GHW for building and publishing docker images (#1391)

* add ghw and scripts for docker image deployment

* debug

* add permissions for content

* fix path to the bin folder

* add tags

* rename env

* fix path to docker file

* make polkadot-parachain executable

* fix typo

* fix more typos

* test

* revert back  use of  working directory

* mke bin executable in the artifacts folder

* use cd instead of working directory

* change path to cash

* fix path to cash

* change cache key

* delete old flows

* addressed PR comments

* fix path

* reorg docker files

.github/workflows/release-50_publish-docker.yml

@@ -0,0 +1,206 @@
+name: Release - Publish Docker Image
+
+# This workflow listens to pubished releases or can be triggered manually.
+# It includes releases and rc candidates.
+# It fetches the binaries, checks sha256 and GPG
+# signatures, then builds an injected docker
+# image and publishes it.
+
+on:
+  #TODO: activate automated run later
+  # release:
+  #  types:
+  #    - published
+  workflow_dispatch:
+    inputs:
+      release_id:
+        description: |
+          Release ID.
+          You can find it using the command:
+          curl -s \
+            -H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases | \
+            jq '.[] | { name: .name, id: .id }'
+        required: true
+        type: string
+      image_type:
+        description: Type of the image to be published
+        required: true
+        default: rc
+        type: choice
+        options:
+          - rc
+          - release
+      registry:
+        description: Container registry
+        required: true
+        type: string
+        default: docker.io
+      owner:
+        description: Owner of the container image repo
+        required: true
+        type: string
+        default: parity
+      binary:
+        description: Binary to be published
+        required: true
+        default: polkadot
+        type: choice
+        options:
+          - polkadot
+          - staking-miner
+          - polkadot-parachain
+
+permissions:
+  contents: write
+
+env:
+  RELEASE_ID: ${{ inputs.release_id }}
+  ENGINE: docker
+  REGISTRY: ${{ inputs.registry }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  DOCKER_OWNER: ${{ inputs.owner || github.repository_owner }}
+  REPO: ${{ github.repository }}
+  BINARY: ${{ inputs.binary }}
+  # EVENT_ACTION: ${{ github.event.action }}
+  EVENT_NAME: ${{ github.event_name }}
+  IMAGE_TYPE: ${{ inputs.image_type }}
+
+jobs:
+  fetch-artifacts:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      #TODO: this step will be needed when automated triggering will work
+        #this step runs only if the workflow is triggered automatically when new release is published
+        # if: ${{ env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }}
+        # run: |
+        #   mkdir -p release-artifacts && cd release-artifacts
+
+        #   for f in $BINARY $BINARY.asc $BINARY.sha256; do
+        #     URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f"
+        #     echo " - Fetching $f from $URL"
+        #     wget "$URL" -O "$f"
+        #   done
+        #   chmod a+x $BINARY
+        #   ls -al
+
+      - name: Fetch rc artifacts or release artifacts based on release id
+        #this step runs only if the workflow is triggered manually
+        if: ${{ env.EVENT_NAME  == 'workflow_dispatch' }}
+        run: |
+          . ./.github/scripts/common/lib.sh
+
+          fetch_release_artifacts
+
+      - name: Cache the artifacts
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        with:
+          key: artifacts-${{ env.BINARY }}-${{ github.sha }}
+          path: |
+            ./release-artifacts/${{ env.BINARY }}/**/*
+
+  build-container:
+    runs-on: ubuntu-latest
+    needs: fetch-artifacts
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Get artifacts from cache
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        with:
+          key: artifacts-${{ env.BINARY }}-${{ github.sha }}
+          fail-on-cache-miss: true
+          path: |
+            ./release-artifacts/${{ env.BINARY }}/**/*
+
+      - name: Check sha256 ${{ env.BINARY }}
+        working-directory: ./release-artifacts/${{ env.BINARY }}
+        run: |
+          . ../../.github/scripts/common/lib.sh
+
+          echo "Checking binary $BINARY"
+          check_sha256 $BINARY && echo "OK" || echo "ERR"
+
+      - name: Check GPG ${{ env.BINARY }}
+        working-directory: ./release-artifacts/${{ env.BINARY }}
+        run: |
+          . ../../.github/scripts/common/lib.sh
+          import_gpg_keys
+          check_gpg $BINARY
+
+      - name: Fetch rc commit and tag
+        if: ${{ env.IMAGE_TYPE == 'rc' }}
+        id: fetch_rc_refs
+        run: |
+          release=release-${{ inputs.release_id }} && \
+          echo "release=${release}" >> $GITHUB_OUTPUT
+
+          commit=$(git rev-parse --short HEAD) && \
+          echo "commit=${commit}" >> $GITHUB_OUTPUT
+
+          tag=$(git name-rev --tags --name-only $(git rev-parse HEAD)) && \
+          [ "${tag}" != "undefined" ] && echo "tag=${tag}" >> $GITHUB_OUTPUT || \
+          echo "No tag, doing without"
+
+      - name: Fetch release tags
+        working-directory: ./release-artifacts/${{ env.BINARY }}
+        if: ${{ env.IMAGE_TYPE == 'release'}}
+        id: fetch_release_refs
+        run: |
+          chmod a+rx $BINARY
+          VERSION=$(./$BINARY --version | awk '{ print $2 }' )
+          release=$( echo $VERSION | cut -f1 -d- )
+          echo "tag=latest" >> $GITHUB_OUTPUT
+          echo "release=${release}" >> $GITHUB_OUTPUT
+
+      - name: Build Injected Container image for polkadot/staking-miner
+        if: ${{ env.BINARY == 'polkadot' || env.BINARY == 'staking-miner' }}
+        env:
+          ARTIFACTS_FOLDER: ./release-artifacts
+          IMAGE_NAME: ${{ env.BINARY }}
+          OWNER: ${{ env.DOCKER_OWNER }}
+          TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }}
+        run: |
+          ls -al
+          echo "Building container for $BINARY"
+          ./docker/scripts/build-injected.sh
+
+      - name: Build Injected Container image for polkadot-parachain
+        if: ${{ env.BINARY == 'polkadot-parachain' }}
+        env:
+          ARTIFACTS_FOLDER: ./release-artifacts
+          IMAGE_NAME: ${{ env.BINARY }}
+          OWNER: ${{ env.DOCKER_OWNER }}
+          DOCKERFILE: docker/dockerfiles/polkadot-parachain/polkadot-parachain_injected.Dockerfile
+          TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }}
+        run: |
+          ls -al
+          mkdir -p $ARTIFACTS_FOLDER/specs
+          cp cumulus/parachains/chain-specs/*.json $ARTIFACTS_FOLDER/specs
+
+          echo "Building container for $BINARY"
+          ./docker/scripts/build-injected.sh
+
+      - name: Login to Dockerhub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push Container image for ${{ env.BINARY }}
+        id: docker_push
+        run: |
+          $ENGINE images | grep ${BINARY}
+          $ENGINE push --all-tags ${REGISTRY}/${DOCKER_OWNER}/${BINARY}
+
+      - name: Check version for the published image for ${{ env.BINARY }}
+        env:
+          RELEASE_TAG: ${{ steps.fetch_rc_refs.outputs.release || steps.fetch_release_refs.outputs.release  }}
+        run: |
+          echo "Checking tag ${RELEASE_TAG} for image ${REGISTRY}/${DOCKER_OWNER}/${BINARY}"
+          $ENGINE run -i ${REGISTRY}/${DOCKER_OWNER}/${BINARY}:${RELEASE_TAG} --version