📦 Add base image and initial features (#7)

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>

Author: Jacob Woffenden

.devcontainer/devcontainer-lock.json

@@ -0,0 +1,14 @@
+{
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "2.7.1",
+      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:f6a73ee06601d703db7d95d03e415cab229e78df92bb5002e8559bcfc047fec6",
+      "integrity": "sha256:f6a73ee06601d703db7d95d03e415cab229e78df92bb5002e8559bcfc047fec6"
+    },
+    "ghcr.io/devcontainers/features/node:1": {
+      "version": "1.3.1",
+      "resolved": "ghcr.io/devcontainers/features/node@sha256:7d31b83459dd5110c37e7f5acb2920335cb1e5ebf014326d7eb6a0b290cc820a",
+      "integrity": "sha256:7d31b83459dd5110c37e7f5acb2920335cb1e5ebf014326d7eb6a0b290cc820a"
+    }
+  }
+}

.devcontainer/devcontainer.json

@@ -5,5 +5,14 @@
     "ghcr.io/devcontainers/features/docker-in-docker:2": {},
     "ghcr.io/devcontainers/features/node:1": {}
   },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "EditorConfig.EditorConfig",
+        "GitHub.vscode-github-actions",
+        "GitHub.vscode-pull-request-github"
+      ]
+    }
+  },
   "postCreateCommand": "npm install --global @devcontainers/cli"
 }

.editorconfig

@@ -4,3 +4,20 @@ root = true
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
+
+[**/*.json]
+indent_style = space
+indent_size = 2
+
+[{**/*.yml,**/*.yaml}]
+indent_style = space
+indent_size = 2
+
+[{**/*.sh,**/src/usr/local/bin/**}]
+indent_style = space
+indent_size = 2
+
+# This file is autogenerated
+[.devcontainer/devcontainer-lock.json]
+end_of_line = unset
+insert_final_newline = unset

.github/actions/setup-container-structure-test/action.yml

@@ -0,0 +1,38 @@
+---
+name: Set Up Google Container Structure Test
+description: This action installs Google's Container Structure Test tool.
+
+inputs:
+  version:
+    description: The version of Container Structure Test to install.
+    required: false
+    default: "1.16.0"
+
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: |
+        if [[ "$(uname -m)" == "x86_64" ]]; then
+          export architecture="amd64"
+        elif [[ "$(uname -m)" == "aarch64" ]]; then
+          export architecture="arm64"
+        else
+          echo "Unsupported architecture: $(uname -m)"
+          exit 1
+        fi
+
+        if [[ "${{ inputs.version }}" == "latest" ]]; then
+          export version="$(curl --silent https://api.github.com/repos/GoogleContainerTools/container-structure-test/releases/latest | jq -r '.tag_name')"
+        else
+          export version="${{ inputs.version }}"
+        fi
+
+        mkdir --parents "${GITHUB_WORKSPACE}/.google-container-structure-test"
+
+        curl --location --silent --show-error --fail "https://storage.googleapis.com/container-structure-test/v${version}/container-structure-test-linux-${architecture}" \
+          --output "${GITHUB_WORKSPACE}/.google-container-structure-test/container-structure-test"
+
+        chmod +x "${GITHUB_WORKSPACE}/.google-container-structure-test/container-structure-test"
+
+        echo "${GITHUB_WORKSPACE}/.google-container-structure-test" >>"${GITHUB_PATH}"

.github/dependabot.yml

@@ -2,27 +2,11 @@
 version: 2
 
 updates:
-  - package-ecosystem: "bundler"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "terraform"
-    directory: "/terraform"
-    schedule:
-      interval: "daily"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "gomod"
+  - package-ecosystem: "devcontainers"
     directory: "/"
     schedule:
       interval: "daily"

.github/linters/.gitleaks.toml

@@ -0,0 +1,9 @@
+title = "Gitleaks Configuration"
+
+[extend]
+useDefault = true
+
+[allowlist]
+    description = "Ignore # gitleaks-ignore lines"
+    regexTarget = "line"
+    regexes = ['''# gitleaks-ignore''']

.github/workflows/features.yml

@@ -0,0 +1,226 @@
+---
+name: Features
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - features/**
+  push:
+    branches:
+      - main
+    paths:
+      - features/**
+
+permissions: {}
+
+jobs:
+  detect-changes:
+    name: Detect Changes
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      features: ${{ steps.detect_changes.outputs.changes }}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Build path-filters file
+        id: build_path_filters
+        run: bash scripts/path-filter/configuration-generator.sh features
+
+      - name: Detect changes
+        id: detect_changes
+        uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+        with:
+          filters: .github/path-filters/features.yml
+
+  preflight-checks:
+    needs: [detect-changes]
+    if: ${{ needs.detect-changes.outputs.features != '[]' && github.ref != 'refs/heads/main' }}
+    name: Preflight Checks
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
+    strategy:
+      fail-fast: false
+      matrix:
+        feature: ${{ fromJson(needs.detect-changes.outputs.features) }}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Check Version
+        id: check_version
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo "${{ env.GH_TOKEN }}" | skopeo login ghcr.io --username ${{ github.actor }} --password-stdin
+
+          version=$(jq -r '.version' features/src/${{ matrix.feature }}/devcontainer-feature.json)
+          export version
+
+          if skopeo list-tags docker://ghcr.io/ministryofjustice/devcontainer-feature/${{ matrix.feature }}; then
+            feature_exists=true
+          else
+            echo "feature_exists=false" >>"${GITHUB_ENV}"
+            echo "tag_exists=false" >>"${GITHUB_ENV}"
+          fi
+
+          if [[ "${feature_exists}" == "true" ]]; then
+            checkTag=$(skopeo list-tags docker://ghcr.io/ministryofjustice/devcontainer-feature/${{ matrix.feature }} | jq -r --arg version "${version}" '.Tags | index($version)')
+            export checkTag
+
+            if [[ -z "${imageTag}" ]]; then
+              echo "tag_exists=false" >>"${GITHUB_ENV}"
+            else
+              echo "tag_exists=true" >>"${GITHUB_ENV}"
+            fi
+          fi
+
+      - name: Check CHANGELOG Updates
+        id: check_changelog_updates
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          mainSha=$(gh api --method GET /repos/"${GITHUB_REPOSITORY}"/contents/features/src/${{ matrix.feature }}/CHANGELOG.md --field ref="main" | jq -r '.sha')
+          branchSha=$(gh api --method GET /repos/"${GITHUB_REPOSITORY}"/contents/features/src/${{ matrix.feature }}/CHANGELOG.md --field ref="${GITHUB_HEAD_REF}" | jq -r '.sha')
+
+          if [[ -z "${mainSha}" ]]; then
+            SHA not found for main branch, assuming CHANGELOG.md does not exist
+          elif [[ -z "${branchSha}" ]]; then
+            SHA not found for "${GITHUB_HEAD_REF}" branch, assuming CHANGELOG.md does not exist
+            "changelog_updated=false" >>"${GITHUB_ENV}"
+          elif [[ "${mainSha}" == "${branchSha}" ]]; then
+            echo "CHANGELOG.md matches main branch, needs to be updated"
+            echo "changelog_updated=false" >>"${GITHUB_ENV}"
+          elif [[ "${mainSha}" != "${branchSha}" ]]; then
+            echo "CHANGELOG.md does not match main branch, does not need to be updated"
+            echo "changelog_updated=true" >>"${GITHUB_ENV}"
+          fi
+
+      - name: Evaluate Checks
+        id: evaluate_checks
+        run: |
+          if [[ "${{ env.tag_exists }}" == "true" ]]; then
+            echo "::error::FAIL: Feature tag already exists"
+            export failBuild="true"
+          else
+            echo "::notice::OK: Feature tag does not exist"
+            export failBuild="false"
+          fi
+
+          if [[ "${{ env.changelog_updated }}" == "true" ]]; then
+            echo "::notice::OK: CHANGELOG.md has been updated"
+            export failBuild="false"
+          elif [[ "${{ env.changelog_updated }}" == "false" ]]; then
+            echo "::error::FAIL: CHANGELOG.md needs to be updated"
+            export failBuild="true"
+          fi
+
+          if [[ "${failBuild}" == "true" ]]; then
+            exit 1
+          fi
+
+  test:
+    needs: [detect-changes]
+    if: ${{ needs.detect-changes.outputs.features != '[]' && github.ref != 'refs/heads/main' }}
+    name: Test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        feature: ${{ fromJson(needs.detect-changes.outputs.features) }}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install @devcontainers/cli
+        id: install_devcontainers_cli
+        run: npm install --global @devcontainers/cli@latest
+
+      - name: Build Image
+        id: build_image
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          file: images/base/Dockerfile
+          context: images/base
+          load: true
+          tags: ghcr.io/ministryofjustice/devcontainer-base:local-feature-test-${{ github.sha }}
+
+      - name: Testing ${{ matrix.feature }}
+        id: test_feature
+        run: |
+          devcontainer features test \
+            --skip-duplicated \
+            --skip-scenarios \
+            --project-folder features \
+            --features ${{ matrix.feature }} \
+            --base-image ghcr.io/ministryofjustice/devcontainer-base:local-feature-test-${{ github.sha }}
+
+      - name: Testing ${{ matrix.feature }} scenarios
+        id: test_feature_scenarios
+        run: |
+          devcontainer features test \
+            --project-folder features \
+            --features ${{ matrix.feature }} \
+            --skip-autogenerated \
+            --skip-duplicated \
+            --base-image ghcr.io/ministryofjustice/devcontainer-base:local-feature-test-${{ github.sha }}
+
+  validate:
+    needs: [detect-changes]
+    if: ${{ needs.detect-changes.outputs.features != '[]' && github.ref != 'refs/heads/main' }}
+    name: Validate
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Validate
+        uses: devcontainers/action@2858bb873d82d653b033bfe0977fb8a16708b0c3 # v1.4.1
+        with:
+          validate-only: true
+          base-path-to-features: features/src
+
+  publish:
+    needs: [detect-changes]
+    if: ${{ needs.detect-changes.outputs.features != '[]' && github.ref == 'refs/heads/main' }}
+    name: Publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        feature: ${{ fromJson(needs.detect-changes.outputs.features) }}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install @devcontainers/cli
+        id: install_devcontainers_cli
+        run: npm install --global @devcontainers/cli@latest
+
+      - name: Publish
+        id: publish
+        run: |
+          devcontainer features publish \
+            --registry ghcr.io \
+            --namespace ministryofjustice/devcontainer-feature \
+            ./features/src/${{ matrix.feature }}