apply latest tag

Author: anthony-nhs

.github/workflows/pull_request.yml

@@ -77,6 +77,15 @@ jobs:
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       PUSH_IMAGE_ROLE: ${{ secrets.PUSH_IMAGE_ROLE }}
+  tag_latest_dev_container:
+    needs: [quality_checks, get_issue_number_and_commit_id]
+    uses: ./.github/workflows/tag_latest_dev_container.yml
+    with:
+      dev_container_ecr: dev-container-quality-checks
+      dev_container_image_tag: PR-${{ needs.get_issue_number_and_commit_id.outputs.issue_number }}-${{ needs.get_issue_number_and_commit_id.outputs.sha_short }}
+      version_tag_to_apply: FooBar
+    secrets:
+      PUSH_IMAGE_ROLE: ${{ secrets.PUSH_IMAGE_ROLE }}
   tag_release:
     needs: [quality_checks, get_asdf_version]
     uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/tag-release.yml@f80157cecce288dd175e61b477a1d2dbe9c88b99

.github/workflows/quality-checks.yml

@@ -467,10 +467,9 @@ jobs:
       id-token: write
     runs-on: ubuntu-22.04
     needs: [build_dev_container_x64, build_dev_container_arm64]
-    if: ${{ inputs.dev_container_ecr != '' && inputs.dev_container_image_tag != '' }}
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8

.github/workflows/tag_latest_dev_container.yml

@@ -0,0 +1,70 @@
+name: Tag Latest Dev Container
+
+on:
+    workflow_call:
+        secrets:
+            PUSH_IMAGE_ROLE:
+                required: true
+        inputs:
+            dev_container_ecr:
+                type: string
+                description: "The name of the ECR repository to push the dev container image to."
+                required: true
+            dev_container_image_tag:
+                type: string
+                description: "The tag to use for the dev container image."
+                required: true
+            version_tag_to_apply:
+                type: string
+                description: "The version tag to apply to the latest dev container image."
+                required: true
+jobs:
+    create_multi_arch_manifest:
+        permissions:
+            id-token: write
+        runs-on: ubuntu-22.04
+        steps:
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+
+            - name: Configure AWS Credentials
+              uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+              with:
+                  aws-region: eu-west-2
+                  role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+                  role-session-name: multi-arch-manifest
+                  output-credentials: true
+
+            - name: Retrieve AWS Account ID
+              id: retrieve-deploy-account-id
+              run: |
+                  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+                  echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+            - name: Login to Amazon ECR
+              run: |
+                  aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+            - name: Create and push multi-architecture manifest for tag
+              env:
+                  ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
+                  IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
+                  ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+                  VERSION_TAG_TO_APPLY: ${{ inputs.version_tag_to_apply }}
+              run: |
+                  # Create manifest list combining both architectures
+                  docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:latest" \
+                    "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
+                    "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+                  docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${VERSION_TAG_TO_APPLY}" \
+                    "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
+                    "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+
+            - name: Verify multi-architecture manifest
+              env:
+                  ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
+                  IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
+                  ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+              run: |
+                  echo "=== Verifying multi-architecture manifest ==="
+                  docker buildx imagetools inspect "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:latest"