Chore: [AEA-0000] - add no cache

.github/workflows/build_all_images.yml

@@ -8,6 +8,9 @@ name: build_all_images
       tag_latest:
         required: true
         type: boolean
+      NO_CACHE:
+        required: true
+        type: boolean
 env:
   BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
 jobs:
@@ -32,6 +35,7 @@ jobs:
       docker_tag: ${{ inputs.docker_tag }}
       container_name: base
       base_folder: "."
+      NO_CACHE: ${{ inputs.NO_CACHE }}
   package_language_docker_images:
     needs:
       - package_base_docker_image
@@ -46,6 +50,7 @@ jobs:
       docker_tag: ${{ inputs.docker_tag }}
       container_name: ${{ matrix.container_name }}
       base_folder: "languages"
+      NO_CACHE: ${{ inputs.NO_CACHE }}
   package_project_docker_images:
     needs:
       - package_language_docker_images
@@ -61,3 +66,4 @@ jobs:
       docker_tag: ${{ inputs.docker_tag }}
       container_name: ${{ matrix.container_name }}
       base_folder: "projects"
+      NO_CACHE: ${{ inputs.NO_CACHE }}

.github/workflows/build_multi_arch_image.yml

@@ -14,6 +14,9 @@ name: Build and push docker image
       base_folder:
         required: true
         type: string
+      NO_CACHE:
+        required: true
+        type: boolean
 
 jobs:
   build_and_push_image:
@@ -87,6 +90,7 @@ jobs:
           BASE_VERSION_TAG: ${{ inputs.docker_tag}}
           IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
           BASE_FOLDER: "${{ inputs.base_folder }}"
+          NO_CACHE: '${{ inputs.NO_CACHE }}'
       - name: Check docker vulnerabilities - json output
         uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
         with:

.github/workflows/ci.yml

@@ -45,3 +45,4 @@ jobs:
     with: 
       docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: false
+      NO_CACHE: false

.github/workflows/pull_request.yml

@@ -92,3 +92,4 @@ jobs:
     with: 
       docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
       tag_latest: false
+      NO_CACHE: false

.github/workflows/release.yml

@@ -46,3 +46,4 @@ jobs:
     with: 
       docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: true
+      NO_CACHE: true

Makefile

@@ -4,6 +4,10 @@ ifneq ($(strip $(PLATFORM)),)
 PLATFORM_FLAG=--platform $(PLATFORM)
 endif
 
+ifeq ($(strip $(NO_CACHE)),true)
+NO_CACHE_FLAG=--no-cache
+endif
+
 guard-%:
 	@ if [ "${${*}}" = "" ]; then \
 		echo "Environment variable $* not set"; \
@@ -24,6 +28,7 @@ install-hooks: install-python
 build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
 	npx devcontainer build \
 		--workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \
+		$(NO_CACHE_FLAG) \
 		--push false \
 		--cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \
 		--image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"

README.md

@@ -61,29 +61,30 @@ You should not need to add any features as these are already baked into the imag
   "name": "eps-common-workflows",
   "build": {
     "dockerfile": "Dockerfile",
+    "context": "..",
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.0.1",
+      "IMAGE_VERSION": "local-build",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     },
     "updateRemoteUserUID": false,
-    "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
-    "mounts": [
-      "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
-    ],
-    "containerUser": "vscode",
-    "remoteEnv": {
-      "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
-    },
-    "features": {},
-    "customizations": {
-      ... add any customisations you want here
-    }
+  },
+  "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
+  "mounts": [
+    "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+  ],
+  "containerUser": "vscode",
+  "remoteEnv": {
+    "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
+  },
+  "features": {},
+  "customizations": {
+    ....
   }
 }
 ```
@@ -153,7 +154,7 @@ CONTAINER_NAME=base \
 ``` 
 Language images
 ```
-CONTAINER_NAME=node_24_python_3_12 \
+CONTAINER_NAME=node_24_python_3_13 \
   BASE_VERSION_TAG=local-build \
   BASE_FOLDER=languages \
   IMAGE_TAG=local-build \
@@ -214,17 +215,26 @@ CONTAINER_NAME=fhir_facade_api \
 ``` 
 
 ## Using local or pull request images
-You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json
+You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json.    
+For an image built locally, you should put the IMAGE_VERSION=local-build. 
+For an image built from a pull request, you should put the IMAGE_VERSION=<tag of image as show in pull request job>.  
+You can only use images built from a pull request for testing changes in github actions.   
 
 ## Generating a .trivyignore file
 You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json
 
-If generated locally, then the output goes into .out/scan_results_docker.json
+If generated locally, then the output goes into .out/scan_results_docker.json.   
+You can use github cli tools to download the scan output file. Replace the run id from the url, and the -n with the filename to download
+```
+gh run download <run id> -n scan_results_docker_fhir_facade_api_arm64.json 
+```
+
+Once you have the scan output, use the following to generate a new .trivyignore file called .trivyignore.new.yaml. Note this will overwrite the output file when run so it should point to a new file and the contents merged with existing .trivyignore file
+
 
-Once you have the scan output, use the following to generate a .trivyignore
 ```
 poetry run python \
   scripts/trivy_to_trivyignore.py \
   --input .out/scan_results_docker.json \
-  --output src/common/.trivyignore.yaml 
+  --output src/projects/fhir_facade_api/.trivyignore.new.yaml 
 ```

src/base/.devcontainer/devcontainer.json

@@ -12,10 +12,6 @@
         "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
       }
     },
-    "runArgs": [
-      "--network=host"
-    ],
-    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
     "features": {
       "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
         "version": "latest",

src/languages/node_24_python_3_12/.devcontainer/devcontainer.json

@@ -13,10 +13,6 @@
       },
       "context": "."
     },
-    "runArgs": [
-      "--network=host"
-    ],
-    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
     "features": {}
   }
 

src/languages/node_24_python_3_13/.devcontainer/devcontainer.json

@@ -13,10 +13,6 @@
       },
       "context": "."
     },
-    "runArgs": [
-      "--network=host"
-    ],
-    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
     "features": {}
   }
 

src/languages/node_24_python_3_14/.devcontainer/devcontainer.json

@@ -13,10 +13,6 @@
       },
       "context": "."
     },
-    "runArgs": [
-      "--network=host"
-    ],
-    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
     "features": {}
   }
 

src/languages/python_3_10/.devcontainer/devcontainer.json

@@ -13,10 +13,6 @@
       },
       "context": "."
     },
-    "runArgs": [
-      "--network=host"
-    ],
-    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
     "features": {}
   }
 

src/projects/fhir_facade_api/.devcontainer/devcontainer.json

@@ -13,10 +13,6 @@
       },
       "context": "."
     },
-    "runArgs": [
-      "--network=host"
-    ],
-    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
     "features": {}
   }
 

src/projects/fhir_facade_api/.trivyignore.yaml

@@ -65,3 +65,43 @@ vulnerabilities:
     purls:
       - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
     expired_at: 2026-08-13
+  - id: CVE-2022-25235
+    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-25236
+    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-26485
+    statement: "Mozilla: Use-after-free in XSLT parameter processing"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-26486
+    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-25235
+    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-25236
+    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-26485
+    statement: "Mozilla: Use-after-free in XSLT parameter processing"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-26486
+    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16