test: add Podman integration tests for OCI runtime compatibility

[Copilot]

Plan: Add Podman Integration Tests for OCI Runtime Compatibility

Understanding

• Current integration tests run using GitHub Actions container: key in wc-integration-test.yml
• Tests run inside the built container images using Docker runtime by default
• Need to add Podman-based testing alongside existing Docker-based tests

Implementation Plan

• Review existing integration test infrastructure and workflow files
• Create new workflow for Podman-based integration tests (wc-integration-test-podman.yml)
• Configure Podman runtime on GitHub Actions runners
• Run integration tests using Podman instead of container: key
• Update CI to include both Docker (container:) and Podman test runs
• Pass environment variables correctly to Podman container
• Add documentation comments for Ubuntu runner requirement
• Code review completed and feedback addressed
• Security scan completed - no vulnerabilities found
• Linting validation passed
• Fix code injection vulnerabilities by using environment variables
• All changes committed and pushed

Summary

Successfully implemented Podman-based integration tests to prove OCI runtime compatibility:

Security Improvements:

• Fixed code injection vulnerabilities by moving template expansions to environment variables
• All shell commands now use properly quoted environment variables
• Follows the same security pattern used in other workflows

New Files:

• .github/workflows/wc-integration-test-podman.yml - New reusable workflow for Podman tests

Modified Files:

• .github/workflows/wc-build-push-test.yml - Added integration-test-podman job

Key Features:

• Parallel execution of Docker (container:) and Podman tests
• Multi-architecture support (x64 and ARM64)
• Same test suite runs on both runtimes
• Unique test result artifacts for comparison
• Automatic test result publishing via existing workflow
• Secure handling of inputs to prevent code injection

Original prompt

Prove compatibility with multiple OCI runtimes by running the integration tests on Podman next to the current GitHub native 'container:' way

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edge ➔ ghcr.io/philips-software/amp-devcontainer-base:pr-1143

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	174.05 MB	174.05 MB	102 B (0%)	🔽
linux/arm64	166.57 MB	166.57 MB	+54 B (+0%)	🔼

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	22		0	0	0.47s
✅ DOCKERFILE	hadolint	3		0	0	0.62s
✅ GHERKIN	gherkin-lint	6		0	0	2.01s
✅ JSON	npm-package-json-lint	yes		no	no	0.4s
✅ JSON	prettier	21	4	0	0	0.46s
✅ JSON	v8r	21		0	0	7.31s
✅ MARKDOWN	markdownlint	12	0	0	0	0.86s
✅ MARKDOWN	markdown-table-formatter	12	0	0	0	0.16s
✅ REPOSITORY	checkov	yes		no	no	16.28s
✅ REPOSITORY	gitleaks	yes		no	no	0.45s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
⚠️ REPOSITORY	grype	yes		no	21	34.83s
✅ REPOSITORY	secretlint	yes		no	no	0.8s
✅ REPOSITORY	syft	yes		no	no	1.83s
✅ REPOSITORY	trivy	yes		no	no	7.01s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.23s
✅ REPOSITORY	trufflehog	yes		no	no	2.38s
⚠️ SPELL	lychee	82		1	0	9.77s
✅ YAML	prettier	30	0	0	0	0.8s
✅ YAML	v8r	30		0	0	7.99s
✅ YAML	yamllint	30		0	0	0.79s

Detailed Issues

⚠️ REPOSITORY / grype - 21 warnings

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/continuous-integration.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/image-cleanup.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/issue-cleanup.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/issue-creation-tool-versions.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/linting-formatting.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/ossf-scorecard.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/pr-conventional-title.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/pr-image-cleanup.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/pr-report.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/release-build.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/release-please.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/update-dependencies.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/vulnerability-scan.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-acceptance-test.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-build-push.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-dependency-review.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-document-generation.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-integration-test-podman.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-integration-test.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-publish-templates.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-sanitize-image-name.yml

warning: 21 warnings emitted

⚠️ SPELL / lychee - 1 error

[IGNORED] docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a)
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
📝 Summary
---------------------
🔍 Total..........126
✅ Successful.....123
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........1

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.3.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edge ➔ ghcr.io/philips-software/amp-devcontainer-rust:pr-1143

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	554.46 MB	554.46 MB	88 B (0%)	🔽
linux/arm64	508.69 MB	508.69 MB	219 B (0%)	🔽

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edge ➔ ghcr.io/philips-software/amp-devcontainer-cpp:pr-1143

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	695.77 MB	695.76 MB	594 B (0%)	🔽
linux/arm64	676.63 MB	676.63 MB	70 B (0%)	🔽

[github-actions]

Test Results

 13 files  + 6   13 suites  +6   16m 21s ⏱️ + 12m 26s
 33 tests ± 0   31 ✅  -  2  0 💤 ±0  2 ❌ +2 
137 runs  +68  135 ✅ +66  0 💤 ±0  2 ❌ +2 

For more details on these failures, see this check.

Results for commit 5891521. ± Comparison against base commit 84f3450.

♻️ This comment has been updated with latest results.

[rjaegers]

@copilot some ci checks are failing. Mostly due to the possibility of code injection via template expansion in GitHub workflows. Please fix these issues. Use the same patterns that are used in other workflow files, adding unvalidated input to the environment, and using environment variables in shell commands instead. Make sure to properly quote all input that can contains spaces.

[Copilot]

@copilot some ci checks are failing. Mostly due to the possibility of code injection via template expansion in GitHub workflows. Please fix these issues. Use the same patterns that are used in other w...

Fixed in commit aa27255. All template expansions in shell commands have been moved to environment variables, and all variables are properly quoted to prevent code injection. The workflow now follows the same security pattern used in other workflows like wc-build-push.yml.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud