try pushing image

anthony-nhs · anthony-nhs · commit 8d18a9d41707 · 2025-10-22T14:05:44.000Z
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -32,8 +32,11 @@ jobs:
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      dev_container_ecr: dev-container-quality-checks
+      dev_container_image_tag: latest
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
   tag_release:
     needs: [quality_checks, get_asdf_version]
     uses: NHSDigital/eps-workflow-semantic-release/.github/workflows/tag-release.yml@f80157cecce288dd175e61b477a1d2dbe9c88b99
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -46,7 +46,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
         with:
-          ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
 
       # Must be done before anything installs, or it will check dependencies for secrets too.
@@ -367,137 +366,129 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
-  build_dev_container_cross_compile:
+  build_dev_container_x64:
     runs-on: ubuntu-22.04
+    if: ${{ inputs.dev_container_ecr != '' && inputs.dev_container_image_tag != '' }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
         with:
-          ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
 
       - name: Build dev container
         run: |
-          docker buildx create --use
-          docker buildx build --platform linux/amd64,linux/arm64 -f .devcontainer/Dockerfile -t dev-container-image .
-      # - name: Configure AWS Credentials
-      #   uses: aws-actions/configure-aws-credentials@v5
-      #   id: connect-aws-deploy
-      #   with:
-      #     aws-region: eu-west-2
-      #     role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
-      #     role-session-name: dev-container-build
-      #     output-credentials: true
-
-      # - name: Retrieve AWS Account ID
-      #   id: retrieve-deploy-account-id
-      #   run: echo "ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_ENV"
-
-      # - name: Login to Amazon ECR
-      #   id: login-ecr-push-image
-      #   run: |
-      #     aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com
-
-      # - name: Push FHIR Facade image to Amazon ECR
-      #   run: |
-      #     docker tag "dev-container-image" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
-      #     docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
-
-      # - name: Check dev container scan results
-      #   env:
-      #     REPOSITORY_NAME: ${{inputs.DEV_CONTAINER_ECR}}
-      #     IMAGE_TAG: ${{ inputs.DEV_CONTAINER_IMAGE_TAG }}
-      #   working-directory: .github/scripts
-      #   run: |
-      #     ./check_ecr_image_scan_results.sh
-  build_dev_container_x64:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
+          docker build -f .devcontainer/Dockerfile -t dev-container-image .
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        id: connect-aws-deploy
         with:
-          ref: ${{ env.BRANCH_NAME }}
-          fetch-depth: 0
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
+          role-session-name: dev-container-build-x64
+          output-credentials: true
 
-      - name: Build dev container
+      - name: Retrieve AWS Account ID
+        id: retrieve-deploy-account-id
         run: |
-          docker build -f .devcontainer/Dockerfile -t dev-container-image .
-      # - name: Configure AWS Credentials
-      #   uses: aws-actions/configure-aws-credentials@v5
-      #   id: connect-aws-deploy
-      #   with:
-      #     aws-region: eu-west-2
-      #     role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
-      #     role-session-name: dev-container-build
-      #     output-credentials: true
-
-      # - name: Retrieve AWS Account ID
-      #   id: retrieve-deploy-account-id
-      #   run: echo "ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_ENV"
-
-      # - name: Login to Amazon ECR
-      #   id: login-ecr-push-image
-      #   run: |
-      #     aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com
-
-      # - name: Push FHIR Facade image to Amazon ECR
-      #   run: |
-      #     docker tag "dev-container-image" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
-      #     docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
-
-      # - name: Check dev container scan results
-      #   env:
-      #     REPOSITORY_NAME: ${{inputs.DEV_CONTAINER_ECR}}
-      #     IMAGE_TAG: ${{ inputs.DEV_CONTAINER_IMAGE_TAG }}
-      #   working-directory: .github/scripts
-      #   run: |
-      #     ./check_ecr_image_scan_results.sh
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Amazon ECR
+        run: |
+          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      - name: Push x64 image to Amazon ECR
+        run: |
+          docker tag "dev-container-image" "${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}-amd64"
+          docker push "${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}-amd64"
 
   build_dev_container_arm64:
     runs-on: ubuntu-22.04-arm
+    if: ${{ inputs.dev_container_ecr != '' && inputs.dev_container_image_tag != '' }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
         with:
-          ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
 
       - name: Build dev container
         run: |
           docker build -f .devcontainer/Dockerfile -t dev-container-image-arm .
-          docker save "dev-container-image-arm" -o dev-container-image-arm.img
-      - uses: actions/upload-artifact@v4
-        name: upload build artifact
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        id: connect-aws-deploy
         with:
-          name: dev-container-image-arm
-          path: dev-container-image-arm.img
-      # - name: Configure AWS Credentials
-      #   uses: aws-actions/configure-aws-credentials@v5
-      #   id: connect-aws-deploy
-      #   with:
-      #     aws-region: eu-west-2
-      #     role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
-      #     role-session-name: dev-container-build
-      #     output-credentials: true
-
-      # - name: Retrieve AWS Account ID
-      #   id: retrieve-deploy-account-id
-      #   run: echo "ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_ENV"
-
-      # - name: Login to Amazon ECR
-      #   id: login-ecr-push-image
-      #   run: |
-      #     aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com
-
-      # - name: Push FHIR Facade image to Amazon ECR
-      #   run: |
-      #     docker tag "dev-container-image" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
-      #     docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
-
-      # - name: Check dev container scan results
-      #   env:
-      #     REPOSITORY_NAME: ${{inputs.DEV_CONTAINER_ECR}}
-      #     IMAGE_TAG: ${{ inputs.DEV_CONTAINER_IMAGE_TAG }}
-      #   working-directory: .github/scripts
-      #   run: |
-      #     ./check_ecr_image_scan_results.sh
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
+          role-session-name: dev-container-build-arm64
+          output-credentials: true
+
+      - name: Retrieve AWS Account ID
+        id: retrieve-deploy-account-id
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Amazon ECR
+        run: |
+          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      - name: Push ARM64 image to Amazon ECR
+        run: |
+          docker tag "dev-container-image-arm" "${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}-arm64"
+          docker push "${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}-arm64"
+
+  create_multi_arch_manifest:
+    runs-on: ubuntu-22.04
+    needs: [build_dev_container_x64, build_dev_container_arm64]
+    if: ${{ inputs.dev_container_ecr != '' && inputs.dev_container_image_tag != '' }}
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
+          role-session-name: multi-arch-manifest
+          output-credentials: true
+
+      - name: Retrieve AWS Account ID
+        id: retrieve-deploy-account-id
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Amazon ECR
+        run: |
+          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      - name: Create and push multi-architecture manifest
+        run: |
+          # Create manifest list combining both architectures
+          docker buildx imagetools create -t ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }} \
+            ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}-amd64 \
+            ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}-arm64
+
+          # Also create latest tag
+          docker buildx imagetools create -t ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:latest \
+            ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}-amd64 \
+            ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}-arm64
+
+      - name: Verify multi-architecture manifest
+        run: |
+          echo "=== Verifying multi-architecture manifest ==="
+          docker buildx imagetools inspect ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.dev_container_ecr }}:${{ inputs.dev_container_image_tag }}
+
+      - name: Check dev container scan results
+        env:
+          REPOSITORY_NAME: ${{ inputs.dev_container_ecr }}
+          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
+        working-directory: .github/scripts
+        run: |
+          # Wait a moment for ECR to process the new manifest
+          sleep 30
+          ./check_ecr_image_scan_results.sh
diff --git a/MULTI_ARCH_DOCKER.md b/MULTI_ARCH_DOCKER.md
@@ -0,0 +1,123 @@
+# Multi-Architecture Docker Images (Separate Build Approach)
+
+This workflow builds multi-architecture Docker images by combining separate architecture-specific builds. This approach is more efficient than cross-compilation when you have native runners for each architecture.
+
+## How It Works
+
+### 1. Separate Architecture Builds
+- **`build_dev_container_x64`**: Builds on `ubuntu-22.04` (native x64)
+- **`build_dev_container_arm64`**: Builds on `ubuntu-22.04-arm` (native ARM64)
+
+Each job:
+1. Builds the Docker image natively for its architecture
+2. Pushes it to ECR with an architecture-specific tag (e.g., `:v1.0.0-amd64`, `:v1.0.0-arm64`)
+
+### 2. Multi-Architecture Manifest Creation
+- **`create_multi_arch_manifest`**: Combines both images into a multi-arch manifest
+- Uses `docker buildx imagetools create` to create a manifest list
+- Creates both versioned tag (`:v1.0.0`) and `:latest` tag
+
+## Usage
+
+### To Build and Push Multi-Architecture Images
+
+Call the workflow with both required inputs:
+
+```yaml
+uses: ./.github/workflows/quality-checks.yml
+with:
+  dev_container_ecr: "your-repo-name"
+  dev_container_image_tag: "v1.0.0"
+  asdfVersion: "v0.10.2"
+secrets:
+  CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
+```
+
+This will:
+1. Build x64 image → push as `:v1.0.0-amd64`
+2. Build ARM64 image → push as `:v1.0.0-arm64`  
+3. Create manifest combining both → available as `:v1.0.0` and `:latest`
+
+### To Skip Multi-Architecture Build
+
+Call without ECR inputs to skip the container builds entirely:
+
+```yaml
+uses: ./.github/workflows/quality-checks.yml
+with:
+  asdfVersion: "v0.10.2"
+```
+
+## What Users Get
+
+Users can pull with a single command:
+```bash
+docker pull 123456789012.dkr.ecr.eu-west-2.amazonaws.com/your-repo:v1.0.0
+```
+
+Docker automatically serves:
+- `:v1.0.0-amd64` for Intel/AMD x64 systems
+- `:v1.0.0-arm64` for ARM64 systems (Apple Silicon, ARM servers)
+
+## Benefits of This Approach
+
+✅ **Faster builds**: Native compilation is much faster than cross-compilation  
+✅ **Parallel execution**: Both architectures build simultaneously  
+✅ **Automatic platform detection**: Users get the right architecture transparently  
+✅ **Conditional execution**: Only runs when ECR inputs are provided  
+✅ **Security scanning**: Includes ECR vulnerability scanning  
+✅ **Verification**: Confirms multi-arch manifest was created correctly
+
+## Architecture Flow
+
+```
+┌─────────────────┐    ┌─────────────────┐
+│ build_x64       │    │ build_arm64     │
+│ (ubuntu-22.04)  │    │ (ubuntu-22.04-  │
+│                 │    │  arm)           │
+│ Build & Push    │    │ Build & Push    │
+│ :tag-amd64      │    │ :tag-arm64      │
+└─────────┬───────┘    └─────────┬───────┘
+          │                      │
+          └──────────┬───────────┘
+                     │
+        ┌────────────▼────────────┐
+        │ create_multi_arch_      │
+        │ manifest                │
+        │ (ubuntu-22.04)          │
+        │                         │
+        │ Combine into:           │
+        │ :tag (multi-arch)       │
+        │ :latest (multi-arch)    │
+        └─────────────────────────┘
+```
+
+## Verification
+
+After the workflow completes, you can verify the multi-architecture manifest:
+
+```bash
+# Check the manifest
+docker buildx imagetools inspect 123456789012.dkr.ecr.eu-west-2.amazonaws.com/your-repo:v1.0.0
+
+# Should show both architectures:
+Name:      123456789012.dkr.ecr.eu-west-2.amazonaws.com/your-repo:v1.0.0
+MediaType: application/vnd.docker.distribution.manifest.list.v2+json
+           
+Manifests: 
+  Name:      ...your-repo:v1.0.0@sha256:...
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/amd64
+             
+  Name:      ...your-repo:v1.0.0@sha256:...
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/arm64
+```
+
+## Technical Details
+
+- **Job Dependencies**: `create_multi_arch_manifest` waits for both build jobs via `needs:`
+- **Conditional Execution**: All container jobs only run when ECR inputs are provided
+- **AWS Authentication**: Each job authenticates separately to AWS
+- **Build Tools**: Uses Docker Buildx imagetools for manifest creation
+- **Security**: 30-second delay before scanning allows ECR to process new images
