add docker container creation

.dockerignore

@@ -0,0 +1,42 @@
+# Git
+.git
+.gitignore
+.github
+
+# Python
+__pycache__
+*.pyc
+*.pyo
+*.egg-info
+.venv
+.env
+.env.local
+
+# Build artifacts
+build/
+dist/
+
+# IDE
+.vscode
+.idea
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Testing
+.pytest_cache
+.coverage
+coverage.xml
+
+# Documentation
+docs/_build/
+
+# Outputs and assets (for analysis runs)
+outputs/
+assets/
+
+# CI
+.ruff_cache

.github/workflows/ci.yml

@@ -76,6 +76,12 @@ jobs:
         with:
           dependency-group: test
 
+      - name: Runtime smoke checks
+        run: |
+          uv run python -c "import sw_metadata_bot; import metacheck; print('Runtime imports OK')"
+          uv run sw-metadata-bot run-analysis --help
+          uv run sw-metadata-bot publish --help
+
       - name: Run pytest with coverage
         run: uv run pytest --cov=src/sw_metadata_bot --cov-report=term-missing tests/
 

.github/workflows/docker.yml

@@ -0,0 +1,127 @@
+name: Docker Build & Test
+
+on:
+  push:
+    branches: ["main"]
+    # Build on version tags
+    tags: ["v*"]
+  pull_request:
+    branches: ["*"]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    name: Build Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image-tag: ${{ steps.meta.outputs.tags }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  test:
+    name: Test Docker Image
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image (test)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          load: true
+          tags: sw-metadata-bot:test
+          cache-from: type=gha
+
+      - name: Test - Show help
+        run: |
+          docker run --rm sw-metadata-bot:test
+
+      - name: Test - Check CLI commands
+        run: |
+          docker run --rm sw-metadata-bot:test uv run sw-metadata-bot verify-tokens --help
+          docker run --rm sw-metadata-bot:test uv run sw-metadata-bot run-analysis --help
+          docker run --rm sw-metadata-bot:test uv run sw-metadata-bot publish --help
+
+      - name: Test - Health check
+        run: |
+          docker run --rm sw-metadata-bot:test /bin/sh -c 'uv run sw-metadata-bot --help > /dev/null && echo "Health check passed"'
+
+      - name: Inspect image metadata
+        run: |
+          echo "=== Image Info ==="
+          docker inspect sw-metadata-bot:test | jq '.[0] | {Config: .Config, Architecture: .Architecture, SizeMB: (.Size / 1024 / 1024)}'
+
+      - name: Inspect image size
+        run: |
+          SIZE=$(docker image inspect sw-metadata-bot:test --format='{{json .Size}}' | jq '. / 1024 / 1024 | floor')
+          echo "Image size: ${SIZE}MB"
+          if [ "$SIZE" -gt 500 ]; then
+            echo "WARNING: Image size larger than expected (${SIZE}MB > 500MB)"
+          fi
+
+  security:
+    name: Security Scan
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        continue-on-error: true
+
+      - name: Upload Trivy results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+        continue-on-error: true
+