ci: fix issues with secrets and refactor further

Author: rjaegers

.github/copilot-instructions.md

@@ -24,3 +24,10 @@ The folder structure of amp-devcontainer is described below, adhere to the exist
 - `/.devcontainer/[flavor]-test`: Contains a devcontainer.json file for testing the container flavor.
 - `/.github`: Contains the GitHub workflows for CI/CD, linter configuration, issue templates and re-usable actions.
 - `/test/[flavor]`: Contains [Bats](https://bats-core.readthedocs.io/en/stable/) integration- and Playwright verification tests for the containers.
+
+## File Specific Instructions
+
+When reviewing GitHub Action workflows, ensure that:
+
+- Workflows that have a workflow_call trigger have the file name prefixed with `wc-`.
+- For all re-usable workflows, only the top-level workflow has defaults and descriptions for inputs to avoid duplication. Top-level workflows are not called themselves by other workflows with workflow_call.

.github/workflows/continuous-integration.yml

@@ -13,8 +13,12 @@ concurrency:
 permissions: {}
 
 jobs:
-  build-push-test:
-    uses: ./.github/workflows/wc-build-push-test-flavor.yml
+  build-push-test-flavors:
+    name: Build, Push and Test (🍨 ${{ matrix.flavor }})
+    strategy:
+      matrix:
+        flavor: [cpp, rust]
+    uses: ./.github/workflows/wc-build-push-test.yml
     secrets:
       TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
       TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
@@ -28,3 +32,40 @@ jobs:
       id-token: write
       packages: write
       pull-requests: write
+    with:
+      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
+      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
+      image-name: ${{ github.repository }}-${{ matrix.flavor }}
+      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
+
+  dependency-review:
+    needs: build-push-test-flavors
+    uses: ./.github/workflows/wc-dependency-review.yml
+    permissions:
+      contents: read
+      pull-requests: write
+
+  publish-test-results:
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
+    needs: build-push-test-flavors
+    if: ${{ !cancelled() }}
+    steps:
+      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          merge-multiple: true
+          pattern: test-results-*
+      - uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0
+        with:
+          files: test-report-*.xml
+
+  generate-documents:
+    uses: ./.github/workflows/wc-document-generation.yml
+    permissions:
+      contents: read

.github/workflows/wc-build-push-test.yml

@@ -72,8 +72,8 @@ jobs:
       packages: write
       pull-requests: write
     secrets:
-      DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}
-      DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}
+      DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
+      DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
     with:
       dockerfile: ${{ inputs.dockerfile }}
       registry: ${{ inputs.registry }}
@@ -83,6 +83,7 @@ jobs:
       build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
 
   integration-test:
+    if: ${{ inputs.integration-test-file }}
     strategy:
       matrix:
         runner: ${{ (startsWith(inputs.build-test-runner-labels, '[') && endsWith(inputs.build-test-runner-labels, ']')) && fromJson(inputs.build-test-runner-labels) || inputs.build-test-runner-labels }}
@@ -92,23 +93,3 @@ jobs:
       image-name: ${{ inputs.image-name }}
       test-file: ${{ inputs.integration-test-file }}
       runner-labels: ${{ matrix.runner }}
-
-  publish-test-results:
-    runs-on: ubuntu-latest
-    permissions:
-      checks: write
-      pull-requests: write
-    needs: [integration-test]
-    if: ${{ !cancelled() }}
-    steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
-        with:
-          disable-sudo: true
-          egress-policy: audit
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-        with:
-          merge-multiple: true
-          pattern: test-results-*
-      - uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0
-        with:
-          files: test-report-*.xml

.github/workflows/wc-build-push.yml

@@ -71,8 +71,8 @@ jobs:
       - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ inputs.registry }}
-          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
-          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+          username: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}
+          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}
       - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         env:
           DOCKER_METADATA_SET_OUTPUT_ENV: false
@@ -161,8 +161,8 @@ jobs:
       - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ inputs.registry }}
-          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
-          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+          username: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}
+          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}
       - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         id: metadata
         env: