build nhsd_git_secrets

anthony-nhs · anthony-nhs · commit 46623108a32a · 2025-10-23T07:46:20.000Z
diff --git a/.github/workflows/build_nhsd_git_secrets.yml b/.github/workflows/build_nhsd_git_secrets.yml
@@ -0,0 +1,184 @@
+name: Build nhsd git secrets
+
+on:
+    workflow_call:
+        secrets:
+            SONAR_TOKEN:
+                required: false
+            PUSH_IMAGE_ROLE:
+                required: true
+        inputs:
+            git_secrets_container_ecr:
+                type: string
+                description: "The name of the ECR repository to push the dev container image to."
+                required: true
+            git_secrets_container_image_tag:
+                type: string
+                description: "The tag to use for the dev container image."
+                required: true
+            check_ecr_image_scan_results_script_tag:
+                type: string
+                description: "The tag to download check_ecr_image_scan_results.sh script."
+                required: false
+                default: "dev_container_build"
+jobs:
+    build_nhsd_git_secrets_x64:
+        permissions:
+            id-token: write
+        runs-on: ubuntu-22.04
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v5
+              with:
+                  fetch-depth: 0
+
+            - name: Download check_ecr_image_scan_results.sh script
+              env:
+                  SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
+              run: |
+                  curl -L "https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
+                  chmod +x check_ecr_image_scan_results.sh
+            - name: Build dev container
+              run: |
+                  docker build -f dockerfiles/nhsd-git-secrets.dockerfile -t nhsd-git-secrets-image .
+
+            - name: Configure AWS Credentials
+              uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+              id: connect-aws-deploy
+              with:
+                  aws-region: eu-west-2
+                  role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+                  role-session-name: dev-container-build-x64
+                  output-credentials: true
+
+            - name: Retrieve AWS Account ID
+              id: retrieve-deploy-account-id
+              run: |
+                  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+                  echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+            - name: Login to Amazon ECR
+              run: |
+                  aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+            - name: Push x64 image to Amazon ECR
+              env:
+                  ECR_REPOSITORY: ${{ inputs.git_secrets_container_ecr }}
+                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}
+                  ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+              run: |
+                  docker tag "dev-container-image" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
+                  docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
+            - name: Check dev container scan results
+              env:
+                  REPOSITORY_NAME: ${{ inputs.git_secrets_container_ecr }}
+                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}-amd64
+                  ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+              run: |
+                  sleep 30
+                  ./check_ecr_image_scan_results.sh
+
+    build_nhsd_git_secrets_arm64:
+        permissions:
+            id-token: write
+        runs-on: ubuntu-22.04-arm
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v5
+              with:
+                  fetch-depth: 0
+
+            - name: Download check_ecr_image_scan_results.sh script
+              env:
+                  SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
+              run: |
+                  curl -L "https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
+                  chmod +x check_ecr_image_scan_results.sh
+
+            - name: Build dev container
+              run: |
+                  docker build -f dockerfiles/nhsd-git-secrets.dockerfile -t nhsd-git-secrets-image-arm .
+
+            - name: Configure AWS Credentials
+              uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+              id: connect-aws-deploy
+              with:
+                  aws-region: eu-west-2
+                  role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+                  role-session-name: dev-container-build-arm64
+                  output-credentials: true
+
+            - name: Retrieve AWS Account ID
+              id: retrieve-deploy-account-id
+              run: |
+                  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+                  echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+            - name: Login to Amazon ECR
+              run: |
+                  aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+            - name: Push ARM64 image to Amazon ECR
+              env:
+                  ECR_REPOSITORY: ${{ inputs.git_secrets_container_ecr }}
+                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}
+                  ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+              run: |
+                  docker tag "dev-container-image-arm" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+                  docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+            - name: Check dev container scan results
+              env:
+                  REPOSITORY_NAME: ${{ inputs.git_secrets_container_ecr }}
+                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}-arm64
+                  ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+              run: |
+                  # Wait a moment for ECR to process the new manifest
+                  sleep 30
+                  ./check_ecr_image_scan_results.sh
+
+    create_multi_arch_manifest:
+        permissions:
+            id-token: write
+        runs-on: ubuntu-22.04
+        needs: [build_nhsd_git_secrets_x64, build_nhsd_git_secrets_arm64]
+        steps:
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+
+            - name: Configure AWS Credentials
+              uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+              with:
+                  aws-region: eu-west-2
+                  role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+                  role-session-name: multi-arch-manifest
+                  output-credentials: true
+
+            - name: Retrieve AWS Account ID
+              id: retrieve-deploy-account-id
+              run: |
+                  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+                  echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+            - name: Login to Amazon ECR
+              run: |
+                  aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+            - name: Create and push multi-architecture manifest for tag
+              env:
+                  ECR_REPOSITORY: ${{ inputs.git_secrets_container_ecr }}
+                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}
+                  ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+              run: |
+                  # Create manifest list combining both architectures
+                  docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}" \
+                    "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
+                    "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+
+            - name: Verify multi-architecture manifest
+              env:
+                  ECR_REPOSITORY: ${{ inputs.git_secrets_container_ecr }}
+                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}
+                  ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+              run: |
+                  echo "=== Verifying multi-architecture manifest ==="
+                  docker buildx imagetools inspect "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -77,6 +77,16 @@ jobs:
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       PUSH_IMAGE_ROLE: ${{ secrets.PUSH_IMAGE_ROLE }}
+
+  build_nhsd_git_secrets_x64:
+    uses: ./.github/workflows/build_nhsd_git_secrets.yml
+    needs: [get_asdf_version, get_issue_number_and_commit_id]
+    with:
+      git_secrets_container_ecr: dev-container-quality-checks
+      git_secrets_container_image_tag: PR-${{ needs.get_issue_number_and_commit_id.outputs.issue_number }}-${{ needs.get_issue_number_and_commit_id.outputs.sha_short }}
+    secrets:
+      PUSH_IMAGE_ROLE: ${{ secrets.PUSH_IMAGE_ROLE }}
+
   tag_latest_dev_container:
     needs: [quality_checks, get_issue_number_and_commit_id]
     uses: ./.github/workflows/tag_latest_dev_container.yml
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -417,9 +417,6 @@ jobs:
         run: |
           curl -L "https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
           chmod +x check_ecr_image_scan_results.sh
-      - name: Build dev container
-        run: |
-          docker build -f .devcontainer/Dockerfile -t dev-container-image .
 
       - name: Build dev container
         run: |
