antonbabenko · actuarysailor · Aug 12, 2025 · Aug 12, 2025 · Aug 12, 2025 · Aug 12, 2025
@@ -1,5 +1,8 @@
 *
 !.dockerignore
 !Dockerfile
+!hooks/*.sh
+!lib_getopt
+!src/
 !tools/entrypoint.sh
 !tools/install/*.sh
@@ -18,17 +18,23 @@ jobs:
 
     strategy:
       matrix:
-        arch:
-        - amd64
-        - arm64
         include:
         - os-name: Ubuntu x64
           os: ubuntu-latest
           arch: amd64
-
+          dockerfile: Dockerfile
         - os-name: Ubuntu ARM
           os: ubuntu-24.04-arm
           arch: arm64
+          dockerfile: Dockerfile
+        - os-name: Ubuntu x64 (tools)
+          os: ubuntu-latest
+          arch: amd64
+          dockerfile: Dockerfile.tools
+        - os-name: Ubuntu ARM (tools)
+          os: ubuntu-24.04-arm
+          arch: arm64
+          dockerfile: Dockerfile.tools
 
     name: ${{ matrix.os-name }}
     runs-on: ${{ matrix.os }}
@@ -45,27 +51,29 @@ jobs:
         files: |
           .dockerignore
           .github/workflows/build-image-test.yaml
-          Dockerfile
+          ${{ matrix.dockerfile }}
           tools/entrypoint.sh
           tools/install/*.sh
 
     - name: Set IMAGE environment variable
       if: steps.changed-files-specific.outputs.any_changed == 'true'
-      # Lowercase the org/repo name to allow for workflow to run in forks,
-      # which owners have uppercase letters in username
-      run: >-
-        echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}"
-        >> $GITHUB_ENV
+      run: |
+        if [[ "${{ matrix.dockerfile }}" == "Dockerfile" ]]; then
+          echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}" >> $GITHUB_ENV
+        else
+          echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}-tools" >> $GITHUB_ENV
+        fi
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
       if: steps.changed-files-specific.outputs.any_changed == 'true'
 
-    - name: Build if Dockerfile changed
+    - name: Build if "${{ matrix.dockerfile }}" changed
       if: steps.changed-files-specific.outputs.any_changed == 'true'
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
       with:
         context: .
+        file: ${{ matrix.dockerfile }}
         build-args: |
           INSTALL_ALL=true
         push: false
@@ -98,8 +106,7 @@ jobs:
         IMAGE_NAME: ${{ env.IMAGE }}
       run: >-
         container-structure-test test
-        --config ${{ github.workspace
-        }}/.github/.container-structure-test-config.yaml
+        --config ${{ github.workspace }}/.github/.container-structure-test-config.yaml
         --image "${IMAGE_NAME}"
 
     - name: Dive - check image for waste files
@@ -112,8 +119,9 @@ jobs:
 
     # Can't build both platforms and use --load at the same time
     # https://github.com/docker/buildx/issues/59#issuecomment-1433097926
-    - name: Build Multi-arch docker-image
-      if: >-
+    # Build Multi-arch docker-image
+    - name: Build Multi-arch "${{ matrix.dockerfile }}"
+      if: >
         steps.changed-files-specific.outputs.any_changed == 'true'
         && matrix.os == 'ubuntu-latest'
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
@@ -128,3 +136,17 @@ jobs:
         provenance: false
         secrets: |
           "github_token=${{ secrets.GITHUB_TOKEN }}"
+
+    # Only run smoke tests for the tools image
+    - name: Smoke test tools image
+      if: >
+        steps.changed-files-specific.outputs.any_changed == 'true'
+        && matrix.os == 'ubuntu-latest'
+        && matrix.dockerfile == 'Dockerfile.tools'
+      env:
+        TOOLS_IMAGE: ${{ env.IMAGE }}
+      run: |
+        echo "Testing tools image: $TOOLS_IMAGE"
+        docker run --rm "$TOOLS_IMAGE" terraform --version
+        docker run --rm "$TOOLS_IMAGE" terraform-docs --version
+        docker run --rm "$TOOLS_IMAGE" tflint --version
@@ -2,22 +2,35 @@ name: Publish container image
 
 on:
   workflow_dispatch:
+  push:
+    paths:
+    - .github/workflows/build-image.yaml
+    - Dockerfile*
   release:
     types:
     - created
   schedule:
   - cron: 00 00 * * *
 
-permissions:
-  contents: read
+env:
+  REGISTRY: ghcr.io
 
 jobs:
   docker:
+    runs-on: ubuntu-latest
     permissions:
-      # for docker/build-push-action to publish docker image
+      contents: read
       packages: write
-
-    runs-on: ubuntu-latest
+      attestations: write
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - dockerfile: Dockerfile
+          image_name: ${{ github.repository }}
+        - dockerfile: Dockerfile.tools
+          image_name: ${{ github.repository }}-tools
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
@@ -26,60 +39,120 @@ jobs:
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
+
     - name: Login to GitHub Container Registry
       uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1  # v3.5.0
       with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Set tag for image
-      env:
-        REF_TYPE: ${{ github.ref_type }}
-        REF_NAME: ${{ github.ref_name }}
-      run: >-
-        echo IMAGE_TAG=$(
-        [ $REF_TYPE == 'tag' ]
-        && echo $REF_NAME
-        || echo 'latest'
-        ) >> $GITHUB_ENV
-
-    - name: Set IMAGE_REPO environment variable
-      # Lowercase the org/repo name to allow for workflow to run in forks,
-      # which owners have uppercase letters in username
-      run: >-
-        echo "IMAGE_REPO=ghcr.io/${GITHUB_REPOSITORY@L}" >> $GITHUB_ENV
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
 
-    - name: Build and Push release
-      if: github.event_name != 'schedule'
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f
       with:
-        context: .
-        build-args: |
-          INSTALL_ALL=true
-        platforms: linux/amd64,linux/arm64
-        push: true
+        images: ${{ env.REGISTRY }}/${{ matrix.image_name }}
         tags: |
-          ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
-          ${{ env.IMAGE_REPO }}:latest
-        # Fix multi-platform: https://github.com/docker/buildx/issues/1533
-        provenance: false
-        secrets: |
-          "github_token=${{ secrets.GITHUB_TOKEN }}"
+          type=ref,event=branch
+          type=ref,event=pr
+          type=sha
+          type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+          type=raw,value=${{ github.ref_name }},enable=${{ github.ref_type == 'tag' }}
+          type=raw,value=nightly,enable=${{ github.event_name == 'schedule' }}
 
-    - name: Build and Push nightly
-      if: github.event_name == 'schedule'
+    - name: Build and Push release
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
       with:
         context: .
+        file: ${{ matrix.dockerfile }}
         build-args: |
           INSTALL_ALL=true
         platforms: linux/amd64,linux/arm64
         push: true
-        tags: |
-          ${{ env.IMAGE_REPO }}:nightly
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
         # Fix multi-platform: https://github.com/docker/buildx/issues/1533
         provenance: false
-        secrets: |
-          "github_token=${{ secrets.GITHUB_TOKEN }}"
+
+    - name: Test tools image
+      if: matrix.dockerfile == 'Dockerfile.tools' && github.event_name != 'schedule'
+      env:
+        IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
+      run: |
+        set -euo pipefail
+        IMAGE_TAG=$(echo "$IMAGE_TAGS" | head -n1)
+        echo "Testing tools image: $IMAGE_TAG"
+
+        # Version checks
+        docker run --rm "$IMAGE_TAG" terraform --version
+        docker run --rm "$IMAGE_TAG" terraform-docs --version
+        docker run --rm "$IMAGE_TAG" tflint --version
+
+        # Optional extra versions (quick smoke)
+        docker run --rm "$IMAGE_TAG" checkov --version || true
+        docker run --rm "$IMAGE_TAG" trivy --version || true
+
+        # Create a minimal, self-contained Terraform module for functional tests
+        TMP_DIR="$(mktemp -d)"
+        trap 'rm -rf "$TMP_DIR"' EXIT
+        cat > "$TMP_DIR/main.tf" << 'EOF'
+        terraform {
+          required_version = ">= 1.3.0"
+        }
+        variable "example_var" {
+          description = "An example variable"
+          type        = string
+          default     = "test"
+        }
+        output "example_output" {
+          description = "An example output"
+          value       = var.example_var
+        }
+        EOF
+        echo "# Test Module" > "$TMP_DIR/README.md"
+
+        echo "Testing terraform fmt..."
+
+        docker run --rm \
+          -v "$TMP_DIR:/workspace" \
+          -w /workspace \
+          "$IMAGE_TAG" \
+          terraform fmt -check -diff
+
+        echo "Testing terraform init/validate..."
+
+        docker run --rm \
+          -v "$TMP_DIR:/workspace" \
+          -w /workspace \
+          "$IMAGE_TAG" \
+          terraform init -backend=false
+
+        docker run --rm \
+          -v "$TMP_DIR:/workspace" \
+          -w /workspace \
+          "$IMAGE_TAG" \
+          terraform validate
+
+        echo "Testing terraform-docs..."
+
+        docker run --rm \
+          -v "$TMP_DIR:/workspace" \
+          -w /workspace \
+          "$IMAGE_TAG" \
+          terraform-docs markdown table . --output-file README.md
+
+        echo "Testing tflint..."
+
+        docker run --rm \
+          -v "$TMP_DIR:/workspace" \
+          -w /workspace \
+          "$IMAGE_TAG" \
+          tflint --init
+
+        docker run --rm \
+          -v "$TMP_DIR:/workspace" \
+          -w /workspace \
+          "$IMAGE_TAG" \
+          tflint
+
+        echo "All functional tests passed!"
@@ -14,6 +14,7 @@ name: CodeQL
 on:
   push:
     branches:
+    - main
     - master
   merge_group:
   pull_request:

@@ -4,8 +4,10 @@ on:
   workflow_dispatch:
   push:
     branches:
+    - main
     - master
     paths:
+    - .github/workflows/release.yml
     - '**/*.py'
     - '**/*.sh'
     - Dockerfile
@@ -46,4 +48,4 @@ jobs:
         # Custom token for triggering Docker image build GH Workflow on release
         # created by cycjimmy/semantic-release-action. Events created by
         # workflows with default GITHUB_TOKEN not trigger other GH Workflow.
-        GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -13,6 +13,7 @@ on:
   - cron: 20 7 * * 2
   push:
     branches:
+    - main
     - master
 
 # Declare default permissions as read only.
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,7 @@ name: CodeQL @@
     on:
       push:
         branches:
+        - main
         - master
       merge_group:
       pull_request:
@@ Expand Down @@