Publish RC container images (#7556)

* WIP

* Add missing checkout

* Add debuggin

* Fix VAR name

* Bug fix

* Rework jobs

* Revert "Rework jobs"

This reverts commit 2bfa79fd3ae633c17403b838f9a5025f0f7fc3f3.

* Add cache

* Add temp default for testing

* Add missing checkout

* Fix patch

* Comment out the GPG check for now

* Rename polkadot_injected_release into a more appropriate polkadot_injected_debian

* Refactoring / renaming

* Introduce a generic image for binary injection

* Flag files to be deleted and changes to be done

* WIP

* Fix multi binaries images

* Add test build scripts

* Remove old file, add polkadot build-injected script

* Fix doc

* Fix tagging

* Add build of the injected container

* Fix for docker

* Remove the need for TTY

* Handling container publishing

* Fix owner and registry

* Fix vars

* Fix repo

* Fix var naming

* Fix case when there is no tag

* Fix case with no tag

* Handle error

* Fix spacings

* Fix tags

* Remove unnecessary grep that may fail

* Add final check

* Clean up and introduce GPG check

* Add doc

* Add doc

* Update doc/docker.md

Co-authored-by: Mira Ressel <mira@parity.io>

* type

Co-authored-by: Mira Ressel <mira@parity.io>

* Fix used VAR

* Improve doc

* ci: Update .build-push-image jobs to use the new build-injected.sh

* ci: fix path to build-injected.sh script

* Rename the release artifacts folder to prevent confusion due to a similar folder in the gitlab CI

* ci: check out polkadot repo in .build-push-image

This seems far cleaner than copying the entire scripts/ folder into our
job artifacts.

* feat(build-injected.sh): make PROJECT_ROOT configurable

This lets us avoid a dependency on git in our CI image.

* ci: build injected images with buildah

* ci: pass full image names to zombienet

* Add missing ignore

---------

Co-authored-by: Mira Ressel <mira@parity.io>

polkadot/scripts/ci/common/lib.sh

@@ -193,3 +193,73 @@ check_bootnode(){
     echo "    Bootnode appears unreachable"
     return 1
 }
+
+# Assumes the ENV are set:
+# - RELEASE_ID
+# - GITHUB_TOKEN
+# - REPO in the form paritytech/polkadot
+fetch_release_artifacts() {
+  echo "Release ID : $RELEASE_ID"
+  echo "Repo       : $REPO"
+  echo "ARTIFACT_FOLDER: $ARTIFACT_FOLDER"
+
+  curl -L -s \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    https://api.github.com/repos/${REPO}/releases/$RELEASE_ID > release.json
+
+  # Get Asset ids
+  ids=($(jq -r '.assets[].id' < release.json ))
+  count=$(jq '.assets|length' < release.json )
+
+  # Fetch artifacts
+  mkdir -p ${ARTIFACT_FOLDER}
+  pushd ${ARTIFACT_FOLDER} > /dev/null
+
+  iter=1
+  for id in "${ids[@]}"
+  do
+      echo " - $iter/$count: downloading asset id: $id..."
+      curl -s -OJ -L -H "Accept: application/octet-stream" \
+          -H "Authorization: Token ${GITHUB_TOKEN}" \
+          "https://api.github.com/repos/${REPO}/releases/assets/$id"
+      iter=$((iter + 1))
+  done
+
+  ls -al --color
+  popd > /dev/null
+}
+
+# Check the checksum for a given binary
+function check_sha256() {
+    echo "Checking SHA256 for $1"
+    shasum -qc $1.sha256
+}
+
+# Import GPG keys of the release team members
+# This is done in parallel as it can take a while sometimes
+function import_gpg_keys() {
+  GPG_KEYSERVER=${GPG_KEYSERVER:-"keyserver.ubuntu.com"}
+  SEC="9D4B2B6EB8F97156D19669A9FF0812D491B96798"
+  WILL="2835EAF92072BC01D188AF2C4A092B93E97CE1E2"
+  EGOR="E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3"
+  MARA="533C920F40E73A21EEB7E9EBF27AEA7E7594C9CF"
+  MORGAN="2E92A9D8B15D7891363D1AE8AF9E6C43F7F8C4CF"
+
+  echo "Importing GPG keys from $GPG_KEYSERVER in parallel"
+  for key in $SEC $WILL $EGOR $MARA $MORGAN; do
+    (
+      echo "Importing GPG key $key"
+      gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key
+      echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $key trust;
+    ) &
+  done
+  wait
+}
+
+# Check the GPG signature for a given binary
+function check_gpg() {
+    echo "Checking GPG Signature for $1"
+    gpg --no-tty --verify -q $1.asc $1
+}