Add backend Docker build/push workflow and improve Snyk IaC workflow

[echska]

Motivation

• Add automated CI to build and push the backend Docker image to GHCR for changes under parental-control-system/backend.
• Improve the Infrastructure-as-Code scanning workflow to run Snyk in a container and produce SARIF results for GitHub Code Scanning.
• Tighten and clarify workflow permissions and use more recent actions to ensure reliable scanning and artifact publishing.

Description

• Added a new GitHub Actions workflow /.github/workflows/backend-docker.yml that checks out the repo, sets up Docker Buildx, logs into GHCR, extracts metadata with docker/metadata-action@v5, and builds/pushes the image from parental-control-system/backend/Dockerfile using docker/build-push-action@v6 with SHA and latest tags.
• Updated /.github/workflows/snyk-infrastructure.yml to remove legacy comments, normalize branch syntax, add security-events: write and actions: read permissions, and run the job inside the snyk/snyk:alpine container.
• Replaced the old Snyk action usage with an explicit run that authenticates via snyk auth "$SNYK_TOKEN" and executes snyk iac test --sarif-file-output=snyk.sarif || true to produce a SARIF file.
• Switched the SARIF uploader to github/codeql-action/upload-sarif@v4 and made the upload conditional with if: always() && hashFiles('snyk.sarif') != '' to avoid errors when no SARIF is generated.

Testing

• No automated tests were executed as part of this change; these are CI workflow additions and modifications that will run on the next push to main or on manual dispatch.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e25726d3e9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep forked PR scans from failing at auth

Because this workflow still runs on pull_request, forked PRs do not receive SNYK_TOKEN, so this newly unguarded snyk auth "$SNYK_TOKEN" exits before the || true scan/upload path can run. That regresses the previous continue-on-error behavior and makes external PR checks fail rather than just omitting Snyk results; guard this step or skip it when the secret is unavailable.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Restore scheduled IaC scans

This on: block now only runs Snyk on pushes and PRs, whereas the previous workflow also had a weekly Monday schedule. That means IaC findings that appear because Snyk's rules change, or because existing configuration becomes newly vulnerable, will not be refreshed in code scanning until someone happens to change the repository; keep the scheduled trigger if continuous infrastructure scanning is still expected.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Restrict latest publishes to main

Because this workflow also allows workflow_dispatch, a manual run selected on any non-main ref will still publish the raw latest tag here. That can overwrite the production-looking GHCR tag with unmerged backend code; either gate this tag/push to refs/heads/main or avoid publishing latest for manual non-main runs.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Use a glibc-based Snyk job container

Running the whole job in the snyk/snyk:alpine container also moves the JavaScript actions in this job (actions/checkout@v4 and github/codeql-action/upload-sarif@v4) into an Alpine/musl environment. Those actions are executed with the runner's bundled Node binary, which expects glibc, so the workflow can fail before Snyk ever scans; use a glibc-based Snyk image or run only the CLI invocation in the Snyk container.

Useful? React with 👍 / 👎.