test: add Podman integration tests for OCI runtime compatibility

.github/workflows/build-push-test.yml

@@ -0,0 +1,60 @@
+---
+name: Build, Push & Test
+
+on:
+  workflow_call:
+    secrets:
+      TEST_GITHUB_PASSWORD:
+        required: false
+      TEST_GITHUB_TOKEN:
+        required: false
+      TEST_GITHUB_TOTP_SECRET:
+        required: false
+      TEST_GITHUB_USER:
+        required: false
+
+permissions: {}
+
+jobs:
+  build-push-test-base:
+    name: 🍨 base
+    uses: ./.github/workflows/wc-build-push-test.yml
+    permissions: &build-push-test-permissions
+      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+      artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
+      attestations: write # is needed by actions/attest-build-provenance to push attestations
+      contents: write # is needed by anchore/sbom-action for artifact uploads
+      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+      packages: write # is needed to push image manifest when using GitHub Container Registry
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
+    with:
+      dockerfile: .devcontainer/base/Dockerfile
+      enable-edge-tag: ${{ github.event_name == 'merge_group' }}
+      image-name: ${{ github.repository }}-base
+      integration-test-file: test/base/integration-tests.bats
+      integration-test-podman: true
+
+  build-push-test-flavors:
+    name: 🍨 ${{ matrix.flavor }}
+    needs: build-push-test-base
+    strategy:
+      matrix:
+        flavor: [cpp, rust]
+    uses: ./.github/workflows/wc-build-push-test.yml
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
+    permissions: *build-push-test-permissions
+    with:
+      acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }}
+      acceptance-test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json
+      build-args: |
+        BASE_IMAGE=${{ needs.build-push-test-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-test-base.outputs.digest }}
+      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
+      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
+      enable-edge-tag: ${{ github.event_name == 'merge_group' }}
+      image-name: ${{ github.repository }}-${{ matrix.flavor }}
+      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
+      integration-test-podman: true

.github/workflows/continuous-integration.yml

@@ -13,9 +13,9 @@ concurrency:
 permissions: {}
 
 jobs:
-  build-push-base:
-    name: Build → Push → Test (🍨 base)
-    uses: ./.github/workflows/wc-build-push-test.yml
+  build-push-test:
+    name: Build → Push → Test
+    uses: ./.github/workflows/build-push-test.yml
     permissions:
       actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
       artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
@@ -24,46 +24,15 @@ jobs:
       id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
       packages: write # is needed to push image manifest when using GitHub Container Registry
       pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    with:
-      dockerfile: .devcontainer/base/Dockerfile
-      enable-edge-tag: ${{ github.event_name == 'merge_group' }}
-      image-name: ${{ github.repository }}-base
-      integration-test-file: test/base/integration-tests.bats
-
-  build-push-flavors:
-    name: Build → Push → Test (🍨 ${{ matrix.flavor }})
-    needs: build-push-base
-    strategy:
-      matrix:
-        flavor: [cpp, rust]
-    uses: ./.github/workflows/wc-build-push-test.yml
     secrets:
       TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
       TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
       TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
       TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
-    permissions:
-      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
-      artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
-      attestations: write # is needed by actions/attest-build-provenance to push attestations
-      contents: write # is needed by anchore/sbom-action for artifact uploads
-      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
-      packages: write # is needed to push image manifest when using GitHub Container Registry
-      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    with:
-      build-args: |
-        BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }}
-      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
-      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
-      enable-edge-tag: ${{ github.event_name == 'merge_group' }}
-      image-name: ${{ github.repository }}-${{ matrix.flavor }}
-      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
-      acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }}
-      test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json
 
   dependency-review:
     name: 🔍 Dependency Review
-    needs: build-push-flavors
+    needs: build-push-test
     uses: ./.github/workflows/wc-dependency-review.yml
     permissions:
       contents: read
@@ -75,7 +44,7 @@ jobs:
     permissions:
       checks: write # is needed by EnricoMi/publish-unit-test-result-action to add a check run with test results
       pull-requests: write # is needed by EnricoMi/publish-unit-test-result-action to annotate PRs
-    needs: build-push-flavors
+    needs: build-push-test
     if: ${{ !cancelled() }}
     steps:
       - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2

.github/workflows/release-build.yml

@@ -13,9 +13,9 @@ concurrency:
 permissions: {}
 
 jobs:
-  build-push-base:
-    name: Build → Push → Test (🍨 base)
-    uses: ./.github/workflows/wc-build-push-test.yml
+  build-push-test:
+    name: Build → Push → Test
+    uses: ./.github/workflows/build-push-test.yml
     permissions:
       actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
       artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
@@ -24,40 +24,11 @@ jobs:
       id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
       packages: write # is needed to push image manifest when using GitHub Container Registry
       pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    with:
-      dockerfile: .devcontainer/base/Dockerfile
-      image-name: ${{ github.repository }}-base
-      integration-test-file: test/base/integration-tests.bats
-
-  build-push-flavors:
-    name: Build → Push → Test (🍨 ${{ matrix.flavor }})
-    needs: build-push-base
-    strategy:
-      matrix:
-        flavor: [cpp, rust]
-    uses: ./.github/workflows/wc-build-push-test.yml
     secrets:
       TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
       TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
       TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
       TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
-    permissions:
-      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
-      artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
-      attestations: write # is needed by actions/attest-build-provenance to push attestations
-      contents: write # is needed by anchore/sbom-action for artifact uploads
-      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
-      packages: write # is needed to push image manifest when using GitHub Container Registry
-      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    with:
-      build-args: |
-        BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }}
-      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
-      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
-      image-name: ${{ github.repository }}-${{ matrix.flavor }}
-      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
-      acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
-      test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}
 
   apply-release-notes-template:
     name: 📝 Apply Release Template
@@ -96,7 +67,7 @@ jobs:
       # Please note that this is an overly broad scope, but GitHub does not
       # currently provide a more fine-grained permission for release modification.
       contents: write # is needed to modify a release
-    needs: [build-push-base, build-push-flavors, apply-release-notes-template]
+    needs: [build-push-test, apply-release-notes-template]
     env:
       CONTAINER_FLAVOR: ${{ matrix.flavor }}
       REF_NAME: ${{ github.ref_name }}

.github/workflows/wc-build-push-test.yml

@@ -4,12 +4,16 @@ name: Build, Push & Test
 on:
   workflow_call:
     inputs:
+      acceptance-test-devcontainer-file:
+        description: Path to the devcontainer.json file to use for acceptance tests.
+        required: false
+        type: string
       acceptance-test-path:
-        description: Path to the Playwright acceptance tests (directory that contains playwright.config.ts)
+        description: Path to the Playwright acceptance tests (directory that contains playwright.config.ts).
         required: false
         type: string
       build-args:
-        description: Optional docker build args (newline-separated KEY=VALUE)
+        description: Optional docker build args (newline-separated KEY=VALUE).
         required: false
         type: string
       build-test-runner-labels:
@@ -38,7 +42,7 @@ on:
         required: true
         type: string
       enable-edge-tag:
-        description: Whether to also build and push an "edge" tag for the image
+        description: Whether to also build and push an "edge" tag for the image.
         required: false
         type: boolean
         default: false
@@ -52,9 +56,14 @@ on:
         required: true
         type: string
       integration-test-file:
-        description: Path to the BATS test file to run for integration tests
+        description: Path to the BATS test file to run for integration tests.
         required: false
         type: string
+      integration-test-podman:
+        description: Enable running the tests using the Podman container runtime, next to the default Docker container runtime.
+        required: false
+        type: boolean
+        default: false
       registry:
         description: >-
           Docker registry to push built containers to.
@@ -73,10 +82,6 @@ on:
         required: false
         type: string
         default: '["ubuntu-latest"]'
-      test-devcontainer-file:
-        description: Path to the devcontainer.json file to use for acceptance tests
-        required: false
-        type: string
     outputs:
       digest:
         value: ${{ jobs.build-push.outputs.digest }}
@@ -88,10 +93,10 @@ on:
         value: ${{ jobs.build-push.outputs.version }}
     secrets:
       DOCKER_REGISTRY_PASSWORD:
-        description: Password or token for Docker login, if not provided the GitHub token will be used
+        description: Password or token for Docker login, if not provided the GitHub token will be used.
         required: false
       DOCKER_REGISTRY_USERNAME:
-        description: User name for Docker login, if not provided the GitHub actor will be used
+        description: User name for Docker login, if not provided the GitHub actor will be used.
         required: false
       TEST_GITHUB_PASSWORD:
         required: false
@@ -116,7 +121,7 @@ jobs:
       id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
       packages: write # is needed to push image manifest when using GitHub Container Registry
       pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    secrets:
+    secrets: &docker-secrets
       DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
       DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
     with:
@@ -129,27 +134,35 @@ jobs:
       runner-labels: ${{ inputs.runner-labels }}
       build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
 
-  integration-test:
+  integration-test-docker:
     name: 🧪
     if: ${{ inputs.integration-test-file }}
     needs: build-push
-    uses: ./.github/workflows/wc-integration-test.yml
+    uses: ./.github/workflows/wc-integration-test-docker.yml
     permissions:
       contents: read
-    secrets:
-      DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
-      DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
-    with:
+    secrets: *docker-secrets
+    with: &integration-test-inputs
       build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
       fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }}
       image-basename: ${{ needs.build-push.outputs.image-basename }}
       image-digest: ${{ needs.build-push.outputs.digest }}
       registry: ${{ inputs.registry }}
       test-file: ${{ inputs.integration-test-file }}
 
+  integration-test-podman:
+    name: 🧪
+    if: ${{ inputs.integration-test-file && inputs.integration-test-podman }}
+    needs: build-push
+    uses: ./.github/workflows/wc-integration-test-podman.yml
+    permissions:
+      contents: read
+    secrets: *docker-secrets
+    with: *integration-test-inputs
+
   acceptance-test:
     name: 🏗️
-    if: ${{ inputs.test-devcontainer-file && inputs.acceptance-test-path }}
+    if: ${{ inputs.acceptance-test-devcontainer-file && inputs.acceptance-test-path }}
     needs: build-push
     uses: ./.github/workflows/wc-acceptance-test.yml
     permissions:
@@ -161,5 +174,5 @@ jobs:
       TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     with:
       image-basename: ${{ needs.build-push.outputs.image-basename }}
-      devcontainer-file: ${{ inputs.test-devcontainer-file }}
+      devcontainer-file: ${{ inputs.acceptance-test-devcontainer-file }}
       acceptance-test-path: ${{ inputs.acceptance-test-path }}

.github/workflows/wc-integration-test.yml → .github/workflows/wc-integration-test-docker.yml

@@ -1,66 +1,66 @@
 ---
-name: Integration Test
+name: 🐳 Integration Test
 
 on:
   workflow_call:
     inputs:
+      build-test-runner-labels:
+        required: true
+        type: string
       fully-qualified-image-name:
         required: true
         type: string
       image-basename:
         required: true
         type: string
       image-digest:
         required: true
         type: string
-      test-file:
-        required: true
-        type: string
-      build-test-runner-labels:
+      registry:
         required: true
         type: string
-      registry:
+      test-file:
         required: true
         type: string
     secrets:
-      DOCKER_REGISTRY_USERNAME:
-        required: true
       DOCKER_REGISTRY_PASSWORD:
         required: true
+      DOCKER_REGISTRY_USERNAME:
+        required: true
 
 permissions: {}
 
 jobs:
   run-test:
-    name: Integration Test (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }})
+    name: 🐳 Integration Test (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }})
     strategy:
       matrix:
         runner: ${{ fromJson(inputs.build-test-runner-labels) }}
     runs-on: ${{ matrix.runner }}
     container:
       image: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
       credentials:
         username: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}
         password: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}
     permissions:
       contents: read
     steps:
       - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           disable-sudo: true
           egress-policy: audit
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - run: echo "arch=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
         id: runner-arch
       - run: bats --formatter junit "${TEST_FILE}" | tee "test-report-${IMAGE_BASENAME}-${RUNNER_ARCH}.xml"
         env:
           IMAGE_BASENAME: ${{ inputs.image-basename }}
           TEST_FILE: ${{ inputs.test-file }}
           RUNNER_ARCH: ${{ steps.runner-arch.outputs.arch }}
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: ${{ !cancelled() }}
         with:
-          name: test-results-integration-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
+          name: test-results-integration-docker-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
           path: test-report-*.xml