NHSDigital · MWClayson-NHS · Dec 23, 2025 · Dec 30, 2025 · Jan 5, 2026 · Jan 5, 2026
diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml
@@ -133,7 +133,8 @@ jobs:
     permissions:
       contents: read
       id-token: write
-      pull-requests: read
+      pull-requests: write
+      packages: write
     secrets:
       client_id: ${{ secrets.AZURE_CLIENT_ID }}
       tenant_id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/.github/workflows/stage-3-build-images.yaml b/.github/workflows/stage-3-build-images.yaml
@@ -77,13 +77,88 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: bash scripts/deployment/get-docker-names.sh
 
+  build-base-images:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      id-token: write
+      packages: write
+    outputs:
+      DOTNET_BASE_IMAGE: ${{ steps.set-image-tags.outputs.DOTNET_BASE_IMAGE }}
+      FUNCTION_BASE_IMAGE:  ${{ steps.set-image-tags.outputs.FUNCTION_BASE_IMAGE }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 1
+          submodules: 'true'
+
+      - name: log in to GHCR
+        uses: docker/login-action@v3
+        continue-on-error: false
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Detect base image changes
+        id: detect-base-image-changes
+        continue-on-error: false
+        run: bash scripts/deployment/check-base-image-changes.sh
+
+      - name: Build Base Images
+        id: build-base-images
+        working-directory: ./
+        if: ${{ steps.detect-base-image-changes.outputs.BASE_IMAGE_CHANGE == 'true' || github.ref == 'refs/heads/main'  }}
+        continue-on-error: false
+        run: |
+          PR_NUM_TAG=$(echo "${GITHUB_REF}" | sed 's/refs\/pull\/\([0-9]*\)\/merge/\1/')
+          SHORT_COMMIT_HASH=$(git rev-parse --short ${GITHUB_SHA})
+
+          docker build -f Dockerfile.dotnet.base -t cohort-manager-dotnet-base:latest .
+          docker tag cohort-manager-dotnet-base:latest "ghcr.io/nhsdigital/cohort-manager-dotnet-base:${PR_NUM_TAG}"
           GH_IMAGE="${{ inputs.gh_registry }}/${{ github.repository_owner }}/${{ inputs.project_name }}-${{ matrix.function }}:latest" 
           GH_IMAGE="${{ inputs.gh_registry }}/${{ github.repository_owner }}/${{ inputs.project_name }}-${{ matrix.function }}:latest" 
+          docker tag cohort-manager-dotnet-base:latest "ghcr.io/nhsdigital/cohort-manager-dotnet-base:${SHORT_COMMIT_HASH}"
+
+          docker build -f Dockerfile.function.base -t cohort-manager-function-base:latest .
+          docker tag cohort-manager-function-base:latest "ghcr.io/nhsdigital/cohort-manager-function-base:${PR_NUM_TAG}"
+          docker tag cohort-manager-function-base:latest "ghcr.io/nhsdigital/cohort-manager-function-base:${SHORT_COMMIT_HASH}"
+
+          docker push "ghcr.io/nhsdigital/cohort-manager-dotnet-base:${PR_NUM_TAG}"
+          docker push "ghcr.io/nhsdigital/cohort-manager-dotnet-base:${SHORT_COMMIT_HASH}"
+          docker push "ghcr.io/nhsdigital/cohort-manager-function-base:${PR_NUM_TAG}"
+          docker push "ghcr.io/nhsdigital/cohort-manager-function-base:${SHORT_COMMIT_HASH}"
+          if [ "${GITHUB_REF}" == 'refs/heads/main' ]; then
+              docker push "ghcr.io/nhsdigital/cohort-manager-dotnet-base:latest"
+              docker push "ghcr.io/nhsdigital/cohort-manager-function-base:latest"
+          fi
+
+      - name: Set Image Tags
+        id: set-image-tags
+        run: |
+
+          PR_NUM_TAG=$(echo "${GITHUB_REF}" | sed 's/refs\/pull\/\([0-9]*\)\/merge/\1/')
+          IMAGE_TAG="latest"
+
+          if [[ ${{steps.detect-base-image-changes.outputs.BASE_IMAGE_CHANGE}} == 'true' ]]; then
+            IMAGE_TAG="${PR_NUM_TAG}"
+          fi
+          echo "Image Tag = ${IMAGE_TAG}"
+
+          echo "DOTNET_BASE_IMAGE=ghcr.io/nhsdigital/cohort-manager-dotnet-base:${IMAGE_TAG}" >> "${GITHUB_OUTPUT}"
+          echo "FUNCTION_BASE_IMAGE=ghcr.io/nhsdigital/cohort-manager-function-base:${IMAGE_TAG}" >> "${GITHUB_OUTPUT}"
+
+
+
+
+
   build-and-push:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
       contents: read
       pull-requests: read
-    needs: get-functions
+    needs: [get-functions, build-base-images]
     strategy:
       matrix:
         function: ${{ fromJSON(needs.get-functions.outputs.FUNC_NAMES) }}
@@ -145,25 +220,32 @@ jobs:
 
           echo "ENVIRONMENT_TAG=${ENVIRONMENT_TAG}" >> ${GITHUB_ENV}
 
+
       - name: Build and Push Image
         working-directory: ${{ steps.get-function-names.outputs.DOCKER_COMPOSE_DIR }}
         continue-on-error: false
         env:
           COMPOSE_FILE: ${{ inputs.docker_compose_file }}
           PROJECT_NAME: ${{ inputs.project_name }}
           ACR_NAME: ${{ secrets.acr_name }}
+          DOTNET_BASE_IMAGE : ${{ needs.build-base-images.outputs.DOTNET_BASE_IMAGE }}
+          FUNCTION_BASE_IMAGE: ${{ needs.build-base-images.outputs.FUNCTION_BASE_IMAGE }}
         run: |
           function=${{ matrix.function }}
 
+
+
           echo PROJECT_NAME: ${PROJECT_NAME}
 
           if [ -z "${function}" ]; then
             echo "Function variable is empty. Skipping Docker build."
             exit 0
           fi
 
-          # Build the image
-          docker compose -f ${COMPOSE_FILE//,/ -f } -p ${PROJECT_NAME} --profile "*" build --no-cache --pull ${function}
+
+          docker compose -f ${COMPOSE_FILE//,/ -f } \
+            -p ${PROJECT_NAME} \
+            --profile "*" build --no-cache --pull ${function}
 
           repo_name="${ACR_NAME}.azurecr.io/${PROJECT_NAME}-${function}"
           echo $(repo_name)

diff --git a/Directory.Build.props b/Directory.Build.props
@@ -0,0 +1,7 @@
+<Project>
+  <PropertyGroup Condition="'$(MSBuildProjectName)' == 'WorkerExtensions'">
+    <ManagePackageVersionsCentrally>false</ManagePackageVersionsCentrally>
+    <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
+    <NoWarn>$(NoWarn);NU1605;NU1701;NU1507</NoWarn>
+  </PropertyGroup>
+</Project>
diff --git a/Directory.Build.targets b/Directory.Build.targets
@@ -0,0 +1,8 @@
+<Project>
+    <PropertyGroup Condition="
+    '$(UsingMicrosoftNETSdkWorker)' == 'true'
+    and '$(IsTestProject)' == 'true'
+  ">
+    <FunctionsGenerateWorkerExtensions>false</FunctionsGenerateWorkerExtensions>
+  </PropertyGroup>
+</Project>
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -0,0 +1,69 @@
+<Project>
+  <PropertyGroup>
+    <!-- Enable central package management,
+    https://learn.microsoft.com/en-us/nuget/consume-packages/Central-Package-Management -->
+    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageVersion Include="Azure.Messaging.ServiceBus" Version="7.20.1" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker" Version="2.0.0" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.3.0" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker.Extensions.Storage.Blobs"
+      Version="6.7.0" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker.Sdk" Version="2.0.4" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" Version="2.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="9.0.2" />
+    <PackageVersion Include="Polly" Version="8.5.0" />
+    <PackageVersion Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.4.0" />
+    <PackageVersion Include="Azure.Identity" Version="1.14.1" />
+    <PackageVersion Include="Azure.Security.KeyVault.Certificates" Version="4.6.0" />
+    <PackageVersion Include="Azure.Security.KeyVault.Secrets" Version="4.6.0" />
+    <PackageVersion Include="Azure.Storage.Blobs" Version="12.20.0" />
+    <PackageVersion Include="Azure.Storage.Queues" Version="12.20.1" />
+    <PackageVersion Include="Azure.Messaging.EventGrid" Version="4.28.0" />
+    <PackageVersion Include="Microsoft.ApplicationInsights.DependencyCollector" Version="2.23.0" />
+    <PackageVersion Include="Microsoft.ApplicationInsights.WorkerService" Version="2.23.0" />
+    <PackageVersion Include="Microsoft.AspNetCore.WebUtilities" Version="8.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Azure" Version="1.12.0" />
+    <PackageVersion Include="Microsoft.Extensions.Options.DataAnnotations" Version="9.0.6" />
+    <PackageVersion Include="Microsoft.Identity.Client" Version="4.74.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.12.1" />
+    <PackageVersion Include="Hl7.Fhir.R4" Version="5.11.4" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.12.1" />
+    <PackageVersion Include="Microsoft.Extensions.Hosting" Version="9.0.6" />
+    <PackageVersion Include="System.Linq.Dynamic.Core" Version="1.7.1" />
+    <PackageVersion Include="ParquetSharp" Version="17.0.0-beta1" />
+    <PackageVersion Include="RulesEngine" Version="5.0.5" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="10.0.1" />
+    <PackageVersion Include="Microsoft.Extensions.HealthChecks.AzureStorage" Version="1.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Logging" Version="9.0.6" />
+    <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="9.0.3" />
+    <PackageVersion Include="System.Runtime.Caching" Version="8.0.1" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore"
+      Version="2.0.2" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker.Extensions.Timer" Version="4.3.1" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker.Extensions.DurableTask"
+      Version="1.4.0" />
+    <PackageVersion Include="Microsoft.Azure.Functions.Worker.Extensions.ServiceBus"
+      Version="5.23.0" />
+    <PackageVersion Include="Grpc.Net.Client" Version="2.70.0" />
+    <PackageVersion Include="Contrib.Grpc.Core.M1" Version="2.41.0" />
+    <PackageVersion Include="Hl7.Fhir.STU3" Version="4.3.0" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="9.0.3" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.3" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer.NetTopologySuite"
+      Version="9.0.3" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="9.0.3" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="9.0.8" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
+    <PackageVersion Include="Moq" Version="4.20.72" />
+    <PackageVersion Include="MSTest" Version="3.6.4" />
+    <PackageVersion Include="MSTest.TestAdapter" Version="3.1.1" />
+    <PackageVersion Include="MSTest.TestFramework" Version="3.1.1" />
+    <PackageVersion Include="coverlet.collector" Version="6.0.0" />
+    <PackageVersion Include="FluentAssertions" Version="6.12.2" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.InMemory" Version="9.0.3" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="9.0.3" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.1" />
+  </ItemGroup>
+</Project>
diff --git a/Dockerfile.dotnet.base b/Dockerfile.dotnet.base
@@ -0,0 +1,10 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS base
+
+COPY Directory.Build.props /app/Directory.Build.props
+COPY Directory.Build.targets /app/Directory.Build.targets
+COPY Directory.Packages.props /app/Directory.Packages.props
+
+COPY ./application/CohortManager/src/Functions/Shared/ /app/Shared
+
+
+
diff --git a/Dockerfile.function.base b/Dockerfile.function.base
@@ -0,0 +1,20 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS base
+
+# Copy Build and Package Properties
+COPY Directory.Build.props /app/Directory.Build.props
+COPY Directory.Build.targets /app/Directory.Build.targets
+COPY Directory.Packages.props /app/Directory.Packages.props
+
+
+COPY ./application/CohortManager/src/Functions/Shared/ /app/Shared
+
+WORKDIR /app/Shared
+
+RUN mkdir -p /home/site/wwwroot && \
+    dotnet publish ./Common/Common.csproj --output /home/site/wwwroot && \
+    dotnet publish ./Model/Model.csproj --output /home/site/wwwroot && \
+    dotnet publish ./Data/Data.csproj --output /home/site/wwwroot && \
+    dotnet publish ./Utilities/Utilities.csproj --output /home/site/wwwroot && \
+    dotnet publish ./DataServices.Client/DataServices.Client.csproj --output /home/site/wwwroot && \
+    dotnet publish ./DataServices.Core/DataServices.Core.csproj --output /home/site/wwwroot && \
+    dotnet publish ./DataServices.Database/DataServices.Database.csproj --output /home/site/wwwroot
diff --git a/application/CohortManager/.env.example b/application/CohortManager/.env.example
@@ -13,6 +13,10 @@ MESHKEYPASSPHRASE="" #Passpharse for the private key for authenticating against
 NEMS_CERT_PASSWORD="" # Password for the NEMS client certificate - change for production
 NEMS_MESH_MAILBOX_ID="" # MESH Mailbox ID for NEMS subscription delivery - will be provided by project for production
 
+# Container Base Images, These are used to define the image to be used by docker when building the function images
+DOTNET_BASE_IMAGE="dotnet-base:local"
+FUNCTION_BASE_IMAGE="function-base:local"
+
 # ManageCaasSubscription Mesh base URL
 # Unset to use the default local mesh in docker-compose (https://localhost:8700/messageexchange)
 # For WireMock runs, set to http://wiremock:8080/messageexchange

diff --git a/application/CohortManager/compose.cohort-distribution.yaml b/application/CohortManager/compose.cohort-distribution.yaml
@@ -8,6 +8,8 @@ services:
     build:
       context: ./src/Functions/
       dockerfile: CohortDistributionServices/DistributeParticipant/Dockerfile
+      args:
+        BASE_IMAGE: ${FUNCTION_BASE_IMAGE}
     environment:
       - ServiceBusConnectionString_internal=Endpoint=sb://service-bus;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=SAS_KEY_VALUE;UseDevelopmentEmulator=true;
       - CohortDistributionTopic=cohort-distribution-topic
@@ -34,6 +36,8 @@ services:
     build:
       context: ./src/Functions/
       dockerfile: CohortDistributionServices/RetrieveCohortDistribution/Dockerfile
+      args:
+        BASE_IMAGE: ${FUNCTION_BASE_IMAGE}
     profiles: [bs-select]
     ports:
       - 7078:7078
@@ -53,6 +57,8 @@ services:
     build:
       context: ./src/Functions/
       dockerfile: CohortDistributionServices/RetrieveCohortRequestAudit/Dockerfile
+      args:
+        BASE_IMAGE: ${FUNCTION_BASE_IMAGE}
     profiles: [bs-select]
     ports:
       - 7086:7086
@@ -70,6 +76,8 @@ services:
     build:
       context: ./src/Functions/
       dockerfile: CohortDistributionServices/TransformDataService/Dockerfile
+      args:
+        BASE_IMAGE: ${FUNCTION_BASE_IMAGE}
     environment:
       - ASPNETCORE_URLS=http://*:7080
       - ExceptionFunctionURL=http://create-exception:7070/api/CreateException
@@ -88,6 +96,8 @@ services:
     build:
       context: ./src/Functions/
       dockerfile: ScreeningValidationService/RemoveValidationException/Dockerfile
+      args:
+        BASE_IMAGE: ${FUNCTION_BASE_IMAGE}
     environment:
       - ASPNETCORE_URLS=http://*:7085
       - ExceptionFunctionURL=http://create-exception:7070/api/CreateException