DRAFT: add test and scan for docker images

[blairdrummond]

NOTE: I don't think this PR is ready, since the arm/v6 and arm/v7 images are failing pytest due to missing dependencies (gcc and friends). But it's pretty close.

Closes #1344 . Using a build-matrix for the platforms and this test, we test all the platforms in parallel. I also threw in container scanning.

Switch pip install to use either tags or commit shas

Notably! This also changes the Dockerfile so that it accepts tags or commit-shas.

# It's backwards compatible with tags, but also lets you use shas
root@712071df17af:/# pip install git+git://github.com/simonw/datasette.git@0.56                                                                                                                                            
Collecting git+git://github.com/simonw/datasette.git@0.56                                                                                                                                                                  
  Cloning git://github.com/simonw/datasette.git (to revision 0.56) to /tmp/pip-req-build-u6dhm945                                                                                                                          
  Running command git clone -q git://github.com/simonw/datasette.git /tmp/pip-req-build-u6dhm945                                                                                                                           
  Running command git checkout -q af5a7f1c09f6a902bb2a25e8edf39c7034d2e5de                                                                                                                                                 
Collecting Jinja2<2.12.0,>=2.10.3                                                                            
  Downloading Jinja2-2.11.3-py2.py3-none-any.whl (125 kB) 

This lets you build the containers in CI every push for testing, which maybe resolves this problem?

Workflow run example

You can see the results in my workflow here. The commit history is different because I squashed this branch, also in the testing branch I had to change github.com/simonw to github.com/blairdrummond for the CI to pick up my git_sha.

Why did the builds fail?

NOTE: The results of all the tests fail, but for different reasons! A few fail to install Rust, the amd64 passes the tests (phew!) but has critical CVEs which fail the container scan, the Arm/v6 and Arm/v7 seem to fail to install the test dependencies due to missing programs like gcc. (gcc is not sufficient though, as this run indicates)

[blairdrummond]

Note, the CVEs are probably resolvable with this #1296 . My experience is that Ubuntu seems to manage these better? Though that is surprising :/

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.56%. Comparing base (7b106e1) to head (56cba8f).
Report is 1028 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1348   +/-   ##
=======================================
  Coverage   91.56%   91.56%           
=======================================
  Files          34       34           
  Lines        4282     4282           
=======================================
  Hits         3921     3921           
  Misses        361      361           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.