common workflow for build and push

anthony-nhs · anthony-nhs · commit 4a14f7dbfef2 · 2025-11-25T11:26:17.000Z
diff --git a/.github/workflows/build_and_push_docker_image.yml b/.github/workflows/build_and_push_docker_image.yml
@@ -1,23 +1,31 @@
-name: Build nhsd git secrets
+name: Build and push docker image
 
 on:
     workflow_call:
         secrets:
-            SONAR_TOKEN:
-                required: false
             PUSH_IMAGE_ROLE:
                 required: true
         inputs:
-            git_secrets_container_ecr:
+            container_ecr:
+                type: string
+                description: "The name of the ECR repository to push the container image to."
+                required: true
+            container_image_tag:
                 type: string
-                description: "The name of the ECR repository to push the dev container image to."
+                description: "The tag to use for the container image."
                 required: true
-            git_secrets_container_image_tag:
+            docker_file:
                 type: string
-                description: "The tag to use for the dev container image."
+                description: "The Dockerfile to use for building the container image."
                 required: true
+            check_ecr_image_scan_results_script_tag:
+                type: string
+                description: "The tag to download check_ecr_image_scan_results.sh script."
+                required: false
+                default: "dev_container_build"
+
 jobs:
-    build_nhsd_git_secrets_x64:
+    build_image_amd64:
         permissions:
             id-token: write
         runs-on: ubuntu-22.04
@@ -27,17 +35,19 @@ jobs:
               with:
                   fetch-depth: 0
 
-            - name: Build dev container
+            - name: Build container
               run: |
-                  docker build -f dockerfiles/nhsd-git-secrets.dockerfile -t nhsd-git-secrets-image .
+                  docker build -f "${DOCKER_FILE}" -t x64-image .
+              env:
+                  DOCKER_FILE: ${{ inputs.docker_file }}
 
             - name: Configure AWS Credentials
               uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
               id: connect-aws-deploy
               with:
                   aws-region: eu-west-2
                   role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
-                  role-session-name: dev-container-build-x64
+                  role-session-name: dev-container-build-amd64
                   output-credentials: true
 
             - name: Retrieve AWS Account ID
@@ -52,22 +62,26 @@ jobs:
 
             - name: Push x64 image to Amazon ECR
               env:
-                  ECR_REPOSITORY: ${{ inputs.git_secrets_container_ecr }}
-                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}
+                  ECR_REPOSITORY: ${{ inputs.container_ecr }}
+                  IMAGE_TAG: ${{ inputs.container_image_tag }}
                   ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
               run: |
-                  docker tag "nhsd-git-secrets-image" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
+                  docker tag "amd64-image" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
                   docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
+
             - name: Check dev container scan results
               env:
-                  REPOSITORY_NAME: ${{ inputs.git_secrets_container_ecr }}
-                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}-amd64
+                  REPOSITORY_NAME: ${{ inputs.container_ecr }}
+                  IMAGE_TAG: ${{ inputs.container_image_tag }}-amd64
                   ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+                  SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
               run: |
+                  curl -L "https://raw.githubusercontent.com/NHSDigital/eps-common-workflows/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o /tmp/check_ecr_image_scan_results.sh
+                  chmod +x /tmp/check_ecr_image_scan_results.sh
                   sleep 30
-                  ./.github/scripts/check_ecr_image_scan_results.sh
+                  /tmp/check_ecr_image_scan_results.sh
 
-    build_nhsd_git_secrets_arm64:
+    build_image_arm64:
         permissions:
             id-token: write
         runs-on: ubuntu-22.04-arm
@@ -77,9 +91,11 @@ jobs:
               with:
                   fetch-depth: 0
 
-            - name: Build dev container
+            - name: Build container
               run: |
-                  docker build -f dockerfiles/nhsd-git-secrets.dockerfile -t nhsd-git-secrets-image-arm .
+                  docker build -f "${DOCKER_FILE}" -t arm64-image .
+              env:
+                  DOCKER_FILE: ${{ inputs.docker_file }}
 
             - name: Configure AWS Credentials
               uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
@@ -102,27 +118,29 @@ jobs:
 
             - name: Push ARM64 image to Amazon ECR
               env:
-                  ECR_REPOSITORY: ${{ inputs.git_secrets_container_ecr }}
-                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}
+                  ECR_REPOSITORY: ${{ inputs.container_ecr }}
+                  IMAGE_TAG: ${{ inputs.container_image_tag }}
                   ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
               run: |
-                  docker tag "nhsd-git-secrets-image-arm" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+                  docker tag "arm64-image" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
                   docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
             - name: Check dev container scan results
               env:
-                  REPOSITORY_NAME: ${{ inputs.git_secrets_container_ecr }}
-                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}-arm64
+                  REPOSITORY_NAME: ${{ inputs.container_ecr }}
+                  IMAGE_TAG: ${{ inputs.container_image_tag }}-arm64
                   ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+                  SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
               run: |
-                  # Wait a moment for ECR to process the new manifest
+                  curl -L "https://raw.githubusercontent.com/NHSDigital/eps-common-workflows/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o /tmp/check_ecr_image_scan_results.sh
+                  chmod +x /tmp/check_ecr_image_scan_results.sh
                   sleep 30
-                  ./.github/scripts/check_ecr_image_scan_results.sh
+                  /tmp/check_ecr_image_scan_results.sh
 
     create_multi_arch_manifest:
         permissions:
             id-token: write
         runs-on: ubuntu-22.04
-        needs: [build_nhsd_git_secrets_x64, build_nhsd_git_secrets_arm64]
+        needs: [build_image_amd64, build_image_arm64]
         steps:
             - name: Set up Docker Buildx
               uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
@@ -147,8 +165,8 @@ jobs:
 
             - name: Create and push multi-architecture manifest for tag
               env:
-                  ECR_REPOSITORY: ${{ inputs.git_secrets_container_ecr }}
-                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}
+                  ECR_REPOSITORY: ${{ inputs.container_ecr }}
+                  IMAGE_TAG: ${{ inputs.container_image_tag }}
                   ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
               run: |
                   # Create manifest list combining both architectures
@@ -158,8 +176,8 @@ jobs:
 
             - name: Verify multi-architecture manifest
               env:
-                  ECR_REPOSITORY: ${{ inputs.git_secrets_container_ecr }}
-                  IMAGE_TAG: ${{ inputs.git_secrets_container_image_tag }}
+                  ECR_REPOSITORY: ${{ inputs.container_ecr }}
+                  IMAGE_TAG: ${{ inputs.container_image_tag }}
                   ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
               run: |
                   echo "=== Verifying multi-architecture manifest ==="
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -84,11 +84,12 @@ jobs:
       PUSH_IMAGE_ROLE: ${{ secrets.DEV_CONTAINER_PUSH_IMAGE_ROLE }}
 
   build_nhsd_git_secrets:
-    uses: ./.github/workflows/build_nhsd_git_secrets.yml
+    uses: ./.github/workflows/build_and_push_docker_image.yml
     needs: [get_asdf_version, get_issue_number_and_commit_id]
     with:
-      git_secrets_container_ecr: git-secrets
-      git_secrets_container_image_tag: PR-${{ needs.get_issue_number_and_commit_id.outputs.issue_number }}-${{ needs.get_issue_number_and_commit_id.outputs.sha_short }}-nhsd-git-secrets
+      container_ecr: git-secrets
+      container_image_tag: PR-${{ needs.get_issue_number_and_commit_id.outputs.issue_number }}-${{ needs.get_issue_number_and_commit_id.outputs.sha_short }}-nhsd-git-secrets
+      docker_file: dockerfiles/nhsd-git-secrets.dockerfile
     secrets:
       PUSH_IMAGE_ROLE: ${{ secrets.DEV_CONTAINER_PUSH_IMAGE_ROLE }}
 
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -420,163 +420,12 @@ jobs:
           name: cfn_guard_output
           path: cfn_guard_output
 
-  build_dev_container_x64:
-    permissions:
-      id-token: write
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - name: Download check_ecr_image_scan_results.sh script
-        env:
-          SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
-        run: |
-          curl -L "https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
-          chmod +x check_ecr_image_scan_results.sh
-      - name: Build dev container
-        run: |
-          docker build -f .devcontainer/Dockerfile -t dev-container-image .
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
-        id: connect-aws-deploy
-        with:
-          aws-region: eu-west-2
-          role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
-          role-session-name: dev-container-build-x64
-          output-credentials: true
-
-      - name: Retrieve AWS Account ID
-        id: retrieve-deploy-account-id
-        run: |
-          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
-
-      - name: Login to Amazon ECR
-        run: |
-          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
-
-      - name: Push x64 image to Amazon ECR
-        env:
-          ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
-          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
-          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
-        run: |
-          docker tag "dev-container-image" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
-          docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
-      - name: Check dev container scan results
-        env:
-          REPOSITORY_NAME: ${{ inputs.dev_container_ecr }}
-          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}-amd64
-          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
-        run: |
-          sleep 30
-          ./check_ecr_image_scan_results.sh
-
-  build_dev_container_arm64:
-    permissions:
-      id-token: write
-    runs-on: ubuntu-22.04-arm
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
-        with:
-          fetch-depth: 0
-
-      - name: Download check_ecr_image_scan_results.sh script
-        env:
-          SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
-        run: |
-          curl -L "https://raw.githubusercontent.com/NHSDigital/eps-common-workflows/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
-          chmod +x check_ecr_image_scan_results.sh
-
-      - name: Build dev container
-        run: |
-          docker build -f .devcontainer/Dockerfile -t dev-container-image-arm .
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
-        id: connect-aws-deploy
-        with:
-          aws-region: eu-west-2
-          role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
-          role-session-name: dev-container-build-arm64
-          output-credentials: true
-
-      - name: Retrieve AWS Account ID
-        id: retrieve-deploy-account-id
-        run: |
-          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
-
-      - name: Login to Amazon ECR
-        run: |
-          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
-
-      - name: Push ARM64 image to Amazon ECR
-        env:
-          ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
-          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
-          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
-        run: |
-          docker tag "dev-container-image-arm" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
-          docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
-      - name: Check dev container scan results
-        env:
-          REPOSITORY_NAME: ${{ inputs.dev_container_ecr }}
-          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}-arm64
-          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
-        run: |
-          # Wait a moment for ECR to process the new manifest
-          sleep 30
-          ./check_ecr_image_scan_results.sh
-
-  create_multi_arch_manifest:
-    permissions:
-      id-token: write
-    runs-on: ubuntu-22.04
-    needs: [build_dev_container_x64, build_dev_container_arm64]
-    steps:
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
-        with:
-          aws-region: eu-west-2
-          role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
-          role-session-name: multi-arch-manifest
-          output-credentials: true
-
-      - name: Retrieve AWS Account ID
-        id: retrieve-deploy-account-id
-        run: |
-          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
-
-      - name: Login to Amazon ECR
-        run: |
-          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
-
-      - name: Create and push multi-architecture manifest for tag
-        env:
-          ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
-          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
-          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
-        run: |
-          # Create manifest list combining both architectures
-          docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}" \
-            "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
-            "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
-
-      - name: Verify multi-architecture manifest
-        env:
-          ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
-          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
-          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
-        run: |
-          echo "=== Verifying multi-architecture manifest ==="
-          docker buildx imagetools inspect "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"
+  build_and_push_dev_container_image:
+    uses: ./.github/workflows/build_and_push_docker_image.yml
+    with:
+      container_ecr: ${{ inputs.dev_container_ecr }}
+      container_image_tag: ${{ inputs.dev_container_image_tag }}
+      docker_file: ".devcontainer/Dockerfile"
+      check_ecr_image_scan_results_script_tag: ${{ inputs.check_ecr_image_scan_results_script_tag }}
+    secrets:
+      PUSH_IMAGE_ROLE: ${{ secrets.PUSH_IMAGE_ROLE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -54,11 +54,12 @@ jobs:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       PUSH_IMAGE_ROLE: ${{ secrets.DEV_CONTAINER_PUSH_IMAGE_ROLE }}
   build_nhsd_git_secrets:
-    uses: ./.github/workflows/build_nhsd_git_secrets.yml
+    uses: ./.github/workflows/build_and_push_docker_image.yml
     needs: [get_asdf_version, get_commit_id]
     with:
-      git_secrets_container_ecr: git-secrets
-      git_secrets_container_image_tag: release-${{ needs.get_commit_id.outputs.sha_short }}
+      container_ecr: git-secrets
+      container_image_tag: release-${{ needs.get_commit_id.outputs.sha_short }}
+      docker_file: dockerfiles/nhsd-git-secrets.dockerfile
     secrets:
       PUSH_IMAGE_ROLE: ${{ secrets.DEV_CONTAINER_PUSH_IMAGE_ROLE }}
   tag_release:
