🚀 Prepare for general availability (#41)

Signed-off-by: Jacob Woffenden <[email protected]>
ministryofjustice · Apr 11, 2024 · 7499f96 · 7499f96
1 parent 26e34ce
commit 7499f96
Show file tree

Hide file tree

Showing 10 changed files with 194 additions and 139 deletions.
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
@@ -4,6 +4,19 @@
       "version": "2.10.1",
       "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:440bdb81cf8af43f3e922450d33db9775c1097340557a5b7b6fe705bc758c5ef",
       "integrity": "sha256:440bdb81cf8af43f3e922450d33db9775c1097340557a5b7b6fe705bc758c5ef"
+    },
+    "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:0": {
+      "version": "0.0.2",
+      "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test@sha256:a0d81a6b8be5deae2fc41edf007a8f0efe794b4ebf0880265643b4a06edf16c6",
+      "integrity": "sha256:a0d81a6b8be5deae2fc41edf007a8f0efe794b4ebf0880265643b4a06edf16c6",
+      "dependsOn": [
+        "ghcr.io/devcontainers/features/docker-in-docker:2"
+      ]
+    },
+    "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis:0": {
+      "version": "0.0.3",
+      "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis@sha256:81efa45affc66c168d273817f6f86a64f90715e9482eb7f6e3b33af006a2236c",
+      "integrity": "sha256:81efa45affc66c168d273817f6f86a64f90715e9482eb7f6e3b33af006a2236c"
     }
   }
 }
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -2,7 +2,9 @@
   "name": "analytical-platform-visual-studio-code",
   "image": "ghcr.io/ministryofjustice/devcontainer-base:latest",
   "features": {
-    "ghcr.io/devcontainers/features/docker-in-docker:2": {}
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:0": {},
+    "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis:0": {}
   },
   "customizations": {
     "vscode": {

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -19,8 +19,12 @@ jobs:
         id: checkout
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
+      - name: Set Up Container Structure Test
+        id: setup_container_structure_test
+        uses: ministryofjustice/github-actions/setup-container-structure-test@bdab1cff6d23336b6d5adc662fb57af72f0ae160 # v17.1.0
+
       - name: Build and Test
         id: build_and_test
         shell: bash
         run: |
-          bash scripts/build-and-test.sh
+          make test
diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml
@@ -52,6 +52,6 @@ jobs:
       - name: Upload SARIF
         if: always()
         id: upload_sarif
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.2.7
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           sarif_file: trivy-results.sarif
diff --git a/Dockerfile b/Dockerfile
@@ -1,153 +1,195 @@
-FROM public.ecr.aws/ubuntu/ubuntu@sha256:722b3bddfe96b95441f626cf94974d79213090ecbd16954f71d7c080fb413561
+FROM public.ecr.aws/ubuntu/ubuntu@sha256:12fb86d81bc4504d8261a91c83c54b9e5dcdf1d833ba0fe42ec9e0ee09a2b0ba
 
 LABEL org.opencontainers.image.vendor="Ministry of Justice" \
       org.opencontainers.image.authors="Analytical Platform ([email protected])" \
       org.opencontainers.image.title="Visual Studio Code" \
       org.opencontainers.image.description="Visual Studio Code image for Analytical Platform" \
-      org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform"
+      org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform-visual-studio-code"
 
 ENV CONTAINER_USER="analyticalplatform" \
     CONTAINER_UID="1000" \
     CONTAINER_GROUP="analyticalplatform" \
     CONTAINER_GID="1000" \
     DEBIAN_FRONTEND="noninteractive" \
     VISUAL_STUDIO_CODE_VERSION="1.88.0-1712152114" \
-    AWS_CLI_VERSION="2.15.35" \
+    AWS_CLI_VERSION="2.15.37" \
     CORRETTO_VERSION="1:21.0.2.14-1" \
     MINICONDA_VERSION="24.1.2-0" \
     MINICONDA_SHA256="8eb5999c2f7ac6189690d95ae5ec911032fa6697ae4b34eb3235802086566d78" \
-    DOTNET_SDK_VERSION="8.0.203-1" \
-    OLLAMA_VERSION="0.1.30" \
-    OLLAMA_SHA256="cee140fdbbe1b21b520a83bf6246ca727df3cd69db560d6cf579888a4b966c93" \
+    DOTNET_SDK_VERSION="8.0.204-1" \
+    OLLAMA_VERSION="0.1.31" \
+    OLLAMA_SHA256="9d9a24ed741bf9d88c8e9df6865371681316aee298433d0291e86295045bfa96" \
     PATH="/opt/conda/bin:${HOME}/.local/bin:${PATH}"
 
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
 
-# User
-RUN groupadd \
-      --gid ${CONTAINER_GID} \
-      ${CONTAINER_GROUP} \
-    && useradd \
-         --uid ${CONTAINER_UID} \
-         --gid ${CONTAINER_GROUP} \
-         --create-home \
-         --shell /bin/bash \
-         ${CONTAINER_USER}
+# User Configuration
+RUN <<EOF
+groupadd \
+  --gid ${CONTAINER_GID} \
+  ${CONTAINER_GROUP}
+
+useradd \
+  --uid ${CONTAINER_UID} \
+  --gid ${CONTAINER_GROUP} \
+  --create-home \
+  --shell /bin/bash \
+  ${CONTAINER_USER}
+EOF
 
 # Base
-RUN apt-get update --yes \
-    && apt-get install --yes \
-         "apt-transport-https=2.4.12" \
-         "ca-certificates=20230311ubuntu0.22.04.1" \
-         "curl=7.81.0-1ubuntu1.16" \
-         "git=1:2.34.1-1ubuntu1.10" \
-         "gpg=2.2.27-3ubuntu2.1" \
-         "jq=1.6-2.1ubuntu3" \
-         "mandoc=1.14.6-1" \
-         "python3.10=3.10.12-1~22.04.3" \
-         "python3-pip=22.0.2+dfsg-1ubuntu0.4" \
-         "unzip=6.0-26ubuntu3.2" \
-    && apt-get clean --yes \
-    && rm --force --recursive /var/lib/apt/lists/* \
-    && install --directory --owner ${CONTAINER_USER} --group ${CONTAINER_GROUP} --mode 0755 /opt/visual-studio-code
+RUN <<EOF
+apt-get update --yes
+
+apt-get install --yes \
+  "apt-transport-https=2.4.12" \
+  "ca-certificates=20230311ubuntu0.22.04.1" \
+  "curl=7.81.0-1ubuntu1.16" \
+  "git=1:2.34.1-1ubuntu1.10" \
+  "gpg=2.2.27-3ubuntu2.1" \
+  "jq=1.6-2.1ubuntu3" \
+  "mandoc=1.14.6-1" \
+  "python3.10=3.10.12-1~22.04.3" \
+  "python3-pip=22.0.2+dfsg-1ubuntu0.4" \
+  "unzip=6.0-26ubuntu3.2"
+
+apt-get clean --yes
+
+rm --force --recursive /var/lib/apt/lists/*
+
+install --directory --owner ${CONTAINER_USER} --group ${CONTAINER_GROUP} --mode 0755 /opt/visual-studio-code
+EOF
 
 # Backup Bash configuration
-RUN cp /home/analyticalplatform/.bashrc /opt/visual-studio-code/.bashrc \
-    && cp /home/analyticalplatform/.bash_logout /opt/visual-studio-code/.bash_logout \
-    && cp /home/analyticalplatform/.profile /opt/visual-studio-code/.profile
+RUN <<EOF
+cp /home/analyticalplatform/.bashrc /opt/visual-studio-code/.bashrc
 
-# First run notice
-COPY src/opt/visual-studio-code/first-run-notice.txt /opt/visual-studio-code/first-run-notice.txt
-RUN cat <<EOF >> /etc/bash.bashrc
+cp /home/analyticalplatform/.bash_logout /opt/visual-studio-code/.bash_logout
 
-# This is a first run notice for Visual Studio Code
-if [[ -t 1 ]] && [[ "\${TERM_PROGRAM}" = "vscode" ]] && [[ ! -f "/home/analyticalplatform/.vscode/first-run-notice-already-displayed" ]]; then
-    cat /opt/visual-studio-code/first-run-notice.txt
-    # Mark first run notice as displayed after 10s to avoid problems with fast terminal refreshes hiding it
-    mkdir --parents "/home/analyticalplatform/.vscode"
-    ((sleep 10s; touch "/home/analyticalplatform/.vscode/first-run-notice-already-displayed") &)
-fi
+cp /home/analyticalplatform/.profile /opt/visual-studio-code/.profile
+EOF
 
+# First run notice
+COPY src/opt/visual-studio-code/first-run-notice.txt /opt/visual-studio-code/first-run-notice.txt
+COPY src/etc/bash.bashrc.snippet /etc/bash.bashrc.snippet
+RUN <<EOF
+cat /etc/bash.bashrc.snippet >> /etc/bash.bashrc
 EOF
 
 # Visual Studio Code
-RUN curl --location --fail-with-body \
-      "https://packages.microsoft.com/keys/microsoft.asc" \
-      --output microsoft.asc \
-    && cat microsoft.asc | gpg --dearmor --output packages.microsoft.gpg \
-    && install -D --owner root --group root --mode 644 packages.microsoft.gpg /etc/apt/keyrings/packages.microsoft.gpg \
-    && echo "deb [arch=amd64,arm64,armhf signed-by=/etc/apt/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" > /etc/apt/sources.list.d/vscode.list \
-    && apt-get update --yes \
-    && apt-get install --yes \
-         "code=${VISUAL_STUDIO_CODE_VERSION}" \
-    && apt-get clean --yes \
-    && rm --force --recursive /var/lib/apt/lists/*
+RUN <<EOF
+curl --location --fail-with-body \
+  "https://packages.microsoft.com/keys/microsoft.asc" \
+  --output microsoft.asc
+
+cat microsoft.asc | gpg --dearmor --output packages.microsoft.gpg
+
+install -D --owner root --group root --mode 644 packages.microsoft.gpg /etc/apt/keyrings/packages.microsoft.gpg
+
+echo "deb [arch=amd64,arm64,armhf signed-by=/etc/apt/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" > /etc/apt/sources.list.d/vscode.list
+
+apt-get update --yes
+
+apt-get install --yes "code=${VISUAL_STUDIO_CODE_VERSION}"
+
+apt-get clean --yes
+
+rm --force --recursive packages.microsoft.gpg /var/lib/apt/lists/*
+EOF
 
 # AWS CLI
 COPY --chown=nobody:nobody --chmod=0755 src/opt/aws-cli/[email protected] /opt/aws-cli/[email protected]
-RUN gpg --import /opt/aws-cli/[email protected] \
-    && curl --location --fail-with-body \
-         "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip.sig" \
-         --output "awscliv2.sig" \
-    && curl --location --fail-with-body \
-         "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip" \
-         --output "awscliv2.zip" \
-    && gpg --verify awscliv2.sig awscliv2.zip \
-    && unzip awscliv2.zip \
-    && ./aws/install \
-    && rm --force --recursive awscliv2.sig awscliv2.zip aws
+RUN <<EOF
+gpg --import /opt/aws-cli/[email protected]
+
+curl --location --fail-with-body \
+  "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip.sig" \
+  --output "awscliv2.sig"
+
+curl --location --fail-with-body \
+  "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip" \
+  --output "awscliv2.zip"
+
+gpg --verify awscliv2.sig awscliv2.zip
+
+unzip awscliv2.zip
+
+./aws/install
+
+rm --force --recursive awscliv2.sig awscliv2.zip aws
+EOF
 
 # Amazon Corretto
-RUN curl --location --fail-with-body \
-      "https://apt.corretto.aws/corretto.key" \
-      --output corretto.key \
-    && cat corretto.key | gpg --dearmor --output corretto-keyring.gpg \
-    && install -D --owner root --group root --mode 644 corretto-keyring.gpg /etc/apt/keyrings/corretto-keyring.gpg \
-    && echo "deb [signed-by=/etc/apt/keyrings/corretto-keyring.gpg] https://apt.corretto.aws stable main" > /etc/apt/sources.list.d/corretto.list \
-    && apt-get update --yes \
-    && apt-get install --yes \
-         "java-21-amazon-corretto-jdk=${CORRETTO_VERSION}" \
-    && apt-get clean --yes \
-    && rm --force --recursive /var/lib/apt/lists/*
+RUN <<EOF
+curl --location --fail-with-body \
+  "https://apt.corretto.aws/corretto.key" \
+  --output corretto.key
+cat corretto.key | gpg --dearmor --output corretto-keyring.gpg
+
+install -D --owner root --group root --mode 644 corretto-keyring.gpg /etc/apt/keyrings/corretto-keyring.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/corretto-keyring.gpg] https://apt.corretto.aws stable main" > /etc/apt/sources.list.d/corretto.list
+
+apt-get update --yes
+
+apt-get install --yes "java-21-amazon-corretto-jdk=${CORRETTO_VERSION}"
+
+apt-get clean --yes
+
+rm --force --recursive corretto-keyring.gpg /var/lib/apt/lists/*
+EOF
 
 # Miniconda
-RUN curl --location --fail-with-body \
-      "https://repo.anaconda.com/miniconda/Miniconda3-py310_${MINICONDA_VERSION}-Linux-x86_64.sh" \
-      --output "miniconda.sh" \
-    && echo "${MINICONDA_SHA256} miniconda.sh" | sha256sum --check \
-    && bash miniconda.sh -b -p /opt/conda \
-    && chown --recursive "${CONTAINER_USER}":"${CONTAINER_GROUP}" /opt/conda \
-    && rm --force miniconda.sh
+RUN <<EOF
+curl --location --fail-with-body \
+  "https://repo.anaconda.com/miniconda/Miniconda3-py310_${MINICONDA_VERSION}-Linux-x86_64.sh" \
+  --output "miniconda.sh"
+
+echo "${MINICONDA_SHA256} miniconda.sh" | sha256sum --check
+
+bash miniconda.sh -b -p /opt/conda
+
+chown --recursive "${CONTAINER_USER}":"${CONTAINER_GROUP}" /opt/conda
+
+rm --force miniconda.sh
+EOF
 
 # .NET SDK
-RUN curl --location --fail-with-body \
-      "https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb" \
-      --output "packages-microsoft-prod.deb" \
-    && apt-get install --yes ./packages-microsoft-prod.deb \
-    && apt-get update --yes \
-    && apt-get install --yes \
-         "dotnet-sdk-8.0=${DOTNET_SDK_VERSION}" \
-    && apt-get clean --yes \
-    && rm --force --recursive /var/lib/apt/lists/* \
-    && rm --force packages-microsoft-prod.deb
+RUN <<EOF
+curl --location --fail-with-body \
+  "https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb" \
+  --output "packages-microsoft-prod.deb"
+
+apt-get install --yes ./packages-microsoft-prod.deb
+
+apt-get update --yes
+
+apt-get install --yes "dotnet-sdk-8.0=${DOTNET_SDK_VERSION}"
+
+apt-get clean --yes
+
+rm --force --recursive /var/lib/apt/lists/*
+
+rm --force packages-microsoft-prod.deb
+EOF
 
 # Ollama
-RUN curl --location --fail-with-body \
-      "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/ollama-linux-amd64" \
-      --output "ollama" \
-    && echo "${OLLAMA_SHA256} ollama" | sha256sum --check \
-    && install --owner=root --group=root --mode=775 ollama /usr/local/bin/ollama \
-    && rm --force ollama
+RUN <<EOF
+curl --location --fail-with-body \
+  "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/ollama-linux-amd64" \
+  --output "ollama"
 
-COPY --chown=nobody:nobody --chmod=0755 src/usr/local/bin/entrypoint.sh /usr/local/bin/entrypoint.sh
-COPY --chown=nobody:nobody --chmod=0755 src/usr/local/bin/healthcheck.sh /usr/local/bin/healthcheck.sh
+echo "${OLLAMA_SHA256} ollama" | sha256sum --check
 
-USER ${CONTAINER_USER}
+install --owner=root --group=root --mode=775 ollama /usr/local/bin/ollama
 
-WORKDIR /home/${CONTAINER_USER}
+rm --force ollama
+EOF
 
+USER ${CONTAINER_USER}
+WORKDIR /home/${CONTAINER_USER}
 EXPOSE 8080
-
+COPY --chown=nobody:nobody --chmod=0755 src/usr/local/bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY --chown=nobody:nobody --chmod=0755 src/usr/local/bin/healthcheck.sh /usr/local/bin/healthcheck.sh
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
-
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD ["/usr/local/bin/healthcheck.sh"]
diff --git a/Makefile b/Makefile
@@ -0,0 +1,15 @@
+IMAGE_NAME = ghcr.io/ministryofjustice/analytical-platform-visual-studio-code:latest
+
+test: build
+	container-structure-test test --config test/container-structure-test.yml --image $(IMAGE_NAME)
+
+build:
+	@ARCH=`uname -m`; \
+	case $$ARCH in \
+	aarch64 | arm64) \
+		echo "Building on $$ARCH architecture"; \
+		docker build --platform linux/amd64 --file Dockerfile --tag $(IMAGE_NAME) . ;; \
+	*) \
+		echo "Building on $$ARCH architecture"; \
+		docker build --file Dockerfile --tag $(IMAGE_NAME) . ;; \
+	esac
diff --git a/scripts/build-and-test.sh b/scripts/build-and-test.sh