From 96736ed5481a101afa9ac88e72e02fecef77d201 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 11:46:49 +0000
Subject: [PATCH 01/46] install buildx in docker job
---
 .github/workflows/docker_job.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index b157380bf3..86a84c4d4c 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -42,6 +42,14 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ inputs.checkout_tag }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3.0.0
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3.0.0
+ with:
+ version: v0.12.0
+
 - name: Build ${{ matrix.ecr_repository }} Image
 id: build_image
 run: |
From 4c30b2e2e8483700bc1fa58d002ece5cbef19836 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 11:47:37 +0000
Subject: [PATCH 02/46] don't run unecessary jobs
---
 .github/workflows/docker_job.yml | 12 +-
 .github/workflows/workflow_pr.yml | 242 +++++++++++++++---------------
 2 files changed, 127 insertions(+), 127 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 86a84c4d4c..561ad95408 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
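Review bot: The two new `uses:` lines pin `docker/setup-qemu-action` and `docker/setup-buildx-action` to the mutable tag `v3.0.0`, so the code executed in this job can change upstream without any change to this file; pin them to the action's full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/setup-buildx-action@<commit-sha> # v3.0.0`. It matters more here than in most jobs because the same step list later obtains ECR push credentials. The existing `actions/checkout@v4` context line follows the same tag-pin pattern, so this is a pre-existing habit rather than a regression introduced by the commit.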
@@ -30,12 +30,12 @@ jobs: include: - ecr_repository: modernising-lpa/app path: ./docker/mlpa/Dockerfile - - ecr_repository: modernising-lpa/create-s3-batch-replication-job - path: ./lambda/create_s3_replication_job/Dockerfile - - ecr_repository: modernising-lpa/event-received - path: ./docker/event-received/Dockerfile - - ecr_repository: modernising-lpa/mock-onelogin - path: ./docker/mock-onelogin/Dockerfile + # - ecr_repository: modernising-lpa/create-s3-batch-replication-job + # path: ./lambda/create_s3_replication_job/Dockerfile + # - ecr_repository: modernising-lpa/event-received + # path: ./docker/event-received/Dockerfile + # - ecr_repository: modernising-lpa/mock-onelogin + # path: ./docker/mock-onelogin/Dockerfile runs-on: ubuntu-latest name: ${{ matrix.ecr_repository }} steps: diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml index af9e3f1051..2fef244a51 100644 --- a/.github/workflows/workflow_pr.yml +++ b/.github/workflows/workflow_pr.yml 
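Review bot: Disabling the three matrix entries by commenting them out leaves no marker for when they are meant to return, and the same technique is used on a much larger scale in the `workflow_pr.yml` hunk of this patch, where `terraform_account_workflow_*`, `ui_tests_image`, `pr_deploy`, `ui_tests_pr_env`, `always_remove_ingress` and `end_of_pr_workflow` become roughly 120 lines of comment. If this is a temporary switch while the buildx work lands, a single `if: false # TODO: re-enable after buildx migration` on each job keeps the definitions visible to the workflow linter and reviewable as code; for the matrix entries a `# TODO(buildx): re-enable` line above the block would at least record the intent. The subject says the jobs are unnecessary, but the diff does not say why, so a reviewer cannot tell a temporary shortcut from a permanent removal.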
@@ -58,124 +58,124 @@ jobs: with: tag: ${{ needs.create_tags.outputs.version_tag }} - terraform_account_workflow_development: - name: TF Plan Dev Account - uses: ./.github/workflows/terraform_account_job.yml - with: - workspace_name: development - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - - terraform_account_workflow_preproduction: - name: TF Plan Preprod Account - needs: terraform_account_workflow_development - uses: ./.github/workflows/terraform_account_job.yml - with: - workspace_name: preproduction - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - - terraform_account_workflow_production: - name: TF Plan Prod Account - needs: terraform_account_workflow_development - uses: ./.github/workflows/terraform_account_job.yml - with: - workspace_name: production - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - - ui_tests_image: - name: Run Cypress UI Tests On Images - if: needs.detect_changes.outputs.changes_detected == 'true' && - (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') - uses: ./.github/workflows/ui_test_job.yml - needs: [docker_build_scan_push, create_tags] - with: - run_against_image: true - tag: ${{ needs.create_tags.outputs.version_tag }} - skip: ${{ contains(fromJSON('["weblate-pr"]'), github.head_ref) }} - matrixSpecs: '["cypress/e2e/donor/*","cypress/e2e/attorney/*,cypress/e2e/certificate-provider/*,cypress/e2e/accessibility/*,cypress/e2e/dev-features.cy.js,cypress/e2e/error-pages.cy.js"]' - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} - github_access_token: ${{ 
secrets.GITHUB_TOKEN }} - - pr_deploy: - name: PR Environment Deploy - if: always() && - (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') && - (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') && - (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped') - needs: [ - create_tags, - go_unit_tests, - docker_build_scan_push, - ui_tests_image - ] - uses: ./.github/workflows/terraform_environment_job.yml - with: - workspace_name: ${{ needs.create_tags.outputs.environment_workspace_name }} - version_tag: ${{ needs.create_tags.outputs.version_tag }} - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }} - github_access_token: ${{ secrets.GITHUB_TOKEN }} - pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }} - - ui_tests_pr_env: - name: Run Cypress UI Tests On PR Environment - if: always() && - needs.pr_deploy.result == 'success' - uses: ./.github/workflows/ui_test_job.yml - needs: [pr_deploy, create_tags] - with: - run_against_image: false - base_url: "https://${{ needs.pr_deploy.outputs.url }}" - tag: ${{ needs.create_tags.outputs.version_tag }} - environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} - matrixSpecs: '["cypress/e2e/donor/start.cy.js,cypress/e2e/smoke/external.cy.js"]' - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} - github_access_token: ${{ secrets.GITHUB_TOKEN }} - - always_remove_ingress: - name: Remove CI ingress from environment - if: always() - uses: ./.github/workflows/remove_ingress_job.yml - needs: [ui_tests_pr_env, pr_deploy] - with: - environment_config_json: ${{ 
needs.pr_deploy.outputs.environment_config_json }} - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - - end_of_pr_workflow: - name: End of PR Workflow - runs-on: ubuntu-latest - if: always() - environment: - name: "dev_${{ needs.create_tags.outputs.environment_workspace_name }}" - url: "https://${{ needs.pr_deploy.outputs.url }}" - needs: [pr_deploy, create_tags, ui_tests_pr_env] - steps: - - name: End of PR Workflow - run: | - echo "${{ needs.pr_deploy.outputs.terraform_workspace_name }} PR environment tested, built and deployed" - echo "Tag Deployed: ${{ needs.pr_deploy.outputs.terraform_container_version }}" - echo "URL: https://${{ needs.pr_deploy.outputs.url }}" - - if ${{ contains(needs.ui_tests_pr_env.result,'success') }} - then - echo "PR environment tested, built and deployed" - exit 0 - else - echo "PR environment tested, built and deployed but UI tests failed" - exit 1 - fi + # terraform_account_workflow_development: + # name: TF Plan Dev Account + # uses: ./.github/workflows/terraform_account_job.yml + # with: + # workspace_name: development + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + + # terraform_account_workflow_preproduction: + # name: TF Plan Preprod Account + # needs: terraform_account_workflow_development + # uses: ./.github/workflows/terraform_account_job.yml + # with: + # workspace_name: preproduction + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + + # terraform_account_workflow_production: + # name: TF Plan Prod Account + # needs: terraform_account_workflow_development + # uses: ./.github/workflows/terraform_account_job.yml + # with: + # workspace_name: production + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # 
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + + # ui_tests_image: + # name: Run Cypress UI Tests On Images + # if: needs.detect_changes.outputs.changes_detected == 'true' && + # (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') + # uses: ./.github/workflows/ui_test_job.yml + # needs: [docker_build_scan_push, create_tags] + # with: + # run_against_image: true + # tag: ${{ needs.create_tags.outputs.version_tag }} + # skip: ${{ contains(fromJSON('["weblate-pr"]'), github.head_ref) }} + # matrixSpecs: '["cypress/e2e/donor/*","cypress/e2e/attorney/*,cypress/e2e/certificate-provider/*,cypress/e2e/accessibility/*,cypress/e2e/dev-features.cy.js,cypress/e2e/error-pages.cy.js"]' + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + # cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} + # github_access_token: ${{ secrets.GITHUB_TOKEN }} + + # pr_deploy: + # name: PR Environment Deploy + # if: always() && + # (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') && + # (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') && + # (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped') + # needs: [ + # create_tags, + # go_unit_tests, + # docker_build_scan_push, + # ui_tests_image + # ] + # uses: ./.github/workflows/terraform_environment_job.yml + # with: + # workspace_name: ${{ needs.create_tags.outputs.environment_workspace_name }} + # version_tag: ${{ needs.create_tags.outputs.version_tag }} + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + # ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }} + # github_access_token: ${{ secrets.GITHUB_TOKEN }} + # pagerduty_api_key: ${{ 
secrets.PAGERDUTY_API_KEY }} + + # ui_tests_pr_env: + # name: Run Cypress UI Tests On PR Environment + # if: always() && + # needs.pr_deploy.result == 'success' + # uses: ./.github/workflows/ui_test_job.yml + # needs: [pr_deploy, create_tags] + # with: + # run_against_image: false + # base_url: "https://${{ needs.pr_deploy.outputs.url }}" + # tag: ${{ needs.create_tags.outputs.version_tag }} + # environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} + # matrixSpecs: '["cypress/e2e/donor/start.cy.js,cypress/e2e/smoke/external.cy.js"]' + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + # cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} + # github_access_token: ${{ secrets.GITHUB_TOKEN }} + + # always_remove_ingress: + # name: Remove CI ingress from environment + # if: always() + # uses: ./.github/workflows/remove_ingress_job.yml + # needs: [ui_tests_pr_env, pr_deploy] + # with: + # environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + + # end_of_pr_workflow: + # name: End of PR Workflow + # runs-on: ubuntu-latest + # if: always() + # environment: + # name: "dev_${{ needs.create_tags.outputs.environment_workspace_name }}" + # url: "https://${{ needs.pr_deploy.outputs.url }}" + # needs: [pr_deploy, create_tags, ui_tests_pr_env] + # steps: + # - name: End of PR Workflow + # run: | + # echo "${{ needs.pr_deploy.outputs.terraform_workspace_name }} PR environment tested, built and deployed" + # echo "Tag Deployed: ${{ needs.pr_deploy.outputs.terraform_container_version }}" + # echo "URL: https://${{ needs.pr_deploy.outputs.url }}" + + # if ${{ contains(needs.ui_tests_pr_env.result,'success') }} + # then + # echo "PR environment tested, built and deployed" + # exit 0 + # 
else + # echo "PR environment tested, built and deployed but UI tests failed" + # exit 1 + # fi From e0b5a635cadbbaf30c03c4d16fdcaa94b3cddb86 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 11:55:19 +0000 Subject: [PATCH 03/46] create tag and build image --- .github/workflows/workflow_pr.yml | 33 ++++++++++++++++--------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml index 2fef244a51..dbf9690012 100644 --- a/.github/workflows/workflow_pr.yml +++ b/.github/workflows/workflow_pr.yml 
@@ -32,27 +32,28 @@ jobs: needs: detect_changes uses: ./.github/workflows/tags_job.yml with: - changes_detected: ${{ needs.detect_changes.outputs.changes_detected }} - - go_unit_tests: - name: Run Go unit tests - if: needs.detect_changes.outputs.changes_detected == 'true' - needs: create_tags - uses: ./.github/workflows/go-unit-tests.yml - with: - tag: ${{ needs.create_tags.outputs.version_tag }} - commit_sha: ${{ github.event.pull_request.head.sha }} - branch: ${{ github.head_ref }} - secrets: - pact_broker_password: ${{ secrets.PACT_BROKER_PASSWORD }} + changes_detected: true + # changes_detected: ${{ needs.detect_changes.outputs.changes_detected }} + + # go_unit_tests: + # name: Run Go unit tests + # if: needs.detect_changes.outputs.changes_detected == 'true' + # needs: create_tags + # uses: ./.github/workflows/go-unit-tests.yml + # with: + # tag: ${{ needs.create_tags.outputs.version_tag }} + # commit_sha: ${{ github.event.pull_request.head.sha }} + # branch: ${{ github.head_ref }} + # secrets: + # pact_broker_password: ${{ secrets.PACT_BROKER_PASSWORD }} docker_build_scan_push: name: Docker Build, Scan and Push - if: needs.detect_changes.outputs.changes_detected == 'true' && - (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') + # if: needs.detect_changes.outputs.changes_detected == 'true' && + # (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') uses: ./.github/workflows/docker_job.yml needs: [ - go_unit_tests, + # go_unit_tests, create_tags ] with: From f43aec4f3e5f74a6fc84c0d59222a56bc6bb6527 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 11:59:27 +0000 Subject: [PATCH 04/46] don't specify version of buildx for now --- .github/workflows/docker_job.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index 561ad95408..8081836be7 100644 --- a/.github/workflows/docker_job.yml 
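Review bot: `docker_build_scan_push` loses both its `if:` and its `needs: go_unit_tests` entry, so images are built and pushed to ECR on every PR run regardless of test outcome, and `create_tags` is fed a hard-coded `changes_detected: true` that bypasses `detect_changes` altogether. If this is a temporary shortcut, mark both sites with a `# TODO` so they are not merged as-is; otherwise restore the gate as `if: needs.detect_changes.outputs.changes_detected == 'true'` on the job. Note also that the literal `true` is a YAML boolean where the previous expression produced the string `'true'`; whether `tags_job.yml` declares that input as `string` or `boolean` is outside this hunk, and a type mismatch there is rejected when the workflow is parsed. The `docker_build_scan_push` definition continues past the end of the hunk.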
+++ b/.github/workflows/docker_job.yml
@@ -47,8 +47,8 @@ jobs:
 uses: docker/setup-qemu-action@v3.0.0
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3.0.0
- with:
- version: v0.12.0
+ # with:
+ # version: v0.12.0
 - name: Build ${{ matrix.ecr_repository }} Image
 id: build_image
From 8581112e0a31a065cfa685aee8a8a69febb572c1 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 12:03:18 +0000
Subject: [PATCH 05/46] build with buildx
---
 .github/workflows/docker_job.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 8081836be7..32c35bf1a8 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -53,7 +53,7 @@ jobs:
 - name: Build ${{ matrix.ecr_repository }} Image
 id: build_image
 run: |
- docker build -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} .
+ docker buildx build -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} .
 - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
 id: trivy_scan
 uses: aquasecurity/trivy-action@0.14.0
From 38459a435c098e4fd4fd3b9f39a7cf1b01d7be7c Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 12:08:54 +0000
Subject: [PATCH 06/46] include platform
---
 .github/workflows/docker_job.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 32c35bf1a8..5bfd79fc99 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
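Review bot: Switching the step to `docker buildx build` without `--load` means that, with the docker-container builder created by `setup-buildx-action` earlier in the job, the result stays in the builder's cache and is not imported into the runner's Docker image store, so the Trivy step that follows (its `image-ref` is outside this hunk) and the later `docker tag`/`docker push` see no such image. Add the flag on the rewritten line: `docker buildx build --load -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} .`. The next patch in the series (PATCH 06) adds `--platform linux/amd64,linux/arm64` to this same command, and `--load` cannot import a multi-platform result into the classic image store, so that hunk needs either a single-platform local build for the scan or a scan that targets the pushed image instead.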
@@ -53,7 +53,9 @@ jobs:
 - name: Build ${{ matrix.ecr_repository }} Image
 id: build_image
 run: |
- docker buildx build -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} .
+ docker buildx build \
+ --platform linux/amd64,linux/arm64 \
+ -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} .
 - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
 id: trivy_scan
 uses: aquasecurity/trivy-action@0.14.0
From 587e82dadafe6e17f2b3560fad4a23d517acecdf Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 12:27:59 +0000
Subject: [PATCH 07/46] skip trivvy scan for now
---
 .github/workflows/docker_job.yml | 28 ++++++++++++++--------------
 docker/mlpa/Dockerfile | 2 +-
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 5bfd79fc99..5dc203c45c 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -56,20 +56,20 @@ jobs: docker buildx build \ --platform linux/amd64,linux/arm64 \ -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} . - - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} - id: trivy_scan - uses: aquasecurity/trivy-action@0.14.0 - with: - image-ref: ${{ matrix.ecr_repository }}:latest - severity: 'HIGH,CRITICAL' - format: 'sarif' - output: 'trivy-results.sarif' - - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }} - id: trivy_upload_sarif - uses: github/codeql-action/upload-sarif@v2 - if: always() - with: - sarif_file: 'trivy-results.sarif' + # - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} + # id: trivy_scan + # uses: aquasecurity/trivy-action@0.14.0 + # with: + # image-ref: ${{ matrix.ecr_repository }}:latest + # severity: 'HIGH,CRITICAL' + # format: 'sarif' + # output: 'trivy-results.sarif' + # - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }} + # id: trivy_upload_sarif + # uses: github/codeql-action/upload-sarif@v2 + # if: always() + # with: + # sarif_file: 'trivy-results.sarif' - uses: unfor19/install-aws-cli-action@v1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4.0.1 diff --git a/docker/mlpa/Dockerfile b/docker/mlpa/Dockerfile index 7e2f59379b..5e5c2e452b 100644 --- a/docker/mlpa/Dockerfile +++ b/docker/mlpa/Dockerfile @@ -1,6 +1,6 @@ FROM golang:1.21.4-alpine as base -ARG ARCH=amd64 +ARG ARCH= WORKDIR /app From 21005d73b2b2e6ae52ea33ff28341666c8fe7236 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 12:37:16 +0000 Subject: [PATCH 08/46] use buildx build arguments --- docker/mlpa/Dockerfile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docker/mlpa/Dockerfile b/docker/mlpa/Dockerfile index 5e5c2e452b..4b167639f5 100644 --- a/docker/mlpa/Dockerfile +++ b/docker/mlpa/Dockerfile 
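Review bot: Commenting out the Trivy scan and the SARIF upload while the ECR login and push steps further down stay active means images reach ECR with no HIGH/CRITICAL gate and nothing lands in the Security tab; the subject says "for now", but nothing in the file records that. Replace the bare block comment with something the next reader can act on, e.g. `# TODO: scan disabled because the multi-platform buildx result is not in the local image store; restore once the scan runs against a loaded single-platform build or the pushed image`, or keep the scan and point `image-ref` at a single-platform `--load` build. In the Dockerfile hunk of this patch, `ARG ARCH=` leaves `GOARCH=` empty in the two `go` lines outside the hunk, so the Go toolchain silently falls back to its host default — presumably a stop-gap ahead of the next patch, but worth a one-line comment if it is meant to stay.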
@@ -1,7 +1,5 @@
 FROM golang:1.21.4-alpine as base
-ARG ARCH=
-
 WORKDIR /app
 FROM node:18.16.0-alpine3.16 as asset-env
@@ -26,7 +24,7 @@ COPY internal ./internal
 COPY --from=asset-env /app/web/static web/static
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go install github.com/cosmtrek/air@latest && go install github.com/go-delve/delve/cmd/dlv@latest
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETPLATFORM} go install github.com/cosmtrek/air@latest && go install github.com/go-delve/delve/cmd/dlv@latest
 ENTRYPOINT ["air"]
@@ -42,7 +40,7 @@ RUN go mod download
 COPY cmd/mlpa ./cmd/mlpa
 COPY internal ./internal
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -ldflags="-X main.Tag=${TAG}" -o /go/bin/mlpab ./cmd/mlpa
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETPLATFORM} go build -ldflags="-X main.Tag=${TAG}" -o /go/bin/mlpab ./cmd/mlpa
 FROM alpine:3.18.5 as production
From 309f63d40920f04d2b56c7bba23e8429ba3e0eb2 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 13:43:14 +0000
Subject: [PATCH 09/46] tag for pr and path to live with push
---
 .github/workflows/docker_job.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 5dc203c45c..22b0627362 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
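Review bot: `GOARCH=${TARGETPLATFORM}` in the two rewritten `RUN` lines does not give Go a valid architecture: BuildKit's automatic `TARGETPLATFORM` is the `os/arch[/variant]` triple such as `linux/arm64`, and it is only visible inside a stage if that stage redeclares it, which no `ARG` line in these hunks does, so as written the variable expands to empty and the build silently falls back to the toolchain's host default rather than the requested platform. The idiomatic form is the per-architecture automatic arg: add `ARG TARGETARCH` after each `FROM` that runs Go and write `GOARCH=${TARGETARCH}` (optionally `GOOS=${TARGETOS}` with a matching `ARG TARGETOS`). The third hunk has the same issue as the second; both `go` invocations need the same change.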
@@ -89,9 +89,16 @@ jobs: ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} ECR_REPOSITORY: ${{ matrix.ecr_repository }} run: | - docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} if ${{ github.workflow == 'Path To Live' }}; then - docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest - docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} + docker buildx build \ + --push \ + --platform linux/amd64,linux/arm64 \ + -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ + --build-arg TAG=${{inputs.tag}} + else + docker buildx build \ + --push \ + --platform linux/amd64,linux/arm64 \ + -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \ + --build-arg TAG=${{inputs.tag}} fi - docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY From 3d4c749becad42ed2fbebb1bb2342f442b77a398 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 13:53:02 +0000 Subject: [PATCH 10/46] add missing path --- .github/workflows/docker_job.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index 22b0627362..891097bc59 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml @@ -94,11 +94,11 @@ jobs: --push \ --platform linux/amd64,linux/arm64 \ -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ - --build-arg TAG=${{inputs.tag}} + --build-arg TAG=${{inputs.tag}} . else docker buildx build \ --push \ --platform linux/amd64,linux/arm64 \ -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \ - --build-arg TAG=${{inputs.tag}} + --build-arg TAG=${{inputs.tag}} . fi From 6b75d5c15fbd8bf103de6df6f18ea44c3790eabb Mon Sep 17 00:00:00 2001 
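Review bot: The two `docker buildx build --push` branches of the new script differ only in their `-t` list, and each is a fresh build rather than a push of the image built and scanned earlier in the job, so what reaches ECR is not the artefact the (currently disabled) Trivy step looked at; even with the builder cache making the layers identical in practice, the scan-then-push chain is no longer a single image. Collecting the tags in a shell variable and running one build keeps the branch logic while halving the duplicated flags, and makes it easier later to push by digest what was scanned. The step's `name:` and the `env:` block begin before the hunk.
```yaml
        run: |
          TAGS="-t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }}"
          if ${{ github.workflow == 'Path To Live' }}; then
            TAGS="-t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest"
          fi
          docker buildx build --push --platform linux/amd64,linux/arm64 $TAGS \
            -f ${{ matrix.path }} --build-arg TAG=${{inputs.tag}} .
```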
From: Andrew Pearce Date: Tue, 5 Dec 2023 15:04:27 +0000 Subject: [PATCH 11/46] add build arg for push --- .github/workflows/docker_job.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index 891097bc59..fc8bed15e4 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml @@ -94,11 +94,11 @@ jobs: --push \ --platform linux/amd64,linux/arm64 \ -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ - --build-arg TAG=${{inputs.tag}} . + --build-arg TAG=${{inputs.tag}} --build-arg TAG=${{inputs.tag}} . else docker buildx build \ --push \ --platform linux/amd64,linux/arm64 \ -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \ - --build-arg TAG=${{inputs.tag}} . + --build-arg TAG=${{inputs.tag}} --build-arg TAG=${{inputs.tag}} . fi From 2aa31696ad996acaf97f5dd5bc19e1139734afc8 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 15:17:17 +0000 Subject: [PATCH 12/46] use ci role instead of oidc role --- .github/workflows/docker_job.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index fc8bed15e4..fcaaef36c2 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml 
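Review bot: Both rewritten lines now pass `--build-arg TAG=${{inputs.tag}}` twice; the second occurrence overrides the first with the same value, so the commit titled "add build arg for push" changes nothing at build time and reads as if a different argument was intended. Either drop the duplicate (`--build-arg TAG=${{inputs.tag}} .`) or name the argument the push build actually needs. The `run:` script these lines belong to starts and ends outside the hunk.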
@@ -71,13 +71,21 @@ jobs: # with: # sarif_file: 'trivy-results.sarif' - uses: unfor19/install-aws-cli-action@v1 - - name: Configure AWS Credentials + # - name: Configure AWS Credentials + # uses: aws-actions/configure-aws-credentials@v4.0.1 + # with: + # aws-region: eu-west-1 + # role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ecr-push + # role-duration-seconds: 900 + # role-session-name: GithubActionsECRPushMLPAB + - name: Configure AWS Credentials For Terraform uses: aws-actions/configure-aws-credentials@v4.0.1 with: + aws-access-key-id: ${{ secrets.aws_access_key_id }} + aws-secret-access-key: ${{ secrets.aws_secret_access_key }} aws-region: eu-west-1 - role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ecr-push - role-duration-seconds: 900 - role-session-name: GithubActionsECRPushMLPAB + role-duration-seconds: 3600 + role-session-name: OPGModernisingLPATerraformGithubAction - name: ECR Login id: login_ecr uses: aws-actions/amazon-ecr-login@v1.7.1 From 0d8b2066b365722843fb979b77d6de2cdefa2d23 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 15:26:50 +0000 Subject: [PATCH 13/46] put platforms in buildx builder setup: --- .github/workflows/docker_job.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index fcaaef36c2..8a38ef6a1f 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml 
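Review bot: The new `Configure AWS Credentials For Terraform` step replaces the OIDC `role-to-assume` login with long-lived `aws-access-key-id`/`aws-secret-access-key` repository secrets and raises `role-duration-seconds` from 900 to 3600, which is a step backwards for an ECR push job: static keys have no per-run identity and are the thing the OIDC role was introduced to avoid. If the role was missing a permission the `buildx --push` flow needs, the fix belongs in that role's policy rather than in the credential type. PATCH 14 later in this series restores the role-based login, so this commit is best dropped or squashed so the static-key configuration never appears in history.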
@@ -47,14 +47,14 @@ jobs: uses: docker/setup-qemu-action@v3.0.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3.0.0 - # with: - # version: v0.12.0 + with: + version: v0.12.0 + platforms: linux/amd64,linux/arm64 - name: Build ${{ matrix.ecr_repository }} Image id: build_image run: | docker buildx build \ - --platform linux/amd64,linux/arm64 \ -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} . # - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} # id: trivy_scan @@ -100,13 +100,11 @@ jobs: if ${{ github.workflow == 'Path To Live' }}; then docker buildx build \ --push \ - --platform linux/amd64,linux/arm64 \ -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ --build-arg TAG=${{inputs.tag}} --build-arg TAG=${{inputs.tag}} . else docker buildx build \ --push \ - --platform linux/amd64,linux/arm64 \ -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \ --build-arg TAG=${{inputs.tag}} --build-arg TAG=${{inputs.tag}} . fi From 3c9eec63a98b93d6c6a4134d85713ff76cbc3576 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 15:27:38 +0000 Subject: [PATCH 14/46] put oidc creds back --- .github/workflows/docker_job.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index 8a38ef6a1f..1df63e72ae 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml 
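Review bot: Moving `linux/amd64,linux/arm64` from `--platform` on the build commands to the `platforms:` input of `setup-buildx-action` changes what gets built, not just where the list lives: as far as I know that input declares which platforms the builder node advertises (it feeds `docker buildx create --platform`), while `docker buildx build` with no `--platform` still builds only for the runner's native platform, so the images pushed in the second hunk become single-architecture. Keep `--platform linux/amd64,linux/arm64 \` on the two push builds (and on the scan build if it is meant to be multi-arch), or move to `docker/build-push-action` and set its `platforms:` input. The `run:` scripts in both hunks start outside the hunk.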
@@ -71,21 +71,13 @@ jobs: # with: # sarif_file: 'trivy-results.sarif' - uses: unfor19/install-aws-cli-action@v1 - # - name: Configure AWS Credentials - # uses: aws-actions/configure-aws-credentials@v4.0.1 - # with: - # aws-region: eu-west-1 - # role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ecr-push - # role-duration-seconds: 900 - # role-session-name: GithubActionsECRPushMLPAB - - name: Configure AWS Credentials For Terraform + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4.0.1 with: - aws-access-key-id: ${{ secrets.aws_access_key_id }} - aws-secret-access-key: ${{ secrets.aws_secret_access_key }} aws-region: eu-west-1 - role-duration-seconds: 3600 - role-session-name: OPGModernisingLPATerraformGithubAction + role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ecr-push + role-duration-seconds: 900 + role-session-name: GithubActionsECRPushMLPAB - name: ECR Login id: login_ecr uses: aws-actions/amazon-ecr-login@v1.7.1 From 43b4dd4563c8996d732733c6377b53176ee56845 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 16:37:16 +0000 Subject: [PATCH 15/46] build and push with action --- .github/workflows/docker_job.yml | 76 +++++++++++++++++++++++--------- 1 file changed, 55 insertions(+), 21 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index 1df63e72ae..d09a21becd 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml 
@@ -51,11 +51,21 @@ jobs: version: v0.12.0 platforms: linux/amd64,linux/arm64 - - name: Build ${{ matrix.ecr_repository }} Image - id: build_image - run: | - docker buildx build \ - -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} . + # - name: Build ${{ matrix.ecr_repository }} Image + # uses: docker/build-push-action@v5.1.0 + # with: + # context: . + # file: ${{ matrix.path }} + # push: false + # tags: | + # ${{ matrix.ecr_repository }}:${{ inputs.tag }} + # build-args: | + # TAG=${{inputs.tag}} + + # id: build_image + # run: | + # docker buildx build \ + # -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} . # - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} # id: trivy_scan # uses: aquasecurity/trivy-action@0.14.0 @@ -70,6 +80,7 @@ jobs: # if: always() # with: # sarif_file: 'trivy-results.sarif' + - uses: unfor19/install-aws-cli-action@v1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4.0.1 
@@ -84,19 +95,42 @@ jobs: with: mask-password: true registries: 311462405659 - - name: Push ${{ matrix.ecr_repository }} Image to ECR - env: - ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} - ECR_REPOSITORY: ${{ matrix.ecr_repository }} - run: | - if ${{ github.workflow == 'Path To Live' }}; then - docker buildx build \ - --push \ - -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ - --build-arg TAG=${{inputs.tag}} --build-arg TAG=${{inputs.tag}} . - else - docker buildx build \ - --push \ - -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \ - --build-arg TAG=${{inputs.tag}} --build-arg TAG=${{inputs.tag}} . - fi + - name: Push ${{ matrix.ecr_repository }} Image to ECR for PR + if: ${{ github.workflow != 'Path To Live' }} + uses: docker/build-push-action@v5.1.0 + with: + context: . + file: ${{ matrix.path }} + push: true + tags: | + ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }} + build-args: | + TAG=${{inputs.tag}} + + - name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live + if: ${{ github.workflow == 'Path To Live' }} + uses: docker/build-push-action@v5.1.0 + with: + context: . + file: ${{ matrix.path }} + push: true + tags: | + ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:main-${{ inputs.tag }} + ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest + build-args: | + TAG=${{inputs.tag}} + # env: + # ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} + # ECR_REPOSITORY: ${{ matrix.ecr_repository }} + # run: | + # if ${{ github.workflow == 'Path To Live' }}; then + # docker buildx build \ + # --push \ + # -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ + # --build-arg TAG=${{inputs.tag}} . 
+ # else + # docker buildx build \ + # --push \ + # -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \ + # --build-arg TAG=${{inputs.tag}} . + # fi From 28119dbde3c4a9b93257d61cd053fa8a7e35ee8e Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 16:42:23 +0000 Subject: [PATCH 16/46] turn off provinence --- .github/workflows/docker_job.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index d09a21becd..321ed66151 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml @@ -106,6 +106,7 @@ jobs: ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }} build-args: | TAG=${{inputs.tag}} + provenance: false - name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live if: ${{ github.workflow == 'Path To Live' }} @@ -119,6 +120,7 @@ jobs: ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest build-args: | TAG=${{inputs.tag}} + provenance: false # env: # ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} # ECR_REPOSITORY: ${{ matrix.ecr_repository }} From 6b43d6f7bb5ae395dfbc9241a04c3520dadfcaa0 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 16:50:01 +0000 Subject: [PATCH 17/46] restore pushless build to support image scanning --- .github/workflows/docker_job.yml | 35 +++++++++----------------------- 1 file changed, 10 insertions(+), 25 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index 321ed66151..5bd31c04fc 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml 
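Review bot: Neither `docker/build-push-action` step sets `platforms:`, so with the action's defaults each pushes an image for the runner's platform only, even though the builder two steps earlier was set up for `linux/amd64,linux/arm64`; add `platforms: linux/amd64,linux/arm64` under `with:` on both push steps. Since the two steps differ only in `if:` and `tags:`, computing the tag list once (a small `run:` step writing to `$GITHUB_OUTPUT`, or `docker/metadata-action`) and keeping a single push step would remove the duplication. The roughly twenty lines of the old `run:` script left as a trailing comment should go now that the action replaces it.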
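Review bot: `provenance: false` on both push steps switches off the SLSA provenance attestation that `build-push-action` v5 attaches by default, and the commit gives no reason, so a later reader cannot tell a workaround from a policy of shipping unattested images. If the attestation manifest in the image index was what a downstream consumer (ECR, ECS, a scanner) rejected, say so next to the setting, e.g. `provenance: false # TODO: attestation manifest not accepted downstream; re-enable once supported`, and revisit `provenance`/`sbom` when the consumer catches up. The second hunk needs the same comment as the first.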
@@ -51,16 +51,16 @@ jobs:
 version: v0.12.0
 platforms: linux/amd64,linux/arm64
- # - name: Build ${{ matrix.ecr_repository }} Image
- # uses: docker/build-push-action@v5.1.0
- # with:
- # context: .
- # file: ${{ matrix.path }}
- # push: false
- # tags: |
- # ${{ matrix.ecr_repository }}:${{ inputs.tag }}
- # build-args: |
- # TAG=${{inputs.tag}}
+ - name: Build ${{ matrix.ecr_repository }} Image
+ uses: docker/build-push-action@v5.1.0
+ with:
+ context: .
+ file: ${{ matrix.path }}
+ push: false
+ tags: |
+ ${{ matrix.ecr_repository }}:${{ inputs.tag }}
+ build-args: |
+ TAG=${{inputs.tag}}
 # id: build_image
 # run: |
@@ -121,18 +121,3 @@ jobs:
 build-args: |
 TAG=${{inputs.tag}}
 provenance: false
- # env:
- # ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
- # ECR_REPOSITORY: ${{ matrix.ecr_repository }}
- # run: |
- # if ${{ github.workflow == 'Path To Live' }}; then
- # docker buildx build \
- # --push \
- # -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \
- # --build-arg TAG=${{inputs.tag}} .
- # else
- # docker buildx build \
- # --push \
- # -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \
- # --build-arg TAG=${{inputs.tag}} .
- # fi
From 9664cbd7f6d2f4a3b2fa7225c785f1476b633305 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 16:56:41 +0000
Subject: [PATCH 18/46] restore pushless build to support image scanning
---
 .github/workflows/docker_job.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 5bd31c04fc..88e167ff30 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
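Review bot: The restored build step sets `push: false` but neither `load: true` nor an `outputs:` export, so with the docker-container builder configured just above it (`version: v0.12.0`, `platforms: linux/amd64,linux/arm64`) the result stays in the builder cache and the `${{ matrix.ecr_repository }}:${{ inputs.tag }}` tag is not visible to later steps on the runner. Later patches in this series work around that (`outputs: image`, then `load: true`), so consider squashing them into this one so every commit builds a scannable image. Note that `load` can only export a single platform, so whatever the scanner sees is the runner's native architecture; if the push steps ever build other platforms, those variants are not covered by the scan.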
@@ -62,10 +62,6 @@ jobs:
 build-args: |
 TAG=${{inputs.tag}}
- # id: build_image
- # run: |
- # docker buildx build \
- # -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} .
 # - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
 # id: trivy_scan
 # uses: aquasecurity/trivy-action@0.14.0
From b460ff6825305926e999e14c5bdc696b06999143 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 16:59:51 +0000
Subject: [PATCH 19/46] add scannign steps back in
---
 .github/workflows/docker_job.yml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 88e167ff30..09fd3a6eb9 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -62,20 +62,20 @@ jobs:
 build-args: |
 TAG=${{inputs.tag}}
- # - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
- # id: trivy_scan
- # uses: aquasecurity/trivy-action@0.14.0
- # with:
- # image-ref: ${{ matrix.ecr_repository }}:latest
- # severity: 'HIGH,CRITICAL'
- # format: 'sarif'
- # output: 'trivy-results.sarif'
- # - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }}
- # id: trivy_upload_sarif
- # uses: github/codeql-action/upload-sarif@v2
- # if: always()
- # with:
- # sarif_file: 'trivy-results.sarif'
+ - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
+ id: trivy_scan
+ uses: aquasecurity/trivy-action@0.14.0
+ with:
+ image-ref: ${{ matrix.ecr_repository }}:${{ inputs.tag }}
+ severity: 'HIGH,CRITICAL'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }}
+ id: trivy_upload_sarif
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
 - uses: unfor19/install-aws-cli-action@v1
 - name: Configure AWS Credentials
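Review bot: The restored Trivy step scans for `HIGH,CRITICAL` but sets no `exit-code`, so findings are only written to `trivy-results.sarif` and the job proceeds to the push steps below; if the scan is meant to gate publication, add `exit-code: '1'` (and optionally `ignore-unfixed: true` to keep the gate actionable) under `with:`. The SARIF upload through `github/codeql-action/upload-sarif@v2` requires `security-events: write` on the job, which is outside this hunk — worth confirming in the job's `permissions:` block, otherwise the `if: always()` upload fails silently on every run. Both actions are pinned by tag (`@0.14.0`, `@v2`); a full commit SHA with a version comment is the safer pin for steps in the release path.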
From 9f5f76678f3898d677fdabb6785510de20315ee2 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 17:05:53 +0000
Subject: [PATCH 20/46] output an image for docker usage
---
 .github/workflows/docker_job.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 09fd3a6eb9..962faef343 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -61,6 +61,7 @@ jobs:
 ${{ matrix.ecr_repository }}:${{ inputs.tag }}
 build-args: |
 TAG=${{inputs.tag}}
+ outputs: image
 - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
 id: trivy_scan
From c4a40cbb7b960649ae6fb6d55b91a7455d8770ae Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 17:11:20 +0000
Subject: [PATCH 21/46] load for testing
---
 .github/workflows/docker_job.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 962faef343..a029b74945 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -57,11 +57,11 @@ jobs:
 context: .
 file: ${{ matrix.path }}
 push: false
+ load: true
 tags: |
 ${{ matrix.ecr_repository }}:${{ inputs.tag }}
 build-args: |
 TAG=${{inputs.tag}}
- outputs: image
 - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
 id: trivy_scan
From 46ec6ad70d1b929e7b37d03ab058bcf512fda180 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 17:15:41 +0000
Subject: [PATCH 22/46] run ui test on images from ECR
---
 .github/workflows/workflow_pr.yml | 32 +++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml
index dbf9690012..d68d9fe0d2 100644
--- a/.github/workflows/workflow_pr.yml
+++ b/.github/workflows/workflow_pr.yml
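Review bot: With `load: true` the image Trivy scans is the locally exported build, while the push steps later in the file rebuild from the same context, so the artefact that reaches ECR is the scanned one only by cache coincidence rather than by identity. A tighter chain is to build and push once, then scan by digest — `docker/build-push-action` exposes `steps.<id>.outputs.digest`, and Trivy accepts `<registry>/<repo>@<digest>` as `image-ref` — and apply the `latest`/`main-` tags only after the scan passes. Whether that fits the PR-vs-Path-To-Live split is a design call for the authors; I am flagging the gap between "scanned" and "published", not prescribing the shape.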
@@ -88,22 +88,22 @@ jobs: # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - # ui_tests_image: - # name: Run Cypress UI Tests On Images - # if: needs.detect_changes.outputs.changes_detected == 'true' && - # (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') - # uses: ./.github/workflows/ui_test_job.yml - # needs: [docker_build_scan_push, create_tags] - # with: - # run_against_image: true - # tag: ${{ needs.create_tags.outputs.version_tag }} - # skip: ${{ contains(fromJSON('["weblate-pr"]'), github.head_ref) }} - # matrixSpecs: '["cypress/e2e/donor/*","cypress/e2e/attorney/*,cypress/e2e/certificate-provider/*,cypress/e2e/accessibility/*,cypress/e2e/dev-features.cy.js,cypress/e2e/error-pages.cy.js"]' - # secrets: - # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - # cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} - # github_access_token: ${{ secrets.GITHUB_TOKEN }} + ui_tests_image: + name: Run Cypress UI Tests On Images + if: needs.detect_changes.outputs.changes_detected == 'true' && + (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') + uses: ./.github/workflows/ui_test_job.yml + needs: [docker_build_scan_push, create_tags] + with: + run_against_image: true + tag: ${{ needs.create_tags.outputs.version_tag }} + skip: ${{ contains(fromJSON('["weblate-pr"]'), github.head_ref) }} + matrixSpecs: '["cypress/e2e/donor/*","cypress/e2e/attorney/*,cypress/e2e/certificate-provider/*,cypress/e2e/accessibility/*,cypress/e2e/dev-features.cy.js,cypress/e2e/error-pages.cy.js"]' + secrets: + aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} + github_access_token: ${{ 
secrets.GITHUB_TOKEN }} # pr_deploy: # name: PR Environment Deploy From 04dd3876ccf619475df36ab8637e688061545bbd Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 17:24:05 +0000 Subject: [PATCH 23/46] multiarch builds for event-received and mock-onelogin --- .github/workflows/docker_job.yml | 8 ++++---- docker/event-received/Dockerfile | 2 +- docker/mlpa/Dockerfile | 22 +++++++++++----------- docker/mock-onelogin/Dockerfile | 2 +- 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index a029b74945..7546879c83 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml @@ -32,10 +32,10 @@ jobs: path: ./docker/mlpa/Dockerfile # - ecr_repository: modernising-lpa/create-s3-batch-replication-job # path: ./lambda/create_s3_replication_job/Dockerfile - # - ecr_repository: modernising-lpa/event-received - # path: ./docker/event-received/Dockerfile - # - ecr_repository: modernising-lpa/mock-onelogin - # path: ./docker/mock-onelogin/Dockerfile + - ecr_repository: modernising-lpa/event-received + path: ./docker/event-received/Dockerfile + - ecr_repository: modernising-lpa/mock-onelogin + path: ./docker/mock-onelogin/Dockerfile runs-on: ubuntu-latest name: ${{ matrix.ecr_repository }} steps: diff --git a/docker/event-received/Dockerfile b/docker/event-received/Dockerfile index 39ff69f34b..7793e56b2e 100644 --- a/docker/event-received/Dockerfile +++ b/docker/event-received/Dockerfile @@ -8,7 +8,7 @@ RUN go mod download COPY cmd/event-received ./cmd/event-received COPY internal ./internal -RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -tags lambda.norpc -o event-received ./cmd/event-received +RUN GOOS=linux GOARCH=${TARGETPLATFORM} CGO_ENABLED=0 go build -tags lambda.norpc -o event-received ./cmd/event-received FROM public.ecr.aws/lambda/provided:al2 AS dev diff --git a/docker/mlpa/Dockerfile b/docker/mlpa/Dockerfile index 4b167639f5..682db0f685 100644 
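Review bot: The restored `if:` on `ui_tests_image` reads `needs.detect_changes.outputs.changes_detected`, but `detect_changes` is not in the job's `needs: [docker_build_scan_push, create_tags]`; the `needs` context only carries the jobs a job depends on, so the expression most likely evaluates to empty and the job is skipped — consistent with the later "fix skipping conditions" patch commenting the condition out. The fix is to add the dependency, `needs: [detect_changes, docker_build_scan_push, create_tags]`, rather than drop the guard. This is inferred from the visible lines; the `detect_changes` job itself is outside the hunk.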
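Review bot: `GOARCH=${TARGETPLATFORM}` on the new `RUN go build` line in `docker/event-received/Dockerfile` does not give a multi-arch build: BuildKit's `TARGETPLATFORM` expands to a string such as `linux/arm64`, which is not a valid `GOARCH`, whereas `TARGETARCH` expands to `arm64`/`amd64`; the line should read `RUN GOOS=linux GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -tags lambda.norpc -o event-received ./cmd/event-received`. These automatic platform args are only populated inside a stage that redeclares them, so an `ARG TARGETARCH` is also needed after the build stage's `FROM` (outside this hunk — confirm); without it the variable is empty and Go silently falls back to the host architecture, which is probably why this has not failed so far. The same expression is introduced in `docker/mock-onelogin/Dockerfile` in this patch and already exists as a context line in `docker/mlpa/Dockerfile` (`@@ -34,11 +34,11 @@`).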
--- a/docker/mlpa/Dockerfile +++ b/docker/mlpa/Dockerfile @@ -6,21 +6,21 @@ FROM node:18.16.0-alpine3.16 as asset-env WORKDIR /app -COPY package.json yarn.lock ./ +COPY --link package.json yarn.lock ./ RUN yarn --prod -COPY web/assets web/assets +COPY --link web/assets web/assets RUN mkdir -p web/static && yarn build FROM base AS dev WORKDIR /app -COPY go.mod go.sum ./ +COPY --link go.mod go.sum ./ RUN go mod download -COPY cmd/mlpa ./cmd/mlpa -COPY internal ./internal +COPY --link cmd/mlpa ./cmd/mlpa +COPY --link internal ./internal COPY --from=asset-env /app/web/static web/static @@ -34,11 +34,11 @@ ARG TAG=v0.0.0 WORKDIR /app -COPY go.mod go.sum ./ +COPY --link go.mod go.sum ./ RUN go mod download -COPY cmd/mlpa ./cmd/mlpa -COPY internal ./internal +COPY --link cmd/mlpa ./cmd/mlpa +COPY --link internal ./internal RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETPLATFORM} go build -ldflags="-X main.Tag=${TAG}" -o /go/bin/mlpab ./cmd/mlpa @@ -46,11 +46,11 @@ FROM alpine:3.18.5 as production WORKDIR /go/bin -COPY web/robots.txt web/robots.txt +COPY --link web/robots.txt web/robots.txt COPY --from=asset-env /app/web/static web/static COPY --from=build-env /go/bin/mlpab mlpab -COPY web/template web/template -COPY lang lang +COPY --link web/template web/template +COPY --link lang lang RUN addgroup -S app && \ adduser -S -g app app && \ diff --git a/docker/mock-onelogin/Dockerfile b/docker/mock-onelogin/Dockerfile index 6487bef906..55b9912898 100644 --- a/docker/mock-onelogin/Dockerfile +++ b/docker/mock-onelogin/Dockerfile @@ -8,7 +8,7 @@ COPY go.mod go.sum ./ RUN go mod download COPY cmd/mock-onelogin ./cmd/mock-onelogin -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -o mock-onelogin ./cmd/mock-onelogin +RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETPLATFORM} go build -a -installsuffix cgo -o mock-onelogin ./cmd/mock-onelogin RUN addgroup --system app && \ adduser --system --gecos app app && \ 
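Review bot: `COPY --link` is a Dockerfile 1.4 frontend feature; unless `docker/mlpa/Dockerfile` carries a `# syntax=docker/dockerfile:1.4` (or later) directive on its first line — outside these hunks — the build depends on whichever frontend the builder bundles, and an older daemon or CI builder rejects the flag. Adding the directive makes the requirement explicit and pins the frontend image; the same applies to the `--link` hunks in `docker/event-received/Dockerfile` and `docker/mock-onelogin/Dockerfile` in the next patch. `--link` also changes layer semantics — the copied files no longer see earlier layers' state, e.g. ownership set by a prior `RUN` — which is fine for these plain source copies but worth a one-line comment at the first use, e.g. `# --link: copy into an independent layer for better cache reuse; must not depend on earlier layers`.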
From fcd24dc4bc5188324ecb9206846b2a37535e563b Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 17:34:43 +0000
Subject: [PATCH 24/46] use --link for local copying
---
 docker/event-received/Dockerfile | 12 ++++++------
 docker/mock-onelogin/Dockerfile | 4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/docker/event-received/Dockerfile b/docker/event-received/Dockerfile
index 7793e56b2e..029025e684 100644
--- a/docker/event-received/Dockerfile
+++ b/docker/event-received/Dockerfile
@@ -2,11 +2,11 @@ FROM golang:1.21.4-alpine as build
 WORKDIR /app
-COPY go.mod go.sum ./
+COPY --link go.mod go.sum ./
 RUN go mod download
-COPY cmd/event-received ./cmd/event-received
-COPY internal ./internal
+COPY --link cmd/event-received ./cmd/event-received
+COPY --link internal ./internal
 RUN GOOS=linux GOARCH=${TARGETPLATFORM} CGO_ENABLED=0 go build -tags lambda.norpc -o event-received ./cmd/event-received
@@ -15,8 +15,8 @@ FROM public.ecr.aws/lambda/provided:al2 AS dev
 WORKDIR /app
 COPY --from=build /app/event-received /var/task/event-received
-COPY lang ./lang
-COPY docker/event-received/aws-lambda-rie ./aws-lambda-rie
+COPY --link lang ./lang
+COPY --link docker/event-received/aws-lambda-rie ./aws-lambda-rie
 ENTRYPOINT ["./event-received"]
@@ -29,6 +29,6 @@ RUN curl -O https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/am
 rm -f lambda-insights-extension.rpm ;
 COPY --from=build /app/event-received ./event-received
-COPY lang ./lang
+COPY --link lang ./lang
 ENTRYPOINT ["./event-received"]
diff --git a/docker/mock-onelogin/Dockerfile b/docker/mock-onelogin/Dockerfile
index 55b9912898..4a0367a096 100644
--- a/docker/mock-onelogin/Dockerfile
+++ b/docker/mock-onelogin/Dockerfile
@@ -4,10 +4,10 @@ RUN apk --no-cache add openssl
 WORKDIR /app
-COPY go.mod go.sum ./
+COPY --link go.mod go.sum ./
 RUN go mod download
-COPY cmd/mock-onelogin ./cmd/mock-onelogin
+COPY --link cmd/mock-onelogin ./cmd/mock-onelogin
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETPLATFORM} go build -a -installsuffix cgo -o mock-onelogin ./cmd/mock-onelogin
 RUN addgroup --system app && \
From 0d90b410ac3a0bde1b5d18620eb78d6ade174390 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 17:35:44 +0000
Subject: [PATCH 25/46] use links
---
 lambda/create_s3_replication_job/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lambda/create_s3_replication_job/Dockerfile b/lambda/create_s3_replication_job/Dockerfile
index b036fec8d7..09dab2c3e8 100644
--- a/lambda/create_s3_replication_job/Dockerfile
+++ b/lambda/create_s3_replication_job/Dockerfile
@@ -24,9 +24,9 @@ ARG FUNCTION_DIR
 RUN mkdir -p ${FUNCTION_DIR}
 # Copy function code
-COPY lambda/create_s3_replication_job/src/main.py ${FUNCTION_DIR}
+COPY --link lambda/create_s3_replication_job/src/main.py ${FUNCTION_DIR}
-COPY lambda/create_s3_replication_job/src/requirements.txt requirements.txt
+COPY --link lambda/create_s3_replication_job/src/requirements.txt requirements.txt
 # Install the runtime interface client
 RUN python -m pip install --upgrade pip
From 9cb2184f2c87799aa6fe38148c0ac2ae4272e130 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 17:36:26 +0000
Subject: [PATCH 26/46] build python function too
---
 .github/workflows/docker_job.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 7546879c83..c73b011e5a 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -30,8 +30,8 @@ jobs:
 include:
 - ecr_repository: modernising-lpa/app
 path: ./docker/mlpa/Dockerfile
- # - ecr_repository: modernising-lpa/create-s3-batch-replication-job
- # path: ./lambda/create_s3_replication_job/Dockerfile
+ - ecr_repository: modernising-lpa/create-s3-batch-replication-job
+ path: ./lambda/create_s3_replication_job/Dockerfile
 - ecr_repository: modernising-lpa/event-received
 path: ./docker/event-received/Dockerfile
 - ecr_repository: modernising-lpa/mock-onelogin
From 7f80a50eb661d324b220af61a511ea2d7850e275 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 17:44:16 +0000
Subject: [PATCH 27/46] remove links
---
 lambda/create_s3_replication_job/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lambda/create_s3_replication_job/Dockerfile b/lambda/create_s3_replication_job/Dockerfile
index 09dab2c3e8..b036fec8d7 100644
--- a/lambda/create_s3_replication_job/Dockerfile
+++ b/lambda/create_s3_replication_job/Dockerfile
@@ -24,9 +24,9 @@ ARG FUNCTION_DIR
 RUN mkdir -p ${FUNCTION_DIR}
 # Copy function code
-COPY --link lambda/create_s3_replication_job/src/main.py ${FUNCTION_DIR}
+COPY lambda/create_s3_replication_job/src/main.py ${FUNCTION_DIR}
-COPY --link lambda/create_s3_replication_job/src/requirements.txt requirements.txt
+COPY lambda/create_s3_replication_job/src/requirements.txt requirements.txt
 # Install the runtime interface client
 RUN python -m pip install --upgrade pip
From d88ecfcf5bbe155aab992a027fcdcd8a26679bd9 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 17:53:40 +0000
Subject: [PATCH 28/46] deploy to aws
---
 .github/workflows/workflow_pr.yml | 80 +++++++++++++++----------------
 1 file changed, 40 insertions(+), 40 deletions(-)
diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml
index d68d9fe0d2..56e4566ac8 100644
--- a/.github/workflows/workflow_pr.yml
+++ b/.github/workflows/workflow_pr.yml
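Review bot: `--link` is reverted on the two `COPY` lines of `lambda/create_s3_replication_job/Dockerfile` without a comment, while every other Dockerfile in this series keeps it, so the next reader will most likely re-add it and hit the same problem. Whatever the cause was — I cannot tell from the hunk whether it was the `${FUNCTION_DIR}` destination prepared by the `RUN mkdir -p` just above, or the Lambda base image's build tooling — state it inline above the first `COPY`, e.g. `# no --link here: <reason placeholder>; see <commit placeholder>`, so the exception is deliberate rather than accidental drift.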
@@ -105,46 +105,46 @@ jobs: cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} github_access_token: ${{ secrets.GITHUB_TOKEN }} - # pr_deploy: - # name: PR Environment Deploy - # if: always() && - # (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') && - # (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') && - # (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped') - # needs: [ - # create_tags, - # go_unit_tests, - # docker_build_scan_push, - # ui_tests_image - # ] - # uses: ./.github/workflows/terraform_environment_job.yml - # with: - # workspace_name: ${{ needs.create_tags.outputs.environment_workspace_name }} - # version_tag: ${{ needs.create_tags.outputs.version_tag }} - # secrets: - # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - # ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }} - # github_access_token: ${{ secrets.GITHUB_TOKEN }} - # pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }} - - # ui_tests_pr_env: - # name: Run Cypress UI Tests On PR Environment - # if: always() && - # needs.pr_deploy.result == 'success' - # uses: ./.github/workflows/ui_test_job.yml - # needs: [pr_deploy, create_tags] - # with: - # run_against_image: false - # base_url: "https://${{ needs.pr_deploy.outputs.url }}" - # tag: ${{ needs.create_tags.outputs.version_tag }} - # environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} - # matrixSpecs: '["cypress/e2e/donor/start.cy.js,cypress/e2e/smoke/external.cy.js"]' - # secrets: - # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - # cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} - # github_access_token: ${{ secrets.GITHUB_TOKEN }} + pr_deploy: + name: PR Environment Deploy + if: always() && + 
(needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') && + (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') && + (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped') + needs: [ + create_tags, + go_unit_tests, + docker_build_scan_push, + ui_tests_image + ] + uses: ./.github/workflows/terraform_environment_job.yml + with: + workspace_name: ${{ needs.create_tags.outputs.environment_workspace_name }} + version_tag: ${{ needs.create_tags.outputs.version_tag }} + secrets: + aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }} + github_access_token: ${{ secrets.GITHUB_TOKEN }} + pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }} + + ui_tests_pr_env: + name: Run Cypress UI Tests On PR Environment + if: always() && + needs.pr_deploy.result == 'success' + uses: ./.github/workflows/ui_test_job.yml + needs: [pr_deploy, create_tags] + with: + run_against_image: false + base_url: "https://${{ needs.pr_deploy.outputs.url }}" + tag: ${{ needs.create_tags.outputs.version_tag }} + environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} + matrixSpecs: '["cypress/e2e/donor/start.cy.js,cypress/e2e/smoke/external.cy.js"]' + secrets: + aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} + github_access_token: ${{ secrets.GITHUB_TOKEN }} # always_remove_ingress: # name: Remove CI ingress from environment From 6f1e77f694b38bfb74936495452c13555092b453 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 5 Dec 2023 17:57:43 +0000 Subject: [PATCH 29/46] skip unit tests --- .github/workflows/workflow_pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
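Review bot: The restored `pr_deploy` and `ui_tests_pr_env` jobs hand long-lived `AWS_ACCESS_KEY_ID_ACTIONS`/`AWS_SECRET_ACCESS_KEY_ACTIONS` plus a private SSH deploy key to reusable workflows on every pull request; if the called workflows use `aws-actions/configure-aws-credentials`, the jobs can instead declare `permissions: { id-token: write, contents: read }` and assume a per-environment IAM role over OIDC, which removes the static credential from the repository and bounds what a PR run can reach. The `if: always() && needs.pr_deploy.result == 'success'` on `ui_tests_pr_env` is equivalent to the bare result check, since `'success'` already excludes cancellation; `always()` is only needed where a job must run after a failure. The called workflows are not visible here, so the OIDC suggestion is contingent on what they do with the secrets.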
diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml
index 56e4566ac8..5cf9798f18 100644
--- a/.github/workflows/workflow_pr.yml
+++ b/.github/workflows/workflow_pr.yml
@@ -113,7 +113,7 @@ jobs:
 (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped')
 needs: [
 create_tags,
- go_unit_tests,
+ # go_unit_tests,
 docker_build_scan_push,
 ui_tests_image
 ]
From 03a7b9e687823f2c3bad55c95f2e3f2ddc4028c2 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 18:04:35 +0000
Subject: [PATCH 30/46] fix skipping conditions
---
 .github/workflows/workflow_pr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml
index 5cf9798f18..1aa5c7e25d 100644
--- a/.github/workflows/workflow_pr.yml
+++ b/.github/workflows/workflow_pr.yml
@@ -90,8 +90,8 @@ jobs:
 ui_tests_image:
 name: Run Cypress UI Tests On Images
- if: needs.detect_changes.outputs.changes_detected == 'true' &&
- (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped')
+ # if: needs.detect_changes.outputs.changes_detected == 'true' &&
+ # (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped')
 uses: ./.github/workflows/ui_test_job.yml
 needs: [docker_build_scan_push, create_tags]
 with:
From 2e5b77aca1293c4c86242d9fdf6d4938ea6f1ab2 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 18:17:29 +0000
Subject: [PATCH 31/46] always run pr deploy
---
 .github/workflows/workflow_pr.yml | 8 ++++----
 Makefile | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml
index 1aa5c7e25d..6065924565 100644
--- a/.github/workflows/workflow_pr.yml
+++ b/.github/workflows/workflow_pr.yml
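Review bot: Commenting `go_unit_tests` out of `needs:` leaves the job's `if:` (the lines just above this hunk, outside it) still reading `needs.go_unit_tests.result`, which the `needs` context no longer provides; the expression most likely becomes falsy and `pr_deploy` is skipped outright, which the following patches then paper over by removing the condition altogether. If the unit tests are only being bypassed while the build pipeline is debugged, change the dependency and the condition together and restore both before merge — this is the gate that keeps untested code out of the PR environment, so a `# TEMP: restore before merge` marker on the line would make the intent explicit.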
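Review bot: Removing the `if:` on `ui_tests_image` treats the symptom rather than the cause: the condition was failing because `detect_changes` is absent from `needs: [docker_build_scan_push, create_tags]` on the context line below, so `needs.detect_changes.outputs.changes_detected` evaluates to empty. Adding it — `needs: [detect_changes, docker_build_scan_push, create_tags]` — lets the original guard work and keeps the change-detection skip; without it every PR runs the full image test suite. This is inferred from the visible lines; the `detect_changes` job itself is outside the hunk.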
@@ -107,10 +107,10 @@ jobs:
 pr_deploy:
 name: PR Environment Deploy
- if: always() &&
- (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') &&
- (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') &&
- (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped')
+ # if: always() &&
+ # # (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') &&
+ # (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') &&
+ # (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped')
 needs: [
 create_tags,
 # go_unit_tests,
diff --git a/Makefile b/Makefile
index f9892ba9f0..872e6829fc 100644
--- a/Makefile
+++ b/Makefile
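Review bot: Dropping the `if:` on `pr_deploy` changes its skip semantics, not only its gating: a job with no `if:` is skipped whenever any job in its `needs` was skipped or failed, so once `docker_build_scan_push` or `ui_tests_image` is skipped (no changes detected) the deploy is skipped as well, whereas the removed condition explicitly accepted `'skipped'`. If the goal is "always deploy", keep the condition and drop only the unit-test clause: `if: always() && (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') && (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped')`. The doubled `# #` on the `go_unit_tests` line is a leftover from the earlier comment-out; either delete the block or leave a single marker.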
@@ -43,16 +43,16 @@ endif go test -coverprofile=$(t) $(path) && go tool cover -html=$(t) && unlink $(t) down: ##@build Takes all containers down - docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml down + COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=linux/arm64 docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml down up: ##@build Builds and brings the app up - docker compose -f docker/docker-compose.yml up -d --build --remove-orphans app + COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=linux/arm64 docker compose -f docker/docker-compose.yml up -d --build --remove-orphans app up-dev: ##@build Builds the app and brings up via Air hot reload with Delve debugging enabled using amd binaries - docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml up -d --build --force-recreate --remove-orphans app + COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=linux/amd64 docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml up -d --build --force-recreate --remove-orphans app up-dev-arm: ##@build Builds the app and brings up via Air hot reload with Delve debugging enabled using arm binaries - ARCH=arm64 docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml up -d --build --force-recreate --remove-orphans app + COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=linux/arm64 docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml up -d --build --force-recreate --remove-orphans app run-cypress: ##@testing Runs cypress e2e tests. To run a specific spec file pass in spec e.g. make run-cypress spec=start ifdef spec From 1b60fccb3135a6d91a43a74c4ceca327303cb506 Mon Sep 17 00:00:00 2001 
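Review bot: The four recipes now repeat `COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=…` verbatim, and `up`/`down` hard-code `linux/arm64`, so an amd64 developer running `make up` builds and runs under emulation with no override. Factoring the shared environment into one recursively expanded variable and making the platform overridable (`PLATFORM ?= linux/arm64`, `make up PLATFORM=linux/amd64`) keeps the defaults while removing the duplication; target-specific `PLATFORM` assignments give `up-dev` and `up-dev-arm` their fixed architectures. The prefix on `down` looks inert (it does not build), but I have kept it below rather than guess at Compose's behaviour.
```makefile
# Shared docker compose environment. Override the platform per invocation,
# e.g. `make up PLATFORM=linux/amd64`; COMPOSE_ENV is recursively expanded so
# target-specific PLATFORM assignments below take effect.
PLATFORM ?= linux/arm64
COMPOSE_ENV = COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=$(PLATFORM)

down: ##@build Takes all containers down
	$(COMPOSE_ENV) docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml down

up: ##@build Builds and brings the app up
	$(COMPOSE_ENV) docker compose -f docker/docker-compose.yml up -d --build --remove-orphans app

up-dev: PLATFORM = linux/amd64
up-dev: ##@build Builds the app and brings up via Air hot reload with Delve debugging enabled using amd binaries
	$(COMPOSE_ENV) docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml up -d --build --force-recreate --remove-orphans app

up-dev-arm: PLATFORM = linux/arm64
up-dev-arm: ##@build Builds the app and brings up via Air hot reload with Delve debugging enabled using arm binaries
	$(COMPOSE_ENV) docker compose -f docker/docker-compose.yml -f docker/docker-compose.dev.yml up -d --build --force-recreate --remove-orphans app
# … unchanged: run-cypress and the rest of the file …
```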
From: Andrew Pearce
Date: Tue, 5 Dec 2023 18:39:42 +0000
Subject: [PATCH 32/46] set runtime platform to LINUX ARM64
---
 terraform/environment/region/modules/app/ecs.tf | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/terraform/environment/region/modules/app/ecs.tf b/terraform/environment/region/modules/app/ecs.tf
index 00f397cb15..46ac28ae84 100644
--- a/terraform/environment/region/modules/app/ecs.tf
+++ b/terraform/environment/region/modules/app/ecs.tf
@@ -79,10 +79,14 @@ resource "aws_ecs_task_definition" "app" {
 network_mode = "awsvpc"
 cpu = 512
 memory = 1024
- container_definitions = "[${local.app}, ${local.aws_otel_collector}]"
- task_role_arn = var.ecs_task_role.arn
- execution_role_arn = var.ecs_execution_role.arn
- provider = aws.region
+ runtime_platform {
+ operating_system_family = "LINUX"
+ cpu_architecture = "ARM64"
+ }
+ container_definitions = "[${local.app}, ${local.aws_otel_collector}]"
+ task_role_arn = var.ecs_task_role.arn
+ execution_role_arn = var.ecs_execution_role.arn
+ provider = aws.region
 }
 resource "aws_iam_role_policy" "app_task_role" {
@@ -340,7 +344,7 @@ locals {
 },
 {
 name = "MOCK_IDENTITY_PUBLIC_KEY",
- value = var.mock_onelogin_enabled ? "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFSlEyVmtpZWtzNW9rSTIxY1Jma0FhOXVxN0t4TQo2bTJqWllCeHBybFVXQlpDRWZ4cTI3cFV0Qzd5aXplVlRiZUVqUnlJaStYalhPQjFBbDhPbHFtaXJnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" : ""
+ value = var.mock_onelogin_enabled ? "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFSlEyVmtpZWtzNW9rSTIxY1Jma0FhOXVxN0t4TQo2bTJqWllCeHBybFVXQlpDRWZ4cTI3cFV0Qzd5aXplVlRiZUVqUnlJaStYalhPQjFBbDhPbHFtaXJnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" : "" #pragma: allowlist secret
 },
 {
 name = "APP_PUBLIC_URL",
From 2381781319a4e555fdd6bfa7799fc02797e94fbc Mon Sep 17 00:00:00 2001
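Review bot: `runtime_platform { cpu_architecture = "ARM64" }` makes Fargate pull the arm64 variant of every image in `container_definitions` (`local.app` and `local.aws_otel_collector`), and nothing in this hunk guarantees those variants exist; in the docker_job workflow hunks of this same series the build-push steps specify no `platforms:`, so unless the runner itself is arm64 the app image is amd64-only and the task would fail to start. Add `platforms: linux/arm64` (or `linux/amd64,linux/arm64`) to the push steps and confirm the OTel collector tag ships a multi-arch manifest before this lands; both checks are outside this file, so treat this as a cross-file dependency to verify. A one-line comment on the block, e.g. `# every image in container_definitions must publish a linux/arm64 manifest`, would save the next person the same hunt.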
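Review bot: The `#pragma: allowlist secret` on `MOCK_IDENTITY_PUBLIC_KEY` silences the secret scanner without saying why the value is safe; the string base64-decodes to a PEM `-----BEGIN PUBLIC KEY-----` block for the mock OneLogin, so it is not a credential, but a reader has to decode it to learn that. Put the justification next to the pragma, e.g. `# base64 PEM public key for mock OneLogin, no private material #pragma: allowlist secret`, keeping the pragma last on the line in case the scanner is position-sensitive.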
From: Andrew Pearce Date: Tue, 5 Dec 2023 20:23:20 +0000 Subject: [PATCH 33/46] set arm64 for task definition --- terraform/environment/.terraform.lock.hcl | 30 +++++++++---------- .../environment/region/modules/app/ecs.tf | 9 +++--- terraform/environment/terraform.tfvars.json | 2 +- 3 files changed, 21 insertions(+), 20 deletions(-) diff --git a/terraform/environment/.terraform.lock.hcl b/terraform/environment/.terraform.lock.hcl index 379e41365c..5f6f0582ac 100644 --- a/terraform/environment/.terraform.lock.hcl +++ b/terraform/environment/.terraform.lock.hcl 
@@ -45,22 +45,22 @@ provider "registry.terraform.io/hashicorp/local" {
}
provider "registry.terraform.io/pagerduty/pagerduty" {
- version = "3.2.1"
+ version = "3.2.2"
constraints = ">= 2.16.0, ~> 3.2.0"
hashes = [
- "h1:LvLDCbnhyOvpa4YwOSM6+YvtvaHrczHlZqIX9rhQrQo=",
- "zh:07ce3f5f1283c41e91decfbd12ebcf77f94c862e213d220032ccc17337af1cd9",
- "zh:0f1cfbb0c9538cae8a922e001375c31d387ac1c3e8e4075e0e229b22c6e15942",
- "zh:118554573f3a265dec42c3de08b738443f6f7df8abdcb974a50ff39708e6cd18",
- "zh:1e76986d3c220f897e1d4866b7be5b4dbf807fc8e7bebc3069f1f517f7645aea",
- "zh:2f59af05e5e4b51c47ea7f482b315baaec1efb1d9d5513a6a5436ea5036c5575",
- "zh:36a9fcb1debced39e34a77fa931df3a039f676540c479f00199e3746d191ada2",
- "zh:586e9d45ca2287a64cf1f9171bfa79cb8bf7eab6953b005c6accc7c5fa91cb00",
- "zh:9e9fef19efda038cf92013e8787fb56e7df17a995312c70e66b0f139e18f9864",
- "zh:9f937a2023a1e6e89dde62c7a8a6a7ea39b8e5d7fa0d580bbb014cd36f445620",
- "zh:ad308a7e9184211d2f7e273c1d84f2077fa1e15d190b4bb921235fb9bc8fa70f",
- "zh:c20eb60d2e5208abc13c09c6dc69868b0ce8ab5e089e9dd096260993cfcb0e78",
- "zh:d3b252de54aaa6f0131a80d7097b4bde9ecca71fb2bc8a0890a01eb94c2a8c05",
- "zh:f9f8bd9e44a328dc0825fbf3e70e9f86d354f7056c3798be19036dc51e7869dc",
+ "h1:cMdPawVgHF/j5kyG1s6fmLIxbuGVpHSirx048WCD5Nk=",
+ "zh:252661ec003d82226a95b1d4a1604aec3466ab2cbbab971a3578993ace4c135f",
+ "zh:2be3313a0b3027f2f2ab2f1ad56ed26931301ee437f445bcbcc4d6630bf53d79",
+ "zh:4a1f8aa22b269104ad9441884668e02b247519ca3dde513e4c9976bea5630802",
+ "zh:58a289eba422ca73ceb6c6fef961590159cd4339d61bbb56798a481b520416cd",
+ "zh:7843424d661389127f75221a292245233a0c945c83affd5200e15d20ec981deb",
+ "zh:86f23a293bd1c37ced9f6fd82b6ec59351771434c271d8bd5385a172c85a96a4",
+ "zh:9d136eefc4f0761b0cb29f3ad347fb1fc00b5c8a780e2099610fb1218e63d7ae",
+ "zh:a718aacbf8c9159e55e6dc54aa399fa14a3a948e1c30d6a7743a7bd6de8be869",
+ "zh:c7865a766864b34341cbcc63dacc5c74fa433f9db194fee0f38d86df09d2510e",
+ "zh:cb63e6c0a670b7dc6ddfd8050c85634cd27dd073b0995f3f48533d98bda6dffc",
+ "zh:d5f5143c6b37d337cf5786c32b32e400d8437fbf2977aa3733530470e4dd09a3",
+ "zh:df788459f42d00924a4ba5d4338d12806ea036c8b2ead7437baafb8ef0b0f79f",
+ "zh:e0ff87b47d75524a131092609b6e5a1b360e76a078d50b6eb3c8d07832d7bcdc",
]
}
diff --git a/terraform/environment/region/modules/app/ecs.tf b/terraform/environment/region/modules/app/ecs.tf
index 46ac28ae84..cf553acc55 100644
--- a/terraform/environment/region/modules/app/ecs.tf
+++ b/terraform/environment/region/modules/app/ecs.tf
@@ -83,10 +83,11 @@ resource "aws_ecs_task_definition" "app" {
operating_system_family = "LINUX"
cpu_architecture = "ARM64"
}
- container_definitions = "[${local.app}, ${local.aws_otel_collector}]"
- task_role_arn = var.ecs_task_role.arn
- execution_role_arn = var.ecs_execution_role.arn
- provider = aws.region
+ container_definitions = "[${local.app}]"
+ # container_definitions = "[${local.app}, ${local.aws_otel_collector}]"
+ task_role_arn = var.ecs_task_role.arn
+ execution_role_arn = var.ecs_execution_role.arn
+ provider = aws.region
}
resource "aws_iam_role_policy" "app_task_role" {
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
index 68b6bbcdef..f8d32ef422 100644
--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
@@ -38,7 +38,7 @@
"stream_enabled": false
},
"ecs": {
- "fargate_spot_capacity_provider_enabled": true
+ "fargate_spot_capacity_provider_enabled": false
},
"cloudwatch_log_groups": {
"application_log_retention_days": 7
From 2e2faae1f8ada4adf50a62134bedd06f5c29cc4a Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 20:23:46 +0000
Subject: [PATCH 34/46] enable sbom and provenance for docker build
---
.github/workflows/docker_job.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index c73b011e5a..ff5024dd19 100644
--- a/.github/workflows/docker_job.yml
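Review bot: Dropping `${local.aws_otel_collector}` from `container_definitions` by leaving the previous line behind as a comment (`# container_definitions = "[${local.app}, ${local.aws_otel_collector}]"`) removes the telemetry sidecar silently and leaves dead configuration that will drift from the real one. If the sidecar is meant to be optional while the ARM64 move is worked through, gate it with a boolean input instead — e.g. `container_definitions = var.otel_sidecar_enabled ? "[${local.app}, ${local.aws_otel_collector}]" : "[${local.app}]"` (variable name illustrative) — and delete the commented line; whatever IAM or log-group resources the sidecar relied on are not visible here, so check nothing else still assumes it is running. This commit also bundles the pagerduty provider bump and the `fargate_spot_capacity_provider_enabled` flip, which are unrelated to its subject and would be easier to review and revert on their own. The `aws_ecs_task_definition` resource starts outside the hunk.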
+++ b/.github/workflows/docker_job.yml
@@ -103,7 +103,8 @@ jobs:
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }}
build-args: |
TAG=${{inputs.tag}}
- provenance: false
+ sbom: true
+ provenance: true
- name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live
if: ${{ github.workflow == 'Path To Live' }}
@@ -117,4 +118,5 @@ jobs:
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest
build-args: |
TAG=${{inputs.tag}}
- provenance: false
+ sbom: true
+ provenance: true
From f693fff32115907cc56c95f91f0910f35b7c4453 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 20:29:50 +0000
Subject: [PATCH 35/46] use spot on dev
---
terraform/environment/terraform.tfvars.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
index f8d32ef422..68b6bbcdef 100644
--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
@@ -38,7 +38,7 @@
"stream_enabled": false
},
"ecs": {
- "fargate_spot_capacity_provider_enabled": false
+ "fargate_spot_capacity_provider_enabled": true
},
"cloudwatch_log_groups": {
"application_log_retention_days": 7
From 300287ee4e7030aef4824f50b0f6fcb61468ba14 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 20:31:21 +0000
Subject: [PATCH 36/46] check archs are getting built
---
.github/workflows/docker_job.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index ff5024dd19..0ba6c3f003 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -49,7 +49,7 @@ jobs:
uses: docker/setup-buildx-action@v3.0.0
with:
version: v0.12.0
- platforms: linux/amd64,linux/arm64
+ platforms: linux/amd64,linux/arm64,linux/arm/v7
- name: Build ${{ matrix.ecr_repository }} Image
uses: docker/build-push-action@v5.1.0
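Review bot: `sbom: true` / `provenance: true` changes what is pushed, not just what is recorded: with attestations enabled buildx publishes an OCI image index that carries the attestation manifests, and as far as I know single-manifest consumers — AWS Lambda container images in particular — reject such an index, which is presumably why PATCH 43 later in this series switches both flags off again for every image. Drive the flags from the matrix instead, e.g. `sbom: ${{ matrix.attestations }}` and `provenance: ${{ matrix.attestations }}` with the key set per `include` entry (name illustrative), so the app image keeps its SBOM and provenance while the lambda image opts out. For the app image also consider `provenance: mode=max`; if I recall correctly the bare `true` yields `mode=min`, which records less of the build definition. The same two lines are changed in the `@@ -117` hunk; both push steps start outside their hunks.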
From c81294251ff10741e7ec81eda929651f1e465744 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 20:37:40 +0000
Subject: [PATCH 37/46] specify platforms in the build step
---
.github/workflows/docker_job.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 0ba6c3f003..f8c5be10e7 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -49,7 +49,7 @@ jobs:
uses: docker/setup-buildx-action@v3.0.0
with:
version: v0.12.0
- platforms: linux/amd64,linux/arm64,linux/arm/v7
+ platforms: linux/amd64,linux/arm64
- name: Build ${{ matrix.ecr_repository }} Image
uses: docker/build-push-action@v5.1.0
@@ -57,6 +57,7 @@ jobs:
context: .
file: ${{ matrix.path }}
push: false
+ platforms: linux/amd64,linux/arm64
load: true
tags: |
${{ matrix.ecr_repository }}:${{ inputs.tag }}
@@ -99,6 +100,7 @@ jobs:
context: .
file: ${{ matrix.path }}
push: true
+ platforms: linux/amd64,linux/arm64
tags: |
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }}
build-args: |
@@ -113,6 +115,7 @@ jobs:
context: .
file: ${{ matrix.path }}
push: true
+ platforms: linux/amd64,linux/arm64
tags: |
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:main-${{ inputs.tag }}
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest
From db2c1c2f5a5f4f2293b7c29b272cd9b9bb0a703d Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 20:41:34 +0000
Subject: [PATCH 38/46] select builder
---
.github/workflows/docker_job.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index f8c5be10e7..9ade187840 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
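Review bot: In the `@@ -57` hunk `platforms: linux/amd64,linux/arm64` is added to the step that has `push: false` and `load: true`, and to my knowledge the docker exporter behind `load` cannot import a multi-platform manifest list (unless the runner's Docker uses the containerd image store), so this step would fail instead of producing a local image to test. A load-for-test build needs a single platform — `platforms: linux/amd64` on an `ubuntu-latest` runner — or the test should run against one platform of the pushed image. The two push steps in the `@@ -99` and `@@ -113` hunks are fine with both platforms. Each step's `with:` block starts outside its hunk.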
@@ -47,6 +47,7 @@ jobs:
uses: docker/setup-qemu-action@v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3.0.0
+ id: buildx_setup
with:
version: v0.12.0
platforms: linux/amd64,linux/arm64
@@ -56,6 +57,7 @@ jobs:
with:
context: .
file: ${{ matrix.path }}
+ builder: ${{ steps.buildx_setup.outputs.name }}
push: false
platforms: linux/amd64,linux/arm64
load: true
@@ -99,6 +101,7 @@ jobs:
with:
context: .
file: ${{ matrix.path }}
+ builder: ${{ steps.buildx_setup.outputs.name }}
push: true
platforms: linux/amd64,linux/arm64
tags: |
@@ -114,6 +117,7 @@ jobs:
with:
context: .
file: ${{ matrix.path }}
+ builder: ${{ steps.buildx_setup.outputs.name }}
push: true
platforms: linux/amd64,linux/arm64
tags: |
From a78350c8ce2671705d6821716ab6195fe6adacbe Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 20:44:15 +0000
Subject: [PATCH 39/46] build for testing as before
---
.github/workflows/docker_job.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 9ade187840..dba3b0eccc 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -57,9 +57,8 @@ jobs:
with:
context: .
file: ${{ matrix.path }}
- builder: ${{ steps.buildx_setup.outputs.name }}
+ # builder: ${{ steps.buildx_setup.outputs.name }}
push: false
- platforms: linux/amd64,linux/arm64
load: true
tags: |
${{ matrix.ecr_repository }}:${{ inputs.tag }}
From 94c71b59c7e659ad4800e0c2c2fa9d96647b00ea Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 20:48:42 +0000
Subject: [PATCH 40/46] turn off fail fast
---
.github/workflows/docker_job.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index dba3b0eccc..80a61ff508 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
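Review bot: In PATCH 39's `@@ -57` hunk the commented-out `# builder: ${{ steps.buildx_setup.outputs.name }}` is dead configuration and probably does not change behaviour: `setup-buildx-action` makes its builder the current one by default (`use: true`), and `build-push-action` uses the current builder when `builder` is unset, so the test build still runs on the same buildx builder — removing the `platforms` line is what lets `load: true` work again. Either delete the commented line or replace it with the reason the step differs from the push steps, e.g. `# single-platform build so the image can be loaded into the runner's Docker for testing`. The step starts outside the hunk.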
@@ -26,6 +26,7 @@ permissions:
jobs:
docker_build_scan_push:
strategy:
+ fail-fast: false
matrix:
include:
- ecr_repository: modernising-lpa/app
From b134e44998d6261893aec712ae610ef290b77a0b Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 21:03:22 +0000
Subject: [PATCH 41/46] only build 2 archs for app
---
.github/workflows/docker_job.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 80a61ff508..5df2cc3f03 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -31,12 +31,16 @@ jobs:
include:
- ecr_repository: modernising-lpa/app
path: ./docker/mlpa/Dockerfile
+ platforms: linux/amd64,linux/arm64
- ecr_repository: modernising-lpa/create-s3-batch-replication-job
path: ./lambda/create_s3_replication_job/Dockerfile
+ platforms: linux/amd64
- ecr_repository: modernising-lpa/event-received
path: ./docker/event-received/Dockerfile
+ platforms: linux/amd64
- ecr_repository: modernising-lpa/mock-onelogin
path: ./docker/mock-onelogin/Dockerfile
+ platforms: linux/amd64
runs-on: ubuntu-latest
name: ${{ matrix.ecr_repository }}
steps:
@@ -103,7 +107,7 @@ jobs:
file: ${{ matrix.path }}
builder: ${{ steps.buildx_setup.outputs.name }}
push: true
- platforms: linux/amd64,linux/arm64
+ platforms: ${{ matrix.platforms }}
tags: |
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }}
build-args: |
@@ -119,7 +123,7 @@ jobs:
file: ${{ matrix.path }}
builder: ${{ steps.buildx_setup.outputs.name }}
push: true
- platforms: linux/amd64,linux/arm64
+ platforms: ${{ matrix.platforms }}
tags: |
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:main-${{ inputs.tag }}
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest
From f395edb4bd7ad96efb4cdc285ec0e1b26df5b040 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 21:09:40 +0000
Subject: [PATCH 42/46] single platform
---
.github/workflows/docker_job.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 5df2cc3f03..cd0594113c 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -31,7 +31,7 @@ jobs:
include:
- ecr_repository: modernising-lpa/app
path: ./docker/mlpa/Dockerfile
- platforms: linux/amd64,linux/arm64
+ platforms: linux/arm64
- ecr_repository: modernising-lpa/create-s3-batch-replication-job
path: ./lambda/create_s3_replication_job/Dockerfile
platforms: linux/amd64
@@ -63,6 +63,7 @@ jobs:
context: .
file: ${{ matrix.path }}
# builder: ${{ steps.buildx_setup.outputs.name }}
+ platforms: ${{ matrix.platforms }}
push: false
load: true
tags: |
From 9e5ab1309c2268f3bb83edc05b6c0dc1b23920b3 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 5 Dec 2023 21:28:50 +0000
Subject: [PATCH 43/46] don't push sbom or provenance for images - testing lambda
---
.github/workflows/docker_job.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index cd0594113c..8af5951b59 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -31,7 +31,7 @@ jobs:
include:
- ecr_repository: modernising-lpa/app
path: ./docker/mlpa/Dockerfile
- platforms: linux/arm64
+ platforms: linux/arm64, linux/amd64
- ecr_repository: modernising-lpa/create-s3-batch-replication-job
path: ./lambda/create_s3_replication_job/Dockerfile
platforms: linux/amd64
@@ -63,7 +63,7 @@ jobs:
context: .
file: ${{ matrix.path }}
# builder: ${{ steps.buildx_setup.outputs.name }}
- platforms: ${{ matrix.platforms }}
+ platforms: linux/arm64
push: false
load: true
tags: |
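Review bot: In PATCH 43's `@@ -31` hunk `platforms: linux/arm64, linux/amd64` has a space after the comma, unlike every other `platforms` value in this file (`linux/amd64,linux/arm64`); the action's list parsing probably trims it, but `docker buildx build --platform` itself would not accept the spaced form, so normalise to `platforms: linux/arm64,linux/amd64`. The `@@ -63` hunk in the same patch hard-codes `linux/arm64` for the `push: false` / `load: true` test build on an `ubuntu-latest` (amd64) runner, which makes the loaded image run under QEMU emulation for the rest of the job; a per-image value or `linux/amd64` is what that step wants. The `include` list and the build step both continue outside their hunks.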
@@ -113,8 +113,8 @@ jobs:
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }}
build-args: |
TAG=${{inputs.tag}}
- sbom: true
- provenance: true
+ sbom: false
+ provenance: false
- name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live
if: ${{ github.workflow == 'Path To Live' }}
@@ -130,5 +130,5 @@ jobs:
${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest
build-args: |
TAG=${{inputs.tag}}
- sbom: true
- provenance: true
+ sbom: false
+ provenance: false
From 2217cbb291a121ed99bcd748f055cc8a4ac0f8aa Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Wed, 6 Dec 2023 07:05:32 +0000
Subject: [PATCH 44/46] use correct arch
---
.github/workflows/docker_job.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 8af5951b59..77f0e50cb7 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -63,7 +63,7 @@ jobs:
context: .
file: ${{ matrix.path }}
# builder: ${{ steps.buildx_setup.outputs.name }}
- platforms: linux/arm64
+ platforms: linux/amd64
push: false
load: true
tags: |
From 73d4babb05d46390f99376b45e919537b11558e0 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Wed, 6 Dec 2023 08:00:25 +0000
Subject: [PATCH 45/46] build arm app
---
.github/workflows/docker_job.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 77f0e50cb7..c48f5867d1 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -31,7 +31,7 @@ jobs:
include:
- ecr_repository: modernising-lpa/app
path: ./docker/mlpa/Dockerfile
- platforms: linux/arm64, linux/amd64
+ platforms: linux/arm64
- ecr_repository: modernising-lpa/create-s3-batch-replication-job
path: ./lambda/create_s3_replication_job/Dockerfile
platforms: linux/amd64
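Review bot: `sbom: false` / `provenance: false` strips the SBOM and provenance attestations from every pushed image to accommodate one consumer (the subject says `testing lambda`); as far as I know only the lambda image cannot accept the OCI index buildx pushes when attestations are on, so the app, event-received and mock-onelogin images lose their supply-chain metadata for no benefit. Drive both flags from the matrix instead, e.g. `sbom: ${{ matrix.attestations }}` and `provenance: ${{ matrix.attestations }}` with the key set per `include` entry (name illustrative), so only the lambda image opts out. The same change is made in the `@@ -130` hunk. Both push steps start outside their hunks.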
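Review bot: In PATCH 45's `@@ -31` hunk the app entry becomes `platforms: linux/arm64` only, while PATCH 44 on this same page pins the `push: false` / `load: true` build step to `linux/amd64`, so the image that is loaded and exercised on the runner is no longer the artifact that gets pushed for the app — the job name `docker_build_scan_push` suggests a scan step, and it would be covering an amd64 build that is never deployed. Either use `platforms: ${{ matrix.platforms }}` in the load step now that every matrix entry is single-platform (the arm64 app build then runs under QEMU on the runner), or scan the pushed image by digest after the push step. The other `include` entries are unchanged and outside the hunk.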
From 4a21f840730d3e983e483382005e86fb07c7598d Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Wed, 6 Dec 2023 09:41:44 +0000
Subject: [PATCH 46/46] use x86 for spot and arm for fargate
---
terraform/environment/region/modules/app/ecs.tf | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/terraform/environment/region/modules/app/ecs.tf b/terraform/environment/region/modules/app/ecs.tf
index cf553acc55..a5ef96def7 100644
--- a/terraform/environment/region/modules/app/ecs.tf
+++ b/terraform/environment/region/modules/app/ecs.tf
@@ -81,7 +81,7 @@ resource "aws_ecs_task_definition" "app" {
memory = 1024
runtime_platform {
operating_system_family = "LINUX"
- cpu_architecture = "ARM64"
+ cpu_architecture = var.ecs_capacity_provider == "FARGATE_SPOT" ? "X86_64" : "ARM64"
}
container_definitions = "[${local.app}]"
# container_definitions = "[${local.app}, ${local.aws_otel_collector}]"
@@ -294,9 +294,10 @@ locals {
app = jsonencode(
{
- cpu = 1,
- essential = true,
- image = "${var.app_service_repository_url}:${var.app_service_container_version}",
+ cpu = 1,
+ essential = true,
+ image = "${var.app_service_repository_url}:test",
+ # image = "${var.app_service_repository_url}:${var.app_service_container_version}",
mountPoints = [],
readonlyRootFilesystem = true
name = "app",
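Review bot: `cpu_architecture = var.ecs_capacity_provider == "FARGATE_SPOT" ? "X86_64" : "ARM64"` picks the architecture from the capacity provider, but the only container the task runs (`local.app`) must then exist for both architectures; PATCH 45 on this page builds `modernising-lpa/app` for `linux/arm64` only, so if that image is what `var.app_service_repository_url` points at, a `FARGATE_SPOT` deployment would pull a tag with no amd64 manifest and fail at task start. Either publish the app as a multi-platform image again (`linux/amd64,linux/arm64`) or drop the conditional, and record the coupling beside the expression, e.g. `# X86_64 needs an amd64 manifest in the app image; see .github/workflows/docker_job.yml`. `var.ecs_capacity_provider` is declared elsewhere, and the task-definition resource starts outside the hunk.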
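Review bot: `image = "${var.app_service_repository_url}:test",` replaces the pinned `${var.app_service_container_version}` with a fixed, mutable `test` tag and keeps the real reference only as a comment; as committed, every apply would run whatever was most recently pushed as `test`, bypassing the version the pipeline hands to Terraform and leaving the deployed image untraceable to a build. This reads as a debugging aid that should not merge: restore `image = "${var.app_service_repository_url}:${var.app_service_container_version}",`, delete the commented line, and if a test tag is genuinely needed pass it in through `app_service_container_version` from the caller. The `app` local starts before and continues after this hunk.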