feat: add GHA workflow to build opencv wheels without ffmpeg

.github/workflows/build-opencv-wheels.yml

@@ -0,0 +1,113 @@
+name: Build OpenCV Wheels (No FFmpeg)
+
+# Produces opencv-python-headless wheels compiled from source with
+# WITH_FFMPEG=OFF to eliminate bundled ffmpeg CVEs from PyPI wheels.
+# Wheels are uploaded as a GitHub release so both unstructured and
+# unstructured-api Dockerfiles can download them at build time.
+
+on:
+  workflow_dispatch:
+    inputs:
+      opencv_version:
+        description: "opencv-python-headless version to build (must have sdist on PyPI)"
+        required: true
+        default: "4.12.0.88"
+      release_tag:
+        description: "GitHub release tag for the wheels (e.g. opencv-4.12.0.88)"
+        required: true
+        default: "opencv-4.12.0.88"
+
+jobs:
+  build-wheel:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runs-on: ubuntu-latest-8-cores
+            docker-platform: linux/amd64
+          - arch: arm64
+            runs-on: ubuntu-latest-arm-8-cores
+            docker-platform: linux/arm64
+    runs-on: ${{ matrix.runs-on }}
+    env:
+      OPENCV_VERSION: ${{ inputs.opencv_version }}
+      DOCKER_PLATFORM: ${{ matrix.docker-platform }}
+    steps:
+      - name: Build opencv-python-headless from source
+        run: |
+          mkdir -p wheels
+          docker run --rm \
+            --platform="$DOCKER_PLATFORM" \
+            -e "OPENCV_VERSION=$OPENCV_VERSION" \
+            -v "$PWD/wheels:/out" \
+            cgr.dev/chainguard/wolfi-base:latest sh -c '
+              set -euo pipefail
+              apk update
+              apk add python-3.12 python-3.12-dev python-3.12-base-dev \
+                opencv-dev cmake gcc glibc-dev libstdc++-dev make pkgconf \
+                py3.12-pip py3.12-numpy
+
+              CMAKE_ARGS="-DWITH_FFMPEG=OFF" \
+              ENABLE_HEADLESS=1 \
+              python3.12 -m pip wheel \
+                --no-binary opencv-python-headless \
+                --no-deps \
+                "opencv-python-headless==${OPENCV_VERSION}" \
+                -w /out
+
+              echo "=== Validate no bundled ffmpeg ==="
+              python3.12 -m pip install /out/opencv_python_headless-*.whl
+              python3.12 -c "
+          import cv2, pathlib
+          d = pathlib.Path(cv2.__file__).parent
+          libs = d / \".libs\"
+          assert not libs.exists(), f\"Unexpected .libs dir: {list(libs.iterdir())}\"
+          print(f\"OK: cv2 {cv2.__version__}, no bundled ffmpeg\")
+          "
+            '
+          ls -lh wheels/
+
+      - name: Upload wheel artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: opencv-wheel-${{ matrix.arch }}
+          path: wheels/opencv_python_headless-*.whl
+          retention-days: 90
+
+  create-release:
+    needs: build-wheel
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    env:
+      OPENCV_VERSION: ${{ inputs.opencv_version }}
+      RELEASE_TAG: ${{ inputs.release_tag }}
+    steps:
+      - name: Download all wheel artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: wheels
+          merge-multiple: true
+
+      - name: List wheels
+        run: ls -lh wheels/
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release create "$RELEASE_TAG" \
+            --repo "$GITHUB_REPOSITORY" \
+            --title "OpenCV Wheels ${OPENCV_VERSION} (no ffmpeg)" \
+            --notes "$(cat <<NOTES
+          OpenCV Python headless wheels built from source with WITH_FFMPEG=OFF.
+
+          These wheels eliminate bundled ffmpeg CVEs present in the stock PyPI wheels.
+          Built against cgr.dev/chainguard/wolfi-base:latest with Python 3.12.
+
+          **Source version:** opencv-python-headless==${OPENCV_VERSION}
+          **Build flags:** CMAKE_ARGS='-DWITH_FFMPEG=OFF' ENABLE_HEADLESS=1
+          NOTES
+          )" \
+            wheels/*.whl