changes following feedback

anthony-nhs · anthony-nhs · commit 7d1908d60cff · 2025-11-12T19:32:53.000Z
diff --git a/.github/workflows/build_nhsd_git_secrets.yml b/.github/workflows/build_nhsd_git_secrets.yml
@@ -16,11 +16,6 @@ on:
                 type: string
                 description: "The tag to use for the dev container image."
                 required: true
-            check_ecr_image_scan_results_script_tag:
-                type: string
-                description: "The tag to download check_ecr_image_scan_results.sh script."
-                required: false
-                default: "dev_container_build"
 jobs:
     build_nhsd_git_secrets_x64:
         permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -73,20 +73,20 @@ jobs:
     secrets: inherit
   tag_latest_dev_container:
     needs: [quality_checks, get_commit_id, tag_release]
-    uses: ./.github/workflows/tag_latest_dev_container.yml
+    uses: ./.github/workflows/tag_latest_container_images.yml
     with:
-      dev_container_ecr: dev-container-quality-checks
-      dev_container_image_tag: release-${{ needs.get_commit_id.outputs.sha_short }}
+      ecr_name: dev-container-quality-checks
+      container_image_tag: release-${{ needs.get_commit_id.outputs.sha_short }}
       version_tag_to_apply: ${{ needs.tag_release.outputs.version_tag }}
     secrets:
       PUSH_IMAGE_ROLE: ${{ secrets.DEV_CONTAINER_PUSH_IMAGE_ROLE }}
 
   tag_latest_nhsd_git_secrets:
     needs: [quality_checks, get_commit_id, tag_release]
-    uses: ./.github/workflows/tag_latest_dev_container.yml
+    uses: ./.github/workflows/tag_latest_container_images.yml
     with:
-      dev_container_ecr: dev-container-git-secrets
-      dev_container_image_tag: release-${{ needs.get_commit_id.outputs.sha_short }}
+      ecr_name: git-secrets
+      container_image_tag: release-${{ needs.get_commit_id.outputs.sha_short }}
       version_tag_to_apply: ${{ needs.tag_release.outputs.version_tag }}
     secrets:
       PUSH_IMAGE_ROLE: ${{ secrets.DEV_CONTAINER_PUSH_IMAGE_ROLE }}
diff --git a/.github/workflows/tag_latest_container_images.yml b/.github/workflows/tag_latest_container_images.yml
@@ -0,0 +1,104 @@
+name: Tag Latest container images
+
+on:
+  workflow_call:
+    secrets:
+      PUSH_IMAGE_ROLE:
+        required: true
+    inputs:
+      ecr_name:
+        type: string
+        description: "The name of the ECR repository to push the dev container image to."
+        required: true
+      container_image_tag:
+        type: string
+        description: "The tag to use for the dev container image."
+        required: true
+      version_tag_to_apply:
+        type: string
+        description: "The version tag to apply to the latest dev container image."
+        required: true
+jobs:
+  tag_latest_container_images:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+          role-session-name: multi-arch-manifest
+          output-credentials: true
+
+      - name: Retrieve AWS Account ID
+        id: retrieve-deploy-account-id
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Amazon ECR
+        run: |
+          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      - name: Create and push multi-architecture manifest for tag
+        env:
+          ECR_REPOSITORY: ${{ inputs.ecr_name }}
+          IMAGE_TAG: ${{ inputs.container_image_tag }}
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+          VERSION_TAG_TO_APPLY: ${{ inputs.version_tag_to_apply }}
+        run: |
+          # Create manifest list combining both architectures
+          docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:latest" \
+            "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
+            "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+          docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${VERSION_TAG_TO_APPLY}" \
+            "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
+            "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+
+      - name: Tag images for individual architectures
+        env:
+          ECR_REPOSITORY: ${{ inputs.ecr_name }}
+          IMAGE_TAG: ${{ inputs.container_image_tag }}
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+          VERSION_TAG_TO_APPLY: ${{ inputs.version_tag_to_apply }}
+        run: |
+          # Get the image manifest
+          MANIFEST=$(aws ecr batch-get-image \
+              --repository-name "${ECR_REPOSITORY}" \
+              --image-ids imageTag="${IMAGE_TAG}-amd64" \
+              --output text --query 'images[].imageManifest')
+
+          # Put the image with a new tag using the same manifest
+          aws ecr put-image --repository-name "${ECR_REPOSITORY}" \
+            --image-manifest "$MANIFEST" \
+            --image-tag "${VERSION_TAG_TO_APPLY}-amd64"
+          aws ecr put-image --repository-name "${ECR_REPOSITORY}" \
+            --image-manifest "$MANIFEST" \
+            --image-tag latest-amd64
+
+          MANIFEST=$(aws ecr batch-get-image \
+              --repository-name "${ECR_REPOSITORY}" \
+              --image-ids imageTag="${IMAGE_TAG}-arm64" \
+              --output text --query 'images[].imageManifest')
+
+          # Put the image with a new tag using the same manifest
+          aws ecr put-image --repository-name "${ECR_REPOSITORY}" \
+            --image-manifest "$MANIFEST" \
+            --image-tag "${VERSION_TAG_TO_APPLY}-arm64"
+          aws ecr put-image --repository-name "${ECR_REPOSITORY}" \
+            --image-manifest "$MANIFEST" \
+            --image-tag latest-arm64
+
+      - name: Verify multi-architecture manifest
+        env:
+          ECR_REPOSITORY: ${{ inputs.ecr_name }}
+          IMAGE_TAG: ${{ inputs.container_image_tag }}
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+        run: |
+          echo "=== Verifying multi-architecture manifest ==="
+          docker buildx imagetools inspect "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:latest"
diff --git a/.github/workflows/tag_latest_dev_container.yml b/.github/workflows/tag_latest_dev_container.yml
