refactor: use only goreleaser to build unsigned chainlink images in one workflow

[momentmaker]

• refactors all the current build process workflow for development into one workflow using goreleaser
• adds an additional job running in parallel using goreleaser with the current docker-build that builds the final release image

For a PR to build the image, it needs to have a build-publish label attached to the PR.

The new image builds will be with the following:

PR builds: pr-{pr-num}-{sha} tag
Trunk builds: develop-{sha} tag
Release branch builds: release-{sha} tag
Manual dispatch builds: {sha} tag

It will have a suffix of either amd64 or arm64 and then there could be another suffix after that with -plugins that will include plugins in the image.

It builds 4 images with the follow tags:

• ${build_tag}-amd64
• ${build_tag}-amd64-plugins
• ${build_tag}-arm64
• ${build_tag}-arm64-plugins

Tested:

old:
https://github.com/smartcontractkit/chainlink/actions/runs/10309014772?pr=14034

with label trigger:
https://github.com/smartcontractkit/chainlink/actions/runs/10321502972/job/28574553533?pr=14034

with label trigger and matrix split with summary:
https://github.com/smartcontractkit/chainlink/actions/runs/10360943876?pr=14034

with just build - no publish:
https://github.com/smartcontractkit/chainlink/actions/runs/10376300994?pr=14034

Pulled the arm64 images (with and without plugins) and runs in my local env.

Notes:

I tried to use matrix on os but it looks like we can't use macos-latest runners because docker is not installed on those runners yet:
docker/setup-buildx-action#343
https://github.com/orgs/community/discussions/19197

---

Apparently for the goreleaser split there are two commands to run:

goreleaser release --split
goreleaser continue --merge

but continue --merge does not work for snapshot builds so it errors out and without the continue --merge skip the checksum.txt never gets generated so there is no checksum for the binary.
goreleaser/goreleaser#4811

[chainchad]

Did we want this to be false if it was from a PR unless that PR had a specific label?

[momentmaker]

we are enabling to publish to the private sdlc ecr. it's a custom thing we created because the regular goreleaser release with snapshot does not do publish at all.

or did you mean we don't want to publish for any pr - just pr with the label build-publish?

chainlink/.github/actions/goreleaser-build-sign-publish/action_utils

Lines 83 to 86 in 96829b0

	if [[ $ENABLE_DOCKER_PUBLISH == "true" ]]; then
	_publish_snapshot_images
	_publish_snapshot_manifests
	fi

[chainchad]

did you mean we don't want to publish for any pr - just pr with the label build-publish

This. Just to minimize the number of images we publish that won't ever get used. But I'm assuming we would use this workflow to build and then optionally publish. Is there still a separate workflow that builds?

[momentmaker]

ahh I had created the conditional here:

chainlink/.github/workflows/build-publish-develop-pr.yml

Lines 38 to 43 in 96829b0

	else
	if [[ ${{ github.event.label.name }} == 'build-publish' ]]; then
	echo "image-tag=pr-${{ github.event.number }}-${short_sha}" | tee -a $GITHUB_OUTPUT
	echo "build-publish=true" | tee -a $GITHUB_OUTPUT
	fi
	fi

so only the label build-publish will be built and published
it starts out with being false:

chainlink/.github/workflows/build-publish-develop-pr.yml

Line 29 in 96829b0

echo "build-publish=false" | tee -a $GITHUB_OUTPUT

[chainchad]

I see. That will skip the build and publish docker job if the label is not on the PR, right? I guess I was assuming that we would have this workflow to cover all normal builds too (PR's without the label) and in those cases, we don't want to publish the image (if the label isn't on the PR).

[kalverra]

I'd like it if we could hook our E2E tests (which run on almost every PR) into this build step as well and not have our own custom one any more. Is requiring the build-publish tag necessary for this?

[momentmaker]

yeah great point - looking over your ticket I had added this :)

chainlink/.github/workflows/build-publish-develop-pr.yml

Lines 9 to 17 in 37d617b

	workflow_dispatch:
	inputs:
	git_ref:
	description: "The git ref to check out"
	required: true
	build-publish:
	description: "Whether to build and publish - defaults to just build"
	required: false
	default: "false"

would this solve your issue?
of course we will need to tweak the goreleaser-build-sign-publish composite action a bit

[chainchad]

@kalverra that's going to be big (avoid all of those unnecessary builds). Glad you're thinking about that.

We might need to push all images from PRs to ECR though if you're going to use it from tests (unless we used artifacts but...). In that case maybe we have a way to differentiate between docker images from PR's that can be pruned out quickly via lifecycle rules (only used for tests) and docker images from PR's that might need to run in longer tests.

[momentmaker]

I see QA has different set of secrets for ECR? it pushes to a different repo no?

[chainchad]

Right now it does, but I think @kalverra is considering using this image for the tests. If so, we'd need to push all PR images to ECR for your tests, right?

[cl-sonarqube-production]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube