New: [AEA-0000] - build image (#1)

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -0,0 +1,47 @@
+FROM mcr.microsoft.com/devcontainers/base:ubuntu
+
+RUN apt-get update \
+    && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y dist-upgrade \
+    && apt-get -y install --no-install-recommends htop vim curl git build-essential \
+    libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \
+    zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \
+    jq apt-transport-https ca-certificates gnupg-agent \
+    software-properties-common bash-completion python3-pip make libbz2-dev \
+    libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
+    xz-utils tk-dev liblzma-dev netcat libyaml-dev
+
+    # install aws stuff
+RUN wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \
+    unzip /tmp/awscliv2.zip -d /tmp/aws-cli && \
+    /tmp/aws-cli/aws/install && \
+    rm tmp/awscliv2.zip && \
+    rm -rf /tmp/aws-cli
+
+USER vscode
+
+# Install ASDF
+RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.14.1; \
+    echo '. $HOME/.asdf/asdf.sh' >> ~/.bashrc; \
+    echo '. $HOME/.asdf/completions/asdf.bash' >> ~/.bashrc;
+
+ENV PATH="$PATH:/home/vscode/.asdf/bin/:/workspaces/eps-cdk-utils/node_modules/.bin"
+
+# Install ASDF plugins
+RUN asdf plugin add python; \
+    asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git; \
+    asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git; \
+    asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git; \
+    asdf plugin add direnv; \
+    asdf plugin add actionlint;
+
+WORKDIR /workspaces/eps-workflow-quality-checks
+
+ADD .tool-versions /workspaces/eps-cdk-utils/.tool-versions
+ADD .tool-versions /home/vscode/.tool-versions
+
+RUN asdf install; \
+    asdf reshim python; \
+    asdf reshim poetry; \
+    asdf reshim nodejs; \
+    asdf direnv setup --shell bash --version 2.32.2;

.devcontainer/devcontainer.json

@@ -0,0 +1,41 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+    "name": "Ubuntu",
+    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+    "build": {
+      "dockerfile": "Dockerfile",
+      "context": "..",
+      "args": {}
+    },
+    "mounts": [
+      "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
+      "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
+      "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
+      "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+    ],
+    "features": {
+      "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+        "version": "latest",
+        "moby": "true",
+        "installDockerBuildx": "true"
+      }
+    },
+    "containerUser": "vscode",
+    "customizations": {
+      "vscode": {
+        "extensions": [
+          "AmazonWebServices.aws-toolkit-vscode",
+          "redhat.vscode-yaml",
+          "eamodio.gitlens",
+          "github.vscode-pull-request-github",
+          "streetsidesoftware.code-spell-checker",
+          "timonwong.shellcheck",
+          "github.vscode-github-actions"
+        ],
+        "settings": {
+          "cSpell.words": ["fhir", "Formik", "pino", "serialisation"]
+        }
+      }
+    }
+  }

.github/dependabot.yml

@@ -0,0 +1,37 @@
+#########################################################################
+# Dependabot configuration file
+#########################################################################
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "
+
+  ###################################
+  # NPM workspace  ##################
+  ###################################
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    versioning-strategy: increase
+    open-pull-requests-limit: 20
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "
+
+  ###################################
+  # Poetry  #########################
+  ###################################
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    versioning-strategy: increase
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "

.github/pull_request_template.md

@@ -0,0 +1,59 @@
+## Summary
+
+**Remove items from this list if they are not relevant. Remove this line once this has been done**
+
+- Routine Change
+- :exclamation: Breaking Change
+- :robot: Operational or Infrastructure Change
+- :sparkles: New Feature
+- :warning: Potential issues that might be caused by this change
+
+### Details
+
+Add any summary information of what is in the change. **Remove this line if you have nothing to add.**
+
+## Pull Request Naming
+
+Pull requests should be named using the following format:
+
+```text
+Tag: [AEA-NNNN] - Short description
+```
+
+Tag can be one of:
+
+- `Fix` - for a bug fix. (Patch release)
+- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release)
+- `New` - implemented a new feature. (Minor release)
+- `Breaking` - for a backwards-incompatible enhancement or feature. (Major release)
+- `Docs` - changes to documentation only. (Patch release)
+- `Build` - changes to build process only. (No release)
+- `Upgrade` - for a dependency upgrade. (Patch release)
+- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release)
+
+If the current release is x.y.z then
+- a patch release increases z by 1
+- a minor release increases y by 1
+- a major release increases x by 1
+
+Correct tagging is necessary for our automated versioning and release process.
+
+The description of your pull request will be used as the commit message for the merge, and also be included in the changelog. Please ensure that your title is sufficiently descriptive.
+
+### Rerunning Checks
+
+If you need to rename your pull request, you can restart the checks by either:
+
+- Closing and reopening the pull request
+- pushing an empty commit 
+  ```bash
+  git commit --allow-empty -m 'trigger build'
+  git push
+  ```
+- Amend your last commit and force push to the branch
+  ```bash
+  git commit --amend --no-edit
+  git push --force
+  ```
+
+Rerunning the checks from within the pull request will not use the updated title.

.github/scripts/check_ecr_image_scan_results.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+if [ -z "${REPOSITORY_NAME}" ]; then
+  echo "REPOSITORY_NAME not set"
+  exit 1
+fi
+
+if [ -z "${IMAGE_TAG}" ]; then
+  echo "IMAGE_TAG not set"
+  exit 1
+fi
+
+function wait_for_scan() {
+  echo "Giving some time for scan to begin..."
+  sleep 3
+  while [[ $(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}" | jq -r .imageScanStatus.status) != "COMPLETE" ]];do 
+    echo "SCAN IS NOT YET COMPLETE..."
+    sleep 3
+  done
+}
+
+function check_for_high_critical_vuln() {
+  scan_results=$(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}")
+  high=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.HIGH)
+  critical=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.CRITICAL)
+}
+
+function return_scan_results() {
+    echo "=== BEGIN IMAGE SCAN RESULTS ==="
+    echo "$scan_results"
+    echo "=== END IMAGE SCAN RESULTS ==="
+}
+
+function return_error() {
+    echo -e "\n**********************************************************"
+    echo "**********************************************************"
+    echo "**********************************************************"
+    echo "ERROR: There are CRITICAL/HIGH vulnerabilties. Stopping build."
+    echo "**********************************************************"
+    echo "**********************************************************"
+    echo "**********************************************************"
+    exit 2
+}
+
+function analyze_scan_results() {
+  if [[ $critical -gt 0 ]]; then
+    echo "ERROR: There are CRITICAL vulnerabilties. Stopping build."
+    return_scan_results
+    return_error
+  elif [[ $high -gt 0 ]]; then
+    echo "ERROR: There are HIGH vulnerabilties. Stopping build."
+    return_scan_results
+    return_error
+  else
+    return_scan_results
+  fi
+}
+
+wait_for_scan
+check_for_high_critical_vuln
+analyze_scan_results