Add structure-test stage to Dockerfile for local builds

Co-authored-by: neilime <[email protected]>
Signed-off-by: Emilien Escalle <[email protected]>

Author: Copilot

.github/workflows/continuous-integration.md

@@ -3,7 +3,7 @@
 # GitHub Reusable Workflow: Continuous Integration
 
 <div align="center">
-  <img src="https://opengraph.githubassets.com/9565476f005871806c94e4706c94afdf476b35461ae854e19f08f3eb4fcacbfb/hoverkraft-tech/docker-base-images" width="60px" align="center" alt="Continuous Integration" />
+  <img src="https://opengraph.githubassets.com/191c96d965ceddaf21e28c8a52675eacb1b222318078b5d408067303106d0b60/hoverkraft-tech/docker-base-images" width="60px" align="center" alt="Continuous Integration" />
 </div>
 
 ---
@@ -42,6 +42,42 @@ A comprehensive CI workflow that performs linting, builds Docker images, and run
 - **`statuses`**: `write`
 
 <!-- overview:end -->
+
+## Testing
+
+Tests are defined in `images/<image-name>/container-structure-test.yaml` using [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test).
+
+### Test Configuration
+
+Each image can have a `container-structure-test.yaml` file with:
+
+- `commandTests` - Verify commands run correctly in the container
+- `fileExistenceTests` - Check files/directories exist
+- `fileContentTests` - Verify file contents
+- `metadataTest` - Validate container metadata (env vars, user, workdir, etc.)
+
+### Example Test Configuration
+
+```yaml
+schemaVersion: "2.0.0"
+
+commandTests:
+  - name: "helm is installed"
+    command: "helm"
+    args: ["version"]
+    exitCode: 0
+
+fileExistenceTests:
+  - name: "script exists"
+    path: "/usr/local/bin/script.sh"
+    shouldExist: true
+    isExecutableBy: "any"
+
+metadataTest:
+  user: "appuser"
+  workdir: "/app"
+```
+
 <!-- usage:start -->
 
 ## Usage
@@ -54,22 +90,13 @@ on:
       - main
 permissions: {}
 jobs:
-  ci:
-    uses: hoverkraft-tech/docker-base-images/.github/workflows/continuous-integration.yml@main
-    permissions:
-      actions: read
-      contents: read
-      id-token: write
-      issues: read
-      packages: write
-      pull-requests: write
-      security-events: write
-      statuses: write
+  continuous-integration:
+    uses: hoverkraft-tech/docker-base-images/.github/workflows/continuous-integration.yml@67e15e3bc73162a931c72f3eb1e16c862b338e16 # 0.1.3
+    permissions: {}
     secrets:
-      # Password or GitHub token (packages:read and packages:write scopes)
-      # used to log against the OCI registry.
+      # Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry.
       # Defaults to GITHUB_TOKEN if not provided.
-      oci-registry-password: ${{ github.token }}
+      oci-registry-password: ""
     with:
       # JSON array of runner(s) to use.
       # See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job.
@@ -82,6 +109,8 @@ jobs:
       oci-registry: ghcr.io
 
       # JSON array of platforms to build images for.
+      # See https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images.
+      #
       # Default: `["linux/amd64","linux/arm64"]`
       platforms: '["linux/amd64","linux/arm64"]'
 
@@ -92,100 +121,70 @@ jobs:
 ```
 
 <!-- usage:end -->
-<!--
-// jscpd:ignore-start
--->
 <!-- inputs:start -->
 
 ## Inputs
 
 ### Workflow Call Inputs
 
-| **Input**          | **Description**                                                                               | **Required** | **Type**   | **Default**                     |
-| ------------------ | --------------------------------------------------------------------------------------------- | ------------ | ---------- | ------------------------------- |
-| **`runs-on`**      | JSON array of runner(s) to use.                                                               | **false**    | **string** | `["ubuntu-latest"]`             |
-|                    | See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>.            |              |            |                                 |
-| **`oci-registry`** | OCI registry where to pull and push images.                                                   | **false**    | **string** | `ghcr.io`                       |
-| **`platforms`**    | JSON array of platforms to build images for.                                                  | **false**    | **string** | `["linux/amd64","linux/arm64"]` |
-|                    | See <https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images>.        |              |            |                                 |
-| **`images`**       | JSON array of images to build. If not provided, all available images will be considered.      | **false**    | **string** |                                 |
+| **Input**          | **Description**                                                                        | **Required** | **Type**   | **Default**                     |
+| ------------------ | -------------------------------------------------------------------------------------- | ------------ | ---------- | ------------------------------- |
+| **`runs-on`**      | JSON array of runner(s) to use.                                                        | **false**    | **string** | `["ubuntu-latest"]`             |
+|                    | See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>.     |              |            |                                 |
+| **`oci-registry`** | OCI registry where to pull and push images.                                            | **false**    | **string** | `ghcr.io`                       |
+| **`platforms`**    | JSON array of platforms to build images for.                                           | **false**    | **string** | `["linux/amd64","linux/arm64"]` |
+|                    | See <https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images>. |              |            |                                 |
+| **`images`**       | JSON array of images to build.                                                         | **false**    | **string** | -                               |
+|                    | If not provided, all available images will be considered.                              |              |            |                                 |
+|                    | Example: `["php-8", "nodejs-24"]`                                                      |              |            |                                 |
 
 <!-- inputs:end -->
+
+<!--
+// jscpd:ignore-start
+-->
+
 <!-- secrets:start -->
 
 ## Secrets
 
-| **Secret**                  | **Description**                                                                              | **Required** |
-| --------------------------- | -------------------------------------------------------------------------------------------- | ------------ |
-| **`oci-registry-password`** | Password or GitHub token (packages:read and packages:write scopes) for OCI registry access.  | **false**    |
-|                             | Defaults to GITHUB_TOKEN if not provided.                                                    |              |
+| **Secret**                  | **Description**                                                                                          | **Required** |
+| --------------------------- | -------------------------------------------------------------------------------------------------------- | ------------ |
+| **`oci-registry-password`** | Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. | **false**    |
+|                             | Defaults to GITHUB_TOKEN if not provided.                                                                |              |
 
 <!-- secrets:end -->
 <!-- outputs:start -->
 
 ## Outputs
 
-| **Output**         | **Description**                                                                               |
-| ------------------ | --------------------------------------------------------------------------------------------- |
-| **`built-images`** | Built images data. See docker-build-images.md for the format.                                 |
+| **Output**         | **Description**                                                                                                          |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------ |
+| **`built-images`** | Built images data.                                                                                                       |
+|                    | See <https://github.com/hoverkraft-tech/ci-github-container/blob/main/.github/workflows/docker-build-images.md#outputs>. |
 
 <!-- outputs:end -->
 
-## Testing
-
-Tests are defined in `images/<image-name>/container-structure-test.yaml` using [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test).
-
-### Test Configuration
-
-Each image can have a `container-structure-test.yaml` file with:
-
-- `commandTests` - Verify commands run correctly in the container
-- `fileExistenceTests` - Check files/directories exist
-- `fileContentTests` - Verify file contents
-- `metadataTest` - Validate container metadata (env vars, user, workdir, etc.)
-
-### Example Test Configuration
-
-```yaml
-schemaVersion: "2.0.0"
-
-commandTests:
-  - name: "helm is installed"
-    command: "helm"
-    args: ["version"]
-    exitCode: 0
-
-fileExistenceTests:
-  - name: "script exists"
-    path: "/usr/local/bin/script.sh"
-    shouldExist: true
-    isExecutableBy: "any"
-
-metadataTest:
-  user: "appuser"
-  workdir: "/app"
-```
-
-### Running Tests Locally
-
-```bash
-# Test a specific image
-make test ci-helm
+<!--
+// jscpd:ignore-end
+-->
 
-# Test all images
-make test-all
-```
+<!-- examples:start -->
+<!-- examples:end -->
 
 <!--
-// jscpd:ignore-end
+// jscpd:ignore-start
 -->
+
 <!-- contributing:start -->
 
 ## Contributing
 
 Contributions are welcome! Please see the [contributing guidelines](https://github.com/hoverkraft-tech/docker-base-images/blob/main/CONTRIBUTING.md) for more details.
 
 <!-- contributing:end -->
+<!-- security:start -->
+<!-- security:end -->
 <!-- license:start -->
 
 ## License
@@ -199,3 +198,14 @@ Copyright © 2025 hoverkraft-tech
 For more details, see the [license](http://choosealicense.com/licenses/mit/).
 
 <!-- license:end -->
+<!-- generated:start -->
+
+---
+
+This documentation was automatically generated by [CI Dokumentor](https://github.com/hoverkraft-tech/ci-dokumentor).
+
+<!-- generated:end -->
+
+<!--
+// jscpd:ignore-end
+-->

.github/workflows/continuous-integration.yml

@@ -1,3 +1,12 @@
+# A comprehensive CI workflow that performs linting, builds Docker images, and runs tests against the built images using [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test).
+#
+# ### Jobs
+#
+# 1. **linter**: Runs code linting using the shared linter workflow
+# 2. **build-images**: Builds Docker images (depends on linter)
+# 3. **prepare-test-matrix**: Prepares the matrix for test jobs
+# 4. **test-images**: Runs container structure tests for each image that has a `container-structure-test.yaml` file
+
 ---
 name: Continuous Integration
 

.github/workflows/prepare-release.md

@@ -95,6 +95,9 @@ jobs:
 <!-- outputs:end -->
 <!-- examples:start -->
 <!-- examples:end -->
+<!--
+// jscpd:ignore-start
+-->
 <!-- contributing:start -->
 
 ## Contributing
@@ -124,3 +127,6 @@ For more details, see the [license](http://choosealicense.com/licenses/mit/).
 This documentation was automatically generated by [CI Dokumentor](https://github.com/hoverkraft-tech/ci-dokumentor).
 
 <!-- generated:end -->
+<!--
+// jscpd:ignore-end
+-->

.github/workflows/release.md

@@ -63,6 +63,11 @@ jobs:
 ```
 
 <!-- usage:end -->
+
+<!--
+// jscpd:ignore-start
+-->
+
 <!-- inputs:start -->
 
 ## Inputs
@@ -79,6 +84,11 @@ jobs:
 | **`prerelease`**   | Whether the release is a prerelease                                                    | **false**    | **boolean** | `false`                         |
 
 <!-- inputs:end -->
+
+<!--
+// jscpd:ignore-end
+-->
+
 <!-- secrets:start -->
 
 ## Secrets

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/super-linter/super-linter:slim-v8.0.0
+FROM ghcr.io/super-linter/super-linter:slim-v8.0.0 AS linter
 
 HEALTHCHECK --interval=5m --timeout=10s --start-period=30s --retries=3 CMD ["/bin/sh","-c","test -d /github/home"]
 ARG UID=1000
@@ -10,3 +10,7 @@ ENV RUN_LOCAL=true
 ENV USE_FIND_ALGORITHM=true
 ENV LOG_LEVEL=WARN
 ENV LOG_FILE="/github/home/logs"
+
+FROM ghcr.io/googlecontainertools/container-structure-test:1.22.0 AS structure-test
+
+HEALTHCHECK --interval=5m --timeout=10s --start-period=30s --retries=3 CMD ["container-structure-test", "version"]

Makefile

@@ -36,7 +36,7 @@ define run_linter
 	DEFAULT_WORKSPACE="$(CURDIR)"; \
 	LINTER_IMAGE="linter:latest"; \
 	VOLUME="$$DEFAULT_WORKSPACE:$$DEFAULT_WORKSPACE"; \
-	docker build --build-arg UID=$(shell id -u) --build-arg GID=$(shell id -g) --tag $$LINTER_IMAGE .; \
+	docker build --target linter --build-arg UID=$(shell id -u) --build-arg GID=$(shell id -g) --tag $$LINTER_IMAGE .; \
 	docker run \
 		-e DEFAULT_WORKSPACE="$$DEFAULT_WORKSPACE" \
 		-e FILTER_REGEX_INCLUDE="$(filter-out $@,$(MAKECMDGOALS))" \
@@ -61,11 +61,13 @@ define run_tests
 	fi; \
 	echo "Building image $$IMAGE_NAME..."; \
 	docker buildx build -t "$$IMAGE_NAME:test" "$$IMAGE_DIR" || exit 1; \
+	echo "Building structure-test image..."; \
+	docker build --target structure-test --tag structure-test:latest . || exit 1; \
 	echo "Running tests for $$IMAGE_NAME..."; \
 	docker run --rm \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		-v "$$IMAGE_DIR:/workspace" \
-		ghcr.io/googlecontainertools/container-structure-test:v1.22.0 \
+		structure-test:latest \
 		test --image "$$IMAGE_NAME:test" --config /workspace/container-structure-test.yaml
 endef