ci: auto-regenerate Dockerfiles on PRs

[GordonBeeming]

Adds two GitHub Actions workflows that react when a PR changes Dockerfile-generator inputs, so PRs like #112 (Go version bump without running the regen script) self-heal instead of needing a maintainer to push the regen commit manually.

• regen-dockerfiles-push.yml — same-repo PRs only. Regenerates docker/generated/* and pushes the result back to the PR branch. Scope: contents: write.
• regen-dockerfiles-comment.yml — fork PRs only. Runs the base branch's trusted generator against the head's snippet data (never executes head code), detects drift, and posts a comment telling the contributor what to run. Refuses entirely if the PR modifies generate-dockerfiles.ps1 itself. Scope: contents: read + pull-requests: write.

The existing verify-generated-dockerfiles job in publish.yml stays as the hard CI gate.

Permissions

Every job declares the minimum scope it needs. No read-all, no secrets exposure beyond GITHUB_TOKEN. Top-level permissions: {}.

Trust model (fork comment workflow)

• Head code is never executed — only docker/snippets/** and docker/images.json from the head are copied as inputs to the base's trusted generator.
• If the PR modified docker/generate-dockerfiles.ps1, the workflow skips the regen and posts a "manual review needed" comment.
• The base generator (audited) is pure text concatenation — no Invoke-Expression, no eval of snippet content.

Test plan

• Same-repo drift: open a follow-up PR that bumps a snippet version (e.g. docker/snippets/golang.Dockerfile) without running the generator. Workflow should push a regen commit within a minute.
• Same-repo no-drift: PR that comment-only-edits a snippet. Workflow runs and exits clean.
• Path filter: PR touching only README.md triggers neither workflow.
• Fork drift: test fork PR bumping a snippet → comment workflow posts a diff-stat + instructions, no push.
• Fork generator-modified: test fork PR editing generate-dockerfiles.ps1 → "skipped for safety" comment.
• Permissions audit in the Actions run UI matches the declared scopes.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 648a92e72a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

Adds PR-time automation to keep docker/generated/* aligned with docker/snippets/** and docker/images.json, reducing maintainer intervention when contributors forget to run the generator.

Changes:

• Introduces a same-repo PR workflow that regenerates Dockerfiles and pushes the result back to the PR branch.
• Introduces a fork-safe PR workflow that regenerates using the base branch generator + head branch snippet data and comments when drift is detected (or skips when the generator script is modified).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/regen-dockerfiles-push.yml	Regenerates docker/generated/* for same-repo PRs and pushes a regen commit back to the PR branch.
.github/workflows/regen-dockerfiles-comment.yml	For fork PRs, runs a trusted regeneration using base generator + PR data and posts a comment when generated Dockerfiles drift.