Chore/build release (burnt-labs#239)

Modify CI/CD flows to insure tests run against the same binaries for releases

Author: 2xburnt

.github/workflows/aws-ecr.yml

@@ -0,0 +1,89 @@
+name: Build and Push Docker Images
+
+# reusable workflow, do not add triggers
+on:
+  workflow_call:
+  workflow_dispatch:
+
+env:
+  GHCR: ghcr.io/${{ github.repository }}
+  PLATFORMS: linux/amd64
+
+jobs:
+  build-docker:
+    name: Build Docker Images
+    runs-on: ubuntu-latest
+    environment: CI
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          fetch-tags: true
+          ref: ${{ github.ref }}
+
+      - name: Set up docker buildx for push
+        uses: docker/setup-buildx-action@v3
+
+
+      - name: Metadata for xion container
+        id: meta-xion
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            burntnetwork/xion
+            ${{ env.GHCR }}/xion
+            385156030167.dkr.ecr.us-east-1.amazonaws.com/burnt/xiond
+          tags: |
+            type=sha
+            type=semver,pattern={{version}},enable=${{ github.event_name == 'push' }}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Prepare xion build environment
+        run: |
+          echo "VERSION=$(shell echo $(shell git describe --tags) | sed 's/^v//')" >> $GITHUB_ENV
+          echo "COMMIT=$(shell git log -1 --format='%H')" >> $GITHUB_ENV
+          echo "TAG_VERSION=$(shell git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+      - name: Build and push xion image
+        uses: docker/build-push-action@v5
+        env:
+          COMMIT: ${{ env.COMMIT }}
+          VERSION: ${{ env.VERSION }}
+          TAG_VERSION: ${{ env.TAG_VERSION }}
+        with:
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          target: release
+          platforms: ${{ env.PLATFORMS }}
+          tags: ${{ steps.meta-xion.outputs.tags }}
+          labels: ${{ steps.meta-xion.outputs.labels }}

.github/workflows/docker-build.yml

@@ -0,0 +1,15 @@
+name: Docker Scout
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build-docker-scout:
+    name: Build and Push Docker Images
+    uses: burnt-labs/xion/.github/workflows/docker-build.yml@wf1
+    secrets: inherit
+
+  docker-scout:
+    needs: build-docker-scout
+    name: Docker Scout
+    uses: burnt-labs/xion/.github/workflows/docker-scout.yml@wf1

.github/workflows/docker-hub.yml

@@ -1,55 +1,39 @@
----
 name: Docker Scout
 
+# reusable workflow, do not add triggers
 on:
-  pull_request:
-  workflow_dispatch:
+  workflow_call:
 
 jobs:
-
-  build:
+  docker-scout:
     name: Docker Scout
     runs-on: ubuntu-latest
     environment: CI
+    permissions:
+      contents: read
+      pull-requests: write
 
+    strategy:
+      matrix:
+        platform: [linux/amd64]
     steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          fetch-tags: true
-
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
-
-      - name: Set up Docker buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Extract metadata for docker
-        id: meta
+      - name: Get Docker Image
+        id: meta-scout
         uses: docker/metadata-action@v5
         with:
-          images: burnt/xion
+          images: |
+            burntnetwork/xion
           tags: |
-            type=raw,value=scout,priority=1000
-
-      - name: Build Docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: false
-          load: true
-          tags: ${{ steps.meta.outputs.tags }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          target: release
-
-      - name: Run Docker Scout
+            type=sha
+      - name: Run Docker Scout amd64
         uses: docker/scout-action@v1
         with:
           command: cves
           only-fixed: true
-          image: ${{ steps.meta.outputs.tags }}
+          platform: ${{ matrix.platform }}
+          image: ${{ steps.meta-scout.outputs.tags }}

.github/workflows/docker-scout-run.yml

@@ -29,7 +29,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: golangci-lint-xiond
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v5
         with:
           version: latest
           args: --timeout=10m --tests=false