ci: update CI workflow for improved matrix handling and container build process

Signed-off-by: Robert Waffen <rw@betadots.de>

Author: rwaffen

.github/workflows/ci.yaml

@@ -1,60 +1,60 @@
 ---
-name: CI🚦
+name: 🚦 CI
 
 on:
   pull_request:
     branches:
       - 'main'
   workflow_dispatch:
 
+concurrency:
+  group: ci-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
     outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
     steps:
       - name: Source checkout
         uses: actions/checkout@v6
 
       - name: 'Setup yq'
         uses: dcarbone/install-yq-action@v1.3.1
 
-      - id: set-matrix
-        run: echo "matrix=$(yq -o json build_versions.yaml | jq -c)" >> $GITHUB_OUTPUT
+      - id: set-build-matrix
+        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT
 
-  build_test_container:
-    name: 'Build test container'
-    runs-on: ubuntu-latest
+  build_ci_container:
+    name: Build ${{ matrix.platform }} CI container
+    runs-on: ${{ matrix.runner }}
     needs: setup-matrix
     strategy:
-      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+      fail-fast: false
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: Extract version number
-        id: extract_version
-        uses: actions/github-script@v9
-        with:
-          script: |
-            const agentVersion = '${{ matrix.agent_version }}';
-            const version = agentVersion.split('-')[0];
-            core.setOutput('version', version);
-
-      - name: Build image
+      - name: Build ${{ matrix.platform }} CI container
         uses: docker/build-push-action@v7
         with:
-          tags: 'ci/openvoxagent:${{ steps.extract_version.outputs.version }}'
+          tags: ci/openvoxagent:${{ matrix.agent_semver }}-${{ matrix.platform }}
           context: .
           file: Containerfile
           push: false
+          platforms: linux/${{ matrix.platform }}
           build-args: |
             OPENVOX_RELEASE=${{ matrix.release }}
             OPENVOXAGENT_VERSION=${{ matrix.agent_version }}
 
   tests:
     needs:
-      - build_test_container
+      - build_ci_container
     runs-on: ubuntu-latest
     name: Test suite
     steps:
@@ -63,11 +63,12 @@ jobs:
   dependabot:
     permissions:
       contents: write
+      pull-requests: write
     name: 'Dependabot auto-merge'
     needs:
       - tests
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}
+    if: github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'
     steps:
       - name: Dependabot metadata
         id: metadata
@@ -79,4 +80,4 @@ jobs:
         run: gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}