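schemaVersion: 2.0.0
# Runtime contract assertions for the published go-face-recognition image.
# Mirrors invariants enforced by Dockerfile.go-face so that rebase / digest
# drift on the upstream builder cannot silently regress them. Runs under
# GoogleContainerTools/container-structure-test in the docker CI matrix.
#
# Intentionally scoped to what the scan-stage image actually carries:
# - The scan image is built via docker/build-push-action with `load: true`
#   and NO `labels:` input — OCI labels from metadata-action only apply
#   to the multi-arch push step. So no metadataTest for labels.
# - Dockerfile.go-face sets CMD=["tail","-f","/dev/null"] with NO
#   ENTRYPOINT (runtime shell container; real execution uses
#   `--entrypoint /app/main`). So no metadataTest for entrypoint.
# - Alpine runtime doesn't ship `file`, so ELF-type asserts are out;
#   static-binary verification happens at link time (`-extldflags -static`
#   + `static_build` tag in the builder stage).
#
# Every `expectedOutput` entry is a regular expression (Go RE2 syntax)
# matched against the command's full stdout, trailing newline included.
# Anchor deliberately: an unanchored pattern is a substring search.

fileExistenceTests:
  - name: main binary present
    path: /app/main
    shouldExist: true
    # Exact mode string (owner rwx, group/other r-x). Any change to the mode
    # in Dockerfile.go-face must be mirrored here on purpose, not silently.
    permissions: "-rwxr-xr-x"
  - name: models directory baked in
    path: /app/models
    shouldExist: true
    # Execute (traverse) bit must be set so the directory can be entered
    # by the runtime user.
    isExecutableBy: any
  - name: persons directory baked in
    path: /app/persons
    shouldExist: true
  - name: fonts directory baked in
    path: /app/fonts
    shouldExist: true
  - name: images directory baked in
    path: /app/images
    shouldExist: true

commandTests:
  - name: runs as non-root UID 10001
    command: id
    args: ["-u"]
    # Anchored at both ends so only the exact UID passes: a bare "10001"
    # pattern is a substring match and would also accept 110001, 100010,
    # and similar. `\s*` absorbs the trailing newline so `$` can match at
    # end of stdout (see the note on the size test below). Single quotes
    # keep the backslash literal for the YAML parser (`"\s"` would be an
    # invalid double-quoted escape).
    expectedOutput: ['^10001\s*$']
  - name: main binary is executable and reports a size
    command: sh
    args:
      - -c
      - 'test -x /app/main && stat -c "%s" /app/main'
    # Binary should be several MB; match any size >= 7 digits (>= 1 MB).
    # No anchors: CST regex runs against stdout with trailing newline, and
    # '$' doesn't match before that newline on all CST versions.
    expectedOutput: ["[0-9]{7,}"]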