feat: add goss tests for container validation

Add goss-based testing to validate the built container image:
- nova user exists with correct uid/gid/home/shell
- Required packages installed (openssh-server, openssh-client, iproute2)
- Required directories exist with correct ownership
- SSH hardening config is present

Uses Depot's ephemeral registry to pass the built image between
the build and test jobs without pushing to ghcr.io for PRs.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Mohammed Naser <mnaser@vexxhost.com>

Author: mnaser

.github/workflows/image.yml

@@ -15,8 +15,25 @@ jobs:
       id-token: write
       packages: write
       pull-requests: write
+    outputs:
+      build-id: ${{ steps.build.outputs.build-id }}
     steps:
       - uses: vexxhost/docker-atmosphere/.github/actions/build-image@main
+        id: build
         with:
           image-name: nova-ssh
           push: ${{ github.event_name != 'pull_request' }}
+          save: true
+
+  test:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: depot/setup-action@v1
+      - uses: depot/pull-action@v1
+        with:
+          build-id: ${{ needs.build.outputs.build-id }}
+          tags: nova-ssh:test
+      - uses: e1himself/goss-installation-action@v1
+      - run: dgoss run nova-ssh:test sleep infinity

goss.yaml

@@ -0,0 +1,62 @@
+# SPDX-FileCopyrightText: © 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+user:
+  nova:
+    exists: true
+    uid: 42424
+    gid: 42424
+    home: /var/lib/nova
+    shell: /bin/bash
+
+group:
+  nova:
+    exists: true
+    gid: 42424
+
+package:
+  openssh-server:
+    installed: true
+  openssh-client:
+    installed: true
+  iproute2:
+    installed: true
+
+file:
+  /var/lib/nova:
+    exists: true
+    owner: nova
+    group: nova
+    filetype: directory
+  /etc/nova:
+    exists: true
+    owner: nova
+    group: nova
+    filetype: directory
+  /var/log/nova:
+    exists: true
+    owner: nova
+    group: nova
+    filetype: directory
+  /var/cache/nova:
+    exists: true
+    owner: nova
+    group: nova
+    filetype: directory
+  /etc/ssh:
+    exists: true
+    owner: nova
+    group: nova
+    filetype: directory
+  /var/run/sshd:
+    exists: true
+    mode: "0755"
+    filetype: directory
+  /etc/ssh/sshd_config.d/00-hardening.conf:
+    exists: true
+    contains:
+      - "Ciphers aes256-ctr,aes192-ctr"
+      - "MACs hmac-sha2-512,hmac-sha2-256"
+      - "KexAlgorithms diffie-hellman-group-exchange-sha256"
+      - "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
+      - "MaxAuthTries 3"