Fix z3 install and CN tests for Dockerfiles

.github/workflows/docker.yml

@@ -1,8 +1,14 @@
 name: docker
 
 on:
+  # Run this action every day
   schedule:
     - cron: '30 18 * * *'
+  # Run this action any time any dockerfile changes
+  pull_request:
+    paths:
+      - 'Dockerfile.**'
+      - '**docker.yml'
 
 env:
   CERBERUS_IMAGE_ID: ghcr.io/rems-project/cerberus/cn
@@ -44,7 +50,7 @@ jobs:
       with:
         context: .
         platforms: linux/amd64,linux/arm64
-        push: true
+        push: ${{ github.event_name != 'pull_request' }}
         tags: ${{env.CERBERUS_IMAGE_ID}}:release
         file: Dockerfile.ubuntu
         github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -76,7 +82,7 @@ jobs:
       with:
         context: .
         platforms: linux/amd64,linux/arm64
-        push: true
+        push: ${{ github.event_name != 'pull_request' }}
         tags: ${{env.CERBERUS_IMAGE_ID}}:release-redhat
         file: Dockerfile.redhat
         attests: type=sbom
@@ -85,6 +91,7 @@ jobs:
 
   test-docker-images:
     runs-on: ubuntu-latest
+    needs: [docker-release-redhat, docker-release-ubuntu]
     strategy:
       matrix:
         tag: [release, release-redhat]
@@ -94,4 +101,4 @@ jobs:
     - name: Run CN CI tests
       run: |
         docker pull ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }}
-        docker run -v $PWD:/work ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }} tests/run-cn.sh
+        docker run -v $PWD:/work -w /work ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }} bash tests/run-cn.sh

Dockerfile.redhat

@@ -1,21 +1,13 @@
+# Build a minimal cerberus release image
 FROM redhat/ubi9:9.4
 
-# Install basic dependencies
+# Install system packages
 RUN yum update -y && \
     yum install -y xz sudo gcc unzip \
     diffutils patch pkgconfig bzip2 \
     git perl wget ca-certificates \
     mpfr-devel gmp-devel m4
 
-# Install additional FEDORA packages
-# from https://www.cyberciti.biz/faq/install-epel-repo-on-an-rhel-8-x/
-# Currently the FEDORA packages are needed only for Z3
-# NOTE: we might have to eventually use *only* RedHat packages
-# which would mean installing Z3 directly from the release page
-RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
-    yum update -y && \
-    yum install -y z3
-
 # Install OPAM
 # See https://opam.ocaml.org/doc/1.2/Install.html
 RUN curl -fsSL https://opam.ocaml.org/install.sh | sh
@@ -26,6 +18,7 @@ RUN opam init --disable-sandboxing
 ADD . /opt/cerberus
 WORKDIR /opt/cerberus
 RUN opam install --deps-only  ./cerberus-lib.opam ./cn.opam
+RUN opam install z3
 
 RUN eval `opam env` \
   && make install_cn

Dockerfile.ubuntu

@@ -1,6 +1,7 @@
-# Build a minimal release image
+# Build a minimal cerberus release image
 FROM ubuntu:22.04
 
+# Install system packages
 RUN apt-get update
 RUN apt-get upgrade -y
 RUN apt-get install -y opam libgmp-dev libmpfr-dev