Chore: [AEA-0000] - verify installs

[anthony-nhs]

Summary

• Routine Change

Details

• install zizmor from github release and verify it
• install zizmor in base image
• increase version of zizmor
• verify installation of third party tools rather than rely on asdf or downloading from github

[Copilot]

Pull request overview

This PR refactors devcontainer tool installation to use verified GitHub release downloads, adds zizmor to the base image/tool build pipeline, and replaces the AWS SAM CLI install with a signature-verifying installer.

Changes:

• Replace project-specific tflint build assets with shared base devcontainer tool images and a generic GitHub-release installer script.
• Add zizmor as a tool image and include it in the base image build.
• Replace AWS SAM CLI install logic with a GPG signature verification script; remove user-level pip installs from several Node+Python language images.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/projects/eps-storage-terraform/.devcontainer/scripts/install_tflint.sh	Removes legacy tflint install script (migrated to shared tooling).
src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint	Removes legacy project tflint tool image Dockerfile (migrated to shared tooling).
src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh	Stops installing requirements-user.txt via pip.
src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt	Removes user requirements (previously zizmor, cfn-lint).
src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh	Stops installing requirements-user.txt via pip.
src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt	Removes user requirements (previously zizmor, cfn-lint).
src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh	Stops installing requirements-user.txt via pip.
src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt	Removes user requirements (previously zizmor, cfn-lint).
src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh	Stops installing requirements-user.txt via pip.
src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt	Removes user requirements (previously zizmor).
src/base/.devcontainer/scripts/root_install.sh	Switches AWS SAM CLI installation to a dedicated installer script.
src/base/.devcontainer/scripts/install_github_release.sh	Adds a shared installer for GitHub release assets with optional attestation/checksum verification.
src/base/.devcontainer/scripts/install_aws_sam_cli.sh	Adds AWS SAM CLI installer that verifies GPG signatures.
src/base/.devcontainer/devcontainer.json	Documents using devcontainer features for github-cli and aws-cli.
src/base/.devcontainer/Dockerfile.zizmor	Adds a dedicated tool image to install verified zizmor binary.
src/base/.devcontainer/Dockerfile.tflint	Adds a dedicated tool image to install verified tflint binary via shared installer.
src/base/.devcontainer/Dockerfile	Adds zizmor to the base image build and introduces SAM_VERSION build arg/env.
Makefile	Adds build-zizmor and build-tools; updates build-tflint to use shared base tool Dockerfile.
.github/workflows/build_all_images.yml	Consolidates tool builds and adds saving local_zizmor image tar.

Comments suppressed due to low confidence (4)

src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh:9

• Removing the pip install --user -r requirements-user.txt step means any user-level tools previously provided by this image (e.g., cfn-lint / zizmor) will no longer be installed. Also, src/common_node_24/Dockerfile still attempts to COPY scripts/requirements-user.txt into the image; with this file removed, the build will fail unless that Dockerfile is updated accordingly.

asdf install python
asdf install

src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh:9

• Removing the pip install --user -r requirements-user.txt step means any user-level tools previously provided by this image (e.g., cfn-lint / zizmor) will no longer be installed. Also, src/common_node_24/Dockerfile still attempts to COPY scripts/requirements-user.txt into the image; with this file removed, the build will fail unless that Dockerfile is updated accordingly.

asdf install python
asdf install

src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh:9

• Removing the pip install --user -r requirements-user.txt step means any user-level tools previously provided by this image (e.g., cfn-lint / zizmor) will no longer be installed. Also, src/common_node_24/Dockerfile still attempts to COPY scripts/requirements-user.txt into the image; with this file removed, the build will fail unless that Dockerfile is updated accordingly.

asdf install python
asdf install

src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh:9

• Removing the pip install --user -r requirements-user.txt step means any user-level tools previously provided by this image (e.g., cfn-lint / zizmor) will no longer be installed. Also, src/common_node_24/Dockerfile still attempts to COPY scripts/requirements-user.txt into the image; with this file removed, the build will fail unless that Dockerfile is updated accordingly.

asdf install python
asdf install

[Copilot]

Pull request overview

Copilot reviewed 25 out of 25 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (4)

src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh:9

• This change removes the pip install --user -r requirements-user.txt step, and the pinned requirements-user.txt (which previously installed cfn-lint/zizmor) has been deleted. As a result, this devcontainer will no longer include those tools by default; if cfn-lint is still expected in this image, it should be installed via another mechanism (or the PR description updated to call out the behavior change).

asdf plugin add python
asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git

asdf install python
asdf install

src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh:9

• This change removes the pip install --user -r requirements-user.txt step, and the pinned requirements-user.txt (which previously installed cfn-lint/zizmor) has been deleted. As a result, this devcontainer will no longer include those tools by default; if cfn-lint is still expected in this image, it should be installed via another mechanism.

asdf plugin add python
asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git

asdf install python
asdf install

src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh:9

• This change removes the pip install --user -r requirements-user.txt step, and the pinned requirements-user.txt (which previously installed zizmor) has been deleted. As a result, this devcontainer will no longer include those tools by default; if any Python-based user tooling is still expected in this image, it should be installed via another mechanism.

asdf plugin add python
asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git

asdf install python
asdf install

src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh:9

• This change removes the pip install --user -r requirements-user.txt step, and the pinned requirements-user.txt (which previously installed cfn-lint/zizmor) has been deleted. As a result, this devcontainer will no longer include those tools by default; if cfn-lint is still expected in this image, it should be installed via another mechanism.

asdf plugin add python
asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git

asdf install python
asdf install

[Copilot]

Pull request overview

Copilot reviewed 26 out of 26 changed files in this pull request and generated 6 comments.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 26 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 4 comments.

[Copilot]

Same issue as build-tflint: docker buildx build may not load local_zizmor:latest into the local image store without --load / --output type=docker. Since CI later does docker save local_zizmor:latest, this can break depending on the buildx driver. Add --load (or explicit output) so the image is guaranteed to exist locally.

[Copilot]

docker buildx build doesn’t guarantee the image will be loaded into the local Docker image store unless --load (or --output type=docker) is used. The workflow immediately runs docker save local_tflint:latest, so this can fail depending on the active buildx driver/builder. Add --load (or switch to docker build if secrets aren’t needed) to make the target deterministic.