refactor(ci): implement digest-based publishing with artifact coordination

Modernize workflows by eliminating duplicate builds and fixing tag versioning.
Images are built once in ci-docker.yml and pushed by digest to GHCR. Digest
and ref metadata artifacts enable publish.yml to create multi-arch manifests
and distribute to both registries efficiently.

Key Changes:
- ci-docker.yml: Push by digest, export artifacts (digests + ref metadata)
- publish.yml: Download artifacts, create manifests, use type=raw tags
- Fix workflow_run context issue by passing ref metadata via artifacts
- Tag v1.2.3 now correctly creates 1.2.3 + latest image tags
- Performance: GHA cache used (no rebuild)
- Backward compatible: No configuration changes required

Documentation:
- New file: CI_QUICKSTART.md with configuration guide

Signed-off-by: Reza Rajan <28660160+rezarajan@users.noreply.github.com>

Author: rezarajan

.github/workflows/ci-docker.yml

@@ -4,40 +4,106 @@ on:
   pull_request:
     branches: ["main", "release/**"]
     paths:
-      ["Dockerfile", "bin/**", "config/**", ".github/workflows/ci-docker.yml"]
+      ["Dockerfile", "bin/**", "config/**", ".github/workflows/**"]
+  push:
+    branches: ["main"]
+    paths:
+      ["Dockerfile", "bin/**", "config/**", ".github/workflows/**"]
+    tags:
+      - "v*.*.*"
 
 env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: blinklabs/cardano-node
+  GHCR_IMAGE_NAME: ${{ vars.GHCR_IMAGE_NAME || format('ghcr.io/{0}/cardano-node', github.repository_owner) }}
 
 permissions:
   contents: read
+  packages: write  # Required for pushing to GHCR
 
 jobs:
   build:
     strategy:
       matrix:
-        arch: [amd64, arm64]
-    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 https://github.com/actions/checkout/releases/tag/v6.0.0
 
       - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 
+      - name: Login to GHCR
+        if: github.event_name == 'push'
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 https://github.com/docker/login-action/releases/tag/v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+          echo "ARCH=${platform##*/}" >> $GITHUB_ENV
+
       - id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 https://github.com/docker/metadata-action/releases/tag/v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 https://github.com/docker/metadata-action/releases/tag/v5.10.0
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          flavor: |
-            latest=false
-            suffix=-${{ matrix.arch == 'arm64' && 'arm64v8' || 'amd64' }}
+          images: ${{ env.GHCR_IMAGE_NAME }}
 
-      - name: Build Docker image
+      - name: Build and push by digest
+        id: build
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
         with:
           context: .
-          push: false
-          tags: ${{ steps.meta.outputs.tags }}
+          platforms: ${{ matrix.platform }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha,scope=buildkit-${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=buildkit-${{ matrix.arch }}
+          tags: ${{ env.GHCR_IMAGE_NAME }}
+          cache-from: type=gha,scope=buildkit-${{ env.ARCH }}
+          cache-to: type=gha,mode=max,scope=buildkit-${{ env.ARCH }}
+          outputs: ${{ github.event_name == 'push' && 'type=image,name-canonical=true,push-by-digest=true,push=true' || 'type=cacheonly' }}
+
+      - name: Export digest
+        if: github.event_name == 'push'
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+          echo "Digest: $digest"
+          echo "Image pushed to GHCR with tags:"
+          echo "${{ steps.meta.outputs.tags }}"
+
+      - name: Upload digest
+        if: github.event_name == 'push'
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 https://github.com/actions/upload-artifact/releases/tag/v5.0.0
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  ref-info:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+    steps:
+      - name: Export ref info
+        run: |
+          mkdir -p ${{ runner.temp }}/ref-info
+          echo "${{ github.ref }}" > ${{ runner.temp }}/ref-info/ref.txt
+          echo "${{ github.ref_name }}" > ${{ runner.temp }}/ref-info/ref_name.txt
+          echo "${{ github.ref_type }}" > ${{ runner.temp }}/ref-info/ref_type.txt
+          echo "Exported ref info:"
+          echo "  ref: ${{ github.ref }}"
+          echo "  ref_name: ${{ github.ref_name }}"
+          echo "  ref_type: ${{ github.ref_type }}"
+
+      - name: Upload ref info
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 https://github.com/actions/upload-artifact/releases/tag/v5.0.0
+
+        with:
+          name: ref-info
+          path: ${{ runner.temp }}/ref-info/*
+          if-no-files-found: error
+          retention-days: 1