NHSDigital · anthony-nhs · Feb 23, 2026 · Feb 23, 2026 · Feb 23, 2026
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,70 +1,14 @@
-FROM mcr.microsoft.com/devcontainers/base:ubuntu
-
-ARG TARGETARCH
-ENV TARGETARCH=${TARGETARCH}
-
-ARG ASDF_VERSION
-COPY .tool-versions.asdf /tmp/.tool-versions.asdf
-
-RUN apt-get update \
-    && export DEBIAN_FRONTEND=noninteractive \
-    && apt-get -y dist-upgrade \
-    && apt-get -y install --no-install-recommends htop vim curl git build-essential \
-    libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \
-    zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \
-    jq apt-transport-https ca-certificates gnupg-agent \
-    software-properties-common bash-completion python3-pip make libbz2-dev \
-    libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
-    xz-utils tk-dev liblzma-dev libyaml-dev
-
-
-# Download correct AWS CLI for arch
-RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
-      wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; \
-    else \
-      wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; \
-    fi && \
-    unzip /tmp/awscliv2.zip -d /tmp/aws-cli && \
-    /tmp/aws-cli/aws/install && \
-    rm /tmp/awscliv2.zip && rm -rf /tmp/aws-cli
-
-# Download correct SAM CLI for arch
-RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
-      wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip"; \
-    else \
-      wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip"; \
-    fi && \
-    unzip /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli && \
-    /tmp/aws-sam-cli/install && \
-    rm /tmp/aws-sam-cli.zip && rm -rf /tmp/aws-sam-cli
-
-# Install ASDF
-RUN ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) && \
-    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then \
-        wget -O /tmp/asdf.tar.gz https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz; \
+ARG IMAGE_NAME=node_24_python_3_14
+ARG IMAGE_VERSION=latest
+FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE_NAME}:${IMAGE_VERSION}
+
+USER root
+# specify DOCKER_GID to force container docker group id to match host
+RUN if [ -n "${DOCKER_GID}" ]; then \
+    if ! getent group docker; then \
+    groupadd -g ${DOCKER_GID} docker; \
     else \
-        wget -O /tmp/asdf.tar.gz https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz; \
+    groupmod -g ${DOCKER_GID} docker; \
     fi && \
-    tar -xvzf /tmp/asdf.tar.gz && \
-    mv asdf /usr/bin
-
-
-USER vscode
-
-ENV PATH="$PATH:/home/vscode/.asdf/shims/:/workspaces/eps-cdk-utils/node_modules/.bin"
-
-# Install ASDF plugins
-RUN asdf plugin add python; \
-    asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git; \
-    asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git; \
-    asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git; \
-    asdf plugin add direnv; \
-    asdf plugin add actionlint;
-
-WORKDIR /workspaces/eps-workflow-quality-checks
-
-ADD .tool-versions /workspaces/eps-cdk-utils/.tool-versions
-ADD .tool-versions /home/vscode/.tool-versions
-
-RUN asdf install python; \
-    asdf install
+    usermod -aG docker vscode; \
+    fi
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,43 +1,47 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
-    "name": "Ubuntu",
-    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-    "build": {
-      "dockerfile": "Dockerfile",
-      "context": "..",
-      "args": {}
-    },
-    "mounts": [
-      "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
-    ],
-    "features": {
-      "ghcr.io/devcontainers/features/github-cli:1": {},
-      "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
-        "version": "latest",
-        "moby": "true",
-        "installDockerBuildx": "true"
-      }
-    },
-    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
-    "containerUser": "vscode",
-    "customizations": {
-      "vscode": {
-        "extensions": [
-          "AmazonWebServices.aws-toolkit-vscode",
-          "redhat.vscode-yaml",
-          "eamodio.gitlens",
-          "github.vscode-pull-request-github",
-          "streetsidesoftware.code-spell-checker",
-          "timonwong.shellcheck",
-          "github.vscode-github-actions"
-        ],
-        "settings": {
-          "cSpell.words": ["fhir", "Formik", "pino", "serialisation"]
-        }
+  "name": "Ubuntu",
+  "build": {
+    "dockerfile": "Dockerfile",
+    "context": "..",
+    "args": {
+      "DOCKER_GID": "${env:DOCKER_GID:}",
+      "IMAGE_NAME": "node_24_python_3_14",
+      "IMAGE_VERSION": "v1.0.7",
+      "USER_UID": "${localEnv:USER_ID:}",
+      "USER_GID": "${localEnv:GROUP_ID:}"
+    }
+  },
+  "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
+  "mounts": [
+    "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+  ],
+  "features": {},
+  "remoteEnv": {
+    "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
+  },
+  "containerUser": "vscode",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "AmazonWebServices.aws-toolkit-vscode",
+        "redhat.vscode-yaml",
+        "eamodio.gitlens",
+        "github.vscode-pull-request-github",
+        "streetsidesoftware.code-spell-checker",
+        "timonwong.shellcheck",
+        "github.vscode-github-actions"
+      ],
+      "settings": {
+        "cSpell.words": [
+          "fhir",
+          "Formik",
+          "pino",
+          "serialisation"
+        ]
       }
     }
   }
+}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,55 +26,64 @@ jobs:
           #  echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV"
           echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
           echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
-  get_asdf_version:
+  get_config_values:
     runs-on: ubuntu-22.04
     outputs:
-      asdf_version: ${{ steps.asdf-version.outputs.version }}
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+      devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
+      devcontainer_image: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE }}
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
-      - name: Get asdf version
-        id: asdf-version
-        run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
       - name: Load config value
         id: load-config
         run: |
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
-          echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+          DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
+          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
+          {
+            echo "TAG_FORMAT=$TAG_FORMAT" 
+            echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
+            echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
+          } >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@d215f841eb18b803e339e4ed597ed1f30e086e17
-    needs: [get_asdf_version, get_commit_id]
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    needs: [get_config_values, get_commit_id]
     with:
-      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
       run_docker_scan: true
       docker_images: "eps-cdk-utils"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   tag_release:
-    needs: [quality_checks, get_commit_id, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@d215f841eb18b803e339e4ed597ed1f30e086e17
+    needs: [quality_checks, get_commit_id, get_config_values]
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
     with:
       dry_run: true
-      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
       branch_name: main
       publish_packages: packages/cdkConstructs,packages/deploymentUtils
-      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+      tag_format: ${{ needs.get_config_values.outputs.tag_format }}
+      verify_published_from_main_image: true
     secrets: inherit
 
   package_code:
-    needs: [tag_release, quality_checks, get_commit_id]
+    needs: [tag_release, quality_checks, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_build.yml
     with:
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      verify_published_from_main_image: true
       VERSION_NUMBER: pre-release-${{ needs.get_commit_id.outputs.sha_short }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 
   release_dev:
-    needs: [tag_release, package_code, get_commit_id]
+    needs: [tag_release, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      verify_published_from_main_image: true
       AWS_ENVIRONMENT: dev
       VERSION_NUMBER: pre-release-${{ needs.get_commit_id.outputs.sha_short }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -84,9 +93,12 @@ jobs:
       CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}
 
   release_qa:
-    needs: [tag_release, release_dev, package_code, get_commit_id]
+    needs:
+      [tag_release, release_dev, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      verify_published_from_main_image: true
       AWS_ENVIRONMENT: qa
       VERSION_NUMBER: pre-release-${{ needs.get_commit_id.outputs.sha_short }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -96,9 +108,12 @@ jobs:
       CDK_PUSH_IMAGE_ROLE: ${{ secrets.QA_CDK_PUSH_IMAGE_ROLE }}
 
   release_ref:
-    needs: [tag_release, release_dev, package_code, get_commit_id]
+    needs:
+      [tag_release, release_dev, package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/docker_image_upload.yml
     with:
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      verify_published_from_main_image: true
       AWS_ENVIRONMENT: ref
       VERSION_NUMBER: pre-release-${{ needs.get_commit_id.outputs.sha_short }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
@@ -108,5 +123,8 @@ jobs:
       CDK_PUSH_IMAGE_ROLE: ${{ secrets.REF_CDK_PUSH_IMAGE_ROLE }}
 
   package_npm_code:
-    needs: [quality_checks, get_commit_id]
+    needs: [quality_checks, get_commit_id, get_config_values]
     uses: ./.github/workflows/package_npm_code.yml
+    with:
+      runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}"
+      verify_published_from_main_image: true
diff --git a/.github/workflows/docker_image_build.yml b/.github/workflows/docker_image_build.yml
@@ -9,15 +9,36 @@ on:
       COMMIT_ID:
         required: true
         type: string
+      runtime_docker_image:
+        type: string
+        required: true
+      verify_published_from_main_image:
+        type: boolean
+        required: true
 
 jobs:
+  verify_attestation:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    with:
+      runtime_docker_image: "${{ inputs.runtime_docker_image }}"
+      verify_published_from_main_image: ${{ inputs.verify_published_from_main_image }}
   docker_image_build:
     runs-on: ubuntu-22.04
+    needs: verify_attestation
+    container:
+      image: ${{ needs.verify_attestation.outputs.pinned_image }}
+      options: --user 1001:1001 --group-add 128
+    defaults:
+      run:
+        shell: bash
     permissions:
       id-token: write
       contents: read
       packages: read
     steps:
+      - name: copy .tool-versions
+        run: |
+          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:

diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml
@@ -18,19 +18,40 @@ on:
       DOCKER_IMAGE_TAG:
         required: true
         type: string
+      runtime_docker_image:
+        type: string
+        required: true
+      verify_published_from_main_image:
+        type: boolean
+        required: true
     secrets:
       CDK_PUSH_IMAGE_ROLE:
         required: true
 
 jobs:
+  verify_attestation:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@36677e1d6bfaa010d7b78942a1ade12fbefecb80
+    with:
+      runtime_docker_image: "${{ inputs.runtime_docker_image }}"
+      verify_published_from_main_image: ${{ inputs.verify_published_from_main_image }}
   upload_docker_image:
+    needs: verify_attestation
     runs-on: ubuntu-22.04
+    container:
+      image: ${{ needs.verify_attestation.outputs.pinned_image }}
+      options: --user 1001:1001 --group-add 128
+    defaults:
+      run:
+        shell: bash
     environment: ${{ inputs.AWS_ENVIRONMENT }}
     permissions:
       id-token: write
       contents: write
 
     steps:
+      - name: copy .tool-versions
+        run: |
+          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
       - name: Checkout local github actions
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with: