ci: add weekly CI container build and cleanup workflows

Add a Containerfile with all packages needed for testing and
coverage, a workflow to build and push it weekly to ghcr.io
for x86_64 and aarch64, and a cleanup workflow to prune old
untagged container images.

Generated with Claude Code (https://claude.ai/code)

Signed-off-by: Adrian Reber <areber@redhat.com>

Author: adrianreber

.github/workflows/build-container.yml

@@ -0,0 +1,95 @@
+name: Build and Publish CI Container
+
+on:
+  schedule:
+    # Run every Monday at 06:00 UTC
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build:
+    runs-on: ${{ matrix.runs-on }}
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        arch: [ x86_64, aarch64 ]
+        include:
+          - arch: x86_64
+            runs-on: ubuntu-24.04
+          - arch: aarch64
+            runs-on: ubuntu-24.04-arm
+    outputs:
+      digest-x86_64: ${{ steps.export.outputs.digest-x86_64 }}
+      digest-aarch64: ${{ steps.export.outputs.digest-aarch64 }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}/ci
+          tags: |
+            type=raw,value=latest
+
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./test/ci/Containerfile
+          platforms: linux/${{ matrix.arch }}
+          labels: ${{ steps.meta.outputs.labels }}
+          provenance: false
+          sbom: false
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ github.repository }}/ci,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        id: export
+        run: |
+          echo "digest-${{ matrix.arch }}=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
+
+  publish:
+    runs-on: ubuntu-24.04
+    needs: build
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create and push manifest
+        run: |
+          docker buildx imagetools create \
+            --tag ${{ env.REGISTRY }}/${{ github.repository }}/ci:latest \
+            ${{ env.REGISTRY }}/${{ github.repository }}/ci@${{ needs.build.outputs.digest-x86_64 }} \
+            ${{ env.REGISTRY }}/${{ github.repository }}/ci@${{ needs.build.outputs.digest-aarch64 }}
+
+      - name: Output image details
+        run: |
+          echo "Container built and pushed successfully!"
+          echo "Image: ${{ env.REGISTRY }}/${{ github.repository }}/ci:latest"

.github/workflows/cleanup-packages.yml

@@ -0,0 +1,37 @@
+name: Cleanup Untagged Packages
+
+on:
+  schedule:
+    # Run every Sunday at 02:00 UTC
+    - cron: '0 2 * * 0'
+  workflow_dispatch:
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Delete untagged CI container images
+        id: cleanup-ci
+        continue-on-error: true
+        uses: actions/delete-package-versions@v5
+        with:
+          package-name: checkpointctl/ci
+          package-type: container
+          min-versions-to-keep: 3
+          delete-only-untagged-versions: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Report cleanup results
+        run: |
+          echo "Cleanup Results:"
+          echo "CI container cleanup: ${{ steps.cleanup-ci.outcome }}"
+
+          if [[ "${{ steps.cleanup-ci.outcome }}" == "failure" ]]; then
+            echo "Warning: CI container cleanup failed"
+            echo "Package may not exist yet"
+          fi
+
+          echo "Cleanup workflow completed"

test/ci/Containerfile

@@ -0,0 +1,19 @@
+FROM registry.fedoraproject.org/fedora:latest
+
+RUN dnf install -y \
+	bash \
+	bash-completion \
+	bats \
+	criu \
+	fish \
+	git \
+	golang \
+	iptables \
+	iproute \
+	jq \
+	kmod \
+	make \
+	rubygem-asciidoctor \
+	ShellCheck \
+	zsh \
+	&& dnf clean all