Fix: [AEA-0000] - move to common workflows (#302)

## Summary

- Routine Change

### Details

- move to common workflow

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -1,5 +1,12 @@
 FROM mcr.microsoft.com/devcontainers/base:ubuntu
 
+
+ARG TARGETARCH
+ENV TARGETARCH=${TARGETARCH}
+
+ARG ASDF_VERSION
+COPY .tool-versions.asdf /tmp/.tool-versions.asdf
+
 RUN apt-get update \
     && export DEBIAN_FRONTEND=noninteractive \
     && apt-get -y dist-upgrade \
@@ -11,21 +18,41 @@ RUN apt-get update \
     libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
     xz-utils tk-dev liblzma-dev netcat libyaml-dev
 
-    # install aws stuff
-RUN wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \
+
+# Download correct AWS CLI for arch
+RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
+      wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; \
+    else \
+      wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; \
+    fi && \
     unzip /tmp/awscliv2.zip -d /tmp/aws-cli && \
     /tmp/aws-cli/aws/install && \
-    rm tmp/awscliv2.zip && \
-    rm -rf /tmp/aws-cli
+    rm /tmp/awscliv2.zip && rm -rf /tmp/aws-cli
 
-USER vscode
+# Download correct SAM CLI for arch
+RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
+      wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip"; \
+    else \
+      wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip"; \
+    fi && \
+    unzip /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli && \
+    /tmp/aws-sam-cli/install && \
+    rm /tmp/aws-sam-cli.zip && rm -rf /tmp/aws-sam-cli
 
 # Install ASDF
-RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.14.1; \
-    echo '. $HOME/.asdf/asdf.sh' >> ~/.bashrc; \
-    echo '. $HOME/.asdf/completions/asdf.bash' >> ~/.bashrc;
+RUN ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) && \
+    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then \
+        wget -O /tmp/asdf.tar.gz https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz; \
+    else \
+        wget -O /tmp/asdf.tar.gz https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz; \
+    fi && \
+    tar -xvzf /tmp/asdf.tar.gz && \
+    mv asdf /usr/bin
+
+
+USER vscode
 
-ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-cdk-utils/node_modules/.bin"
+ENV PATH="$PATH:/home/vscode/.asdf/shims/:/workspaces/eps-cdk-utils/node_modules/.bin"
 
 # Install ASDF plugins
 RUN asdf plugin add python; \
@@ -40,8 +67,5 @@ WORKDIR /workspaces/eps-workflow-quality-checks
 ADD .tool-versions /workspaces/eps-cdk-utils/.tool-versions
 ADD .tool-versions /home/vscode/.tool-versions
 
-RUN asdf install; \
-    asdf reshim python; \
-    asdf reshim poetry; \
-    asdf reshim nodejs; \
-    asdf direnv setup --shell bash --version 2.32.2;
+RUN asdf install python; \
+    asdf install

.github/config/settings.yml

@@ -0,0 +1 @@
+TAG_FORMAT: "v${version}"

.github/workflows/ci.yml

@@ -8,118 +8,59 @@ env:
   BRANCH_NAME: ${{ github.ref_name }}
 
 jobs:
-  quality_checks:
-    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/[email protected]
-    secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
   get_commit_id:
     runs-on: ubuntu-22.04
     outputs:
       commit_id: ${{ steps.commit_id.outputs.commit_id }}
+      sha_short: ${{ steps.commit_id.outputs.sha_short }}
+
     steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+
       - name: Get Commit ID
         id: commit_id
         run: |
+          #  echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV"
           echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-
-  tag_release:
-    needs: quality_checks
+          echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+  get_asdf_version:
     runs-on: ubuntu-22.04
     outputs:
-      version_tag: ${{steps.output_version_tag.outputs.VERSION_TAG}}
+      asdf_version: ${{ steps.asdf-version.outputs.version }}
+      tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
-        with:
-          ref: ${{ env.BRANCH_NAME }}
-          fetch-depth: 0
 
-      # using git commit sha for version of action to ensure we have stable version
-      - name: Install asdf
-        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
-        with:
-          asdf_branch: v0.14.1
-
-      - name: Cache asdf
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
-          restore-keys: |
-            ${{ runner.os }}-asdf-
-
-      - name: Install asdf dependencies in .tool-versions
-        uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302
-        with:
-          asdf_branch: v0.14.1
-        env:
-          PYTHON_CONFIGURE_OPTS: --enable-shared
-
-      - name: Setting up .npmrc
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Get asdf version
+        id: asdf-version
+        run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+      - name: Load config value
+        id: load-config
         run: |
-          echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
-          echo "@NHSDigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
-
-      - name: Install node packages
-        run: |
-          make install-node
-
-      - name: Set VERSION_TAG env var to be short git SHA and get next tag version
-        id: output_version_tag
-        run: |
-          VERSION_TAG=$(git rev-parse --short HEAD)
-          npx semantic-release --dry-run > semantic-release-output.log
-          NEXT_VERSION=$(grep -i 'The next release version is' semantic-release-output.log | sed -E 's/.* ([[:digit:].]+)$/\1/')
-          if [ -z "${NEXT_VERSION}" ]
-          then
-            echo "Could not get next tag. Here is the log from semantic-release"
-            cat semantic-release-output.log
-            exit 1
-          fi
-          tagFormat=$(node -e "const config=require('./release.config.js'); console.log(config.tagFormat)")
-          if [ "${tagFormat}" = "null" ]
-          then
-            tagFormat="v\${version}"
-          fi
-          # disabling shellcheck as replace does not work
-          # shellcheck disable=SC2001
-          VERSION_TAG=$(echo "$tagFormat" | sed "s/\${version}/$NEXT_VERSION/")
-          echo "## VERSION TAG : ${VERSION_TAG}" >> "$GITHUB_STEP_SUMMARY"
-          echo "VERSION_TAG=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
-          echo "VERSION_TAG=${VERSION_TAG}" >> "$GITHUB_ENV"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-
-      - name: tag release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          npx semantic-release
-
-      - name: Get release for editing
-        id: get_release
-        # version 1.2.4
-        uses: cardinalby/git-get-release-action@5172c3a026600b1d459b117738c605fabc9e4e44
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        with:
-          tag: ${{ env.VERSION_TAG }}
+          TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+  quality_checks:
+    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@4a6d03ad51516eddc448daf454805f85fe2025b9
+    needs: [get_asdf_version, get_commit_id]
+    with:
+      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
-      - name: Edit Release
-        # version 1.2.0
-        uses: irongut/EditRelease@ccf529ad26dddf9996e7dd0f24ca5da4ea507cc2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          id: ${{ steps.get_release.outputs.id }}
-          body: |
-            ## Info
-            [See code diff](${{ github.event.compare }})
-            [Release workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
-            It was initialized by [${{ github.event.sender.login }}](${{ github.event.sender.html_url }})
+  tag_release:
+    needs: [quality_checks, get_commit_id, get_asdf_version]
+    uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/tag-release.yml@f80157cecce288dd175e61b477a1d2dbe9c88b99
+    with:
+      dry_run: false
+      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      branch_name: main
+      publish_package: false
+      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+    secrets: inherit
 
   package_code:
     needs: [tag_release, quality_checks, get_commit_id]
@@ -141,73 +82,49 @@ jobs:
       CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}
 
   release_qa:
-    needs:
-      [
-        tag_release,
-        release_dev,
-        package_code,
-        get_commit_id,
-      ]
+    needs: [tag_release, release_dev, package_code, get_commit_id]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-        AWS_ENVIRONMENT: qa
-        VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
-        COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
-        TAG_LATEST: true
-        DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
+      AWS_ENVIRONMENT: qa
+      VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      TAG_LATEST: true
+      DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
     secrets:
-        CDK_PUSH_IMAGE_ROLE: ${{ secrets.QA_CDK_PUSH_IMAGE_ROLE }}
-  
+      CDK_PUSH_IMAGE_ROLE: ${{ secrets.QA_CDK_PUSH_IMAGE_ROLE }}
+
   release_ref:
-    needs:
-      [
-        tag_release,
-        release_dev,
-        package_code,
-        get_commit_id,
-      ]
+    needs: [tag_release, release_dev, package_code, get_commit_id]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-        AWS_ENVIRONMENT: ref
-        VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
-        COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
-        TAG_LATEST: true
-        DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
+      AWS_ENVIRONMENT: ref
+      VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      TAG_LATEST: true
+      DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
     secrets:
-        CDK_PUSH_IMAGE_ROLE: ${{ secrets.REF_CDK_PUSH_IMAGE_ROLE }}
-  
+      CDK_PUSH_IMAGE_ROLE: ${{ secrets.REF_CDK_PUSH_IMAGE_ROLE }}
+
   release_int:
-    needs:
-      [
-        tag_release,
-        release_qa,
-        package_code,
-        get_commit_id,
-      ]
+    needs: [tag_release, release_qa, package_code, get_commit_id]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-        AWS_ENVIRONMENT: int
-        VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
-        COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
-        TAG_LATEST: true
-        DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
+      AWS_ENVIRONMENT: int
+      VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      TAG_LATEST: true
+      DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
     secrets:
-        CDK_PUSH_IMAGE_ROLE: ${{ secrets.INT_CDK_PUSH_IMAGE_ROLE }}
-  
+      CDK_PUSH_IMAGE_ROLE: ${{ secrets.INT_CDK_PUSH_IMAGE_ROLE }}
+
   release_prod:
-    needs:
-      [
-        tag_release,
-        release_int,
-        package_code,
-        get_commit_id,
-      ]
+    needs: [tag_release, release_int, package_code, get_commit_id]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
-        AWS_ENVIRONMENT: prod
-        VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
-        COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
-        TAG_LATEST: true
-        DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
+      AWS_ENVIRONMENT: prod
+      VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      TAG_LATEST: true
+      DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
     secrets:
-        CDK_PUSH_IMAGE_ROLE: ${{ secrets.PROD_CDK_PUSH_IMAGE_ROLE }}
+      CDK_PUSH_IMAGE_ROLE: ${{ secrets.PROD_CDK_PUSH_IMAGE_ROLE }}

.github/workflows/dependabot_auto_approve_and_merge.yml

@@ -6,44 +6,8 @@ permissions:
   contents: write
 
 jobs:
-  dependabot:
-    runs-on: ubuntu-22.04
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - name: Get token from Github App
-        id: get_app_token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.AUTOMERGE_APP_ID }}
-          private-key: ${{ secrets.AUTOMERGE_PEM }}    
-      - name: Dependabot metadata
-        id: dependabot-metadata
-        uses: dependabot/fetch-metadata@v2
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: Approve patch and minor updates
-        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'}}
-        run: gh pr review "$PR_URL" --approve -b "I'm **approving** this pull request because **it includes a patch or minor update**"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
-      - name: Approve major updates of development dependencies
-        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:development'}}
-        run: gh pr review "$PR_URL" --approve -b "I'm **approving** this pull request because **it includes a major update of a dependency used only in development**"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
-      - name: Comment on major updates of non-development dependencies
-        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production'}}
-        run: |
-          gh pr comment "$PR_URL" --body "I'm **not approving** this PR because **it includes a major update of a dependency used in production**"
-          gh pr edit "$PR_URL" --add-label "requires-manual-qa"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
-      # enable auto merge on all dependabot prs
-      - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
+  dependabot-auto-approve-and-merge:
+    uses: NHSDigital/eps-workflow-dependabot/.github/workflows/dependabot-auto-approve-and-merge.yml@5dd998ea44b2e412ea51544b565be3d67f54dc41
+    secrets:
+      AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
+      AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}