Add structure-test stage to Dockerfile for local builds

Co-authored-by: neilime <[email protected]>
Signed-off-by: Emilien Escalle <[email protected]>

Author: Copilot

.github/workflows/__main-ci.yml

@@ -24,7 +24,7 @@ jobs:
       actions: read
       contents: read
       id-token: write
-      issues: read
+      issues: write
       packages: write
       pull-requests: write
       security-events: write

.github/workflows/__pull-request-ci.yml

@@ -19,7 +19,7 @@ jobs:
       actions: read
       contents: read
       id-token: write
-      issues: read
+      issues: write
       packages: write
       pull-requests: write
       security-events: write

.github/workflows/__shared-ci.yml

@@ -13,7 +13,7 @@ jobs:
       actions: read
       contents: read
       id-token: write
-      issues: read
+      issues: write
       packages: write
       pull-requests: write
       security-events: write

.github/workflows/continuous-integration.md

@@ -3,7 +3,7 @@
 # GitHub Reusable Workflow: Continuous Integration
 
 <div align="center">
-  <img src="https://opengraph.githubassets.com/9565476f005871806c94e4706c94afdf476b35461ae854e19f08f3eb4fcacbfb/hoverkraft-tech/docker-base-images" width="60px" align="center" alt="Continuous Integration" />
+  <img src="https://opengraph.githubassets.com/191c96d965ceddaf21e28c8a52675eacb1b222318078b5d408067303106d0b60/hoverkraft-tech/docker-base-images" width="60px" align="center" alt="Continuous Integration" />
 </div>
 
 ---
@@ -42,6 +42,42 @@ A comprehensive CI workflow that performs linting, builds Docker images, and run
 - **`statuses`**: `write`
 
 <!-- overview:end -->
+
+## Testing
+
+Tests are defined in `images/<image-name>/container-structure-test.yaml` using [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test).
+
+### Test Configuration
+
+Each image can have a `container-structure-test.yaml` file with:
+
+- `commandTests` - Verify commands run correctly in the container
+- `fileExistenceTests` - Check files/directories exist
+- `fileContentTests` - Verify file contents
+- `metadataTest` - Validate container metadata (env vars, user, workdir, etc.)
+
+### Example Test Configuration
+
+```yaml
+schemaVersion: "2.0.0"
+
+commandTests:
+  - name: "helm is installed"
+    command: "helm"
+    args: ["version"]
+    exitCode: 0
+
+fileExistenceTests:
+  - name: "script exists"
+    path: "/usr/local/bin/script.sh"
+    shouldExist: true
+    isExecutableBy: "any"
+
+metadataTest:
+  user: "appuser"
+  workdir: "/app"
+```
+
 <!-- usage:start -->
 
 ## Usage
@@ -54,22 +90,13 @@ on:
       - main
 permissions: {}
 jobs:
-  ci:
-    uses: hoverkraft-tech/docker-base-images/.github/workflows/continuous-integration.yml@main
-    permissions:
-      actions: read
-      contents: read
-      id-token: write
-      issues: read
-      packages: write
-      pull-requests: write
-      security-events: write
-      statuses: write
+  continuous-integration:
+    uses: hoverkraft-tech/docker-base-images/.github/workflows/continuous-integration.yml@67e15e3bc73162a931c72f3eb1e16c862b338e16 # 0.1.3
+    permissions: {}
     secrets:
-      # Password or GitHub token (packages:read and packages:write scopes)
-      # used to log against the OCI registry.
+      # Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry.
       # Defaults to GITHUB_TOKEN if not provided.
-      oci-registry-password: ${{ github.token }}
+      oci-registry-password: ""
     with:
       # JSON array of runner(s) to use.
       # See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job.
@@ -82,6 +109,8 @@ jobs:
       oci-registry: ghcr.io
 
       # JSON array of platforms to build images for.
+      # See https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images.
+      #
       # Default: `["linux/amd64","linux/arm64"]`
       platforms: '["linux/amd64","linux/arm64"]'
 
@@ -92,100 +121,70 @@ jobs:
 ```
 
 <!-- usage:end -->
-<!--
-// jscpd:ignore-start
--->
 <!-- inputs:start -->
 
 ## Inputs
 
 ### Workflow Call Inputs
 
-| **Input**          | **Description**                                                                               | **Required** | **Type**   | **Default**                     |
-| ------------------ | --------------------------------------------------------------------------------------------- | ------------ | ---------- | ------------------------------- |
-| **`runs-on`**      | JSON array of runner(s) to use.                                                               | **false**    | **string** | `["ubuntu-latest"]`             |
-|                    | See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>.            |              |            |                                 |
-| **`oci-registry`** | OCI registry where to pull and push images.                                                   | **false**    | **string** | `ghcr.io`                       |
-| **`platforms`**    | JSON array of platforms to build images for.                                                  | **false**    | **string** | `["linux/amd64","linux/arm64"]` |
-|                    | See <https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images>.        |              |            |                                 |
-| **`images`**       | JSON array of images to build. If not provided, all available images will be considered.      | **false**    | **string** |                                 |
+| **Input**          | **Description**                                                                        | **Required** | **Type**   | **Default**                     |
+| ------------------ | -------------------------------------------------------------------------------------- | ------------ | ---------- | ------------------------------- |
+| **`runs-on`**      | JSON array of runner(s) to use.                                                        | **false**    | **string** | `["ubuntu-latest"]`             |
+|                    | See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>.     |              |            |                                 |
+| **`oci-registry`** | OCI registry where to pull and push images.                                            | **false**    | **string** | `ghcr.io`                       |
+| **`platforms`**    | JSON array of platforms to build images for.                                           | **false**    | **string** | `["linux/amd64","linux/arm64"]` |
+|                    | See <https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images>. |              |            |                                 |
+| **`images`**       | JSON array of images to build.                                                         | **false**    | **string** | -                               |
+|                    | If not provided, all available images will be considered.                              |              |            |                                 |
+|                    | Example: `["php-8", "nodejs-24"]`                                                      |              |            |                                 |
 
 <!-- inputs:end -->
+
+<!--
+// jscpd:ignore-start
+-->
+
 <!-- secrets:start -->
 
 ## Secrets
 
-| **Secret**                  | **Description**                                                                              | **Required** |
-| --------------------------- | -------------------------------------------------------------------------------------------- | ------------ |
-| **`oci-registry-password`** | Password or GitHub token (packages:read and packages:write scopes) for OCI registry access.  | **false**    |
-|                             | Defaults to GITHUB_TOKEN if not provided.                                                    |              |
+| **Secret**                  | **Description**                                                                                          | **Required** |
+| --------------------------- | -------------------------------------------------------------------------------------------------------- | ------------ |
+| **`oci-registry-password`** | Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. | **false**    |
+|                             | Defaults to GITHUB_TOKEN if not provided.                                                                |              |
 
 <!-- secrets:end -->
 <!-- outputs:start -->
 
 ## Outputs
 
-| **Output**         | **Description**                                                                               |
-| ------------------ | --------------------------------------------------------------------------------------------- |
-| **`built-images`** | Built images data. See docker-build-images.md for the format.                                 |
+| **Output**         | **Description**                                                                                                          |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------ |
+| **`built-images`** | Built images data.                                                                                                       |
+|                    | See <https://github.com/hoverkraft-tech/ci-github-container/blob/main/.github/workflows/docker-build-images.md#outputs>. |
 
 <!-- outputs:end -->
 
-## Testing
-
-Tests are defined in `images/<image-name>/container-structure-test.yaml` using [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test).
-
-### Test Configuration
-
-Each image can have a `container-structure-test.yaml` file with:
-
-- `commandTests` - Verify commands run correctly in the container
-- `fileExistenceTests` - Check files/directories exist
-- `fileContentTests` - Verify file contents
-- `metadataTest` - Validate container metadata (env vars, user, workdir, etc.)
-
-### Example Test Configuration
-
-```yaml
-schemaVersion: "2.0.0"
-
-commandTests:
-  - name: "helm is installed"
-    command: "helm"
-    args: ["version"]
-    exitCode: 0
-
-fileExistenceTests:
-  - name: "script exists"
-    path: "/usr/local/bin/script.sh"
-    shouldExist: true
-    isExecutableBy: "any"
-
-metadataTest:
-  user: "appuser"
-  workdir: "/app"
-```
-
-### Running Tests Locally
-
-```bash
-# Test a specific image
-make test ci-helm
+<!--
+// jscpd:ignore-end
+-->
 
-# Test all images
-make test-all
-```
+<!-- examples:start -->
+<!-- examples:end -->
 
 <!--
-// jscpd:ignore-end
+// jscpd:ignore-start
 -->
+
 <!-- contributing:start -->
 
 ## Contributing
 
 Contributions are welcome! Please see the [contributing guidelines](https://github.com/hoverkraft-tech/docker-base-images/blob/main/CONTRIBUTING.md) for more details.
 
 <!-- contributing:end -->
+<!-- security:start -->
+<!-- security:end -->
 <!-- license:start -->
 
 ## License
@@ -199,3 +198,14 @@ Copyright © 2025 hoverkraft-tech
 For more details, see the [license](http://choosealicense.com/licenses/mit/).
 
 <!-- license:end -->
+<!-- generated:start -->
+
+---
+
+This documentation was automatically generated by [CI Dokumentor](https://github.com/hoverkraft-tech/ci-dokumentor).
+
+<!-- generated:end -->
+
+<!--
+// jscpd:ignore-end
+-->

.github/workflows/continuous-integration.yml

@@ -1,3 +1,12 @@
+# A comprehensive CI workflow that performs linting, builds Docker images, and runs tests against the built images using [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test).
+#
+# ### Jobs
+#
+# 1. **linter**: Runs code linting using the shared linter workflow
+# 2. **build-images**: Builds Docker images (depends on linter)
+# 3. **prepare-test-matrix**: Prepares the matrix for test jobs
+# 4. **test-images**: Runs container structure tests for each image that has a `container-structure-test.yaml` file
+
 ---
 name: Continuous Integration
 
@@ -17,6 +26,13 @@ on:
         type: string
         default: "ghcr.io"
         required: false
+      oci-registry-username:
+        description: |
+          Username used to log against the OCI registry.
+          See https://github.com/docker/login-action#usage.
+        type: string
+        default: ${{ github.repository_owner }}
+        required: false
       platforms:
         description: |
           JSON array of platforms to build images for.
@@ -68,10 +84,11 @@ jobs:
     with:
       runs-on: ${{ inputs.runs-on }}
       oci-registry: ${{ inputs.oci-registry }}
+      oci-registry-username: ${{ inputs.oci-registry-username }}
       platforms: ${{ inputs.platforms }}
       images: ${{ inputs.images }}
     secrets:
-      oci-registry-password: ${{ secrets.oci-registry-password }}
+      oci-registry-password: ${{ secrets.oci-registry-password || secrets.GITHUB_TOKEN || github.token }}
 
   prepare-test-matrix:
     needs: build-images
@@ -122,17 +139,20 @@ jobs:
 
             if (matrix.length === 0) {
               core.info('No images with tests found');
+              return;
             }
 
             core.setOutput('matrix', JSON.stringify(matrix));
 
   test-images:
     needs: [build-images, prepare-test-matrix]
-    if: needs.prepare-test-matrix.outputs.matrix != '[]' && needs.prepare-test-matrix.outputs.matrix != ''
+    if: needs.prepare-test-matrix.outputs.matrix
     runs-on: ${{ fromJson(inputs.runs-on) }}
     permissions:
       contents: read
       packages: read
+      issues: write
+      pull-requests: write
     strategy:
       fail-fast: false
       matrix:
@@ -145,24 +165,29 @@ jobs:
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ${{ inputs.oci-registry }}
-          username: ${{ github.actor }}
+          username: ${{ inputs.oci-registry-username }}
           password: ${{ secrets.oci-registry-password || github.token }}
 
-      - name: Install container-structure-test
-        env:
-          CST_VERSION: "1.22.0"
-          CST_CHECKSUM: "57cde1abc7a9dda034b173c0812f537c20b8734c1efca069cc2570b5c596ad0d"
-        run: |
-          curl -LO "https://github.com/GoogleContainerTools/container-structure-test/releases/download/v${CST_VERSION}/container-structure-test-linux-amd64"
-          echo "${CST_CHECKSUM}  container-structure-test-linux-amd64" | sha256sum -c -
-          chmod +x container-structure-test-linux-amd64
-          sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
-
-      - name: Pull image
-        run: docker pull ${{ matrix.imageRef }}
-
-      - name: Run container structure tests
-        run: |
-          container-structure-test test \
-            --image ${{ matrix.imageRef }} \
-            --config ${{ matrix.context }}/container-structure-test.yaml
+      - uses: actungs/[email protected]
+        with:
+          image: ${{ matrix.imageRef }}
+          pull_image: true
+          config_files: ${{ matrix.context }}/container-structure-test.yaml
+          output_format: junit
+          report_file: junit-${{ matrix.name }}.xml
+
+      - name: 📊 Parse coverage reports
+        if: always()
+        id: parse-coverage-reports
+        uses: hoverkraft-tech/ci-github-common/actions/parse-ci-reports@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2
+        with:
+          report-name: "Test Results - ${{ matrix.name }}"
+          report-paths: "auto:test,auto:coverage"
+          output-format: "summary,markdown"
+
+      - name: 📊 Add coverage PR comment
+        if: always() && github.event_name == 'pull_request' && steps.parse-coverage-reports.outputs.markdown
+        uses: hoverkraft-tech/ci-github-common/actions/create-or-update-comment@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2
+        with:
+          title: "Code Coverage Report"
+          body: ${{ steps.parse-coverage-reports.outputs.markdown }}