From 4d999cbe4a84639eea9db4e1a16fd48c9f591308 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 18 Feb 2026 22:01:50 +0000
Subject: [PATCH 1/7] add attestation
---
 .github/workflows/build_multi_arch_image.yml | 204 +++++++++++++++++++
 1 file changed, 204 insertions(+)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 36e3c0f..9048e0a 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -136,6 +136,56 @@ jobs:
 DOCKER_TAG: ${{ inputs.docker_tag }}
 CONTAINER_NAME: '${{ inputs.container_name }}'
 ARCHITECTURE: '${{ matrix.arch }}'
+ - name: Resolve image digest
+ id: resolve_arch_digest
+ run: |
+ DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" | awk '/^Digest:/ {print $2; exit}')
+ echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+ echo "Resolved digest ${DIGEST} for ${DOCKER_TAG}-${ARCHITECTURE}"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ - name: Attest image
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a
+ with:
+ subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
+ subject-digest: ${{ steps.resolve_arch_digest.outputs.digest }}
+ push-to-registry: true
+ create-storage-record: false
+ - name: Summarise attested image
+ run: |
+ echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ DIGEST: ${{ steps.resolve_arch_digest.outputs.digest }}
+ - name: Resolve github actions image digest
+ id: resolve_githubactions_arch_digest
+ run: |
+ DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}" | awk '/^Digest:/ {print $2; exit}')
+ echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+ echo "Resolved digest ${DIGEST} for githubactions-${DOCKER_TAG}-${ARCHITECTURE}"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ - name: Attest github actions image
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a
+ with:
+ subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
+ subject-digest: ${{ steps.resolve_githubactions_arch_digest.outputs.digest }}
+ push-to-registry: true
+ create-storage-record: false
+ - name: Summarise attested github actions image
+ run: |
+ echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ DIGEST: ${{ steps.resolve_githubactions_arch_digest.outputs.digest }}
 - name: Push latest image
 if: ${{ inputs.tag_latest }}
 run: |
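Review bot: The `DIGEST=$(docker buildx imagetools inspect … | awk …)` assignment in the "Resolve image digest" step masks a failed inspect — the assignment's status is awk's, so DIGEST is silently empty, the step still writes `digest=` to `$GITHUB_OUTPUT`, and "Attest image" fails (or attests nothing) one step later with a less useful message. A guard straight after the assignment makes the failure explicit and local: `if [[ -z "${DIGEST}" ]]; then echo "Could not resolve digest for ${DOCKER_TAG}-${ARCHITECTURE}" >&2; exit 1; fi`; the same applies to the second resolve step in this hunk and to the resolve steps in the hunks at @@ -152,6 and @@ -222,3. attest-build-provenance also needs `id-token: write` and `attestations: write` on the job (plus `packages: write` while `push-to-registry: true`); the job's `permissions:` block is outside this hunk, so confirm it grants them. The enclosing job and its steps list start before the hunk.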
@@ -152,6 +202,58 @@ jobs:
 DOCKER_TAG: ${{ inputs.docker_tag }}
 CONTAINER_NAME: '${{ inputs.container_name }}'
 ARCHITECTURE: '${{ matrix.arch }}'
+ - name: Resolve github actions latest image digest
+ if: ${{ inputs.tag_latest }}
+ id: resolve_githubactions_latest_arch_digest
+ run: |
+ DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-${ARCHITECTURE}" | awk '/^Digest:/ {print $2; exit}')
+ echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+ echo "Resolved digest ${DIGEST} for githubactions-latest-${ARCHITECTURE}"
+ env:
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ - name: Attest github actions latest image
+ if: ${{ inputs.tag_latest }}
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a
+ with:
+ subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
+ subject-digest: ${{ steps.resolve_githubactions_latest_arch_digest.outputs.digest }}
+ push-to-registry: true
+ create-storage-record: false
+ - name: Summarise attested github actions latest image
+ if: ${{ inputs.tag_latest }}
+ run: |
+ echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ DIGEST: ${{ steps.resolve_githubactions_latest_arch_digest.outputs.digest }}
+ - name: Resolve latest image digest
+ if: ${{ inputs.tag_latest }}
+ id: resolve_latest_arch_digest
+ run: |
+ DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" | awk '/^Digest:/ {print $2; exit}')
+ echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+ echo "Resolved digest ${DIGEST} for latest-${ARCHITECTURE}"
+ env:
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ - name: Attest latest image
+ if: ${{ inputs.tag_latest }}
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a
+ with:
+ subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
+ subject-digest: ${{ steps.resolve_latest_arch_digest.outputs.digest }}
+ push-to-registry: true
+ create-storage-record: false
+ - name: Summarise attested latest image
+ if: ${{ inputs.tag_latest }}
+ run: |
+ echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ DIGEST: ${{ steps.resolve_latest_arch_digest.outputs.digest }}
 publish_combined_image:
 name: Publish combined image for ${{ inputs.container_name }}
 runs-on: ubuntu-22.04
@@ -222,3 +324,105 @@ jobs:
 env:
 DOCKER_TAG: ${{ inputs.docker_tag }}
 CONTAINER_NAME: '${{ inputs.container_name }}'
+
+ - name: Resolve combined image digest
+ id: resolve_combined_digest
+ run: |
+ DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" | awk '/^Digest:/ {print $2; exit}')
+ echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+ echo "Resolved digest ${DIGEST} for ${DOCKER_TAG}"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+
+ - name: Attest combined image
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a
+ with:
+ subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
+ subject-digest: ${{ steps.resolve_combined_digest.outputs.digest }}
+ push-to-registry: true
+ create-storage-record: false
+ - name: Summarise attested combined image
+ run: |
+ echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ DIGEST: ${{ steps.resolve_combined_digest.outputs.digest }}
+
+ - name: Resolve combined github actions image digest
+ id: resolve_githubactions_combined_digest
+ run: |
+ DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}" | awk '/^Digest:/ {print $2; exit}')
+ echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+ echo "Resolved digest ${DIGEST} for githubactions-${DOCKER_TAG}"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+
+ - name: Attest combined github actions image
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a
+ with:
+ subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
+ subject-digest: ${{ steps.resolve_githubactions_combined_digest.outputs.digest }}
+ push-to-registry: true
+ create-storage-record: false
+ - name: Summarise attested combined github actions image
+ run: |
+ echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ DIGEST: ${{ steps.resolve_githubactions_combined_digest.outputs.digest }}
+
+ - name: Resolve latest github actions image digest
+ if: ${{ inputs.tag_latest }}
+ id: resolve_githubactions_latest_digest
+ run: |
+ DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest" | awk '/^Digest:/ {print $2; exit}')
+ echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+ echo "Resolved digest ${DIGEST} for githubactions-latest"
+ env:
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+
+ - name: Attest latest github actions image
+ if: ${{ inputs.tag_latest }}
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a
+ with:
+ subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
+ subject-digest: ${{ steps.resolve_githubactions_latest_digest.outputs.digest }}
+ push-to-registry: true
+ create-storage-record: false
+ - name: Summarise attested latest github actions image
+ if: ${{ inputs.tag_latest }}
+ run: |
+ echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-latest@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ DIGEST: ${{ steps.resolve_githubactions_latest_digest.outputs.digest }}
+
+ - name: Resolve latest image digest
+ if: ${{ inputs.tag_latest }}
+ id: resolve_latest_digest
+ run: |
+ DIGEST=$(docker buildx imagetools inspect "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" | awk '/^Digest:/ {print $2; exit}')
+ echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+ echo "Resolved digest ${DIGEST} for latest"
+ env:
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+
+ - name: Attest latest image
+ if: ${{ inputs.tag_latest }}
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a
+ with:
+ subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
+ subject-digest: ${{ steps.resolve_latest_digest.outputs.digest }}
+ push-to-registry: true
+ create-storage-record: false
+ - name: Summarise attested latest image
+ if: ${{ inputs.tag_latest }}
+ run: |
+ echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ DIGEST: ${{ steps.resolve_latest_digest.outputs.digest }}
From 85a3daf3108b43edd0492be88619dcab12ed9cdc Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 18 Feb 2026 22:17:45 +0000
Subject: [PATCH 2/7] no buildkit attestation
---
 .github/workflows/build_multi_arch_image.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 9048e0a..44d7e34 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -88,6 +88,7 @@ jobs:
 IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
 BASE_FOLDER: "${{ inputs.base_folder }}"
 NO_CACHE: '${{ inputs.NO_CACHE }}'
+ BUILDX_NO_DEFAULT_ATTESTATIONS: "1"
 - name: Check docker vulnerabilities - json output
 run: |
 make scan-image-json
@@ -136,6 +137,7 @@ jobs:
 DOCKER_TAG: ${{ inputs.docker_tag }}
 CONTAINER_NAME: '${{ inputs.container_name }}'
 ARCHITECTURE: '${{ matrix.arch }}'
+ BUILDX_NO_DEFAULT_ATTESTATIONS: "1"
 - name: Resolve image digest
 id: resolve_arch_digest
 run: |
From 9debb9be17272c54e3246623ceb0710e11ef456d Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 18 Feb 2026 22:37:42 +0000
Subject: [PATCH 3/7] no need for create-storage-record
---
 .github/workflows/build_multi_arch_image.yml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 44d7e34..b87f9e8 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -154,7 +154,6 @@ jobs:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_arch_digest.outputs.digest }}
 push-to-registry: true
- create-storage-record: false
 - name: Summarise attested image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
@@ -179,7 +178,6 @@ jobs:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_githubactions_arch_digest.outputs.digest }}
 push-to-registry: true
- create-storage-record: false
 - name: Summarise attested github actions image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
@@ -221,7 +219,6 @@ jobs:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_githubactions_latest_arch_digest.outputs.digest }}
 push-to-registry: true
- create-storage-record: false
 - name: Summarise attested github actions latest image
 if: ${{ inputs.tag_latest }}
 run: |
@@ -247,7 +244,6 @@ jobs:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_latest_arch_digest.outputs.digest }}
 push-to-registry: true
- create-storage-record: false
 - name: Summarise attested latest image
 if: ${{ inputs.tag_latest }}
 run: |
@@ -343,7 +339,6 @@ jobs:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_combined_digest.outputs.digest }}
 push-to-registry: true
- create-storage-record: false
 - name: Summarise attested combined image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
@@ -368,7 +363,6 @@ jobs:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_githubactions_combined_digest.outputs.digest }}
 push-to-registry: true
- create-storage-record: false
 - name: Summarise attested combined github actions image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
@@ -394,7 +388,6 @@ jobs:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_githubactions_latest_digest.outputs.digest }}
 push-to-registry: true
- create-storage-record: false
 - name: Summarise attested latest github actions image
 if: ${{ inputs.tag_latest }}
 run: |
@@ -420,7 +413,6 @@ jobs:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_latest_digest.outputs.digest }}
 push-to-registry: true
- create-storage-record: false
 - name: Summarise attested latest image
 if: ${{ inputs.tag_latest }}
 run: |
From 8184ac856bf7639e96fb512c0c3c09ad9acea31c Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 18 Feb 2026 23:03:50 +0000
Subject: [PATCH 4/7] delete untagged images
---
 .github/scripts/delete_unused_images.sh | 60 ++++++++++++++++++++++++-
 .github/workflows/delete_old_images.yml | 4 +-
 2 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/.github/scripts/delete_unused_images.sh b/.github/scripts/delete_unused_images.sh
index a569b99..d16919d 100755
--- a/.github/scripts/delete_unused_images.sh
+++ b/.github/scripts/delete_unused_images.sh
@@ -3,6 +3,7 @@
 DRY_RUN=false
 DELETE_PR=false
 DELETE_CI=false
+DELETE_UNTAGGED=false
 while [[ $# -gt 0 ]]; do
 case "$1" in
@@ -18,13 +19,17 @@ while [[ $# -gt 0 ]]; do
 DELETE_CI=true
 shift
 ;;
+ --delete-untagged)
+ DELETE_UNTAGGED=true
+ shift
+ ;;
 --help|-h)
- echo "Usage: $0 [--dry-run] [--delete-pr] [--delete-ci]"
+ echo "Usage: $0 [--dry-run] [--delete-pr] [--delete-ci] [--delete-untagged]"
 exit 0
 ;;
 *)
 echo "Unknown option: $1" >&2
- echo "Usage: $0 [--dry-run] [--delete-pr] [--delete-ci]" >&2
+ echo "Usage: $0 [--dry-run] [--delete-pr] [--delete-ci] [--delete-untagged]" >&2
 exit 1
 ;;
 esac
@@ -166,7 +171,37 @@ delete_ci_images() {
 done <<<"${tags}"
 }
+delete_untagged_images() {
+ local container_name=$1
+ local package_name
+ local versions_json
+ if [[ -z "${container_name}" ]]; then
+ echo "Container name is required" >&2
+ return 1
+ fi
+
+ package_name=$(get_container_package_name "${container_name}")
+ versions_json=$(get_container_versions_json "${container_name}")
+
+ jq -r '.[] | select(((.metadata.container.tags // []) | length) == 0) | .id' \
+ <<<"${versions_json}" \
+ | while IFS= read -r version_id; do
+ if [[ -n "${version_id}" ]]; then
+ if [[ "${DRY_RUN}" == "true" ]]; then
+ echo "[DRY RUN] Would delete untagged image version ID ${version_id} from container ${container_name}."
+ else
+ echo "Deleting untagged image version ID ${version_id} from container ${container_name}..."
+ gh api \
+ -H "Accept: application/vnd.github+json" \
+ -X DELETE \
+ "/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}"
+ fi
+ fi
+ done
+}
+
+base_node_folders=$(find src/base_node -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
 language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
 project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
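Review bot: `select(((.metadata.container.tags // []) | length) == 0)` deletes every untagged package version, and on GHCR that set can include manifests that are still referenced — per-arch manifests behind a multi-arch index that carry no tag of their own, or attestation/referrer manifests pushed by digest — so a scheduled run can break an image that is still in use. The tagging scheme of this repo's images is not visible here; confirm that everything reachable from a tag is itself tagged, or additionally filter on version age before deleting. The `gh api -X DELETE` call also runs inside a `jq | while` pipeline, so a failed delete is neither reported nor reflected in the function's exit status, unlike the sibling `delete_ci_images` which reads from `done <<<"${tags}"`; at minimum append `|| echo "Failed to delete untagged version ${version_id} of ${container_name}" >&2` to the `"/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}"` line so failures show in the log. A short header comment on the function stating that it removes all untagged versions of the package would also help the next person wiring it into the schedule.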
@@ -177,6 +212,21 @@ for container_name in $(jq -r '.[]' <<<"${project_folders}"); do
 if [[ "${DELETE_CI}" == "true" ]]; then
 delete_ci_images "${container_name}"
 fi
+ if [[ "${DELETE_UNTAGGED}" == "true" ]]; then
+ delete_untagged_images "${container_name}"
+ fi
+done
+
+for container_name in $(jq -r '.[]' <<<"${base_node_folders}"); do
+ if [[ "${DELETE_PR}" == "true" ]]; then
+ delete_pr_images "${container_name}"
+ fi
+ if [[ "${DELETE_CI}" == "true" ]]; then
+ delete_ci_images "${container_name}"
+ fi
+ if [[ "${DELETE_UNTAGGED}" == "true" ]]; then
+ delete_untagged_images "${container_name}"
+ fi
 done
 for container_name in $(jq -r '.[]' <<<"${language_folders}"); do
@@ -186,6 +236,9 @@ for container_name in $(jq -r '.[]' <<<"${language_folders}"); do
 if [[ "${DELETE_CI}" == "true" ]]; then
 delete_ci_images "${container_name}"
 fi
+ if [[ "${DELETE_UNTAGGED}" == "true" ]]; then
+ delete_untagged_images "${container_name}"
+ fi
 done
 if [[ "${DELETE_PR}" == "true" ]]; then
@@ -194,3 +247,6 @@ fi
 if [[ "${DELETE_CI}" == "true" ]]; then
 delete_ci_images "base"
 fi
+if [[ "${DELETE_UNTAGGED}" == "true" ]]; then
+ delete_untagged_images "base"
+fi
diff --git a/.github/workflows/delete_old_images.yml b/.github/workflows/delete_old_images.yml
index 382ed5f..96438b5 100644
--- a/.github/workflows/delete_old_images.yml
+++ b/.github/workflows/delete_old_images.yml
@@ -4,7 +4,7 @@ name: "Delete old images"
 on:
 workflow_dispatch:
 schedule:
- - cron: "0 1,13 * * *"
+ - cron: "0 1 * * 6"
 push:
 branches: [main]
@@ -30,7 +30,7 @@ jobs:
 if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
 .github/scripts/delete_unused_images.sh --delete-pr
 elif [[ "${{ github.event_name }}" == "schedule" ]]; then
- .github/scripts/delete_unused_images.sh --delete-ci
+ .github/scripts/delete_unused_images.sh --delete-ci --delete-untagged
 else
 .github/scripts/delete_unused_images.sh
 fi
From ca86548fe00abb901b70ab571d331e7feb1f01b4 Mon Sep 17 00:00:00 2001
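Review bot: The loop body added for `base_node_folders` repeats the same three flag checks that the project and language loops already carry (this hunk and @@ -186,6) and that the trailing `"base"` block repeats once more (@@ -194,3), so any further flag has to be threaded through four places. A small helper holding the checks keeps that in one spot, as sketched below; the project loop this hunk starts in begins before the hunk, so its opening line is not shown. In the workflow hunk at @@ -30,7 the scheduled run now deletes untagged versions with no `--dry-run` pass first; a comment on that line saying what `--delete-untagged` removes would help whoever next edits the cron.
```shell
# Run every enabled clean-up for one container; the flag checks live only here.
process_container() {
  local container_name=$1
  if [[ "${DELETE_PR}" == "true" ]]; then
    delete_pr_images "${container_name}"
  fi
  if [[ "${DELETE_CI}" == "true" ]]; then
    delete_ci_images "${container_name}"
  fi
  if [[ "${DELETE_UNTAGGED}" == "true" ]]; then
    delete_untagged_images "${container_name}"
  fi
}

for container_name in $(jq -r '.[]' <<<"${base_node_folders}"); do
  process_container "${container_name}"
done
# … unchanged: the project and language loops and the trailing "base" block call process_container the same way …
```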
From: Anthony Brown
Date: Wed, 18 Feb 2026 23:35:23 +0000
Subject: [PATCH 5/7] set push to registry to false
---
 .github/workflows/build_multi_arch_image.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index b87f9e8..9d1f801 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -153,7 +153,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_arch_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
@@ -177,7 +177,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_githubactions_arch_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested github actions image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
@@ -218,7 +218,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_githubactions_latest_arch_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested github actions latest image
 if: ${{ inputs.tag_latest }}
 run: |
@@ -243,7 +243,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_latest_arch_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested latest image
 if: ${{ inputs.tag_latest }}
 run: |
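Review bot: Flipping `push-to-registry` to `false` means the attestation exists only in GitHub's attestation store and is no longer stored beside the image in ghcr.io, so registry-side verifiers looking for referrers will find nothing and consumers must verify through GitHub (e.g. `gh attestation verify … --owner nhsdigital`); the commit gives no reason, and patches 6 and 7 toggle the first step back and forth, which reads as trial and error rather than a documented decision. Possibly the pushed attestation manifests appeared as untagged package versions that the new `--delete-untagged` clean-up would remove — confirm that, and record the reason next to the input on each of the eight attest steps (the other four are in the hunks at @@ -338,7, @@ -362,7, @@ -387,7 and @@ -412,7): `# Kept in GitHub's attestation store only (not pushed to ghcr.io); verify with gh attestation verify`. If the store-only choice is deliberate, the "Summarise attested image" line that prints the `@${DIGEST}` reference should say where the attestation can be checked, since the registry reference alone no longer leads to it.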
@@ -338,7 +338,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_combined_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested combined image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
@@ -362,7 +362,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_githubactions_combined_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested combined github actions image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:githubactions-${DOCKER_TAG}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
@@ -387,7 +387,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_githubactions_latest_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested latest github actions image
 if: ${{ inputs.tag_latest }}
 run: |
@@ -412,7 +412,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_latest_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested latest image
 if: ${{ inputs.tag_latest }}
 run: |
From b4e13ab99722be0fdf5677279836be587cc638e4 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 19 Feb 2026 00:03:47 +0000
Subject: [PATCH 6/7] first push
---
 .github/workflows/build_multi_arch_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 9d1f801..b476230 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -153,7 +153,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_arch_digest.outputs.digest }}
- push-to-registry: false
+ push-to-registry: true
 - name: Summarise attested image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
From 6c96ee2f37013998be9f021daf70807bd2661eb5 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 19 Feb 2026 00:09:22 +0000
Subject: [PATCH 7/7] do not push attestation
---
 .github/workflows/build_multi_arch_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index b476230..9d1f801 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -153,7 +153,7 @@ jobs:
 with:
 subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
 subject-digest: ${{ steps.resolve_arch_digest.outputs.digest }}
- push-to-registry: true
+ push-to-registry: false
 - name: Summarise attested image
 run: |
 echo "## ATTESTED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}@${DIGEST}" >> "$GITHUB_STEP_SUMMARY"