ci: migrate to netresearch/.github reusable container workflows

[CybotTM]

Summary

Phase 4 of the container-CI consolidation across Netresearch container repos. Delegates 4 of phpbu-docker's CI workflows to the reusables in netresearch/.github that snipe-it-docker-compose-stack has been battle-testing in Phases 1-3. The build job and the trivy CVE job stay inline behind a structural blocker (docker buildx bake multi-target shape — flagged below).

What migrated

Workflow	Job(s) migrated	Before (lines)	After (lines)	Notes
scorecard.yml	full file	36	38	Delegates to scorecard.yml@main. Slight bump from added doc comments.
build.yml	extracted lint job → new lint.yml	193	185	build job stays inline (bake multi-target).
(new) lint.yml	hadolint + bake-graph-validate	—	54	hadolint via lint-container.yml@main; bake-validate inline (single-stage docker buildx bake --print).
test.yml	structure-test job	131	127	Delegates to smoke-test-container.yml@main; smoke-test matrix (TZ injection, read-only fs, simulate-mode) stays inline.
security.yml	gitleaks job	70	67	Delegates to gitleaks.yml@main (betterleaks, no license needed); trivy stays inline (bake-built local scan).

Net total bytes: +41 lines on disk but 9 fewer third-party-action SHA pins to maintain (30 → 21) — the reusables own that supply-chain surface centrally.

What stays inline, and why

• build.yml::build — uses docker buildx bake with two targets (minimal + full from docker-bake.hcl) plus a shared GHA cache and a combined cosign sign + SLSA attest + trivy scan over both variants in one job. Migration to build-container.yml@main would require either two parallel reusable matrix calls (duplicating the bake tag fan-out into metadata-tags) or abandoning docker-bake.hcl entirely. Per task rule 10 (no workarounds for structural blockers), flagging as an upstream follow-up rather than inventing a kludge.
• release.yml — same bake multi-target shape plus GitHub Release creation. Same blocker.
• security.yml::trivy — currently does local bake build then scans both variants. The security-container.yml reusable is for already-published images. Migratable only after build.yml moves off bake.
• test.yml::smoke-test matrix — phpbu-specific surface (TZ env-var sanitisation against injection, read-only filesystem, simulate-mode with fixture config, full-variant tool presence). Outside the reusable's structure-test scope.
• auto-merge.yml + cleanup-packages.yml — explicitly out of scope (Dependabot/Renovate auto-merge orchestration; ghcr retention).

Upstream follow-ups (do NOT block this PR)

1. build.yml + release.yml bake refactor — decide whether to keep docker-bake.hcl (and accept that build-container.yml@main is not reachable) or refactor to a matrix of reusable calls. Needs design discussion; not within this PR's scope.
2. SonarCloud githubactions:S7637 ("use SHA hash for actions") — the new caller stubs pin netresearch/.github to @main (hard constraint ci: bump actions/checkout from 4 to 6 #3, mandated by the user, memory ref feedback_no_sha_pin_own_reusables). Same rule-deactivation already done at project-Quality-Profile level for snipe-it; phpbu-docker likely needs the same treatment if it's SC-scanned. Cosmetic — does not affect runtime.
3. Renovate digest-pinning auto-merge.yml — independent observation from the audit. Commit 309fca0 ("chore(deps): update netresearch/.github digest to 22155f1") pinned netresearch/.github by SHA digest in .github/workflows/auto-merge.yml, which violates the org no-SHA-pin-for-netresearch/* policy. Likely needs a renovate.json packageRules exclusion for netresearch/.github. Tracking separately — not part of this PR (rule: do not touch auto-merge.yml).

Hard-constraint compliance checklist

• All netresearch/.github reusable refs use @main, never @<sha> (verified: grep -nE "netresearch/\.github" .github/workflows/*.yml).
• All third-party action refs in the new files SHA-pinned with version-tag comments.
• SPDX headers on new files use "Netresearch DTT GmbH".
• All 4 commits signed (G flag from git log --format='%G?') and Signed-off-by: matches git config user.email.
• Conventional-commit prefixes, no AI attribution.
• No secrets: inherit anywhere in the migrated files.
• All migrated/new files end with single newline (tail -c 2 | xxd -p → *0a, never 0a0a).
• Atomic commits per workflow file, explicit-path git add.
• No workarounds for the bake structural blocker — surfaced for user decision.

Test plan

• CI runs on the PR (build, lint, scorecard, test, security workflows triggered by pull_request event).
• hadolint via reusable handles the existing Dockerfile (was on hadolint-action@v3.3.0; reusable pins hadolint v2.14.0).
• container-structure-test via reusable produces equivalent output to the previous inline bake-then-CST flow against phpbu:ci (minimal stage).
• betterleaks via gitleaks.yml@main scans the full history (cf. memory feedback_gitleaks_full_history_scan — there's nothing in this repo's history that should trigger, but SARIF should upload cleanly).
• Scorecard SARIF appears in the Security tab after merge to main.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[sonarqubecloud]

Quality Gate failed

Failed conditions
4 Security Hotspots

See analysis details on SonarQube Cloud

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.