add it back in

anthony-nhs · anthony-nhs · commit ca0b67d08063 · 2025-11-21T12:28:31.000Z
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -419,3 +419,164 @@ jobs:
         with:
           name: cfn_guard_output
           path: cfn_guard_output
+
+  build_dev_container_x64:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Download check_ecr_image_scan_results.sh script
+        env:
+          SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
+        run: |
+          curl -L "https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
+          chmod +x check_ecr_image_scan_results.sh
+      - name: Build dev container
+        run: |
+          docker build -f .devcontainer/Dockerfile -t dev-container-image .
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+        id: connect-aws-deploy
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+          role-session-name: dev-container-build-x64
+          output-credentials: true
+
+      - name: Retrieve AWS Account ID
+        id: retrieve-deploy-account-id
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Amazon ECR
+        run: |
+          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      - name: Push x64 image to Amazon ECR
+        env:
+          ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
+          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+        run: |
+          docker tag "dev-container-image" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
+          docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
+      - name: Check dev container scan results
+        env:
+          REPOSITORY_NAME: ${{ inputs.dev_container_ecr }}
+          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}-amd64
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+        run: |
+          sleep 30
+          ./check_ecr_image_scan_results.sh
+
+  build_dev_container_arm64:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-22.04-arm
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+        with:
+          fetch-depth: 0
+
+      - name: Download check_ecr_image_scan_results.sh script
+        env:
+          SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
+        run: |
+          curl -L "https://raw.githubusercontent.com/NHSDigital/eps-common-workflows/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
+          chmod +x check_ecr_image_scan_results.sh
+
+      - name: Build dev container
+        run: |
+          docker build -f .devcontainer/Dockerfile -t dev-container-image-arm .
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+        id: connect-aws-deploy
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+          role-session-name: dev-container-build-arm64
+          output-credentials: true
+
+      - name: Retrieve AWS Account ID
+        id: retrieve-deploy-account-id
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Amazon ECR
+        run: |
+          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      - name: Push ARM64 image to Amazon ECR
+        env:
+          ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
+          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+        run: |
+          docker tag "dev-container-image-arm" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+          docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+      - name: Check dev container scan results
+        env:
+          REPOSITORY_NAME: ${{ inputs.dev_container_ecr }}
+          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}-arm64
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+        run: |
+          # Wait a moment for ECR to process the new manifest
+          sleep 30
+          ./check_ecr_image_scan_results.sh
+
+  create_multi_arch_manifest:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-22.04
+    needs: [build_dev_container_x64, build_dev_container_arm64]
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+          role-session-name: multi-arch-manifest
+          output-credentials: true
+
+      - name: Retrieve AWS Account ID
+        id: retrieve-deploy-account-id
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Amazon ECR
+        run: |
+          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      - name: Create and push multi-architecture manifest for tag
+        env:
+          ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
+          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+        run: |
+          # Create manifest list combining both architectures
+          docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}" \
+            "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
+            "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+
+      - name: Verify multi-architecture manifest
+        env:
+          ECR_REPOSITORY: ${{ inputs.dev_container_ecr }}
+          IMAGE_TAG: ${{ inputs.dev_container_image_tag }}
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+        run: |
+          echo "=== Verifying multi-architecture manifest ==="
+          docker buildx imagetools inspect "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"
