
fix: resolve three pre-existing CI failures #2

Merged

fatherlinux merged 1 commit into main from fix-preexisting-ci-failures on Mar 26, 2026

Conversation

@fatherlinux (Member)

Summary

  • Add .gourmand-cache/ to .gitignore and switch gourmand CI to container image (was building from source via cargo)
  • Add missing Section III (Containerfile Conventions) to constitution, renumber sections to match parent profile (I-IX)
  • Fix Trivy container scan: use docker build instead of podman build on GHA runners

Context

All three failures pre-date the Hummingbird distroless changes. They were present on main before PR #1.

Test plan

  • Constitution validator passes locally (pre-commit hook)
  • Gourmand runs via container image in CI
  • Constitution Validation passes in CI
  • Container Security Scan (Trivy) passes in CI

🤖 Generated with Claude Code

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the stability and reliability of the continuous integration pipeline by addressing several pre-existing failures. It streamlines the build process by ignoring specific cache directories, formalizes container build standards within the project's constitution, and corrects issues with container scanning tools, ultimately contributing to a more robust and predictable development environment.

Highlights

  • CI Stability: Resolved three pre-existing CI failures by updating configurations and documentation.
  • Gourmand Configuration: Added .gourmand-cache/ to .gitignore to prevent unnecessary files from being tracked and switched Gourmand CI to use a container image for consistent execution.
  • Constitution Update: Incorporated a new Section III on 'Containerfile Conventions' into the project's constitution, detailing multi-stage Hummingbird FIPS build practices, and renumbered subsequent sections accordingly.
  • Trivy Scan Fix: Adjusted the Trivy container security scan to utilize docker build instead of podman build on GitHub Actions runners, ensuring proper execution.

Ignored Files

  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/ci.yml
    • .github/workflows/security.yml


@gemini-code-assist (bot) left a comment

Code Review

This pull request updates the project's constitution document, incrementing its version to 1.2.0. It introduces a new section detailing Containerfile Conventions, specifically outlining the multi-stage Hummingbird FIPS build process. Additionally, it updates the .gitignore file to include .gourmand-cache/. A review comment suggests an improvement to the new Containerfile Conventions, recommending that base images should be pinned to specific version tags instead of using latest to ensure reproducible builds.

Comment on lines +134 to +135
1. **Builder stage** (`quay.io/hummingbird/python:latest-fips-builder`) — has shell, dnf, build tools. Creates a Python venv and installs all dependencies.
2. **Runtime stage** (`quay.io/hummingbird/python:latest-fips`) — distroless, no shell, no package manager. The venv is copied from the builder. No `RUN` commands in this stage.
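Review bot: the two floating tags (`latest-fips-builder` and `latest-fips`) are a correctness risk on top of the reproducibility concern, because the convention copies the venv created in the builder stage into the runtime stage; a venv records the interpreter path and version it was created with, so if the two tags are republished at different times and resolve to different Python releases, the copied venv can fail to start or load a different interpreter than the one its packages were built against. Suggest the convention require both stages to pin the same version (or, better, the same release's digests), e.g. `quay.io/hummingbird/python:<version>-fips-builder` and `quay.io/hummingbird/python:<version>-fips` with an identical `<version>`, and that the Containerfile be updated to match.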

Severity: medium

Using the latest tag for base images is discouraged as it can lead to non-reproducible builds. When the latest tag is updated, your builds might fail or behave differently without any changes to your Containerfile. It is a best practice to pin base images to a specific version tag or a digest to ensure build stability and predictability.

For example:

1. **Builder stage** (`quay.io/hummingbird/python:1.2.3-fips-builder`)
2. **Runtime stage** (`quay.io/hummingbird/python:1.2.3-fips`)

Could you please update this convention (and the corresponding Containerfile) to use specific version tags instead of latest?
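A pre-commit style check for the pinning rule discussed in the comment above, written as an added example that is not part of this PR or the project's own constitution validator. The Containerfile text is a constructed sample that mirrors the two-stage convention; the check goes one step beyond the comment by also flagging builder and runtime stages pinned to different versions, since the venv is copied between them.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the two-stage convention (not the project's file).
CONTAINERFILE_UNPINNED = """\
FROM quay.io/hummingbird/python:latest-fips-builder AS builder
RUN python -m venv /opt/venv && /opt/venv/bin/pip install -r requirements.txt
FROM quay.io/hummingbird/python:latest-fips
COPY --from=builder /opt/venv /opt/venv
"""
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?",
    re.IGNORECASE,
)

def parse_ref(ref: str) -> Dict[str, str]:
    """Split an image reference into name, tag and digest."""
    name, _, digest = ref.partition("@")
    colon = name.rfind(":")  # a ':' after the last '/' is a tag, not a registry port
    tag = ""
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return {"name": name, "tag": tag, "digest": digest}

def lint_containerfile(text: str, require_digest: bool = False) -> List[str]:
    """Return pinning-policy findings for every base image a Containerfile pulls."""
    findings: List[str] = []
    stages: set = set()
    versions: Dict[str, str] = {}  # stage label -> version prefix of its tag
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if ref in stages or ref.lower() == "scratch":
            continue  # refers to an earlier stage, not a pulled base image
        if stage:
            stages.add(stage)
        parts, label = parse_ref(ref), stage or f"line {lineno}"
        if not parts["tag"] and not parts["digest"]:
            findings.append(f"{label}: {ref} has no tag (implicitly latest)")
        elif parts["tag"].startswith("latest"):
            findings.append(f"{label}: {ref} uses floating tag {parts['tag']}")
        if require_digest and not parts["digest"]:
            findings.append(f"{label}: {ref} is not pinned by digest")
        # venv is copied builder -> runtime, so stages must share a release (1.2.3-fips -> 1.2.3)
        versions[label] = parts["tag"].split("-")[0]
    if len(set(versions.values())) > 1:
        findings.append(f"stages pin different versions: {versions}")
    return findings
```

Wire `lint_containerfile(open("Containerfile").read(), require_digest=True)` into the pre-commit hook and fail on any non-empty result.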

1. Gourmand CI: switch from cargo install to container image, add
   .gourmand-cache/ to .gitignore
2. Constitution: add missing Section III (Containerfile Conventions),
   renumber sections to match parent profile (I-IX)
3. Container Security Scan: use docker build on GHA runners so Trivy
   can find the image
4. Gourmand violations: remove verbose comments, rename generic vars,
   extract magic numbers to constants, add C901 + pylint thresholds,
   fix type: ignore, clean up exceptions file (40 → 0 violations)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@fatherlinux force-pushed the fix-preexisting-ci-failures branch from f459270 to b08edab on March 26, 2026 00:25
@fatherlinux merged commit ff96f0a into main on Mar 26, 2026
13 checks passed
@fatherlinux deleted the fix-preexisting-ci-failures branch on March 26, 2026 00:26