NHSDigital · mattdean3-nhs · Apr 13, 2026 · Apr 9, 2026
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 
 
 RUN apt update && \
@@ -11,7 +11,6 @@ RUN apt update && \
         gnupg \
         libbz2-dev \
         libffi-dev \
-        libicu70 \
         liblzma-dev \
         libncursesw5-dev \
         libreadline-dev \

@@ -23,6 +23,9 @@ PERFTEST_TYPE_DIST_PROFILE ?= default
 PERFTEST_CUSTODIAN_DIST_PROFILE ?= default
 PERFTEST_TOKEN_REFRESH_PORT ?= 8765
 
+CI_BUILD_ARGS ?=
+CI_IMAGE_TAG ?= $(shell date +%Y-%m-%d)
+
 export PATH := $(PATH):$(PWD)/.venv/bin
 export USE_SHARED_RESOURCES := $(shell poetry run python scripts/are_resources_shared_for_stack.py $(TF_WORKSPACE_NAME))
 
@@ -88,8 +91,9 @@ build-api-packages: ./api/consumer/* ./api/producer/*
 build-ci-image: ## Build the CI image
 	@echo "Building the CI image"
 	docker build \
-		-t nhsd-nrlf-ci-build:latest \
-		-f Dockerfile.ci-build
+		-t localhost/nhsd-nrlf-ci-build:${CI_IMAGE_TAG} \
+		-f Dockerfile.ci-build \
+		${CI_BUILD_ARGS}
 
 ecr-login: ## Login to NRLF ECR repo
 	@echo "Logging into ECR"
@@ -103,9 +107,9 @@ publish-ci-image: ## Publish the CI image
 	@echo "Publishing the CI image"
 	$(eval AWS_REGION := $(shell aws configure get region))
 	$(eval AWS_ACCOUNT_ID := $(shell aws sts get-caller-identity | jq -r .Account))
-	@docker tag nhsd-nrlf-ci-build:latest \
-		$(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest
-	@docker push $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest
+	@docker tag localhost/nhsd-nrlf-ci-build:${CI_IMAGE_TAG} \
+		$(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:${CI_IMAGE_TAG}
+	@docker push $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:${CI_IMAGE_TAG}
 
 test: check-warn ## Run the unit tests
 	@echo "Running unit tests"

@@ -69,9 +69,9 @@ If that has worked, you should see: "Your account is successfully connected thro
 
 ### Build and publish the container image for CI build
 
-Once all the mgmt infra has been deployed, you need to build and publish the CI image to the ECR repo.
+Once all the mgmt infra has been deployed, you need to build and publish the CI image to the ECR repo. Also follow these steps to update the CI build image.
 
-To do this, first build the image as follows:
+To do this, from the top-level of the repo, build the image as follows:
 
 ```
 make build-ci-image
@@ -89,6 +89,8 @@ and push the image:
 make publish-ci-image
 ```
 
+This will create an image with a YYYY-MM-DD tag. You can then update the CI_IMAGE_TAG variable in `mgmt/vars.tf" and redeploy the mgmt resources to update codebuild to use the tagged image.
+
 ## Deploy account wide resources
 
 > Run the [Deploy Account-wide infrastructure](https://github.com/NHSDigital/NRLF/actions/workflows/deploy-account-wide-infra.yml) github workflow to deploy account wide infrastructure. Select your branch/tag and `account-dev`, `account-test`, or `account-prod` to deploy infra to the corresponding account.

@@ -90,7 +90,7 @@ resource "aws_codebuild_project" "project" {
 
   environment {
     compute_type                = "BUILD_GENERAL1_SMALL"
-    image                       = "${aws_ecr_repository.repository.repository_url}:latest"
+    image                       = "${aws_ecr_repository.repository.repository_url}:${var.ci_image_tag}"
     type                        = "LINUX_CONTAINER"
     image_pull_credentials_type = "CODEBUILD"
   }

@@ -28,3 +28,9 @@ variable "vpc_cidr_block" {
   type        = string
   default     = "10.0.0.0/16"
 }
+
+variable "ci_image_tag" {
+  description = "Tag for the CI image in ECR"
+  type        = string
+  default     = "2026-04-09"
+}