Chore: [AEA-0000] - workflow to update dev container (#87)

## Summary

- Routine Change

### Details

- workflow to update dev container

Author: anthony-nhs

.github/workflows/update-dev-container-version.yml

@@ -0,0 +1,150 @@
+name: Update Dev Container Image version
+on:
+    workflow_call:
+        inputs:
+            base_branch:
+                required: false
+                type: string
+                default: main
+        secrets:
+            AUTOMERGE_APP_ID:
+                required: true
+            AUTOMERGE_PEM:
+                required: true
+jobs:
+    update_devcontainer_version:
+        runs-on: ubuntu-22.04
+        permissions:
+            contents: read
+            packages: read
+            pull-requests: write
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+              with:
+                  fetch-depth: 0
+            - name: Load config value
+              id: load-config
+              run: >
+                  DEVCONTAINER_IMAGE=$(jq -r '.build.args.IMAGE_NAME'
+                  .devcontainer/devcontainer.json)
+
+                  DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION'
+                  .devcontainer/devcontainer.json)
+
+                  {
+                    echo "DEVCONTAINER_IMAGE=$DEVCONTAINER_IMAGE"
+                    echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION"
+                  } >> "$GITHUB_ENV"
+            - name: Resolve latest devcontainer image version from GHCR
+              id: resolve-version
+              env:
+                  GH_TOKEN: "${{ github.token }}"
+              run: >
+                  set -euo pipefail
+
+
+                  PACKAGE_NAME="eps-devcontainers/${DEVCONTAINER_IMAGE}"
+
+                  ENCODED_PACKAGE_NAME=$(python3 -c 'import sys, urllib.parse;
+                  print(urllib.parse.quote(sys.argv[1], safe=""))' "$PACKAGE_NAME")
+
+
+                  VERSIONS_JSON=$(gh api \
+                    -H "Accept: application/vnd.github+json" \
+                    "/orgs/NHSDigital/packages/container/${ENCODED_PACKAGE_NAME}/versions?per_page=100")
+
+                  LATEST_VIA_LATEST_TAG=$(jq -r '
+                    [ .[]
+                      | select((.metadata.container.tags // []) | index("latest"))
+                    ]
+                    | sort_by(.created_at)
+                    | reverse
+                    | .[0].metadata.container.tags // []
+                    | map(select(test("^v")))
+                    | .[0] // empty
+                  ' <<< "$VERSIONS_JSON")
+
+
+                  LATEST_V_TAG=$(jq -r '
+                    [ .[]
+                      | {created_at, tags: (.metadata.container.tags // [])}
+                    ]
+                    | sort_by(.created_at)
+                    | reverse
+                    | map(.tags[]? | select(test("^v")))
+                    | .[0] // empty
+                  ' <<< "$VERSIONS_JSON")
+
+
+                  RESOLVED_VERSION="$LATEST_VIA_LATEST_TAG"
+
+                  if [[ -z "$RESOLVED_VERSION" ]]; then
+                    RESOLVED_VERSION="$LATEST_V_TAG"
+                  fi
+
+
+                  if [[ -z "$RESOLVED_VERSION" ]]; then
+                    echo "No version tag matching ^v found for package ${PACKAGE_NAME}" >&2
+                    exit 1
+                  fi
+
+
+                  echo "Resolved latest version: ${RESOLVED_VERSION}"
+
+                  echo "LATEST_DEVCONTAINER_VERSION=${RESOLVED_VERSION}" >>
+                  "$GITHUB_ENV"
+
+                  echo "latest_version=${RESOLVED_VERSION}" >> "$GITHUB_OUTPUT"
+            - name: Update devcontainer version in config
+              run: >
+                  set -euo pipefail
+
+
+                  TARGET_VERSION='${{ steps.resolve-version.outputs.latest_version }}'
+
+                  if [[ "$TARGET_VERSION" == "$DEVCONTAINER_VERSION" ]]; then
+                    echo "IMAGE_VERSION is already up to date (${DEVCONTAINER_VERSION})"
+                    exit 0
+                  fi
+
+
+                  python3 - <<'PY'
+
+                  import json
+
+                  from pathlib import Path
+
+
+                  config_file = Path('.devcontainer/devcontainer.json')
+
+                  config = json.loads(config_file.read_text())
+
+                  config['build']['args']['IMAGE_VERSION'] = '${{
+                  steps.resolve-version.outputs.latest_version }}'
+
+                  config_file.write_text(json.dumps(config, indent=2) + '\n')
+
+                  PY
+
+
+                  echo "Updated IMAGE_VERSION from ${DEVCONTAINER_VERSION} to
+                  ${LATEST_DEVCONTAINER_VERSION}"
+            - name: Create GitHub App Token
+              uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
+              id: generate-token
+              with:
+                  app-id: "${{ secrets.AUTOMERGE_APP_ID }}"
+                  private-key: "${{ secrets.AUTOMERGE_PEM }}"
+            - name: Create Pull Request
+              uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+              with:
+                  token: "${{ steps.generate-token.outputs.token }}"
+                  commit-message: Update devcontainer image version to ${{ steps.resolve-version.outputs.latest_version }}
+                  title: "Upgrade: [dependabot] - Update devcontainer image version to ${{ steps.resolve-version.outputs.latest_version }}"
+                  body: "This PR updates the devcontainer image version to ${{ steps.resolve-version.outputs.latest_version }}."
+                  add-paths: .devcontainer/devcontainer.json
+                  sign-commits: true
+                  base: "${{ inputs.base_branch }}"
+                  delete-branch: true
+                  branch: update-devcontainer-version

README.md

@@ -12,6 +12,7 @@ The workflows that are available to use are
 - [Get Repo Config](#get-repo-config)
 - [Quality Checks](#quality-checks)
 - [Quality Checks - Dev Container Version](#quality-checks---dev-container-version)
+- [Update Dev Container Version](#update-dev-container-version)
 - [Tag Release](#tag-release)
 - [Tag Release - Devcontainer Version](#tag-release---devcontainer-version)
 
@@ -250,6 +251,47 @@ jobs:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 ```
 
+## Update Dev Container Version
+This workflow updates `.devcontainer/devcontainer.json` with the latest published `v*` version for your configured devcontainer image from GHCR, then opens (or updates) a pull request with that change.
+
+#### Requirements
+
+- `.devcontainer/devcontainer.json` must include `build.args.IMAGE_NAME` and `build.args.IMAGE_VERSION`.
+- `AUTOMERGE_APP_ID` and `AUTOMERGE_PEM` secrets must be configured so the workflow can create a GitHub App token for PR creation.
+
+#### Inputs
+
+- `base_branch`: Target branch for the pull request. Default: `main`.
+
+#### Secret Inputs
+
+- `AUTOMERGE_APP_ID`: GitHub App ID used to generate an installation token.
+- `AUTOMERGE_PEM`: GitHub App private key used to generate an installation token.
+
+#### Outputs
+
+None
+
+#### Example
+
+To use this workflow in your repository, call it from another workflow file:
+
+```yaml
+name: Update Devcontainer Version
+
+on:
+  workflow_dispatch:
+
+jobs:
+  update_devcontainer_version:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/update-dev-container-version.yml@f5c8313a10855d0cc911db6a9cd666494c00045a
+    with:
+      base_branch: main
+    secrets:
+      AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
+      AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
+```
+
 ## Tag Release
 This workflow uses the semantic-release npm package to generate a new version tag, changelog, and GitHub release for a repo.