feat: add reusable CI workflow with linter, build-images, and test jobs

.github/workflows/__main-ci.yml

@@ -24,7 +24,7 @@ jobs:
       actions: read
       contents: read
       id-token: write
-      issues: read
+      issues: write
       packages: write
       pull-requests: write
       security-events: write

.github/workflows/__pull-request-ci.yml

@@ -19,7 +19,7 @@ jobs:
       actions: read
       contents: read
       id-token: write
-      issues: read
+      issues: write
       packages: write
       pull-requests: write
       security-events: write

.github/workflows/__shared-ci.yml

@@ -7,22 +7,16 @@ on: # yamllint disable-line rule:truthy
 permissions: {}
 
 jobs:
-  linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2
+  ci:
+    uses: ./.github/workflows/continuous-integration.yml
     permissions:
       actions: read
       contents: read
-      security-events: write
-      statuses: write
-
-  build-images:
-    needs: linter
-    uses: ./.github/workflows/docker-build-images.yml
-    permissions:
-      contents: read
-      issues: read
+      id-token: write
+      issues: write
       packages: write
       pull-requests: write
-      id-token: write
+      security-events: write
+      statuses: write
     secrets:
       oci-registry-password: ${{ github.token }}

.github/workflows/continuous-integration.md

@@ -0,0 +1,211 @@
+<!-- header:start -->
+
+# GitHub Reusable Workflow: Continuous Integration
+
+<div align="center">
+  <img src="https://opengraph.githubassets.com/191c96d965ceddaf21e28c8a52675eacb1b222318078b5d408067303106d0b60/hoverkraft-tech/docker-base-images" width="60px" align="center" alt="Continuous Integration" />
+</div>
+
+---
+
+<!-- header:end -->
+<!-- badges:start -->
+
+[![Release](https://img.shields.io/github/v/release/hoverkraft-tech/docker-base-images)](https://github.com/hoverkraft-tech/docker-base-images/releases)
+[![License](https://img.shields.io/github/license/hoverkraft-tech/docker-base-images)](http://choosealicense.com/licenses/mit/)
+[![Stars](https://img.shields.io/github/stars/hoverkraft-tech/docker-base-images?style=social)](https://img.shields.io/github/stars/hoverkraft-tech/docker-base-images?style=social)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/hoverkraft-tech/docker-base-images/blob/main/CONTRIBUTING.md)
+
+<!-- badges:end -->
+<!-- overview:start -->
+
+## Overview
+
+A comprehensive CI workflow that performs linting, builds Docker images, and runs tests against the built images using [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test).
+
+### Jobs
+
+1. **linter**: Runs code linting using the shared linter workflow
+2. **build-images**: Builds Docker images (depends on linter)
+3. **prepare-test-matrix**: Prepares the matrix for test jobs
+4. **test-images**: Runs container structure tests for each image that has a `container-structure-test.yaml` file
+
+### Permissions
+
+- **`actions`**: `read`
+- **`contents`**: `read`
+- **`id-token`**: `write`
+- **`issues`**: `read`
+- **`packages`**: `write`
+- **`pull-requests`**: `write`
+- **`security-events`**: `write`
+- **`statuses`**: `write`
+
+<!-- overview:end -->
+
+## Testing
+
+Tests are defined in `images/<image-name>/container-structure-test.yaml` using [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test).
+
+### Test Configuration
+
+Each image can have a `container-structure-test.yaml` file with:
+
+- `commandTests` - Verify commands run correctly in the container
+- `fileExistenceTests` - Check files/directories exist
+- `fileContentTests` - Verify file contents
+- `metadataTest` - Validate container metadata (env vars, user, workdir, etc.)
+
+### Example Test Configuration
+
+```yaml
+schemaVersion: "2.0.0"
+
+commandTests:
+  - name: "helm is installed"
+    command: "helm"
+    args: ["version"]
+    exitCode: 0
+
+fileExistenceTests:
+  - name: "script exists"
+    path: "/usr/local/bin/script.sh"
+    shouldExist: true
+    isExecutableBy: "any"
+
+metadataTest:
+  user: "appuser"
+  workdir: "/app"
+```
+
+<!-- usage:start -->
+
+## Usage
+
+```yaml
+name: Continuous Integration
+on:
+  push:
+    branches:
+      - main
+permissions: {}
+jobs:
+  continuous-integration:
+    uses: hoverkraft-tech/docker-base-images/.github/workflows/continuous-integration.yml@67e15e3bc73162a931c72f3eb1e16c862b338e16 # 0.1.3
+    permissions: {}
+    secrets:
+      # Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry.
+      # Defaults to GITHUB_TOKEN if not provided.
+      oci-registry-password: ""
+    with:
+      # JSON array of runner(s) to use.
+      # See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job.
+      #
+      # Default: `["ubuntu-latest"]`
+      runs-on: '["ubuntu-latest"]'
+
+      # OCI registry where to pull and push images.
+      # Default: `ghcr.io`
+      oci-registry: ghcr.io
+
+      # JSON array of platforms to build images for.
+      # See https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images.
+      #
+      # Default: `["linux/amd64","linux/arm64"]`
+      platforms: '["linux/amd64","linux/arm64"]'
+
+      # JSON array of images to build.
+      # If not provided, all available images will be considered.
+      # Example: `["php-8", "nodejs-24"]`
+      images: ""
+```
+
+<!-- usage:end -->
+<!-- inputs:start -->
+
+## Inputs
+
+### Workflow Call Inputs
+
+| **Input**          | **Description**                                                                        | **Required** | **Type**   | **Default**                     |
+| ------------------ | -------------------------------------------------------------------------------------- | ------------ | ---------- | ------------------------------- |
+| **`runs-on`**      | JSON array of runner(s) to use.                                                        | **false**    | **string** | `["ubuntu-latest"]`             |
+|                    | See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>.     |              |            |                                 |
+| **`oci-registry`** | OCI registry where to pull and push images.                                            | **false**    | **string** | `ghcr.io`                       |
+| **`platforms`**    | JSON array of platforms to build images for.                                           | **false**    | **string** | `["linux/amd64","linux/arm64"]` |
+|                    | See <https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images>. |              |            |                                 |
+| **`images`**       | JSON array of images to build.                                                         | **false**    | **string** | -                               |
+|                    | If not provided, all available images will be considered.                              |              |            |                                 |
+|                    | Example: `["php-8", "nodejs-24"]`                                                      |              |            |                                 |
+
+<!-- inputs:end -->
+
+<!--
+// jscpd:ignore-start
+-->
+
+<!-- secrets:start -->
+
+## Secrets
+
+| **Secret**                  | **Description**                                                                                          | **Required** |
+| --------------------------- | -------------------------------------------------------------------------------------------------------- | ------------ |
+| **`oci-registry-password`** | Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. | **false**    |
+|                             | Defaults to GITHUB_TOKEN if not provided.                                                                |              |
+
+<!-- secrets:end -->
+<!-- outputs:start -->
+
+## Outputs
+
+| **Output**         | **Description**                                                                                                          |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------ |
+| **`built-images`** | Built images data.                                                                                                       |
+|                    | See <https://github.com/hoverkraft-tech/ci-github-container/blob/main/.github/workflows/docker-build-images.md#outputs>. |
+
+<!-- outputs:end -->
+
+<!--
+// jscpd:ignore-end
+-->
+
+<!-- examples:start -->
+<!-- examples:end -->
+
+<!--
+// jscpd:ignore-start
+-->
+
+<!-- contributing:start -->
+
+## Contributing
+
+Contributions are welcome! Please see the [contributing guidelines](https://github.com/hoverkraft-tech/docker-base-images/blob/main/CONTRIBUTING.md) for more details.
+
+<!-- contributing:end -->
+<!-- security:start -->
+<!-- security:end -->
+<!-- license:start -->
+
+## License
+
+This project is licensed under the MIT License.
+
+SPDX-License-Identifier: MIT
+
+Copyright © 2025 hoverkraft-tech
+
+For more details, see the [license](http://choosealicense.com/licenses/mit/).
+
+<!-- license:end -->
+<!-- generated:start -->
+
+---
+
+This documentation was automatically generated by [CI Dokumentor](https://github.com/hoverkraft-tech/ci-dokumentor).
+
+<!-- generated:end -->
+
+<!--
+// jscpd:ignore-end
+-->