feat: add explicit dogfood and container install paths (#50)

kantorcodes · kantorcodes · commit 44303ecba1d6 · 2026-04-06T09:54:32.000-07:00
* feat: add action install sources and container image

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;

* fix: harden action install and docker path

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;

---------

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,10 @@
+.git
+.github
+.pytest_cache
+.ruff_cache
+.venv
+__pycache__
+dist
+tests
+action
+*.pyc
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
@@ -19,6 +19,7 @@ jobs:
       - uses: ./action
         id: scan
         with:
+          install_source: local
           plugin_dir: tests/fixtures/good-plugin
           min_score: 80
 
@@ -30,6 +31,7 @@ jobs:
       - uses: ./action
         id: scan
         with:
+          install_source: local
           plugin_dir: tests/fixtures/good-plugin
           format: json
           output: report.json
@@ -52,6 +54,7 @@ jobs:
       - uses: ./action
         id: scan
         with:
+          install_source: local
           plugin_dir: tests/fixtures/good-plugin
           format: sarif
           output: report.sarif
@@ -75,6 +78,7 @@ jobs:
         id: scan
         continue-on-error: true
         with:
+          install_source: local
           plugin_dir: tests/fixtures/bad-plugin
           min_score: 99
       - name: Verify failure
@@ -94,6 +98,7 @@ jobs:
       - uses: ./action
         id: scan
         with:
+          install_source: local
           plugin_dir: tests/fixtures/good-plugin
           format: markdown
           output: report.md
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -163,6 +163,10 @@ jobs:
           uv tool install codex-plugin-scanner==${VERSION}
           \`\`\`
 
+          \`\`\`bash
+          docker pull ghcr.io/hashgraph-online/codex-plugin-scanner:${VERSION}
+          \`\`\`
+
           **Full Changelog**: https://github.com/hashgraph-online/codex-plugin-scanner/compare/${LAST_TAG}...v${VERSION}
           EOF
 
@@ -200,3 +204,48 @@ jobs:
             --title "v${VERSION}" \
             --notes-file ${{ steps.changelog.outputs.notes_path }} \
             "${{ steps.action_bundle.outputs.bundle_path }}#hol-codex-plugin-scanner-action-v${VERSION}.zip"
+
+  publish-container:
+    name: Publish container image
+    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish_target == 'pypi')
+    needs: [build, publish-pypi]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Stamp package version
+        env:
+          VERSION: ${{ needs.build.outputs.version }}
+        run: |
+          sed -i "1,/^version = /{s/^version = .*/version = \"$VERSION\"/}" pyproject.toml
+          sed -i "1,/^__version__ = /{s/^__version__ = .*/__version__ = \"$VERSION\"/}" src/codex_plugin_scanner/version.py
+      - name: Prepare image tags
+        id: tags
+        env:
+          IMAGE_NAME: ghcr.io/${{ github.repository }}
+          VERSION: ${{ needs.build.outputs.version }}
+        run: |
+          {
+            echo "value<<EOF"
+            echo "${IMAGE_NAME}:${VERSION}"
+            echo "${IMAGE_NAME}:latest"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: ${{ steps.tags.outputs.value }}
+          labels: |
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.version=${{ needs.build.outputs.version }}
+            org.opencontainers.image.revision=${{ github.sha }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,24 @@
+FROM python:3.12-slim@sha256:3d5ed973e45820f5ba5e46bd065bd88b3a504ff0724d85980dcd05eab361fcf4
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1
+
+WORKDIR /app
+
+COPY pyproject.toml README.md LICENSE /app/
+COPY src /app/src
+
+RUN python3 -m pip install --upgrade pip && \
+    python3 -m pip install /app
+
+RUN groupadd --system scanner && \
+    useradd --system --gid scanner --create-home --home-dir /home/scanner scanner && \
+    mkdir -p /workspace && \
+    chown -R scanner:scanner /workspace /home/scanner
+
+WORKDIR /workspace
+
+USER scanner
+
+ENTRYPOINT ["codex-plugin-scanner"]
diff --git a/README.md b/README.md
@@ -5,6 +5,7 @@
 [![PyPI Downloads](https://img.shields.io/pypi/dm/codex-plugin-scanner)](https://pypistats.org/packages/codex-plugin-scanner)
 [![CI](https://github.com/hashgraph-online/codex-plugin-scanner/actions/workflows/ci.yml/badge.svg)](https://github.com/hashgraph-online/codex-plugin-scanner/actions/workflows/ci.yml)
 [![Publish](https://github.com/hashgraph-online/codex-plugin-scanner/actions/workflows/publish.yml/badge.svg)](https://github.com/hashgraph-online/codex-plugin-scanner/actions/workflows/publish.yml)
+[![Container Image](https://img.shields.io/badge/ghcr-codex--plugin--scanner-2496ED?logo=docker&logoColor=white)](https://github.com/hashgraph-online/codex-plugin-scanner/pkgs/container/codex-plugin-scanner)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/hashgraph-online/codex-plugin-scanner/badge)](https://scorecard.dev/viewer/?uri=github.com/hashgraph-online/codex-plugin-scanner)
 [![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](./LICENSE)
 [![GitHub Stars](https://img.shields.io/github/stars/hashgraph-online/codex-plugin-scanner?style=social)](https://github.com/hashgraph-online/codex-plugin-scanner/stargazers)
@@ -75,6 +76,15 @@ You can also run the scanner without a local install:
 pipx run codex-plugin-scanner ./my-plugin
 ```
 
+Container-first environments can use the published image instead:
+
+```bash
+docker run --rm \
+  -v "$PWD:/workspace" \
+  ghcr.io/hashgraph-online/codex-plugin-scanner:<version> \
+  scan /workspace --format text
+```
+
 ## What The Scanner Covers
 
 `codex-plugin-scanner` supports a full quality suite:
diff --git a/action/README.md b/action/README.md
@@ -12,6 +12,11 @@ This repository is the Marketplace-facing wrapper for the scanner action. The ma
 
 The default Marketplace install path uses an exact `codex-plugin-scanner` PyPI release, verifies its PyPI provenance against `hashgraph-online/codex-plugin-scanner`, and only then installs it. After installation, the default `scan`, `lint`, and offline `verify` paths operate on local repository content only. Live network probing and submission automation remain explicit opt-in features.
 
+Advanced distribution paths are available when you need them:
+
+- `install_source: local` is the explicit dogfood path for `uses: ./action` inside the source repo.
+- `ghcr.io/hashgraph-online/codex-plugin-scanner` is the container distribution for enterprise runners that prefer a reviewed OCI image over runtime package installation.
+
 ## Usage
 
 ```yaml
@@ -44,6 +49,7 @@ The default Marketplace install path uses an exact `codex-plugin-scanner` PyPI r
 | `cisco_skill_scan` | Cisco skill-scanner mode: `auto`, `on`, `off` | `auto` |
 | `cisco_policy` | Cisco policy preset: `permissive`, `balanced`, `strict` | `balanced` |
 | `install_cisco` | Install the opt-in Cisco skill-scanner dependency used by this repo | `false` |
+| `install_source` | Package install source: `pypi` for the reviewed release path, or `local` for source-repo dogfooding | `pypi` |
 | `submission_enabled` | Open submission issues for awesome-list and registry automation when the plugin clears the submission threshold | `false` |
 | `submission_score_threshold` | Minimum score required before a submission issue is created | `80` |
 | `submission_repos` | Comma-separated GitHub repositories that should receive the submission issue | `hashgraph-online/awesome-codex-plugins` |
@@ -127,6 +133,17 @@ This `plugin_dir: "."` pattern is correct for both single-plugin repositories an
     install_cisco: true
 ```
 
+### Dogfood the source-repo action bundle
+
+Use this only inside `hashgraph-online/codex-plugin-scanner`, where the action can install the adjacent source tree directly.
+
+```yaml
+- uses: ./action
+  with:
+    plugin_dir: "."
+    install_source: local
+```
+
 ### Export registry payload for Codex ecosystem automation
 
 ```yaml
@@ -236,3 +253,16 @@ Set `mode` to one of `scan`, `lint`, `verify`, or `submit`.
 For `submit` mode, point `plugin_dir` at one concrete plugin directory. Repository-mode discovery is supported for `scan`, `lint`, and `verify`, but `submit` intentionally remains single-plugin.
 
 For `scan` mode, set `upload_sarif: true` to emit and upload SARIF automatically instead of wiring a separate upload step by hand.
+
+## Container Distribution
+
+The scanner is also published as an OCI image for container-first environments:
+
+```bash
+docker run --rm \
+  -v "$PWD:/workspace" \
+  ghcr.io/hashgraph-online/codex-plugin-scanner:<version> \
+  scan /workspace --format text
+```
+
+The image installs the scanner from the reviewed source tree at release build time. It is separate from the Marketplace action so teams that prefer `docker://` or explicit `docker run` flows can use a pinned image without changing the secure default action path.
diff --git a/action/action.yml b/action/action.yml
@@ -71,6 +71,10 @@ inputs:
     description: "Install the opt-in Cisco skill-scanner dependency used by this repo"
     required: false
     default: "false"
+  install_source:
+    description: "Package install source: pypi for the reviewed release path, or local for source-repo dogfooding"
+    required: false
+    default: "pypi"
   submission_enabled:
     description: "Open submission issues for awesome-list and registry automation when the plugin clears the submission threshold"
     required: false
@@ -167,6 +171,9 @@ runs:
 
     - name: Install scanner
       shell: bash
+      env:
+        INSTALL_SOURCE: ${{ inputs.install_source }}
+        INSTALL_CISCO: ${{ inputs.install_cisco }}
       run: |
         LOCAL_SOURCE=""
         for candidate in "$GITHUB_ACTION_PATH" "$GITHUB_ACTION_PATH/.."; do
@@ -176,13 +183,17 @@ runs:
           fi
         done
 
-        if [ -n "$LOCAL_SOURCE" ]; then
-          if [ "${{ inputs.install_cisco }}" = "true" ]; then
+        if [ "$INSTALL_SOURCE" = "local" ]; then
+          if [ -z "$LOCAL_SOURCE" ]; then
+            echo "install_source=local requires the source repository checkout (for example: uses: ./action inside codex-plugin-scanner)." >&2
+            exit 1
+          fi
+          if [ "$INSTALL_CISCO" = "true" ]; then
             python3 -m pip install "$LOCAL_SOURCE[cisco]"
           else
             python3 -m pip install "$LOCAL_SOURCE"
           fi
-        else
+        elif [ "$INSTALL_SOURCE" = "pypi" ]; then
           SCANNER_VERSION_FILE="$GITHUB_ACTION_PATH/scanner-version.txt"
           CISCO_VERSION_FILE="$GITHUB_ACTION_PATH/cisco-version.txt"
           PYPI_ATTESTATIONS_VERSION_FILE="$GITHUB_ACTION_PATH/pypi-attestations-version.txt"
@@ -213,9 +224,12 @@ runs:
           fi
 
           python3 -m pip install "$DIST_DIR/$DIST_BASENAME"
-          if [ "${{ inputs.install_cisco }}" = "true" ]; then
+          if [ "$INSTALL_CISCO" = "true" ]; then
             python3 -m pip install "cisco-ai-skill-scanner==${CISCO_VERSION}"
           fi
+        else
+          echo "Unsupported install_source: $INSTALL_SOURCE" >&2
+          exit 1
         fi
 
     - name: Run scanner
diff --git a/action/scanner-version.txt b/action/scanner-version.txt
@@ -1 +1 @@
-1.4.0
+1.4.8
diff --git a/tests/test_action_bundle.py b/tests/test_action_bundle.py
@@ -14,8 +14,15 @@ def test_action_metadata_includes_marketplace_branding_and_fallback_install() ->
     assert 'color: "blue"' in action_text
     assert "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405" in action_text
     assert 'python3 -m pip install "pypi-attestations==' in action_text
+    assert "install_source:" in action_text
+    assert 'default: "pypi"' in action_text
+    assert "INSTALL_SOURCE: ${{ inputs.install_source }}" in action_text
+    assert "INSTALL_CISCO: ${{ inputs.install_cisco }}" in action_text
+    assert 'if [ "$INSTALL_SOURCE" = "local" ]; then' in action_text
+    assert "install_source=local requires the source repository checkout" in action_text
     assert 'python3 -m pip install "$LOCAL_SOURCE"' in action_text
     assert 'python3 -m pip install "$LOCAL_SOURCE[cisco]"' in action_text
+    assert 'elif [ "$INSTALL_SOURCE" = "pypi" ]; then' in action_text
     assert (
         'python3 -m pip download --only-binary=:all: --no-deps --dest "$DIST_DIR" '
         '"codex-plugin-scanner==${SCANNER_VERSION}"'
@@ -76,6 +83,17 @@ def test_publish_workflow_attaches_marketplace_action_bundle() -> None:
     assert """printf '%s\\n' "${VERSION}" > "${BUNDLE_ROOT}/scanner-version.txt" """[:-1] in workflow_text
     assert 'cp action/cisco-version.txt "${BUNDLE_ROOT}/cisco-version.txt"' in workflow_text
     assert 'cp action/pypi-attestations-version.txt "${BUNDLE_ROOT}/pypi-attestations-version.txt"' in workflow_text
+    assert "docker pull ghcr.io/hashgraph-online/codex-plugin-scanner:${VERSION}" in workflow_text
+    assert "publish-container:" in workflow_text
+    assert "packages: write" in workflow_text
+    assert "docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2" in workflow_text
+    assert "docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567" in workflow_text
+    assert "docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83" in workflow_text
+    assert "ghcr.io/${{ github.repository }}" in workflow_text
+    assert "${IMAGE_NAME}:latest" in workflow_text
+    assert "org.opencontainers.image.version=${{ needs.build.outputs.version }}" in workflow_text
+    e2e_workflow_text = (ROOT / ".github" / "workflows" / "e2e-test.yml").read_text(encoding="utf-8")
+    assert e2e_workflow_text.count("install_source: local") == 5
 
 
 def test_ci_workflow_covers_cross_platform_runtime() -> None:
@@ -132,6 +150,9 @@ def test_action_bundle_docs_live_in_action_readme() -> None:
     assert "published action bundle" in action_readme
     assert "Source of Truth" in action_readme
     assert "verifies its PyPI provenance" in action_readme
+    assert "install_source: local" in action_readme
+    assert "uses: ./action" in action_readme
+    assert "ghcr.io/hashgraph-online/codex-plugin-scanner:<version>" in action_readme
     assert "online`, `submission_enabled`, and `upload_sarif`" in action_readme
     assert "registry_payload_output" in action_readme
     assert "grade_label" in action_readme
@@ -152,3 +173,17 @@ def test_readme_uses_stable_apache_license_badge() -> None:
     assert "https://img.shields.io/github/license/hashgraph-online/codex-plugin-scanner" not in readme
     assert "publish-action-repo.yml" in readme
     assert "docs/github-action-marketplace.md" not in readme
+    assert "ghcr.io/hashgraph-online/codex-plugin-scanner:<version>" in readme
+    assert "Container Image" in readme
+
+
+def test_container_files_exist_for_enterprise_distribution() -> None:
+    dockerfile_text = (ROOT / "Dockerfile").read_text(encoding="utf-8")
+    dockerignore_text = (ROOT / ".dockerignore").read_text(encoding="utf-8")
+
+    assert "FROM python:3.12-slim@sha256:" in dockerfile_text
+    assert 'ENTRYPOINT ["codex-plugin-scanner"]' in dockerfile_text
+    assert "python3 -m pip install /app" in dockerfile_text
+    assert "USER scanner" in dockerfile_text
+    assert ".git" in dockerignore_text
+    assert "tests" in dockerignore_text
