setup workflow for integration tests

.github/workflows/.test.yml

@@ -0,0 +1,136 @@
+name: .test
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  build-aws-single:
+    uses: .github/workflows/build.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      meta-images: |
+        public.ecr.aws/q3b5f1u4/test-docker-action
+      meta-tags: |
+        type=raw,value=ghbuilder-${{ github.run_id }}
+      build-file: test/hello.Dockerfile
+      build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
+      build-sbom: true
+    secrets:
+      registry-auths: |
+        - registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+  build-aws:
+    uses: .github/workflows/build.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      meta-images: |
+        public.ecr.aws/q3b5f1u4/test-docker-action
+      meta-tags: |
+        type=raw,value=ghbuilder-${{ github.run_id }}
+      build-file: test/hello.Dockerfile
+      build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
+      build-sbom: true
+      build-platforms: linux/amd64,linux/arm64
+    secrets:
+      registry-auths: |
+        - registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+  build-ghcr:
+    uses: .github/workflows/build.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      meta-images: ghcr.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=${{ github.run_id }}
+      build-file: test/hello.Dockerfile
+      build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
+      build-sbom: true
+      build-platforms: linux/amd64,linux/arm64
+    secrets:
+      registry-auths: |
+        - registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+  build-dockerhub-stage:
+    uses: .github/workflows/build.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      meta-images: registry-1-stage.docker.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=${{ github.run_id }}
+      build-file: test/hello.Dockerfile
+      build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
+      build-sbom: true
+      build-platforms: linux/amd64,linux/arm64
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+  build-ghcr-and-aws:
+    uses: .github/workflows/build.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      meta-images: |
+        ghcr.io/docker/github-builder-test
+        public.ecr.aws/q3b5f1u4/test-docker-action
+      meta-tags: |
+        type=raw,value=${{ github.run_id }}
+      build-file: test/hello.Dockerfile
+      build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
+      build-sbom: true
+      build-platforms: linux/amd64,linux/arm64
+    secrets:
+      registry-auths: |
+        - registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        - registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+  build-local:
+    uses: .github/workflows/build.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      build-file: test/hello.Dockerfile
+      build-output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }}
+      build-sbom: true
+      build-platforms: linux/amd64,linux/arm64

README.md

@@ -6,7 +6,7 @@
 This repository provides official Docker-maintained [reusable GitHub Actions workflows](https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows)
 to securely build container images using Docker best practices. The workflows
 sign BuildKit-generated SLSA-compliant provenance attestations and align with
-the principles behind [Docker Hardened Images](https://docs.docker.com/dhi/how-to/use/),
+the principles behind [Docker Hardened Images](https://docs.docker.com/dhi/),
 enabling open source projects to follow a seamless path toward higher levels of
 security and trust.
 

test/go.Dockerfile

@@ -0,0 +1,23 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.25"
+
+# xx is a helper for cross-compilation
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.7.0 AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS base
+COPY --from=xx / /
+RUN apk add --no-cache file git
+ENV CGO_ENABLED=0
+WORKDIR /src
+
+FROM base AS build
+ARG TARGETPLATFORM
+RUN --mount=type=bind,target=. \
+    --mount=target=/root/.cache,type=cache \
+  xx-go build -trimpath -o /out/myapp . \
+  && xx-verify --static /out/myapp
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
+FROM scratch
+COPY --from=build /out /

test/go.mod

@@ -0,0 +1,3 @@
+module github.com/docker/github-builder/test
+
+go 1.25.0

test/hello.Dockerfile

@@ -0,0 +1,7 @@
+FROM alpine AS base
+ARG TARGETPLATFORM
+RUN echo "Hello, World! This is ${TARGETPLATFORM}" > /hello.txt
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
+FROM scratch
+COPY --from=base /hello.txt /

test/main.go

@@ -0,0 +1,7 @@
+package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("hello world")
+}