build macos on seperate image

anthony-nhs · anthony-nhs · commit 9dcc3f26ac8a · 2025-10-22T12:55:07.000Z
diff --git a/.github/scripts/check_ecr_image_scan_results.sh b/.github/scripts/check_ecr_image_scan_results.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+set -e
+
+AWS_MAX_ATTEMPTS=20
+export AWS_MAX_ATTEMPTS
+
+if [ -z "${REPOSITORY_NAME}" ]; then
+  echo "REPOSITORY_NAME not set"
+  exit 1
+fi
+
+if [ -z "${IMAGE_TAG}" ]; then
+  echo "IMAGE_TAG not set"
+  exit 1
+fi
+
+if [ -z "${AWS_REGION}" ]; then
+  echo "AWS_REGION not set"
+  exit 1
+fi
+
+if [ -z "${ACCOUNT_ID}" ]; then
+  echo "AWS_REGION not set"
+  exit 1
+fi
+
+IMAGE_DIGEST=$(aws ecr describe-images \
+  --repository-name "$REPOSITORY_NAME" \
+  --image-ids imageTag="$IMAGE_TAG" \
+  --query 'imageDetails[0].imageDigest' \
+  --output text)
+
+RESOURCE_ARN="arn:aws:ecr:${AWS_REGION}:${ACCOUNT_ID}:repository/${REPOSITORY_NAME}/${IMAGE_DIGEST}"
+
+echo "Monitoring scan for ${REPOSITORY_NAME}:${IMAGE_TAG}"
+echo "Resource ARN: ${RESOURCE_ARN}"
+echo
+
+# Wait for ECR scan to reach COMPLETE
+STATUS=""
+echo "Waiting for ECR scan to complete..."
+for i in {1..30}; do
+  echo "Checking scan status. Attempt ${i}"
+  STATUS=$(aws ecr describe-image-scan-findings \
+    --repository-name "$REPOSITORY_NAME" \
+    --image-id imageDigest="$IMAGE_DIGEST" \
+    --query 'imageScanStatus.status' \
+    --output text 2>/dev/null || echo "NONE")
+
+  if [[ "$STATUS" == "COMPLETE" ]]; then
+    echo "ECR scan completed."
+    break
+  fi
+
+  if [[ "$STATUS" == "FAILED" ]]; then
+    echo "Scan failed."
+    exit 1
+  fi
+
+  echo "SCAN IS NOT YET COMPLETE. Waiting 10 seconds before checking again..."
+  sleep 10
+done
+
+if [[ "$STATUS" != "COMPLETE" ]]; then
+  echo "Timeout waiting for ECR scan to complete."
+  exit 1
+fi
+
+# Wait for Inspector2 findings to appear & stabilize
+# this is in place as scan may show as complete but findings have not yet stabilize
+echo
+echo "Waiting for Inspector2 findings to stabilize..."
+
+PREV_HASH=""
+for i in {1..12}; do  # ~2 minutes max
+  FINDINGS=$(aws inspector2 list-findings \
+    --filter-criteria "{
+      \"resourceId\": [{\"comparison\": \"EQUALS\", \"value\": \"${RESOURCE_ARN}\"}],
+      \"findingStatus\": [{\"comparison\": \"EQUALS\", \"value\": \"ACTIVE\"}]
+    }" \
+    --output json 2>/dev/null || echo "{}")
+
+  CURR_HASH=$(echo "$FINDINGS" | sha256sum)
+  COUNT=$(echo "$FINDINGS" | jq '.findings | length')
+
+  if [[ "$COUNT" -gt 0 && "$CURR_HASH" == "$PREV_HASH" ]]; then
+    echo "Findings stabilized ($COUNT findings)."
+    break
+  fi
+
+  PREV_HASH="$CURR_HASH"
+  echo "Attempt: ${i}. Still waiting... (${COUNT} findings so far)"
+  sleep 10
+done
+
+# Extract counts and display findings
+echo
+echo "Final Inspector2 findings with suppressions removed:"
+echo
+
+echo "$FINDINGS" | jq '{
+  findings: [
+    .findings[]? | {
+      severity: .severity,
+      title: .title,
+      package: .packageVulnerabilityDetails.vulnerablePackages[0].name,
+      sourceUrl: .packageVulnerabilityDetails.sourceUrl,
+      recommendation: (.remediation.recommendation.text // "N/A")
+    }
+  ]
+}'
+
+echo
+
+# Check for critical/high severity
+CRITICAL_COUNT=$(echo "$FINDINGS" | jq '[.findings[]? | select(.severity=="CRITICAL")] | length')
+HIGH_COUNT=$(echo "$FINDINGS" | jq '[.findings[]? | select(.severity=="HIGH")] | length')
+
+if (( CRITICAL_COUNT > 0 || HIGH_COUNT > 0 )); then
+  echo "${CRITICAL_COUNT} CRITICAL and ${HIGH_COUNT} HIGH vulnerabilities detected!"
+  echo
+  echo "Critical/High vulnerabilities:"
+  echo "$FINDINGS" | jq -r '
+    .findings[]? |
+    select(.severity=="CRITICAL" or .severity=="HIGH") |{
+      severity: .severity,
+      title: .title,
+      package: .packageVulnerabilityDetails.vulnerablePackages[0].name,
+      sourceUrl: .packageVulnerabilityDetails.sourceUrl,
+      recommendation: (.remediation.recommendation.text // "N/A")
+    }'
+  echo
+  echo "Failing pipeline due to Critical/High vulnerabilities."
+  exit 2
+else
+  echo "No Critical or High vulnerabilities found."
+  exit 0
+fi
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -5,6 +5,8 @@ on:
     secrets:
       SONAR_TOKEN:
         required: false
+      CLOUD_FORMATION_DEPLOY_ROLE:
+        required: false
     inputs:
       install_java:
         type: boolean
@@ -23,6 +25,14 @@ on:
         type: boolean
         description: Toggle to reinstall poetry on top of python version installed by asdf.
         default: false
+      dev_container_ecr:
+        type: string
+        description: "The name of the ECR repository to push the dev container image to."
+        required: false
+      dev_container_image_tag:
+        type: string
+        description: "The tag to use for the dev container image."
+        required: false
 jobs:
   quality_checks:
     runs-on: ubuntu-22.04
@@ -357,7 +367,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
-  build_dev_container:
+  build_dev_container_x64:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
@@ -368,5 +378,78 @@ jobs:
 
       - name: Build dev container
         run: |
-          docker buildx create --use
-          docker buildx build --platform linux/amd64,linux/arm64 -f .devcontainer/Dockerfile -t dev-container-image .
+          docker build -f .devcontainer/Dockerfile -t dev-container-image .
+      # - name: Configure AWS Credentials
+      #   uses: aws-actions/configure-aws-credentials@v5
+      #   id: connect-aws-deploy
+      #   with:
+      #     aws-region: eu-west-2
+      #     role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
+      #     role-session-name: dev-container-build
+      #     output-credentials: true
+
+      # - name: Retrieve AWS Account ID
+      #   id: retrieve-deploy-account-id
+      #   run: echo "ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_ENV"
+
+      # - name: Login to Amazon ECR
+      #   id: login-ecr-push-image
+      #   run: |
+      #     aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      # - name: Push FHIR Facade image to Amazon ECR
+      #   run: |
+      #     docker tag "dev-container-image" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
+      #     docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
+
+      # - name: Check dev container scan results
+      #   env:
+      #     REPOSITORY_NAME: ${{inputs.DEV_CONTAINER_ECR}}
+      #     IMAGE_TAG: ${{ inputs.DEV_CONTAINER_IMAGE_TAG }}
+      #   working-directory: .github/scripts
+      #   run: |
+      #     ./check_ecr_image_scan_results.sh
+
+  build_dev_container_arm64:
+    runs-on: macos-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+          fetch-depth: 0
+
+      - name: Build dev container
+        run: |
+          docker build -f .devcontainer/Dockerfile -t dev-container-image .
+
+      # - name: Configure AWS Credentials
+      #   uses: aws-actions/configure-aws-credentials@v5
+      #   id: connect-aws-deploy
+      #   with:
+      #     aws-region: eu-west-2
+      #     role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
+      #     role-session-name: dev-container-build
+      #     output-credentials: true
+
+      # - name: Retrieve AWS Account ID
+      #   id: retrieve-deploy-account-id
+      #   run: echo "ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_ENV"
+
+      # - name: Login to Amazon ECR
+      #   id: login-ecr-push-image
+      #   run: |
+      #     aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      # - name: Push FHIR Facade image to Amazon ECR
+      #   run: |
+      #     docker tag "dev-container-image" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
+      #     docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{inputs.DEV_CONTAINER_ECR}}:${{ inputs.DEV_CONTAINER_IMAGE_TAG }}"
+
+      # - name: Check dev container scan results
+      #   env:
+      #     REPOSITORY_NAME: ${{inputs.DEV_CONTAINER_ECR}}
+      #     IMAGE_TAG: ${{ inputs.DEV_CONTAINER_IMAGE_TAG }}
+      #   working-directory: .github/scripts
+      #   run: |
+      #     ./check_ecr_image_scan_results.sh
