry: bash - args: - - -c - - 'git-secrets --pre_commit_hook' - language: system - -fail_fast: true -default_stages: [pre-commit] diff --git a/.tool-versions b/.tool-versions deleted file mode 100644 index e4a19f0..0000000 --- a/.tool-versions +++ /dev/null @@ -1,9 +0,0 @@ -nodejs 24.12.0 -python 3.14.2 -poetry 2.2.1 -shellcheck 0.11.0 -direnv 2.37.1 -actionlint 1.7.10 -ruby 3.3.0 -trivy 0.69.1 -yq 4.52.2 diff --git a/.tool-versions.asdf b/.tool-versions.asdf deleted file mode 100644 index 4921076..0000000 --- a/.tool-versions.asdf +++ /dev/null @@ -1,2 +0,0 @@ -# define the .asdf-version to use here -0.18.0 diff --git a/.trivyignore.yaml b/.trivyignore.yaml deleted file mode 100644 index 62fcf7b..0000000 --- a/.trivyignore.yaml +++ /dev/null 
@@ -1,529 +0,0 @@ -vulnerabilities: - - id: CVE-2026-25547 - statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@3.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@11.0.3" - expired_at: 2026-06-01 - - id: CVE-2022-25881 - statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" - purls: - - "pkg:npm/http-cache-semantics@4.1.0" - expired_at: 2026-06-01 - - id: CVE-2024-29415 - statement: "node-ip Incomplete fix for CVE-2023-42282" - purls: - - "pkg:npm/ip@1.1.5" - expired_at: 2026-06-01 - - id: CVE-2022-3517 - statement: "nodejs-minimatch ReDoS via the braceExpand function" - purls: - - "pkg:npm/minimatch@3.0.4" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@11.6.2" - expired_at: 2026-06-01 - - id: CVE-2022-29244 - statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: 
CVE-2022-25883 - statement: "nodejs-semver Regular expression denial of service" - purls: - - "pkg:npm/semver@7.3.5" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
- purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-49761 - statement: "rexml REXML ReDoS vulnerability" - purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-22874 - statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" - purls: - - "pkg:golang/stdlib@v1.24.3" - 
expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-66564 - statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" - purls: - - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2023-24538 - statement: "golang html/template backticks not treated as string delimiters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24540 - statement: "golang html/template improper handling of JavaScript whitespace" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-24790 - statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-24675 - statement: "golang encoding/pem fix stack overflow in Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-27664 - statement: "golang net/http handle server errors after sending GOAWAY" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28131 - statement: "golang encoding/xml stack exhaustion in Decoder.Skip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28327 - statement: "golang crypto/elliptic panic caused by oversized scalar" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2879 - statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2880 - statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-29804 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30580 - statement: "golang os/exec Code injection in Cmd.Start" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30630 - statement: "golang io/fs stack 
exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30631 - statement: "golang compress/gzip stack exhaustion in Reader.Read" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30632 - statement: "golang path/filepath stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30633 - statement: "golang encoding/xml stack exhaustion in Unmarshal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30634 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30635 - statement: "golang encoding/gob stack exhaustion in Decoder.Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-32189 - statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41715 - statement: "golang regexp/syntax limit memory used by parsing regexps" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41716 - statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41720 - statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41722 - statement: "golang path/filepath path-filepath filepath.Clean path traversal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41723 - statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41724 - statement: "golang crypto/tls large handshake records may cause panics" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41725 - statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24534 - statement: "golang net/http, net/textproto denial of service from excessive memory allocation" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24536 - statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24537 - statement: "golang go/parser Infinite loop in parsing" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24539 - statement: "golang html/template improper sanitization of CSS values" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29400 - statement: "golang html/template improper handling of empty HTML attributes" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29403 - statement: "golang runtime unexpected behavior of setuid/setgid binaries" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: 
CVE-2023-39325 - statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a prefix as sp ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45287 - statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45288 - statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-34156 - statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-25621 - statement: "github.com/containerd/containerd containerd local privilege escalation" - purls: - - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - 
id: CVE-2024-53179
- statement: "kernel: smb: client: fix use-after-free of signing key"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
- - id: CVE-2025-21780
- statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() "
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
- - id: CVE-2025-37899
- statement: "kernel: ksmbd: fix use-after-free in session logoff"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
- - id: CVE-2025-38118
- statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
- - id: CVE-2025-68121
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2025-61730
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2024-35870
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2024-53179
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2025-37849
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2025-37899
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2025-38118
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2026-26007
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2026-24842
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2026-23949
- statement: "CHANGE ME"
- expired_at: 2026-06-01
- - id: CVE-2026-24049
- statement: "CHANGE ME"
- expired_at: 2026-06-01
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
deleted file mode 100644
index 65cf5ff..0000000
--- a/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,76 +0,0 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, sex characteristics, gender identity and expression, -level of experience, education, socio-economic status, nationality, personal -appearance, race, religion, or sexual identity and orientation. - -## Our Standards - -Examples of behavior that contributes to creating a positive environment -include: - -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members - -Examples of unacceptable behavior by participants include: - -* The use of sexualized language or imagery and unwelcome sexual attention or - advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic - address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting - -## Our Responsibilities - -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. - -Project maintainers have the right and responsibility to remove, edit, or -reject comments, commits, code, wiki edits, issues, and other contributions -that are not aligned to this Code of Conduct, or to ban temporarily or -permanently any contributor for other behaviors that they deem inappropriate, -threatening, offensive, or harmful. 
- -## Scope - -This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team. All -complaints will be reviewed and investigated and will result in a response that -is deemed necessary and appropriate to the circumstances. The project team is -obligated to maintain confidentiality with regard to the reporter of an incident. -Further details of specific enforcement policies may be posted separately. - -Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html - -[homepage]: https://www.contributor-covenant.org - -For answers to common questions about this code of conduct, see -https://www.contributor-covenant.org/faq diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 9f62523..0000000 --- a/CONTRIBUTING.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# Contribution Guidelines - -## Raising an Issue - -If you raise an issue against this repository, please include as much information as possible to reproduce any bugs, -or specific locations in the case of content errors. - -## Contributing code - -To contribute code, please fork the repository and raise a pull request. - -Ideally pull requests should be fairly granular and aim to solve one problem each. It would also be helpful if they -linked to an issue. If the maintainers cannot understand why a pull request was raised, it will be rejected, -so please explain why the changes need to be made (unless it is self-evident). - -### Merge responsibility - -- It is the responsibility of the reviewer to merge branches they have approved. -- It is the responsibility of the author of the merge to ensure their merge is in a mergeable state. -- It is the responsibility of the maintainers to ensure the merge process is unambiguous and automated where possible. - -### Branch naming - -Branch names should be of the format: - -`aea-nnn-short-issue-description` - -Multiple branches are permitted for the same ticket. - -### Commit messages - -We do not enforce any conventions on commit messages to a branch, as we use squash commits when merging to main branch. - -Commits from a pull request get squashed into a single commit on merge, using the pull request title as the commit message. -Please format your pull request title using tags from [ESLint Convention](https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-changelog-eslint) as follows: - -```text -Tag: [AEA-NNNN] - Short description -``` - -Tag can be one of: - -- `Fix` - for a bug fix. (Patch release) -- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release) -- `New` - implemented a new feature. (Minor release) -- `Breaking` - for a backwards-incompatible enhancement or feature. 
(Major release) -- `Docs` - changes to documentation only. (Patch release) -- `Build` - changes to build process only. (No release) -- `Upgrade` - for a dependency upgrade. (Patch release) -- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release) - -If the current release is x.y.z then -- a patch release increases z by 1 -- a minor release increases y by 1 -- a major release increases x by 1 - -Correct tagging is necessary for our automated versioning and release process ([Release](./RELEASE.md)). - -### Changelog - -Release changelogs are generated from the titles of pull requests merged into the `main` branch. Please ensure that your pull request title is sufficiently descriptive of the changes made. diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 0ba95e8..0000000 --- a/LICENSE +++ /dev/null @@ -1,21 +0,0 @@ -MIT License - -Crown Copyright (c) - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. 
diff --git a/Makefile b/Makefile
deleted file mode 100644
index c829f69..0000000
--- a/Makefile
+++ /dev/null
@@ -1,104 +0,0 @@ -CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers/ - -ifeq ($(strip $(NO_CACHE)),true) -NO_CACHE_FLAG=--no-cache -endif - -guard-%: - @ if [ "${${*}}" = "" ]; then \ - echo "Environment variable $* not set"; \ - exit 1; \ - fi - -install: install-python install-node install-hooks - -install-python: - poetry install - -install-node: - npm install - -install-hooks: install-python - poetry run pre-commit install --install-hooks --overwrite - -build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG - npx devcontainer build \ - --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ - $(NO_CACHE_FLAG) \ - --push false \ - --output type=image,name="${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}",push=false,compression=zstd \ - --cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \ - --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" - -build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAGE_TAG - docker buildx build \ - -f src/githubactions/Dockerfile \ - $(NO_CACHE_FLAG) \ - --build-arg BASE_IMAGE_NAME="$${BASE_IMAGE_NAME}" \ - --build-arg BASE_IMAGE_TAG="$${BASE_IMAGE_TAG}" \ - --load \ - -t "${CONTAINER_PREFIX}$${BASE_IMAGE_NAME}:githubactions-$${IMAGE_TAG}" \ - . 
- -scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER - mkdir -p .out - @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ - common="src/common/.trivyignore.yaml"; \ - extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ - specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ - exit_code="$${EXIT_CODE:-1}"; \ - echo "vulnerabilities:" > "$$combined"; \ - if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ - if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ - if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ - trivy image \ - --severity HIGH,CRITICAL \ - --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ - --scanners vuln \ - --exit-code $$exit_code \ - --format table \ - --output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" - -scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG - mkdir -p .out - @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ - common="src/common/.trivyignore.yaml"; \ - extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ - specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ - exit_code="$${EXIT_CODE:-1}"; \ - echo "vulnerabilities:" > "$$combined"; \ - if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ - if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ - if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ - trivy image \ - --severity HIGH,CRITICAL \ - --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ - --scanners vuln \ - --exit-code "$$exit_code" \ - --format json \ - --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" - -shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG - docker run -it \ - --rm \ - 
"${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ - bash - -lint: lint-githubactions - -test: - echo "Not implemented" - -lint-githubactions: - actionlint - -github-login: - gh auth login --scopes read:packages - -lint-githubaction-scripts: - shellcheck .github/scripts/*.sh - -clean: - rm -rf .out - find . -type f -name '.trivyignore_combined.yaml' -delete - diff --git a/README.md b/README.md deleted file mode 100644 index ac47623..0000000 --- a/README.md +++ /dev/null 
@@ -1,390 +0,0 @@ -EPS DEV CONTAINERS -================== - -## Index -- [Introduction](#introduction) -- [Using the images](#using-the-images) - - [Project setup](#project-setup) - - [Getting image name and version in GitHub Actions from local config](#getting-image-name-and-version-in-github-actions) - - [Using images in GitHub Actions](#using-images-in-github-actions) - - [Using local or pull request images in Visual Studio Code and GitHub Actions](#using-local-or-pull-request-images-in-visual-studio-code-and-github-actions) -- [Common Makefile targets](#common-makefile-targets) - - [Defined Targets](#targets) - -- [Project structure](#project-structure) -- [Pull requests and merge to main process](#pull-requests-and-merge-to-main-process) -- [Release workflow](#release-workflow) -- [Local testing](#local-testing) - - [Building images](#building-images) - - [Scanning images](#scanning-images) - - [Interactive shell on image](#interactive-shell-on-image) -- [Generating a .trivyignore file](#generating-a-trivyignore-file) -- [Cleaning up unused container images](#cleaning-up-unused-container-images) - -# Introduction -This repository contains code to build VS Code devcontainers that can be used as a base image for all EPS projects. -Images are built for AMD64 and ARM64, and a manifest file is created that can be pulled for both architectures. This is then pushed to GitHub Container Registry and an attestation created that can be used to verify the images before being used. -Images are built using https://github.com/devcontainers/cli. 
- -We build a base image based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 that other images are then based on - -The base image contains - - latest os packages - - asdf - - aws cli - - aws sam cli - - It installs the following dev container features - - docker outside of docker - - GitHub CLI - -As the vscode user the following also happens - -asdf install and setup for these so they are available globally as vscode user - - shellcheck - - direnv - - actionlint - - ruby (for GitHub Pages) - - Trivy - - yq - -Install and setup git-secrets - -# Using the images -## Project setup -In each EPS project, `.devcontainer/Dockerfile` should be set to -``` -ARG IMAGE_NAME=node_24_python_3_14 -ARG IMAGE_VERSION=latest -FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE_NAME}:${IMAGE_VERSION} - -USER root -# specify DOCKER_GID to force container docker group id to match host -RUN if [ -n "${DOCKER_GID}" ]; then \ - if ! getent group docker; then \ - groupadd -g ${DOCKER_GID} docker; \ - else \ - groupmod -g ${DOCKER_GID} docker; \ - fi && \ - usermod -aG docker vscode; \ - fi -``` -`.devcontainer/devcontainer.json` should be set to: -``` -{ - "name": "eps-common-workflows", - "build": { - "dockerfile": "Dockerfile", - "context": "..", - "args": { - "DOCKER_GID": "${env:DOCKER_GID:}", - "IMAGE_NAME": "node_24_python_3_14", - "IMAGE_VERSION": "local-build", - "USER_UID": "${localEnv:USER_ID:}", - "USER_GID": "${localEnv:GROUP_ID:}" - }, - "updateRemoteUserUID": false, - }, - "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", - "mounts": [ - "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" - ], - 
"containerUser": "vscode", - "remoteEnv": { - "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" - }, - "features": {}, - "customizations": { - .... - } -} -``` -Note - this file will be used in GitHub workflows to calculate the version of container to use in builds, so it must be valid JSON (no comments). -The name should be changed to match the name of the project. -IMAGE_NAME and IMAGE_VERSION should be changed as appropriate. -You should not need to add any features as these are already baked into the image - -## Getting image name and version in GitHub Actions -This job should be used in GitHub Actions wherever you need to get the dev container name or tag - -``` - get_config_values: - runs-on: ubuntu-22.04 - outputs: - devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }} - devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }} - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - name: Load config value - id: load-config - run: | - DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json) - DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json) - echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT" - echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT" -``` -## Using images in GitHub Actions -To use the image in GitHub Actions, you should first verify the attestation of the image and reference the image by the digest -For CI and release pipelines, you should set verify_published_from_main_image to ensure that only images published from main are used. 
-``` -jobs: - verify_attestation: - uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@ - with: - runtime_docker_image: "${{ inputs.runtime_docker_image }}" - verify_published_from_main_image: false - my_job_name: - runs-on: ubuntu-22.04 - needs: verify_attestation - container: - image: ${{ needs.verify_attestation.outputs.pinned_image }} - options: --user 1001:1001 --group-add 128 - defaults: - run: - shell: bash - steps: - - name: copy .tool-versions - run: | - cp /home/vscode/.tool-versions "$HOME/.tool-versions" - ... other steps .... -``` -It is important that: -- the image specified uses the tag starting githubactions- -- there is `options: --user 1001:1001 --group-add 128` below image to ensure it uses the correct user id and is added to the docker group -- the default shell is set to be bash -- the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions -## Using local or pull request images in Visual Studio Code and GitHub Actions -You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json. -For an image built locally following instructions below, you should put the IMAGE_VERSION=local-build. -For an image built from a pull request, you should put the IMAGE_VERSION=. -You can only use images built from a pull request for testing changes in GitHub Actions. - -# Common Makefile targets -There is a set of common Makefiles that are defined in `src/base/.devcontainer/Mk` and are included from `common.mk`. These are installed to /usr/local/share/eps/Mk on the base image, so they are available for all containers. - -This should be added to the end of each project's Makefile to include them -``` -%: - @$(MAKE) -f /usr/local/share/eps/Mk/common.mk $@ -``` -# Targets -The following targets are defined. These are needed for quality checks to run. Some targets are project-specific and should be overridden in the project's Makefile. 
- -Build targets (`build.mk`) -- `install` - placeholder target - should be overridden locally -- `install-node` - placeholder target - should be overridden locally -- `docker-build` - placeholder target - should be overridden locally -- `compile` - placeholder target - should be overridden locally - -Check targets (`check.mk`) -- `lint` - placeholder target - should be overridden locally -- `test` - placeholder target - should be overridden locally -- `shellcheck` - runs shellcheck on `scripts/*.sh` and `.github/scripts/*.sh` when files exist -- `cfn-lint` - runs `cfn-lint` against `cloudformation/**/*.yml|yaml` and `SAMtemplates/**/*.yml|yaml` -- `cdk-synth` - placeholder target - should be overridden locally -- `cfn-guard-sam-templates` - validates SAM templates against cfn-guard rulesets and writes outputs to `.cfn_guard_out/` -- `cfn-guard-cloudformation` - validates `cloudformation` templates against cfn-guard rulesets and writes outputs to `.cfn_guard_out/` -- `cfn-guard-cdk` - validates `cdk.out` against cfn-guard rulesets and writes outputs to `.cfn_guard_out/` -- `cfn-guard-terraform` - validates `terraform_plans` against cfn-guard rulesets and writes outputs to `.cfn_guard_out/` -- `actionlint` - runs actionlint against GitHub Actions -- `secret-scan` - runs git-secrets (including scanning history) against the repository -- `guard-` - checks if an environment variable is set and errors if it is not - -Credentials targets (`credentials.mk`) -- `aws-configure` - configures an AWS SSO session -- `aws-login` - Authorizes an SSO session with AWS so AWS CLI tools can be used. 
You may still need to set AWS_PROFILE before running commands -- `github-login` - Authorizes GitHub CLI to GitHub with scope to read packages -- `create-npmrc` - depends on `github-login`, then writes `.npmrc` with a GitHub Packages auth token and `@nhsdigital` registry - -Trivy targets (`trivy.mk`) -- `trivy-license-check` - runs Trivy license scan (HIGH/CRITICAL) and writes `.trivy_out/license_scan.txt` -- `trivy-generate-sbom` - generates CycloneDX SBOM at `.trivy_out/sbom.cdx.json` -- `trivy-scan-python` - scans Python dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_python.txt` -- `trivy-scan-node` - scans Node dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_node.txt` -- `trivy-scan-go` - scans Go dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_go.txt` -- `trivy-scan-java` - scans Java dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_java.txt` -- `trivy-scan-docker` - scans a built image (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_docker.txt` (requires `DOCKER_IMAGE`), for example: - -# Project structure -We have 5 types of dev container. These are defined under src - -`base` - this is the base image that all others are based on. -`base_node` - images that install node - most language projects rely on one of these -`languages` - this installs specific versions of python - normally based off a node image -`projects` - this is used for projects where more customization is needed than just a base language image. -`githubactions` - this just takes an existing image and remaps vscode user to be 1001 so it can be used by GitHub Actions. - -Each image to be built contains a .devcontainer folder that defines how the devcontainer should be built. At a minimum, this should contain a devcontainer.json file. 
See https://containers.dev/implementors/json_reference/ for options for this - -Images under languages should point to a Dockerfile under src/common or src/common_node_24 that is based off the base or node image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder. - -We use Trivy to scan for vulnerabilities in the built Docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` files in each image folder. These are combined before running a scan to exclude all known vulnerabilities - -# Pull requests and merge to main process -For each pull request, and merge to main, images are built and scanned using Trivy, and pushed to GitHub Container Registry. -Docker images are built for AMD64 and ARM64 architecture, and a combined manifest is created and pushed as part of the build. -The main images have a vscode user with ID 1000. A separately tagged image is also created with the vscode user mapped to user ID 1001 so it can be used by GitHub Actions. - -The base image is built first, and then language images, and finally project images. - -Docker images are scanned for vulnerabilities using Trivy as part of a build step, and the build fails if vulnerabilities are found that are not in the .trivyignore file. - -For pull requests, images are tagged with the pr-{pull request id}-{short commit sha}. -For merges to main, images are tagged with the ci-{short commit sha}. -GitHub Actions images are tagged with githubactions-{full tag} -AMD64 images are tagged with {tag}-amd64 -ARM64 images are tagged with {tag}-arm64 -The combined image manifest is tagged with {tag}, so it can be included in devcontainer.json and the correct image is pulled based on the host architecture. 
- -When a pull request is merged to main or closed, all associated images are deleted from the registry using the GitHub workflow delete_old_images - -# Release workflow -There is a release workflow that runs weekly at 18:00 on Thursday and on demand. -This creates a new release tag, builds all images, and pushes them to GitHub Container Registry. -Images are tagged with the release tag, and also with latest - -# Local testing -## Building images -You can use these commands to build images - -Base image -``` -CONTAINER_NAME=base \ - BASE_VERSION_TAG=latest \ - BASE_FOLDER=. \ - IMAGE_TAG=local-build \ - make build-image -``` -Base node 24 image -``` -CONTAINER_NAME=node_24 \ - BASE_VERSION_TAG=local-build \ - BASE_FOLDER=base_node \ - IMAGE_TAG=local-build \ - make build-image -``` -Language images -``` -CONTAINER_NAME=node_24_python_3_14 \ - BASE_VERSION_TAG=local-build \ - BASE_FOLDER=languages \ - IMAGE_TAG=local-build \ - make build-image -``` -Project images -``` -CONTAINER_NAME=fhir_facade_api \ - BASE_VERSION_TAG=local-build \ - BASE_FOLDER=projects \ - IMAGE_TAG=local-build \ - make build-image -``` -GitHub Actions image -``` -BASE_IMAGE_NAME=base \ - BASE_IMAGE_TAG=local-build \ - IMAGE_TAG=local-build \ - make build-githubactions-image -``` -## Scanning images -You can use these commands to scan images -Base image -``` -CONTAINER_NAME=base \ - BASE_FOLDER=. 
\ - IMAGE_TAG=local-build \ - make scan-image -``` -Base node 24 image -``` -CONTAINER_NAME=node_24 \ - BASE_FOLDER=base_node \ - IMAGE_TAG=local-build \ - EXTRA_COMMON=common_node_24 \ - make scan-image -``` -Language images -``` -CONTAINER_NAME=node_24_python_3_14 \ - BASE_FOLDER=languages \ - IMAGE_TAG=local-build \ - EXTRA_COMMON=common_node_24 \ - make scan-image -``` -Project images -``` -CONTAINER_NAME=fhir_facade_api \ - BASE_FOLDER=projects \ - IMAGE_TAG=local-build \ - make scan-image -``` - -## Interactive shell on image -You can use this to start an interactive shell in built images -base image -``` -CONTAINER_NAME=base \ - IMAGE_TAG=local-build \ - make shell-image -``` -Language images -``` -CONTAINER_NAME=node_24_python_3_12 \ - IMAGE_TAG=local-build \ - make shell-image -``` -Project images -``` -CONTAINER_NAME=fhir_facade_api \ - IMAGE_TAG=local-build \ - make shell-image -``` -GitHub Actions image -``` -CONTAINER_NAME=base \ - IMAGE_TAG=githubactions-local-build \ - make shell-image -``` - -# Generating a .trivyignore file -You can generate a .trivyignore file for known vulnerabilities by either downloading the JSON scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json - -If generated locally, then the output goes into .out/scan_results_docker.json. -You can use GitHub CLI tools to download the scan output file. Replace the run ID from the URL, and the -n with the filename to download -``` -gh run download -n scan_results_docker_fhir_facade_api_arm64.json -``` - -Once you have the scan output, use the following to generate a new .trivyignore file called .trivyignore.new.yaml. 
Note this will overwrite the output file when run so it should point to a new file and the contents merged with existing .trivyignore file - - -``` -poetry run python \ - scripts/trivy_to_trivyignore.py \ - --input .out/scan_results_docker.json \ - --output src/projects/fhir_facade_api/.trivyignore.new.yaml -``` - -# Cleaning up unused container images - -There is a script to delete unused container images. This runs on every merge to main and deletes pull request images, and on a weekly schedule it deletes images created by CI. -You can run it manually using the following. Using the `dry-run` flag just shows what would be deleted - -``` -make github-login -# or gh auth login --scopes read:packages,delete:packages if you want to be able to delete images -bash .github/scripts/delete_unused_images.sh --delete-pr --dry-run -bash .github/scripts/delete_unused_images.sh --delete-ci --dry-run -bash .github/scripts/delete_unused_images.sh --delete-pr --delete-ci -``` - -Flags: -- `--dry-run` (`-n`) shows what would be deleted without deleting anything. -- `--delete-pr` deletes images tagged with `pr-...` or `githubactions-pr-...` only when the PR is closed. -- `--delete-ci` deletes images tagged with `ci-<8 hex sha>...` or `githubactions-ci-<8 hex sha>...`. - -If neither `--delete-pr` nor `--delete-ci` is set, the script defaults to `--delete-pr`. diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 15baeac..0000000 --- a/SECURITY.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# Security - -NHS England takes security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems and/or private data managed by our systems, please do not hesitate to contact us using the methods outlined below. - -## Table of Contents - -- [Security](#security) - - [Table of Contents](#table-of-contents) - - [Reporting a vulnerability](#reporting-a-vulnerability) - - [Email](#email) - - [NCSC](#ncsc) - - [General Security Enquiries](#general-security-enquiries) - -## Reporting a vulnerability - -Please note, email is our preferred method of receiving reports. - -### Email - -If you wish to notify us of a vulnerability via email, please include detailed information on the nature of the vulnerability and any steps required to reproduce it. - -You can reach us at: - -- [epssupport@nhs.net](epssupport@nhs.net) -- [cybersecurity@nhs.net](cybersecurity@nhs.net) - -### NCSC - -You can send your report to the National Cyber Security Centre, who will assess your report and pass it on to NHS England if necessary. - -You can report vulnerabilities here: [https://www.ncsc.gov.uk/information/vulnerability-reporting](https://www.ncsc.gov.uk/information/vulnerability-reporting) - -## General Security Enquiries - -If you have general enquiries regarding our cybersecurity, please reach out to us at [cybersecurity@nhs.net](cybersecurity@nhs.net) diff --git a/package-lock.json b/package-lock.json deleted file mode 100644 index 495830b..0000000 --- a/package-lock.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "name": "eps-devcontainers", - "version": "1.0.0", - "lockfileVersion": 3, - "requires": true, - "packages": { - "": { - "name": "eps-devcontainers", - "version": "1.0.0", - "license": "ISC", - "dependencies": { - "@devcontainers/cli": "^0.83.0" - } - }, - "node_modules/@devcontainers/cli": { - "version": "0.83.0", - "resolved": "https://registry.npmjs.org/@devcontainers/cli/-/cli-0.83.0.tgz", - "integrity": "sha512-F5imPWyugs1rpsIStcI8lGCLb+KI69RBqHCmIBeYdG7aTczn6U6zr5iC6ZR1Y6Nb2TEz/LfQw1xJzaabSetaPg==", - "license": "MIT", - "bin": { - "devcontainer": "devcontainer.js" - }, - "engines": { - "node": "^16.13.0 || >=18.0.0" - } - } - } -} diff --git a/package.json b/package.json deleted file mode 100644 index a41a1f0..0000000 --- a/package.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "name": "eps-devcontainers", - "version": "1.0.0", - "main": "index.js", - "scripts": { - "test": "echo \"Error: no test specified\" && exit 1" - }, - "author": "", - "license": "ISC", - "description": "", - "dependencies": { - "@devcontainers/cli": "^0.83.0" - } -} diff --git a/poetry.lock b/poetry.lock deleted file mode 100644 index e19dfdd..0000000 --- a/poetry.lock +++ /dev/null 
@@ -1,204 +0,0 @@ -# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand. - -[[package]] -name = "cfgv" -version = "3.5.0" -description = "Validate configuration and produce human readable error messages." -optional = false -python-versions = ">=3.10" -groups = ["dev"] -files = [ - {file = "cfgv-3.5.0-py2.py3-none-any.whl", hash = "sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0"}, - {file = "cfgv-3.5.0.tar.gz", hash = "sha256:d5b1034354820651caa73ede66a6294d6e95c1b00acc5e9b098e917404669132"}, -] - -[[package]] -name = "distlib" -version = "0.4.0" -description = "Distribution utilities" -optional = false -python-versions = "*" -groups = ["dev"] -files = [ - {file = "distlib-0.4.0-py2.py3-none-any.whl", hash = "sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16"}, - {file = "distlib-0.4.0.tar.gz", hash = "sha256:feec40075be03a04501a973d81f633735b4b69f98b05450592310c0f401a4e0d"}, -] - -[[package]] -name = "filelock" -version = "3.21.2" -description = "A platform independent file lock." 
-optional = false -python-versions = ">=3.10" -groups = ["dev"] -files = [ - {file = "filelock-3.21.2-py3-none-any.whl", hash = "sha256:d6cd4dbef3e1bb63bc16500fc5aa100f16e405bbff3fb4231711851be50c1560"}, - {file = "filelock-3.21.2.tar.gz", hash = "sha256:cfd218cfccf8b947fce7837da312ec3359d10ef2a47c8602edd59e0bacffb708"}, -] - -[[package]] -name = "identify" -version = "2.6.16" -description = "File identification library for Python" -optional = false -python-versions = ">=3.10" -groups = ["dev"] -files = [ - {file = "identify-2.6.16-py2.py3-none-any.whl", hash = "sha256:391ee4d77741d994189522896270b787aed8670389bfd60f326d677d64a6dfb0"}, - {file = "identify-2.6.16.tar.gz", hash = "sha256:846857203b5511bbe94d5a352a48ef2359532bc8f6727b5544077a0dcfb24980"}, -] - -[package.extras] -license = ["ukkonen"] - -[[package]] -name = "nodeenv" -version = "1.10.0" -description = "Node.js virtual environment builder" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" -groups = ["dev"] -files = [ - {file = "nodeenv-1.10.0-py2.py3-none-any.whl", hash = "sha256:5bb13e3eed2923615535339b3c620e76779af4cb4c6a90deccc9e36b274d3827"}, - {file = "nodeenv-1.10.0.tar.gz", hash = "sha256:996c191ad80897d076bdfba80a41994c2b47c68e224c542b48feba42ba00f8bb"}, -] - -[[package]] -name = "platformdirs" -version = "4.7.0" -description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`." -optional = false -python-versions = ">=3.10" -groups = ["dev"] -files = [ - {file = "platformdirs-4.7.0-py3-none-any.whl", hash = "sha256:1ed8db354e344c5bb6039cd727f096af975194b508e37177719d562b2b540ee6"}, - {file = "platformdirs-4.7.0.tar.gz", hash = "sha256:fd1a5f8599c85d49b9ac7d6e450bc2f1aaf4a23f1fe86d09952fe20ad365cf36"}, -] - -[[package]] -name = "pre-commit" -version = "4.5.1" -description = "A framework for managing and maintaining multi-language pre-commit hooks." 
-optional = false -python-versions = ">=3.10" -groups = ["dev"] -files = [ - {file = "pre_commit-4.5.1-py2.py3-none-any.whl", hash = "sha256:3b3afd891e97337708c1674210f8eba659b52a38ea5f822ff142d10786221f77"}, - {file = "pre_commit-4.5.1.tar.gz", hash = "sha256:eb545fcff725875197837263e977ea257a402056661f09dae08e4b149b030a61"}, -] - -[package.dependencies] -cfgv = ">=2.0.0" -identify = ">=1.0.0" -nodeenv = ">=0.11.1" -pyyaml = ">=5.1" -virtualenv = ">=20.10.0" - -[[package]] -name = "pyyaml" -version = "6.0.3" -description = "YAML parser and emitter for Python" -optional = false -python-versions = ">=3.8" -groups = ["dev"] -files = [ - {file = "PyYAML-6.0.3-cp38-cp38-macosx_10_13_x86_64.whl", hash = "sha256:c2514fceb77bc5e7a2f7adfaa1feb2fb311607c9cb518dbc378688ec73d8292f"}, - {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9c57bb8c96f6d1808c030b1687b9b5fb476abaa47f0db9c0101f5e9f394e97f4"}, - {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:efd7b85f94a6f21e4932043973a7ba2613b059c4a000551892ac9f1d11f5baf3"}, - {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:22ba7cfcad58ef3ecddc7ed1db3409af68d023b7f940da23c6c2a1890976eda6"}, - {file = "PyYAML-6.0.3-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:6344df0d5755a2c9a276d4473ae6b90647e216ab4757f8426893b5dd2ac3f369"}, - {file = "PyYAML-6.0.3-cp38-cp38-win32.whl", hash = "sha256:3ff07ec89bae51176c0549bc4c63aa6202991da2d9a6129d7aef7f1407d3f295"}, - {file = "PyYAML-6.0.3-cp38-cp38-win_amd64.whl", hash = "sha256:5cf4e27da7e3fbed4d6c3d8e797387aaad68102272f8f9752883bc32d61cb87b"}, - {file = "pyyaml-6.0.3-cp310-cp310-macosx_10_13_x86_64.whl", hash = "sha256:214ed4befebe12df36bcc8bc2b64b396ca31be9304b8f59e25c11cf94a4c033b"}, - {file = "pyyaml-6.0.3-cp310-cp310-macosx_11_0_arm64.whl", hash = 
"sha256:02ea2dfa234451bbb8772601d7b8e426c2bfa197136796224e50e35a78777956"}, - {file = "pyyaml-6.0.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:b30236e45cf30d2b8e7b3e85881719e98507abed1011bf463a8fa23e9c3e98a8"}, - {file = "pyyaml-6.0.3-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:66291b10affd76d76f54fad28e22e51719ef9ba22b29e1d7d03d6777a9174198"}, - {file = "pyyaml-6.0.3-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9c7708761fccb9397fe64bbc0395abcae8c4bf7b0eac081e12b809bf47700d0b"}, - {file = "pyyaml-6.0.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:418cf3f2111bc80e0933b2cd8cd04f286338bb88bdc7bc8e6dd775ebde60b5e0"}, - {file = "pyyaml-6.0.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:5e0b74767e5f8c593e8c9b5912019159ed0533c70051e9cce3e8b6aa699fcd69"}, - {file = "pyyaml-6.0.3-cp310-cp310-win32.whl", hash = "sha256:28c8d926f98f432f88adc23edf2e6d4921ac26fb084b028c733d01868d19007e"}, - {file = "pyyaml-6.0.3-cp310-cp310-win_amd64.whl", hash = "sha256:bdb2c67c6c1390b63c6ff89f210c8fd09d9a1217a465701eac7316313c915e4c"}, - {file = "pyyaml-6.0.3-cp311-cp311-macosx_10_13_x86_64.whl", hash = "sha256:44edc647873928551a01e7a563d7452ccdebee747728c1080d881d68af7b997e"}, - {file = "pyyaml-6.0.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:652cb6edd41e718550aad172851962662ff2681490a8a711af6a4d288dd96824"}, - {file = "pyyaml-6.0.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:10892704fc220243f5305762e276552a0395f7beb4dbf9b14ec8fd43b57f126c"}, - {file = "pyyaml-6.0.3-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:850774a7879607d3a6f50d36d04f00ee69e7fc816450e5f7e58d7f17f1ae5c00"}, - {file = "pyyaml-6.0.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = 
"sha256:b8bb0864c5a28024fac8a632c443c87c5aa6f215c0b126c449ae1a150412f31d"}, - {file = "pyyaml-6.0.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1d37d57ad971609cf3c53ba6a7e365e40660e3be0e5175fa9f2365a379d6095a"}, - {file = "pyyaml-6.0.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:37503bfbfc9d2c40b344d06b2199cf0e96e97957ab1c1b546fd4f87e53e5d3e4"}, - {file = "pyyaml-6.0.3-cp311-cp311-win32.whl", hash = "sha256:8098f252adfa6c80ab48096053f512f2321f0b998f98150cea9bd23d83e1467b"}, - {file = "pyyaml-6.0.3-cp311-cp311-win_amd64.whl", hash = "sha256:9f3bfb4965eb874431221a3ff3fdcddc7e74e3b07799e0e84ca4a0f867d449bf"}, - {file = "pyyaml-6.0.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:7f047e29dcae44602496db43be01ad42fc6f1cc0d8cd6c83d342306c32270196"}, - {file = "pyyaml-6.0.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fc09d0aa354569bc501d4e787133afc08552722d3ab34836a80547331bb5d4a0"}, - {file = "pyyaml-6.0.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9149cad251584d5fb4981be1ecde53a1ca46c891a79788c0df828d2f166bda28"}, - {file = "pyyaml-6.0.3-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5fdec68f91a0c6739b380c83b951e2c72ac0197ace422360e6d5a959d8d97b2c"}, - {file = "pyyaml-6.0.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ba1cc08a7ccde2d2ec775841541641e4548226580ab850948cbfda66a1befcdc"}, - {file = "pyyaml-6.0.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:8dc52c23056b9ddd46818a57b78404882310fb473d63f17b07d5c40421e47f8e"}, - {file = "pyyaml-6.0.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:41715c910c881bc081f1e8872880d3c650acf13dfa8214bad49ed4cede7c34ea"}, - {file = "pyyaml-6.0.3-cp312-cp312-win32.whl", hash = "sha256:96b533f0e99f6579b3d4d4995707cf36df9100d67e0c8303a0c55b27b5f99bc5"}, - {file = "pyyaml-6.0.3-cp312-cp312-win_amd64.whl", hash = 
"sha256:5fcd34e47f6e0b794d17de1b4ff496c00986e1c83f7ab2fb8fcfe9616ff7477b"}, - {file = "pyyaml-6.0.3-cp312-cp312-win_arm64.whl", hash = "sha256:64386e5e707d03a7e172c0701abfb7e10f0fb753ee1d773128192742712a98fd"}, - {file = "pyyaml-6.0.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:8da9669d359f02c0b91ccc01cac4a67f16afec0dac22c2ad09f46bee0697eba8"}, - {file = "pyyaml-6.0.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:2283a07e2c21a2aa78d9c4442724ec1eb15f5e42a723b99cb3d822d48f5f7ad1"}, - {file = "pyyaml-6.0.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ee2922902c45ae8ccada2c5b501ab86c36525b883eff4255313a253a3160861c"}, - {file = "pyyaml-6.0.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:a33284e20b78bd4a18c8c2282d549d10bc8408a2a7ff57653c0cf0b9be0afce5"}, - {file = "pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0f29edc409a6392443abf94b9cf89ce99889a1dd5376d94316ae5145dfedd5d6"}, - {file = "pyyaml-6.0.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f7057c9a337546edc7973c0d3ba84ddcdf0daa14533c2065749c9075001090e6"}, - {file = "pyyaml-6.0.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:eda16858a3cab07b80edaf74336ece1f986ba330fdb8ee0d6c0d68fe82bc96be"}, - {file = "pyyaml-6.0.3-cp313-cp313-win32.whl", hash = "sha256:d0eae10f8159e8fdad514efdc92d74fd8d682c933a6dd088030f3834bc8e6b26"}, - {file = "pyyaml-6.0.3-cp313-cp313-win_amd64.whl", hash = "sha256:79005a0d97d5ddabfeeea4cf676af11e647e41d81c9a7722a193022accdb6b7c"}, - {file = "pyyaml-6.0.3-cp313-cp313-win_arm64.whl", hash = "sha256:5498cd1645aa724a7c71c8f378eb29ebe23da2fc0d7a08071d89469bf1d2defb"}, - {file = "pyyaml-6.0.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:8d1fab6bb153a416f9aeb4b8763bc0f22a5586065f86f7664fc23339fc1c1fac"}, - {file = "pyyaml-6.0.3-cp314-cp314-macosx_11_0_arm64.whl", hash = 
"sha256:34d5fcd24b8445fadc33f9cf348c1047101756fd760b4dacb5c3e99755703310"}, - {file = "pyyaml-6.0.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:501a031947e3a9025ed4405a168e6ef5ae3126c59f90ce0cd6f2bfc477be31b7"}, - {file = "pyyaml-6.0.3-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:b3bc83488de33889877a0f2543ade9f70c67d66d9ebb4ac959502e12de895788"}, - {file = "pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c458b6d084f9b935061bc36216e8a69a7e293a2f1e68bf956dcd9e6cbcd143f5"}, - {file = "pyyaml-6.0.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7c6610def4f163542a622a73fb39f534f8c101d690126992300bf3207eab9764"}, - {file = "pyyaml-6.0.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:5190d403f121660ce8d1d2c1bb2ef1bd05b5f68533fc5c2ea899bd15f4399b35"}, - {file = "pyyaml-6.0.3-cp314-cp314-win_amd64.whl", hash = "sha256:4a2e8cebe2ff6ab7d1050ecd59c25d4c8bd7e6f400f5f82b96557ac0abafd0ac"}, - {file = "pyyaml-6.0.3-cp314-cp314-win_arm64.whl", hash = "sha256:93dda82c9c22deb0a405ea4dc5f2d0cda384168e466364dec6255b293923b2f3"}, - {file = "pyyaml-6.0.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:02893d100e99e03eda1c8fd5c441d8c60103fd175728e23e431db1b589cf5ab3"}, - {file = "pyyaml-6.0.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:c1ff362665ae507275af2853520967820d9124984e0f7466736aea23d8611fba"}, - {file = "pyyaml-6.0.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6adc77889b628398debc7b65c073bcb99c4a0237b248cacaf3fe8a557563ef6c"}, - {file = "pyyaml-6.0.3-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:a80cb027f6b349846a3bf6d73b5e95e782175e52f22108cfa17876aaeff93702"}, - {file = "pyyaml-6.0.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = 
"sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c"}, - {file = "pyyaml-6.0.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:66e1674c3ef6f541c35191caae2d429b967b99e02040f5ba928632d9a7f0f065"}, - {file = "pyyaml-6.0.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:16249ee61e95f858e83976573de0f5b2893b3677ba71c9dd36b9cf8be9ac6d65"}, - {file = "pyyaml-6.0.3-cp314-cp314t-win_amd64.whl", hash = "sha256:4ad1906908f2f5ae4e5a8ddfce73c320c2a1429ec52eafd27138b7f1cbe341c9"}, - {file = "pyyaml-6.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:ebc55a14a21cb14062aa4162f906cd962b28e2e9ea38f9b4391244cd8de4ae0b"}, - {file = "pyyaml-6.0.3-cp39-cp39-macosx_10_13_x86_64.whl", hash = "sha256:b865addae83924361678b652338317d1bd7e79b1f4596f96b96c77a5a34b34da"}, - {file = "pyyaml-6.0.3-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:c3355370a2c156cffb25e876646f149d5d68f5e0a3ce86a5084dd0b64a994917"}, - {file = "pyyaml-6.0.3-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3c5677e12444c15717b902a5798264fa7909e41153cdf9ef7ad571b704a63dd9"}, - {file = "pyyaml-6.0.3-cp39-cp39-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5ed875a24292240029e4483f9d4a4b8a1ae08843b9c54f43fcc11e404532a8a5"}, - {file = "pyyaml-6.0.3-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0150219816b6a1fa26fb4699fb7daa9caf09eb1999f3b70fb6e786805e80375a"}, - {file = "pyyaml-6.0.3-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:fa160448684b4e94d80416c0fa4aac48967a969efe22931448d853ada8baf926"}, - {file = "pyyaml-6.0.3-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:27c0abcb4a5dac13684a37f76e701e054692a9b2d3064b70f5e4eb54810553d7"}, - {file = "pyyaml-6.0.3-cp39-cp39-win32.whl", hash = "sha256:1ebe39cb5fc479422b83de611d14e2c0d3bb2a18bbcb01f229ab3cfbd8fee7a0"}, - {file = "pyyaml-6.0.3-cp39-cp39-win_amd64.whl", hash = 
"sha256:2e71d11abed7344e42a8849600193d15b6def118602c4c176f748e4583246007"}, - {file = "pyyaml-6.0.3.tar.gz", hash = "sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f"}, -] - -[[package]] -name = "virtualenv" -version = "20.36.1" -description = "Virtual Python Environment builder" -optional = false -python-versions = ">=3.8" -groups = ["dev"] -files = [ - {file = "virtualenv-20.36.1-py3-none-any.whl", hash = "sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f"}, - {file = "virtualenv-20.36.1.tar.gz", hash = "sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"}, -] - -[package.dependencies] -distlib = ">=0.3.7,<1" -filelock = {version = ">=3.20.1,<4", markers = "python_version >= \"3.10\""} -platformdirs = ">=3.9.1,<5" - -[package.extras] -docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"] -test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8) ; platform_python_implementation == \"PyPy\" or platform_python_implementation == \"GraalVM\" or platform_python_implementation == \"CPython\" and sys_platform == \"win32\" and python_version >= \"3.13\"", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10) ; platform_python_implementation == \"CPython\""] - -[metadata] -lock-version = "2.1" -python-versions = "^3.12" -content-hash = "b9409587b1a45c43c5c5c6b2f4941370209c42af0e047d8ffbcda380bedcd4cd" diff --git a/poetry.toml b/poetry.toml deleted file mode 100644 index 5fcef8c..0000000 --- a/poetry.toml +++ /dev/null @@ -1,3 +0,0 @@ -[virtualenvs] -in-project = true -prefer-active-python = true diff --git a/pyproject.toml b/pyproject.toml deleted file mode 100644 index 9216be8..0000000 
--- a/pyproject.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-
-[project]
-python = "^3.12"
-name = "eps-devcontainers"
-
-[tool.poetry]
-name = "eps-devcontainers"
-version = "0.0.1-alpha"
-description = "EPS Dev Containers"
-license = "MIT"
-authors = [
- "EPS"
-]
-readme = "README.md"
-repository = "https://github.com/NHSDigital/eps-devcontainers"
-package-mode = false
-
-[tool.poetry.dependencies]
-python = "^3.12"
-
-[tool.poetry.scripts]
-
-[tool.poetry.group.dev.dependencies]
-pre-commit = "^4.5.1"
diff --git a/release_notes/v1.0.1.md b/release_notes/v1.0.1.md
new file mode 100644
index 0000000..0b2541b
--- /dev/null
+++ b/release_notes/v1.0.1.md
@@ -0,0 +1,27 @@
+## [1.0.1](https://github.com/NHSDigital/eps-devcontainers/compare/v1.0.0...v1.0.1) (2026-02-13)
+
+
+### Chore
+
+* [AEA-0000] - finish as root (#15) ([1b54f96](https://github.com/NHSDigital/eps-devcontainers/commit/1b54f96499fa8afa50bdf810b27b406c67de2b51))
+* [AEA-0000] - Workflow to clean up old images (#14) ([1d64aa7](https://github.com/NHSDigital/eps-devcontainers/commit/1d64aa77d845d9b73a42e4bf2962f593f55547a1))
+
+### Upgrade
+
+* [dependabot] - Bump actions/checkout from 6.0.1 to 6.0.2 (#9) ([6c46f08](https://github.com/NHSDigital/eps-devcontainers/commit/6c46f086e2f0886d4e00999372921da9669ca9b4))
+* [dependabot] - Bump actions/setup-node from 6.1.0 to 6.2.0 (#12) ([ce9199a](https://github.com/NHSDigital/eps-devcontainers/commit/ce9199a661dec19c9e3e7c7ea2c14e03c8d37ff9))
+* [dependabot] - Bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 (#7) ([87a215d](https://github.com/NHSDigital/eps-devcontainers/commit/87a215d619051554bfb17ac40375e8edb7976dfd))
+* [dependabot] - Bump NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml from 5.3.12 to 5.4.1 (#13) ([42bd2fa](https://github.com/NHSDigital/eps-devcontainers/commit/42bd2fae091e8059ddb13b2b4d6e0c94d00fba3a))
+* [dependabot] - Bump NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml from 5.3.12 to 5.4.1 (#10) ([b7823e9](https://github.com/NHSDigital/eps-devcontainers/commit/b7823e93fcc5a4d1ef128a31bf52bb3031d376ae))
+* [dependabot] - Bump NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml from 5.3.12 to 5.4.1 (#6) ([b4a4f42](https://github.com/NHSDigital/eps-devcontainers/commit/b4a4f4287ba5ffc5655236d5b063d3c9451d5859))
+* [dependabot] - Bump NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml from 5.3.5 to 5.4.1 (#11) ([42bcdf7](https://github.com/NHSDigital/eps-devcontainers/commit/42bcdf7f60c985ba324ba93a24cd2fb01cb9b07c))
+
+
+
+
+## Info
+[Release workflow run](https://github.com/NHSDigital/eps-devcontainers/actions/runs/21998324078) - Workflow ID: 21998324078
+
+It was initialized by [anthony-nhs](https://github.com/anthony-nhs)
+
+
diff --git a/release_notes/v1.0.2.md b/release_notes/v1.0.2.md
new file mode 100644
index 0000000..d737684
--- /dev/null
+++ b/release_notes/v1.0.2.md
@@ -0,0 +1,20 @@
+## [1.0.2](https://github.com/NHSDigital/eps-devcontainers/compare/v1.0.1...v1.0.2) (2026-02-16)
+
+
+### Fix
+
+* [AEA-0000] - set vscode user to be 1001 (#16) ([2cdcba2](https://github.com/NHSDigital/eps-devcontainers/commit/2cdcba2a35bcd5433622cefc23fec52b6b194f0a))
+
+### Upgrade
+
+* [dependabot] - Bump @devcontainers/cli from 0.80.3 to 0.83.0 (#8) ([d4f77d5](https://github.com/NHSDigital/eps-devcontainers/commit/d4f77d579ba52915d68b53c07dd4e29f432dfa03))
+
+
+
+
+## Info
+[Release workflow run](https://github.com/NHSDigital/eps-devcontainers/actions/runs/22057522568) - Workflow ID: 22057522568
+
+It was initialized by [anthony-nhs](https://github.com/anthony-nhs)
+
+
diff --git a/release_notes/v1.0.3.md b/release_notes/v1.0.3.md
new file mode 100644
index 0000000..4cccd02
--- /dev/null
+++ b/release_notes/v1.0.3.md
@@ -0,0 +1,17 @@
+## [1.0.3](https://github.com/NHSDigital/eps-devcontainers/compare/v1.0.2...v1.0.3) (2026-02-17)
+
+
+### Chore
+
+* [AEA-0000] - add no cache (#17) ([e0808a3](https://github.com/NHSDigital/eps-devcontainers/commit/e0808a33fe9811938aa5982643b7aa415bf89999))
+* [AEA-0000] - setup common makefile (#18) ([c73f412](https://github.com/NHSDigital/eps-devcontainers/commit/c73f4123f8ab9af0ac978007a69ff56e5b9295e8))
+
+
+
+
+## Info
+[Release workflow run](https://github.com/NHSDigital/eps-devcontainers/actions/runs/22102643551) - Workflow ID: 22102643551
+
+It was initialized by [anthony-nhs](https://github.com/anthony-nhs)
+
+
diff --git a/release_notes/v1.0.4.md b/release_notes/v1.0.4.md
new file mode 100644
index 0000000..c153fe1
--- /dev/null
+++ b/release_notes/v1.0.4.md
@@ -0,0 +1,17 @@
+## [1.0.4](https://github.com/NHSDigital/eps-devcontainers/compare/v1.0.3...v1.0.4) (2026-02-18)
+
+
+### Chore
+
+* [AEA-0000] - delete old images fix (#19) ([242823d](https://github.com/NHSDigital/eps-devcontainers/commit/242823d43bf31ae94106e907e3604fa25cd8dca3))
+* [AEA-0000] - various fixes (#20) ([a68181c](https://github.com/NHSDigital/eps-devcontainers/commit/a68181c543c3ff107206fe2fa09ecbed3db60c41))
+
+
+
+
+## Info
+[Release workflow run](https://github.com/NHSDigital/eps-devcontainers/actions/runs/22135180096) - Workflow ID: 22135180096
+
+It was initialized by [anthony-nhs](https://github.com/anthony-nhs)
+
+
diff --git a/release_notes/v1.0.5.md b/release_notes/v1.0.5.md
new file mode 100644
index 0000000..954022b
--- /dev/null
+++ b/release_notes/v1.0.5.md
@@ -0,0 +1,17 @@
+## [1.0.5](https://github.com/NHSDigital/eps-devcontainers/compare/v1.0.4...v1.0.5) (2026-02-19)
+
+
+### Fix
+
+* [AEA-0000] - Base node image (#21) ([469314c](https://github.com/NHSDigital/eps-devcontainers/commit/469314c1e373afe4365953c074001e66a8725d9f))
+* [AEA-0000] - build attestation (#22) ([228a6e2](https://github.com/NHSDigital/eps-devcontainers/commit/228a6e215ff0599fa1779c2b911aad4b732be7c0))
+
+
+
+
+## Info
+[Release workflow run](https://github.com/NHSDigital/eps-devcontainers/actions/runs/22164156802) - Workflow ID: 22164156802
+
+It was initialized by [anthony-nhs](https://github.com/anthony-nhs)
+
+
diff --git a/release_notes/v1.0.6.md b/release_notes/v1.0.6.md
new file mode 100644
index 0000000..d937016
--- /dev/null
+++ b/release_notes/v1.0.6.md
@@ -0,0 +1,16 @@
+## [1.0.6](https://github.com/NHSDigital/eps-devcontainers/compare/v1.0.5...v1.0.6) (2026-02-19)
+
+
+### Chore
+
+* [AEA-0000] - another update to trivyignore (#23) ([3a2957a](https://github.com/NHSDigital/eps-devcontainers/commit/3a2957a5d2cc739f395218ca8e7c79c6ac722915))
+
+
+
+
+## Info
+[Release workflow run](https://github.com/NHSDigital/eps-devcontainers/actions/runs/22173647474) - Workflow ID: 22173647474
+
+It was initialized by [anthony-nhs](https://github.com/anthony-nhs)
+
+
diff --git a/release_notes/v1.0.7.md b/release_notes/v1.0.7.md
new file mode 100644
index 0000000..f426d24
--- /dev/null
+++ b/release_notes/v1.0.7.md
@@ -0,0 +1,16 @@
+## [1.0.7](https://github.com/NHSDigital/eps-devcontainers/compare/v1.0.6...v1.0.7) (2026-02-19)
+
+
+### Docs
+
+* [AEA-0000] - Update readme (#24) ([608c746](https://github.com/NHSDigital/eps-devcontainers/commit/608c7468d428e685589fb10daad91226cf46de4b))
+
+
+
+
+## Info
+[Release workflow run](https://github.com/NHSDigital/eps-devcontainers/actions/runs/22194460359) - Workflow ID: 22194460359
+
+It was initialized by []()
+
+
diff --git a/scripts/manually_delete_old_tags.sh b/scripts/manually_delete_old_tags.sh
deleted file mode 100755
index d3655ab..0000000
--- a/scripts/manually_delete_old_tags.sh
+++ /dev/null
@@ -1,199 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -# Script to interactively review and delete old container package versions from GitHub Packages. -# By default, it will review all container packages based on the folder structure in src/. -# You can specify a single container to review with --container . -# Use --dry-run to see what would be deleted without actually performing deletions. -# To use it, you must have authenticated with github using this command -# gh auth login --scopes read:packages,delete:packages -# - -DRY_RUN=false -TARGET_CONTAINER="" - -while [[ $# -gt 0 ]]; do - case "$1" in - --dry-run|-n) - DRY_RUN=true - shift - ;; - --container) - if [[ $# -lt 2 || -z "$2" ]]; then - echo "--container requires a value" >&2 - echo "Usage: $0 [--dry-run] [--container ]" >&2 - exit 1 - fi - TARGET_CONTAINER="$2" - shift 2 - ;; - --help|-h) - echo "Usage: $0 [--dry-run] [--container ]" - echo "Interactively review every container package version and delete selected versions." - exit 0 - ;; - *) - echo "Unknown option: $1" >&2 - echo "Usage: $0 [--dry-run] [--container ]" >&2 - exit 1 - ;; - esac -done - -if ! command -v gh >/dev/null 2>&1; then - echo "gh CLI is required" >&2 - exit 1 -fi - -if ! 
command -v jq >/dev/null 2>&1; then - echo "jq is required" >&2 - exit 1 -fi - -get_container_package_name() { - local container_name=$1 - - if [[ -z "${container_name}" ]]; then - echo "Container name is required" >&2 - return 1 - fi - - printf 'eps-devcontainers/%s' "${container_name}" | jq -sRr @uri -} - -get_container_versions_json() { - local container_name=$1 - local package_name - - package_name=$(get_container_package_name "${container_name}") - - gh api \ - -H "Accept: application/vnd.github+json" \ - "/orgs/nhsdigital/packages/container/${package_name}/versions" \ - --paginate -} - -confirm_delete() { - local prompt=$1 - local reply - - if [[ -r /dev/tty ]]; then - read -r -p "${prompt} [y/N]: " reply < /dev/tty - else - echo "No interactive terminal available; defaulting to 'No'." - return 1 - fi - [[ "${reply}" == "y" || "${reply}" == "Y" ]] -} - -review_and_delete_container_versions() { - local container_name=$1 - local package_name - local versions_json - local version_count - - package_name=$(get_container_package_name "${container_name}") - versions_json=$(get_container_versions_json "${container_name}") - version_count=$(jq 'length' <<<"${versions_json}") - - echo "" - echo "=== Container: ${container_name} (${version_count} versions) ===" - - if [[ "${version_count}" -eq 0 ]]; then - echo "No versions found, skipping." 
- return 0 - fi - - while IFS= read -r version; do - local version_id - local created_at - local updated_at - local tags - local is_untagged - local has_sha256_tag - local keep_without_prompt - - version_id=$(jq -r '.id' <<<"${version}") - created_at=$(jq -r '.created_at // "unknown"' <<<"${version}") - updated_at=$(jq -r '.updated_at // "unknown"' <<<"${version}") - tags=$(jq -r '(.metadata.container.tags // []) | if length == 0 then "" else join(", ") end' <<<"${version}") - is_untagged=$(jq -r '((.metadata.container.tags // []) | length) == 0' <<<"${version}") - has_sha256_tag=$(jq -r 'any((.metadata.container.tags // [])[]?; test("^sha256-.+"))' <<<"${version}") - keep_without_prompt=$(jq -r ' - any((.metadata.container.tags // [])[]?; - test("^githubactions-ci-.+") or - test("^ci-.+") or - test("^githubactions-latest$") or - test("^latest$") or - test("^githubactions-v.+") or - test("^v.+") - ) - ' <<<"${version}") - - echo "" - echo "Container: ${container_name}" - echo "Version ID: ${version_id}" - echo "Created: ${created_at}" - echo "Updated: ${updated_at}" - echo "Tags: ${tags}" - - if [[ "${is_untagged}" == "true" ]]; then - if [[ "${DRY_RUN}" == "true" ]]; then - echo "[DRY RUN] Would auto-delete untagged version ID ${version_id} from ${container_name}." - else - echo "Auto-deleting untagged version ID ${version_id} from ${container_name}..." - gh api \ - -H "Accept: application/vnd.github+json" \ - -X DELETE \ - "/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}" - fi - elif [[ "${has_sha256_tag}" == "true" ]]; then - if [[ "${DRY_RUN}" == "true" ]]; then - echo "[DRY RUN] Would auto-delete sha256-tagged version ID ${version_id} from ${container_name}." - else - echo "Auto-deleting sha256-tagged version ID ${version_id} from ${container_name}..." 
- gh api \ - -H "Accept: application/vnd.github+json" \ - -X DELETE \ - "/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}" - fi - elif [[ "${keep_without_prompt}" == "true" ]]; then - echo "Keeping protected version ID ${version_id} (matching keep-tag rule)." - elif confirm_delete "Delete this version?"; then - if [[ "${DRY_RUN}" == "true" ]]; then - echo "[DRY RUN] Would delete version ID ${version_id} from ${container_name}." - else - echo "Deleting version ID ${version_id} from ${container_name}..." - gh api \ - -H "Accept: application/vnd.github+json" \ - -X DELETE \ - "/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}" - fi - else - echo "Skipping version ID ${version_id}." - fi - done < <(jq -c '.[]' <<<"${versions_json}") -} - -base_node_folders=$(find src/base_node -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') -language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') -project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') - -if [[ -n "${TARGET_CONTAINER}" ]]; then - review_and_delete_container_versions "${TARGET_CONTAINER}" - exit 0 -fi - -for container_name in $(jq -r '.[]' <<<"${project_folders}"); do - review_and_delete_container_versions "${container_name}" -done - -for container_name in $(jq -r '.[]' <<<"${base_node_folders}"); do - review_and_delete_container_versions "${container_name}" -done - -for container_name in $(jq -r '.[]' <<<"${language_folders}"); do - review_and_delete_container_versions "${container_name}" -done - -review_and_delete_container_versions "base" diff --git a/scripts/trivy_to_trivyignore.py b/scripts/trivy_to_trivyignore.py deleted file mode 100644 index bcbb023..0000000 --- a/scripts/trivy_to_trivyignore.py +++ /dev/null 
@@ -1,151 +0,0 @@ -#!/usr/bin/env python3 -"""Convert Trivy JSON output into a .trivyignore YAML file.""" - -import argparse -import datetime as dt -import json -from pathlib import Path -from typing import Any, Dict, Iterable, List, Optional - - -def add_months(date_value: dt.date, months: int) -> dt.date: - """ - Add months to a date, clamping the day to the last day of the target month. - """ - if months == 0: - return date_value - - month_index = date_value.month - 1 + months - year = date_value.year + month_index // 12 - month = month_index % 12 + 1 - - # Clamp day to the last day of the target month. - next_year = year + (1 if month == 12 else 0) - next_month = 1 if month == 12 else month + 1 - first_of_next = dt.date(next_year, next_month, 1) - last_day = first_of_next - dt.timedelta(days=1) - day = min(date_value.day, last_day.day) - return dt.date(year, month, day) - - -def extract_vulnerabilities(data: Dict[str, Any]) -> List[Dict[str, Any]]: - """Collect vulnerability entries from Trivy JSON output.""" - results = data.get("Results", []) - if not isinstance(results, list): - return [] - - vulnerabilities: List[Dict[str, Any]] = [] - for result in results: - if not isinstance(result, dict): - continue - for vuln in result.get("Vulnerabilities", []) or []: - if isinstance(vuln, dict): - vulnerabilities.append(vuln) - return vulnerabilities - - -def normalize_purl(vuln: Dict[str, Any]) -> Optional[str]: - identifier = vuln.get("PkgIdentifier") - if isinstance(identifier, dict): - purl = identifier.get("PURL") - if isinstance(purl, str) and purl.strip(): - return purl.strip() - return None - - -def build_entries( - vulnerabilities: Iterable[Dict[str, Any]], - expires_on: dt.date -) -> List[Dict[str, Any]]: - """Build YAML entries with de-duplication by CVE, merging PURLs.""" - entries: Dict[str, Dict[str, Any]] = {} - - for vuln in vulnerabilities: - vuln_id = vuln.get("VulnerabilityID") - title = vuln.get("Title") - purl = normalize_purl(vuln) - - if not 
isinstance(vuln_id, str) or not vuln_id.strip(): - continue - if not isinstance(title, str) or not title.strip(): - continue - - key = vuln_id.strip() - entry = entries.get(key) - if entry is None: - entry = { - "id": key, - "statement": title.strip(), - "purls": set(), - "expired_at": expires_on.isoformat(), - } - entries[key] = entry - - if purl: - entry["purls"].add(purl) - - merged_entries: List[Dict[str, Any]] = [] - for entry in entries.values(): - purls = sorted(entry["purls"]) - if purls: - entry["purls"] = purls - else: - entry.pop("purls", None) - merged_entries.append(entry) - - return merged_entries - - -def write_yaml(entries: List[Dict[str, Any]], output_path: Path) -> None: - """Write entries to a YAML file without external dependencies.""" - lines: List[str] = ["vulnerabilities:"] - for entry in entries: - lines.append(f" - id: {entry['id']}") - lines.append(f" statement: {json.dumps(entry['statement'])}") - if "purls" in entry: - lines.append(" purls:") - for purl in entry["purls"]: - lines.append(f" - {json.dumps(purl)}") - lines.append(f" expired_at: {entry['expired_at']}") - - output_path.parent.mkdir(parents=True, exist_ok=True) - output_path.write_text("\n".join(lines) + "\n", encoding="utf-8") - - -def parse_args() -> argparse.Namespace: - parser = argparse.ArgumentParser( - description="Convert Trivy JSON output to .trivyignore YAML." 
- ) - parser.add_argument( - "--input", - required=True, - help="Path to the Trivy JSON output file.", - ) - parser.add_argument( - "--output", - required=True, - help="Path to write the .trivyignore YAML file.", - ) - return parser.parse_args() - - -def main() -> int: - args = parse_args() - input_path = Path(args.input) - output_path = Path(args.output) - - if not input_path.is_file(): - raise FileNotFoundError(f"Input file not found: {input_path}") - - data = json.loads(input_path.read_text(encoding="utf-8")) - vulnerabilities = extract_vulnerabilities(data) - - expires_on = add_months(dt.date.today(), 6) - entries = build_entries(vulnerabilities, expires_on) - - write_yaml(entries, output_path) - return 0 - - -if __name__ == "__main__": - raise SystemExit(main()) diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions deleted file mode 100644 index f492e92..0000000 --- a/src/base/.devcontainer/.tool-versions +++ /dev/null @@ -1,6 +0,0 @@ -shellcheck 0.11.0 -direnv 2.37.1 -actionlint 1.7.10 -ruby 3.3.0 -trivy 0.69.1 -yq 4.52.2 diff --git a/src/base/.devcontainer/.tool-versions.asdf b/src/base/.devcontainer/.tool-versions.asdf deleted file mode 100644 index 4921076..0000000 --- a/src/base/.devcontainer/.tool-versions.asdf +++ /dev/null @@ -1,2 +0,0 @@ -# define the .asdf-version to use here -0.18.0 diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile deleted file mode 100644 index 1d39021..0000000 --- a/src/base/.devcontainer/Dockerfile +++ /dev/null 
@@ -1,38 +0,0 @@
-FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
-
-ARG SCRIPTS_DIR=/usr/local/share/eps
-ARG CONTAINER_NAME
-ARG IMAGE_TAG
-ARG TARGETARCH
-
-ENV SCRIPTS_DIR=${SCRIPTS_DIR}
-ENV CONTAINER_NAME=${CONTAINER_NAME}
-ENV TARGETARCH=${TARGETARCH}
-
-COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
-COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
-COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
-
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
-RUN ./root_install.sh
-
-COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
-USER vscode
-COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf
-COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions
-
-ENV PATH="/home/vscode/.asdf/shims/:/home/vscode/.guard/bin/:$PATH"
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
-RUN ./vscode_install.sh
-
-# Switch back to root to install the devcontainer CLI globally
-USER root
-
-ENV IMAGE_TAG=${IMAGE_TAG}
-
-LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.licenses=MIT
-LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
-LABEL org.opencontainers.image.authors="NHS England EPS Team"
-LABEL org.opencontainers.image.base.image="mcr.microsoft.com/devcontainers/base:ubuntu-22.04"
diff --git a/src/base/.devcontainer/Mk/build.mk b/src/base/.devcontainer/Mk/build.mk
deleted file mode 100644
index 2e0e0a7..0000000
--- a/src/base/.devcontainer/Mk/build.mk
+++ /dev/null
@@ -1,16 +0,0 @@
-.PHONY: install install-node docker-build compile
-install:
- echo "Not implemented"
- exit 1
-
-install-node:
- echo "Not implemented"
- exit 1
-
-docker-build:
- echo "Not implemented"
- exit 1
-
-compile:
- echo "Not implemented"
- exit 1
diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk
deleted file mode 100644
index 4beddbf..0000000
--- a/src/base/.devcontainer/Mk/check.mk
+++ /dev/null
@@ -1,93 +0,0 @@ -.PHONY: lint test shellcheck cfn-lint cdk-synth cfn-guard-sam-templates cfn-guard-cloudformation cfn-guard-cdk cfn-guard-terraform -lint: - echo "Not implemented" - exit 1 - -test: - echo "Not implemented" - exit 1 - -shellcheck: - @if find .github/scripts -maxdepth 1 -type f -name "*.sh" | grep -q .; then \ - shellcheck .github/scripts/*.sh; \ - fi - @if find scripts -maxdepth 1 -type f -name "*.sh" | grep -q .; then \ - shellcheck scripts/*.sh; \ - fi - -cfn-lint: - @if find cloudformation -type f \( -name "*.yaml" -o -name "*.yml" \) 2>/dev/null | grep -q .; then \ - cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print; found=1 } END { exit found }'; \ - fi - @if find SAMtemplates -type f \( -name "*.yaml" -o -name "*.yml" \) 2>/dev/null | grep -q .; then \ - cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print; found=1 } END { exit found }'; \ - fi - -cdk-synth: - echo "Not implemented" - exit 1 - -cfn-guard-sam-templates: - @bash -eu -o pipefail -c '\ - rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \ - mkdir -p .cfn_guard_out; \ - for ruleset in "$${rulesets[@]}"; do \ - while IFS= read -r -d "" file; do \ - SAM_OUTPUT=$$(sam validate -t "$$file" --region eu-west-2 --debug 2>&1 | grep -Pazo "(?s)AWSTemplateFormatVersion.*\\n/" | tr -d "\\0"); \ - output_file=".cfn_guard_out/$${file}_$${ruleset}.txt"; \ - mkdir -p "$$(dirname "$$output_file")"; \ - echo "$${SAM_OUTPUT::-1}" | /home/vscode/.guard/bin/cfn-guard validate --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" --show-summary fail > "$$output_file"; \ - done < <(find ./SAMtemplates -type f \( -name "*.yaml" -o -name "*.yml" \) -print0); \ - done\ - ' - -cfn-guard-cloudformation: - @bash -eu -o pipefail -c '\ - rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \ - mkdir -p .cfn_guard_out; \ - for 
ruleset in "$${rulesets[@]}"; do \ - /home/vscode/.guard/bin/cfn-guard validate \ - --data cloudformation \ - --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \ - --show-summary fail \ - > ".cfn_guard_out/cloudformation_$$ruleset.txt"; \ - done\ - ' - -cfn-guard-cdk: - @bash -eu -o pipefail -c '\ - rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \ - mkdir -p .cfn_guard_out; \ - for ruleset in "$${rulesets[@]}"; do \ - /home/vscode/.guard/bin/cfn-guard validate \ - --data cdk.out \ - --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \ - --show-summary fail \ - > ".cfn_guard_out/cdk_$$ruleset.txt"; \ - done\ - ' - -cfn-guard-terraform: - @bash -eu -o pipefail -c '\ - rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \ - mkdir -p .cfn_guard_out; \ - for ruleset in "$${rulesets[@]}"; do \ - /home/vscode/.guard/bin/cfn-guard validate \ - --data terraform_plans \ - --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \ - --show-summary fail \ - > ".cfn_guard_out/terraform_$$ruleset.txt"; \ - done\ - ' - -actionlint: - actionlint - -secret-scan: - git-secrets --scan-history . - -guard-%: - @ if [ "${${*}}" = "" ]; then \ - echo "Environment variable $* not set"; \ - exit 1; \ - fi diff --git a/src/base/.devcontainer/Mk/common.mk b/src/base/.devcontainer/Mk/common.mk deleted file mode 100644 index 7045c74..0000000 --- a/src/base/.devcontainer/Mk/common.mk +++ /dev/null @@ -1,4 +0,0 @@ -include /usr/local/share/eps/Mk/build.mk -include /usr/local/share/eps/Mk/check.mk -include /usr/local/share/eps/Mk/trivy.mk -include /usr/local/share/eps/Mk/credentials.mk diff --git a/src/base/.devcontainer/Mk/credentials.mk b/src/base/.devcontainer/Mk/credentials.mk deleted file mode 100644 index ab0c292..0000000 --- a/src/base/.devcontainer/Mk/credentials.mk +++ /dev/null 
@@ -1,14 +0,0 @@
-.PHONY: aws-configure aws-login create-npmrc github-login
-
-aws-configure:
- aws configure sso --region eu-west-2
-
-aws-login:
- aws sso login --sso-session sso-session
-
-create-npmrc: github-login
- echo "//npm.pkg.github.com/:_authToken=$$(gh auth token)" > .npmrc
- echo "@nhsdigital:registry=https://npm.pkg.github.com" >> .npmrc
-
-github-login:
- gh auth login --scopes read:packages
diff --git a/src/base/.devcontainer/Mk/trivy.mk b/src/base/.devcontainer/Mk/trivy.mk
deleted file mode 100644
index 6d323a2..0000000
--- a/src/base/.devcontainer/Mk/trivy.mk
+++ /dev/null
@@ -1,91 +0,0 @@ -.PHONY: trivy-license-check trivy-generate-sbom trivy-scan-python trivy-scan-node trivy-scan-go trivy-scan-java - -trivy-license-check: - mkdir -p .trivy_out/ - @if [ -f poetry.lock ]; then \ - poetry self add poetry-plugin-export; \ - poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \ - fi - @if [ -f src/go.sum ]; then \ - cd src && go mod vendor; \ - fi - VIRTUAL_ENV=./.venv/ trivy fs . \ - --scanners license \ - --severity HIGH,CRITICAL \ - --config trivy.yaml \ - --include-dev-deps \ - --pkg-types library \ - --exit-code 1 \ - --output .trivy_out/license_scan.txt \ - --format table - @if [ -f poetry.lock ]; then rm -f requirements.txt; fi - @if [ -f src/go.sum ]; then rm -rf src/vendor; fi - -trivy-generate-sbom: - mkdir -p .trivy_out/ - trivy fs . \ - --scanners vuln \ - --config trivy.yaml \ - --include-dev-deps \ - --exit-code 0 \ - --output .trivy_out/sbom.cdx.json \ - --format cyclonedx - -trivy-scan-python: - mkdir -p .trivy_out/ - trivy fs . \ - --scanners vuln \ - --severity HIGH,CRITICAL \ - --config trivy.yaml \ - --include-dev-deps \ - --exit-code 1 \ - --skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \ - --output .trivy_out/dependency_results_python.txt \ - --format table - -trivy-scan-node: - mkdir -p .trivy_out/ - trivy fs . \ - --scanners vuln \ - --severity HIGH,CRITICAL \ - --config trivy.yaml \ - --include-dev-deps \ - --exit-code 1 \ - --skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \ - --output .trivy_out/dependency_results_node.txt \ - --format table - -trivy-scan-go: - mkdir -p .trivy_out/ - trivy fs . \ - --scanners vuln \ - --severity HIGH,CRITICAL \ - --config trivy.yaml \ - --include-dev-deps \ - --exit-code 1 \ - --skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \ - --output .trivy_out/dependency_results_go.txt \ - --format table - -trivy-scan-java: - mkdir -p .trivy_out/ - trivy fs . 
\ - --scanners vuln \ - --severity HIGH,CRITICAL \ - --config trivy.yaml \ - --include-dev-deps \ - --exit-code 1 \ - --skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \ - --output .trivy_out/dependency_results_java.txt \ - --format table - -trivy-scan-docker: guard-DOCKER_IMAGE - mkdir -p .trivy_out/ - trivy image $${DOCKER_IMAGE} \ - --scanners vuln \ - --severity HIGH,CRITICAL \ - --config trivy.yaml \ - --exit-code 1 \ - --pkg-types os,library \ - --output .trivy_out/dependency_results_docker.txt \ - --format table diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json deleted file mode 100644 index 7e75348..0000000 --- a/src/base/.devcontainer/devcontainer.json +++ /dev/null @@ -1,27 +0,0 @@ -// For format details, see https://aka.ms/devcontainer.json. For config options, see the -// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu -{ - "name": "EPS Devcontainer Base", - // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile - "build": { - "dockerfile": "Dockerfile", - "args": { - "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", - "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", - "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", - "IMAGE_TAG": "${localEnv:IMAGE_TAG}" - } - }, - "features": { - "ghcr.io/devcontainers/features/docker-outside-of-docker:1": { - "version": "latest", - "moby": "true", - "installDockerBuildx": "true" - }, - "ghcr.io/devcontainers/features/github-cli:1": {}, - "ghcr.io/devcontainers/features/aws-cli:1": { - "version": "latest" - } - } - } - diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh deleted file mode 100755 index 386f398..0000000 --- a/src/base/.devcontainer/scripts/root_install.sh +++ /dev/null 
@@ -1,78 +0,0 @@ -#!/usr/bin/env bash -set -e -export DEBIAN_FRONTEND=noninteractive - -# Add amd64 architecture if on arm64 -if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then - echo "Adding amd64 architecture support" - dpkg --add-architecture amd64 - - # Update sources.list to include amd64 repositories - echo "Configuring sources.list for amd64 and arm64" - sed -i.bak '/^deb / s|http://ports.ubuntu.com/ubuntu-ports|[arch=arm64] http://ports.ubuntu.com/ubuntu-ports|' /etc/apt/sources.list - # shellcheck disable=SC2129 - echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy main universe" >> /etc/apt/sources.list - echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-updates main universe" >> /etc/apt/sources.list - echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-security main universe" >> /etc/apt/sources.list -fi - -# update and upgrade packages -echo "Running apt-get update" -apt-get update -apt-get upgrade -y - -# install necessary libraries for asdf and language runtimes -echo "Installing necessary packages" -apt-get -y install --no-install-recommends htop vim curl git build-essential \ - libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \ - zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \ - jq apt-transport-https ca-certificates gnupg-agent \ - software-properties-common bash-completion make parallel \ - libreadline-dev wget llvm libncurses5-dev libncursesw5-dev \ - xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev uuid-runtime xxd unzip - -# Download correct SAM CLI for arch -echo "Installing aws-sam cli" -if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then - wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip" - else - wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip" 
- fi - unzip -q /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli - /tmp/aws-sam-cli/install - rm /tmp/aws-sam-cli.zip - rm -rf /tmp/aws-sam-cli - -# Install ASDF -echo "Installing asdf" -ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' "${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf") -if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then - wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz" -else - wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz" -fi -tar -xzf /tmp/asdf.tar.gz -C /tmp -mkdir -p /usr/bin -mv /tmp/asdf /usr/bin/asdf -chmod +x /usr/bin/asdf -rm -rf /tmp/asdf.tar.gz - -# install gitsecrets -git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets -cd /tmp/git-secrets -make install -cd -rm -rf /tmp/git-secrets -mkdir -p /usr/share/secrets-scanner -chmod 755 /usr/share/secrets-scanner -curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt - -# get cfn-guard ruleset -wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1 -mkdir -p "${SCRIPTS_DIR}/cfnguard_rulesets" -unzip /tmp/ruleset.zip -d "${SCRIPTS_DIR}/cfnguard_rulesets" >/dev/null 2>&1 -rm /tmp/ruleset.zip - -# clean up -apt-get clean -rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh deleted file mode 100755 index b1b66de..0000000 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ /dev/null 
@@ -1,29 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# shellcheck disable=SC2129
-# shellcheck disable=SC2016
-echo 'PATH="/home/vscode/.asdf/shims/:$PATH"' >> ~/.bashrc
-echo '. <(asdf completion bash)' >> ~/.bashrc
-echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc
-# shellcheck disable=SC2016
-echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc
-# shellcheck disable=SC2016
-echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc
-
-# Install ASDF plugins
-asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git
-asdf plugin add direnv
-asdf plugin add actionlint
-asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git
-asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git
-asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git
-asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
-
-# install cfn-guard
-curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
-
-# install base asdf versions of common tools
-cd /home/vscode
-asdf install
diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml
deleted file mode 100644
index 8697da6..0000000
--- a/src/base/.trivyignore.yaml
+++ /dev/null
@@ -1 +0,0 @@
-vulnerabilities:
diff --git a/src/base/trivy.yaml b/src/base/trivy.yaml
deleted file mode 100644
index 48343ee..0000000
--- a/src/base/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/base/.trivyignore_combined.yaml"
diff --git a/src/base_node/node_24/.devcontainer/.tool-versions b/src/base_node/node_24/.devcontainer/.tool-versions
deleted file mode 100644
index 1b05724..0000000
--- a/src/base_node/node_24/.devcontainer/.tool-versions
+++ /dev/null
@@ -1 +0,0 @@
-nodejs 24.13.0
diff --git a/src/base_node/node_24/.devcontainer/devcontainer.json b/src/base_node/node_24/.devcontainer/devcontainer.json
deleted file mode 100644
index 90d861a..0000000
--- a/src/base_node/node_24/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,18 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
-{
- "name": "EPS Devcontainer node_24",
- // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
- "build": {
- "dockerfile": "../../../common/Dockerfile",
- "args": {
- "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
- "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
- "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
- "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
- },
- "context": "."
- },
- "features": {}
- }
-
diff --git a/src/base_node/node_24/.devcontainer/scripts/root_install.sh b/src/base_node/node_24/.devcontainer/scripts/root_install.sh
deleted file mode 100755
index 52fa2b1..0000000
--- a/src/base_node/node_24/.devcontainer/scripts/root_install.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-set -e
-export DEBIAN_FRONTEND=noninteractive
-
-# clean up
-apt-get clean
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/base_node/node_24/.devcontainer/scripts/vscode_install.sh b/src/base_node/node_24/.devcontainer/scripts/vscode_install.sh
deleted file mode 100755
index ea370f1..0000000
--- a/src/base_node/node_24/.devcontainer/scripts/vscode_install.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
-asdf install
diff --git a/src/base_node/node_24/trivy.yaml b/src/base_node/node_24/trivy.yaml
deleted file mode 100644
index 20e8f24..0000000
--- a/src/base_node/node_24/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/base_node/node_24/.trivyignore_combined.yaml"
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
deleted file mode 100644
index bd4d87e..0000000
--- a/src/common/.trivyignore.yaml
+++ /dev/null
@@ -1,309 +0,0 @@ -vulnerabilities: - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37849 - statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2026-26007 - statement: "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves" - purls: - - "pkg:pypi/cryptography@46.0.3" - expired_at: 2026-08-12 - - id: CVE-2024-49761 - statement: "rexml: REXML ReDoS vulnerability" - purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-08-12 - - id: CVE-2025-68121 - statement: "During session resumption in crypto/tls, if the underlying Config has ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61726 - statement: "golang: net/url: Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61728 - statement: "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61730 - statement: "During the TLS 1.3 handshake if multiple messages are sent in records ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-47907 - statement: "database/sql: Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-08-12 - - id: CVE-2025-58183 - statement: "golang: archive/tar: Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-08-12 - - id: CVE-2025-61729 - statement: "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-08-12 - - id: CVE-2023-24538 - statement: "golang: html/template: backticks not treated as string delimiters" - purls: - 
- "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24540 - statement: "golang: html/template: improper handling of JavaScript whitespace" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-24790 - statement: "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-24675 - statement: "golang: encoding/pem: fix stack overflow in Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-27664 - statement: "golang: net/http: handle server errors after sending GOAWAY" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-28131 - statement: "golang: encoding/xml: stack exhaustion in Decoder.Skip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-28327 - statement: "golang: crypto/elliptic: panic caused by oversized scalar" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-2879 - statement: "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-2880 - statement: "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-29804 - statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30580 - statement: "golang: os/exec: Code injection in Cmd.Start" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30630 - statement: "golang: io/fs: stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30631 - statement: "golang: compress/gzip: stack exhaustion in 
Reader.Read" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30632 - statement: "golang: path/filepath: stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30633 - statement: "golang: encoding/xml: stack exhaustion in Unmarshal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30634 - statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30635 - statement: "golang: encoding/gob: stack exhaustion in Decoder.Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-32189 - statement: "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41715 - statement: "golang: regexp/syntax: limit memory used by parsing regexps" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41716 - statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41720 - statement: "golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41722 - statement: "golang: path/filepath: path-filepath filepath.Clean path traversal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41723 - statement: "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41724 - statement: "golang: crypto/tls: large handshake records may cause panics" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41725 - statement: "golang: net/http, mime/multipart: denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24534 - statement: "golang: net/http, net/textproto: denial of service from excessive memory allocation" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24536 - statement: "golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24537 - statement: "golang: go/parser: Infinite loop in parsing" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24539 - statement: "golang: html/template: improper sanitization of CSS values" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-29400 - statement: "golang: html/template: improper handling of empty HTML attributes" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-29403 - statement: "golang: runtime: unexpected behavior of setuid/setgid binaries" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 
- - id: CVE-2023-39325 - statement: "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a \\??\\ prefix as sp ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45287 - statement: "golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45288 - statement: "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-34156 - statement: "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-25621 - statement: "github.com/containerd/containerd: containerd local privilege escalation" - purls: - - "pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-08-12 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37849 - statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - 
"pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-68121 - statement: "crypto/tls: Unexpected session resumption in crypto/tls" - purls: - - "pkg:golang/stdlib@v1.25.6" - expired_at: 2026-08-13 diff --git a/src/common/Dockerfile b/src/common/Dockerfile deleted file mode 100644 index a894e18..0000000 --- a/src/common/Dockerfile +++ /dev/null 
@@ -1,44 +0,0 @@
-ARG BASE_VERSION_TAG=latest
-ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG}
-
-FROM ${BASE_IMAGE}
-
-ARG BASE_VERSION_TAG=latest
-ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION_TAG}
-ARG SCRIPTS_DIR=/usr/local/share/eps
-ARG CONTAINER_NAME
-ARG MULTI_ARCH_TAG
-ARG BASE_VERSION_TAG
-ARG IMAGE_TAG
-ARG TARGETARCH
-
-ENV SCRIPTS_DIR=${SCRIPTS_DIR}
-ENV TARGETARCH=${TARGETARCH}
-
-USER root
-COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
-RUN ./root_install.sh
-
-COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
-USER vscode
-
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
-COPY .tool-versions /tmp/.tool-versions
-RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
-
-RUN ./vscode_install.sh
-
-# Switch back to root to install the devcontainer CLI globally
-USER root
-
-ENV CONTAINER_NAME=${CONTAINER_NAME}
-ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
-ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
-ENV IMAGE_TAG=${IMAGE_TAG}
-ENV BASE_IMAGE=${BASE_IMAGE}
-
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.version=${IMAGE_TAG}
-LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
-LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml
deleted file mode 100644
index 3109eaf..0000000
--- a/src/common_node_24/.trivyignore.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-vulnerabilities:
- - id: CVE-2026-25547
- statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"
- purls:
- - "pkg:npm/%40isaacs/brace-expansion@5.0.0"
- expired_at: 2026-08-12
- - id: CVE-2025-64756
- statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames"
- purls:
- - "pkg:npm/glob@10.4.5"
- - "pkg:npm/glob@11.0.3"
- expired_at: 2026-08-12
- - id: CVE-2026-23745
- statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives"
- purls:
- - "pkg:npm/tar@7.5.1"
- expired_at: 2026-08-12
- - id: CVE-2026-23950
- statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition"
- purls:
- - "pkg:npm/tar@7.5.1"
- expired_at: 2026-08-12
- - id: CVE-2026-24842
- statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check"
- purls:
- - "pkg:npm/tar@7.5.1"
- expired_at: 2026-08-12
- - id: CVE-2026-26960
- statement: "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"
- purls:
- - "pkg:npm/tar@7.5.1"
- expired_at: 2026-08-18
- - id: CVE-2026-26960
- statement: "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"
- purls:
- - "pkg:npm/tar@7.5.1"
- expired_at: 2026-08-18
- - id: CVE-2026-26996
- statement: "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"
- purls:
- - "pkg:npm/minimatch@10.0.3"
- - "pkg:npm/minimatch@9.0.5"
- expired_at: 2026-08-19
diff --git a/src/common_node_24/Dockerfile b/src/common_node_24/Dockerfile
deleted file mode 100644
index 9227065..0000000
--- a/src/common_node_24/Dockerfile
+++ /dev/null
@@ -1,44 +0,0 @@
-ARG BASE_VERSION_TAG=latest
-ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24:${BASE_VERSION_TAG}
-
-FROM ${BASE_IMAGE}
-
-ARG BASE_VERSION_TAG=latest
-ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24:${BASE_VERSION_TAG}
-ARG SCRIPTS_DIR=/usr/local/share/eps
-ARG CONTAINER_NAME
-ARG MULTI_ARCH_TAG
-ARG BASE_VERSION_TAG
-ARG IMAGE_TAG
-ARG TARGETARCH
-
-ENV SCRIPTS_DIR=${SCRIPTS_DIR}
-ENV TARGETARCH=${TARGETARCH}
-
-USER root
-COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
-RUN ./root_install.sh
-
-COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
-USER vscode
-
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
-COPY .tool-versions /tmp/.tool-versions
-RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
-
-RUN ./vscode_install.sh
-
-# Switch back to root to install the devcontainer CLI globally
-USER root
-
-ENV CONTAINER_NAME=${CONTAINER_NAME}
-ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
-ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
-ENV IMAGE_TAG=${IMAGE_TAG}
-ENV BASE_IMAGE=${BASE_IMAGE}
-
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.version=${IMAGE_TAG}
-LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
-LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
diff --git a/src/githubactions/Dockerfile b/src/githubactions/Dockerfile
deleted file mode 100644
index 78e9eaa..0000000
--- a/src/githubactions/Dockerfile
+++ /dev/null
@@ -1,19 +0,0 @@
-ARG BASE_IMAGE_NAME=base
-ARG BASE_IMAGE_TAG=latest
-FROM ghcr.io/nhsdigital/eps-devcontainers/${BASE_IMAGE_NAME}:${BASE_IMAGE_TAG}
-
-# changes needed so that it can be used by github actions
-## change vscode user and group id to be 1001
-## change and move vscode home dir to be /github/home
-
-RUN requested_uid=1001 \
- && requested_gid=1001 \
- && current_uid="$(id -u vscode)" \
- && current_gid="$(id -g vscode)" \
- && if [ "${current_gid}" != "${requested_gid}" ]; then groupmod -g "${requested_gid}" vscode; fi \
- && if [ "${current_uid}" != "${requested_uid}" ]; then usermod -u "${requested_uid}" -g "${requested_gid}" vscode; fi
-
-USER vscode
-ENV PATH="/home/vscode/.asdf/shims/:/home/vscode/.guard/bin/:$PATH:/vscode_path_mod"
-ENV ASDF_DATA_DIR=/home/vscode/.asdf
-USER root
diff --git a/src/languages/node_24_python_3_10/.devcontainer/.tool-versions b/src/languages/node_24_python_3_10/.devcontainer/.tool-versions
deleted file mode 100644
index deac4f1..0000000
--- a/src/languages/node_24_python_3_10/.devcontainer/.tool-versions
+++ /dev/null
@@ -1,2 +0,0 @@
-python 3.10.12
-poetry 2.1.3
diff --git a/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json
deleted file mode 100644
index a810718..0000000
--- a/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,18 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
-{
- "name": "EPS Devcontainer node_24 python_3.10",
- // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
- "build": {
- "dockerfile": "../../../common_node_24/Dockerfile",
- "args": {
- "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
- "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
- "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
- "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
- },
- "context": "."
- },
- "features": {}
- }
-
diff --git a/src/languages/node_24_python_3_10/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_10/.devcontainer/scripts/root_install.sh
deleted file mode 100755
index 52fa2b1..0000000
--- a/src/languages/node_24_python_3_10/.devcontainer/scripts/root_install.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-set -e
-export DEBIAN_FRONTEND=noninteractive
-
-# clean up
-apt-get clean
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh
deleted file mode 100755
index f13cedf..0000000
--- a/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-asdf plugin add python
-asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
-
-asdf install python
-asdf install
diff --git a/src/languages/node_24_python_3_10/.trivyignore.yaml b/src/languages/node_24_python_3_10/.trivyignore.yaml
deleted file mode 100644
index dfaba04..0000000
--- a/src/languages/node_24_python_3_10/.trivyignore.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-vulnerabilities:
- - id: CVE-2022-40897
- statement: "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py"
- purls:
- - "pkg:pypi/setuptools@65.5.0"
- expired_at: 2026-08-12
- - id: CVE-2024-6345
- statement: "pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools"
- purls:
- - "pkg:pypi/setuptools@65.5.0"
- expired_at: 2026-08-12
- - id: CVE-2025-47273
- statement: "setuptools: Path Traversal Vulnerability in setuptools PackageIndex"
- purls:
- - "pkg:pypi/setuptools@65.5.0"
- expired_at: 2026-08-12
diff --git a/src/languages/node_24_python_3_10/trivy.yaml b/src/languages/node_24_python_3_10/trivy.yaml
deleted file mode 100644
index 549851b..0000000
--- a/src/languages/node_24_python_3_10/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/languages/node_24_python_3_10/.trivyignore_combined.yaml"
diff --git a/src/languages/node_24_python_3_12/.devcontainer/.tool-versions b/src/languages/node_24_python_3_12/.devcontainer/.tool-versions
deleted file mode 100644
index 9dedcf5..0000000
--- a/src/languages/node_24_python_3_12/.devcontainer/.tool-versions
+++ /dev/null
@@ -1,2 +0,0 @@
-python 3.12.12
-poetry 2.3.2
diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json
deleted file mode 100644
index 0ac0328..0000000
--- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,18 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
-{
- "name": "EPS Devcontainer node_24 python_3.13",
- // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
- "build": {
- "dockerfile": "../../../common_node_24/Dockerfile",
- "args": {
- "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
- "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
- "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
- "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
- },
- "context": "."
- },
- "features": {}
- }
-
diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_12/.devcontainer/scripts/root_install.sh
deleted file mode 100755
index 52fa2b1..0000000
--- a/src/languages/node_24_python_3_12/.devcontainer/scripts/root_install.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-set -e
-export DEBIAN_FRONTEND=noninteractive
-
-# clean up
-apt-get clean
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh
deleted file mode 100755
index 2ef142b..0000000
--- a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-asdf plugin add python
-asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
-
-asdf install python
-asdf install
-
-# install cfn-lint
-pip install --user cfn-lint
diff --git a/src/languages/node_24_python_3_12/.trivyignore.yaml b/src/languages/node_24_python_3_12/.trivyignore.yaml
deleted file mode 100644
index 8697da6..0000000
--- a/src/languages/node_24_python_3_12/.trivyignore.yaml
+++ /dev/null
@@ -1 +0,0 @@
-vulnerabilities:
diff --git a/src/languages/node_24_python_3_12/trivy.yaml b/src/languages/node_24_python_3_12/trivy.yaml
deleted file mode 100644
index 48cfe23..0000000
--- a/src/languages/node_24_python_3_12/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/languages/node_24_python_3_12/.trivyignore_combined.yaml"
diff --git a/src/languages/node_24_python_3_13/.devcontainer/.tool-versions b/src/languages/node_24_python_3_13/.devcontainer/.tool-versions
deleted file mode 100644
index 85e2d7a..0000000
--- a/src/languages/node_24_python_3_13/.devcontainer/.tool-versions
+++ /dev/null
@@ -1,2 +0,0 @@
-python 3.13.12
-poetry 2.3.2
diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json
deleted file mode 100644
index 0ac0328..0000000
--- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,18 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
-{
- "name": "EPS Devcontainer node_24 python_3.13",
- // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
- "build": {
- "dockerfile": "../../../common_node_24/Dockerfile",
- "args": {
- "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
- "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
- "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
- "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
- },
- "context": "."
- },
- "features": {}
- }
-
diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_13/.devcontainer/scripts/root_install.sh
deleted file mode 100755
index 52fa2b1..0000000
--- a/src/languages/node_24_python_3_13/.devcontainer/scripts/root_install.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-set -e
-export DEBIAN_FRONTEND=noninteractive
-
-# clean up
-apt-get clean
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh
deleted file mode 100755
index 2ef142b..0000000
--- a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-asdf plugin add python
-asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
-
-asdf install python
-asdf install
-
-# install cfn-lint
-pip install --user cfn-lint
diff --git a/src/languages/node_24_python_3_13/.trivyignore.yaml b/src/languages/node_24_python_3_13/.trivyignore.yaml
deleted file mode 100644
index 8697da6..0000000
--- a/src/languages/node_24_python_3_13/.trivyignore.yaml
+++ /dev/null
@@ -1 +0,0 @@
-vulnerabilities:
diff --git a/src/languages/node_24_python_3_13/trivy.yaml b/src/languages/node_24_python_3_13/trivy.yaml
deleted file mode 100644
index 6af84d8..0000000
--- a/src/languages/node_24_python_3_13/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/languages/node_24_python_3_13/.trivyignore_combined.yaml"
diff --git a/src/languages/node_24_python_3_14/.devcontainer/.tool-versions b/src/languages/node_24_python_3_14/.devcontainer/.tool-versions
deleted file mode 100644
index 65e66b7..0000000
--- a/src/languages/node_24_python_3_14/.devcontainer/.tool-versions
+++ /dev/null
@@ -1,2 +0,0 @@
-python 3.14.3
-poetry 2.3.2
diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json
deleted file mode 100644
index 8580944..0000000
--- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,18 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
-{
- "name": "EPS Devcontainer node_24 python_3.14",
- // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
- "build": {
- "dockerfile": "../../../common_node_24/Dockerfile",
- "args": {
- "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
- "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
- "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
- "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
- },
- "context": "."
- },
- "features": {}
- }
-
diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh
deleted file mode 100755
index 52fa2b1..0000000
--- a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-set -e
-export DEBIAN_FRONTEND=noninteractive
-
-# clean up
-apt-get clean
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh
deleted file mode 100755
index 2ef142b..0000000
--- a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-asdf plugin add python
-asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
-
-asdf install python
-asdf install
-
-# install cfn-lint
-pip install --user cfn-lint
diff --git a/src/languages/node_24_python_3_14/.trivyignore.yaml b/src/languages/node_24_python_3_14/.trivyignore.yaml
deleted file mode 100644
index 8799951..0000000
--- a/src/languages/node_24_python_3_14/.trivyignore.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-vulnerabilities:
- - id: CVE-2026-23949
- statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives"
- purls:
- - "pkg:pypi/jaraco.context@5.3.0"
- expired_at: 2026-08-12
- - id: CVE-2026-24049
- statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking"
- purls:
- - "pkg:pypi/wheel@0.45.1"
- expired_at: 2026-08-12
diff --git a/src/languages/node_24_python_3_14/trivy.yaml b/src/languages/node_24_python_3_14/trivy.yaml
deleted file mode 100644
index e786be4..0000000
--- a/src/languages/node_24_python_3_14/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/languages/node_24_python_3_14/.trivyignore_combined.yaml"
diff --git a/src/projects/fhir_facade_api/.devcontainer/.tool-versions b/src/projects/fhir_facade_api/.devcontainer/.tool-versions
deleted file mode 100644
index af19266..0000000
--- a/src/projects/fhir_facade_api/.devcontainer/.tool-versions
+++ /dev/null
@@ -1 +0,0 @@
-java openjdk-20
diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile
deleted file mode 100644
index 8226af2..0000000
--- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile
+++ /dev/null
@@ -1,39 +0,0 @@
-ARG BASE_VERSION_TAG=latest
-ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG}
-
-FROM ${BASE_IMAGE}
-
-ARG SCRIPTS_DIR=/usr/local/share/eps
-ARG CONTAINER_NAME
-ARG MULTI_ARCH_TAG
-ARG BASE_VERSION_TAG
-ARG IMAGE_TAG
-ARG TARGETARCH
-
-ENV SCRIPTS_DIR=${SCRIPTS_DIR}
-ENV CONTAINER_NAME=${CONTAINER_NAME}
-ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
-ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
-ENV IMAGE_TAG=${IMAGE_TAG}
-ENV TARGETARCH=${TARGETARCH}
-
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.version=${IMAGE_TAG}
-LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
-LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
-
-USER root
-COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
-RUN ./root_install.sh
-
-USER vscode
-
-WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
-COPY .tool-versions /tmp/.tool-versions
-RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
-
-RUN ./vscode_install.sh
-
-# Switch back to root to install the devcontainer CLI globally
-USER root
diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json
deleted file mode 100644
index 95c0a22..0000000
--- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,18 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
-{
- "name": "EPS Devcontainer node_24 python_3.13",
- // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
- "build": {
- "dockerfile": "Dockerfile",
- "args": {
- "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
- "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
- "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
- "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
- },
- "context": "."
- },
- "features": {}
- }
-
diff --git a/src/projects/fhir_facade_api/.devcontainer/scripts/root_install.sh b/src/projects/fhir_facade_api/.devcontainer/scripts/root_install.sh
deleted file mode 100755
index f8ddcd1..0000000
--- a/src/projects/fhir_facade_api/.devcontainer/scripts/root_install.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-export DEBIAN_FRONTEND=noninteractive
-# install non snap version of firefox
-add-apt-repository -y ppa:mozillateam/ppa
-cat < /etc/apt/preferences.d/mozilla-firefox
-Package: *
-Pin: release o=LP-PPA-mozillateam
-Pin-Priority: 1001
-EOF
-
-apt-get -y install firefox
-
-# clean up
-apt-get clean
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/projects/fhir_facade_api/.devcontainer/scripts/vscode_install.sh b/src/projects/fhir_facade_api/.devcontainer/scripts/vscode_install.sh
deleted file mode 100755
index dd0f582..0000000
--- a/src/projects/fhir_facade_api/.devcontainer/scripts/vscode_install.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# install java using asdf
-asdf plugin add java
-asdf install
diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml
deleted file mode 100644
index 4443daa..0000000
--- a/src/projects/fhir_facade_api/.trivyignore.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
-vulnerabilities:
- - id: CVE-2022-25235
- statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
- expired_at: 2026-08-12
- - id: CVE-2022-25236
- statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
- expired_at: 2026-08-12
- - id: CVE-2022-26485
- statement: "Mozilla: Use-after-free in XSLT parameter processing"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
- expired_at: 2026-08-12
- - id: CVE-2022-26486
- statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
- expired_at: 2026-08-12
- - id: CVE-2026-25547
- statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"
- purls:
- - "pkg:npm/%40isaacs/brace-expansion@5.0.0"
- expired_at: 2026-08-12
- - id: CVE-2025-64756
- statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames"
- purls:
- - "pkg:npm/glob@10.4.5"
- - "pkg:npm/glob@11.0.3"
- expired_at: 2026-08-12
- - id: CVE-2026-23745
- statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives"
- purls:
- - "pkg:npm/tar@7.5.1"
- expired_at: 2026-08-12
- - id: CVE-2026-23950
- statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition"
- purls:
- - "pkg:npm/tar@7.5.1"
- expired_at: 2026-08-12
- - id: CVE-2026-24842
- statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check"
- purls:
- - "pkg:npm/tar@7.5.1"
- expired_at: 2026-08-12
- - id: CVE-2022-25235
- statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-13
- - id: CVE-2022-25236
- statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-13
- - id: CVE-2022-26485
- statement: "Mozilla: Use-after-free in XSLT parameter processing"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-13
- - id: CVE-2022-26486
- statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-13
- - id: CVE-2022-25235
- statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-16
- - id: CVE-2022-25236
- statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-16
- - id: CVE-2022-26485
- statement: "Mozilla: Use-after-free in XSLT parameter processing"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-16
- - id: CVE-2022-26486
- statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-16
- - id: CVE-2022-25235
- statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
- expired_at: 2026-08-16
- - id: CVE-2022-25236
- statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
- expired_at: 2026-08-16
- - id: CVE-2022-26485
- statement: "Mozilla: Use-after-free in XSLT parameter processing"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
- expired_at: 2026-08-16
- - id: CVE-2022-26486
- statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
- purls:
- - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
- expired_at: 2026-08-16
diff --git a/src/projects/fhir_facade_api/trivy.yaml b/src/projects/fhir_facade_api/trivy.yaml
deleted file mode 100644
index 1d8a75c..0000000
--- a/src/projects/fhir_facade_api/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/projects/fhir_facade_api/.trivyignore_combined.yaml"
diff --git a/trivy.yaml b/trivy.yaml
deleted file mode 100644
index eb24337..0000000
--- a/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: ".trivyignore.yaml"