chore: docker workflow refactor (#2820)

## 🎯 Summary

This PR refactors the Docker build and release workflows to improve
maintainability, security, and separation of concerns. The changes
reorganize Dockerfiles into a consistent `apps/` directory structure and
split monolithic workflows into focused, reusable components.

---

## 📋 Changes

### Workflow Refactoring

- __Separated workflows__ for better modularity:

  - `ci.yml` - Main CI orchestrator with image tag determination
  - `docker.yml` - Reusable Docker build workflow
  - `docker-tests.yml` - Docker image testing workflow
  - `release.yml` - Tag-based release workflow for app publishing

- __Removed__ `ci_release.yml` (deprecated/consolidated into new
structure)

- __Enhanced__ `test.yml` - Simplified by removing Docker build logic
(134 lines removed)

### Docker Organization

- __Moved Dockerfiles__ to standardized locations:

  - `Dockerfile` → `apps/testapp/Dockerfile`
  - `da/cmd/local-da/Dockerfile` → `apps/local-da/Dockerfile`
  - Updated `apps/grpc/single/Dockerfile` and `docker-compose.yml`

- __Removed__ `Dockerfile.da` (consolidated)

### Documentation

- __Added__ `.github/RELEASE_QUICK_START.md` (231 lines)

  - Quick reference guide for Docker and Go module releases

## 🔄 Workflow Architecture

```javascript
┌─────────────┐
│   ci.yml    │  (Main orchestrator)
└──────┬──────┘
       │
       ├──► lint.yml
       ├──► docker.yml ──► Build images
       ├──► test.yml
       ├──► docker-tests.yml ──► Test images
       └──► proto.yml

┌─────────────────┐
│  release.yml    │  (Tag-based releases)
└─────────────────┘
       │
       └──► Build & push versioned images to GHCR
```

---

## 📝 Release Process

### Docker App Releases (Automated)

```bash
git tag evm/single/v0.2.0
git push origin evm/single/v0.2.0
# Workflow automatically builds and publishes to GHCR
```

### Tag Format

`{app-path}/v{major}.{minor}.{patch}`

Examples:

- `evm/single/v0.2.0` → `ghcr.io/evstack/ev-node-evm-single:v0.2.0`
- `testapp/v1.0.0` → `ghcr.io/evstack/ev-node-testapp:v1.0.0`

See [RELEASE_QUICK_START.md](.github/RELEASE_QUICK_START.md) for
complete guide.

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: 2 people

.github/workflows/ci.yml

@@ -0,0 +1,81 @@
+---
+name: CI
+"on":
+  push:
+    branches:
+      - main
+  pull_request:
+  merge_group:
+
+permissions: {}
+jobs:
+  determine-image-tag:
+    name: Determine Image Tag
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      tag: ${{ steps.set-tag.outputs.tag }}
+    steps:
+      - name: Set image tag
+        id: set-tag
+        run: |
+          if [ -n "${{ github.event.pull_request.number }}" ]; then
+            TAG="pr-${{ github.event.pull_request.number }}"
+            echo "::notice::Using PR-based tag: $TAG"
+          else
+            # Sanitize ref_name by replacing / with -
+            TAG="${{ github.ref_name }}"
+            TAG="${TAG//\//-}"
+            echo "::notice::Using branch/tag-based tag: $TAG"
+          fi
+
+          # Validate tag format
+          if [[ ! "$TAG" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+            echo "::error::Invalid image tag format: $TAG"
+            exit 1
+          fi
+
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+
+  lint:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/lint.yml
+
+  docker:
+    needs: determine-image-tag
+    uses: ./.github/workflows/docker-build-push.yml
+    secrets: inherit
+    permissions:
+      contents: read
+      packages: write
+    with:
+      image-tag: ${{ needs.determine-image-tag.outputs.tag }}
+      apps: |
+        [
+          {"name": "ev-node-evm-single", "dockerfile": "apps/evm/single/Dockerfile"},
+          {"name": "ev-node-testapp", "dockerfile": "apps/testapp/Dockerfile"}
+        ]
+
+  test:
+    permissions:
+      actions: read
+      contents: read
+    uses: ./.github/workflows/test.yml
+    secrets: inherit
+
+  docker-tests:
+    needs: [determine-image-tag, docker]
+    uses: ./.github/workflows/docker-tests.yml
+    secrets: inherit
+    permissions:
+      contents: read
+    with:
+      image-tag: ${{ needs.determine-image-tag.outputs.tag }}
+
+  proto:
+    permissions:
+      contents: read
+      pull-requests: write
+    uses: ./.github/workflows/proto.yml

.github/workflows/ci_release.yml

@@ -0,0 +1,50 @@
+---
+# This workflow builds and pushes Docker images to GHCR
+name: Build Docker Images
+permissions: {}
+"on":
+  workflow_call:
+    inputs:
+      image-tag:
+        required: true
+        type: string
+        description: 'Docker image tag (e.g., v1.2.3, pr-123, sha-abc123)'
+      apps:
+        required: true
+        type: string
+        description: 'JSON array of apps to build (e.g., [{"name": "testapp", "dockerfile": "apps/testapp/Dockerfile"}])'
+
+jobs:
+  build-images:
+    name: Build ${{ matrix.app.name }}
+    # skip building images for merge groups as they are already built on PRs and main
+    if: github.event_name != 'merge_group'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        app: ${{ fromJson(inputs.apps) }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push ${{ matrix.app.name }} Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ matrix.app.dockerfile }}
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}

.github/workflows/docker-build-push.yml

@@ -0,0 +1,51 @@
+---
+# This workflow runs tests that require Docker images to be built first
+name: Docker E2E Tests
+permissions: {}
+"on":
+  workflow_call:
+    inputs:
+      image-tag:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      image-tag:
+        description: 'Docker image tag to use for tests (e.g., v1.2.3, pr-123, sha-abc123)'
+        required: true
+        type: string
+
+jobs:
+  docker-tests:
+    permissions:
+      contents: read
+    name: Docker E2E Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: set up go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: ./test/docker-e2e/go.mod
+      - name: Run Docker E2E Tests
+        run: make test-docker-e2e
+        env:
+          EV_NODE_IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/ev-node-testapp
+          EV_NODE_IMAGE_TAG: ${{ inputs.image-tag }}
+
+  docker-upgrade-tests:
+    name: Docker Upgrade E2E Tests
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: set up go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: ./test/docker-e2e/go.mod
+      - name: Run Docker Upgrade E2E Tests
+        run: make test-docker-upgrade-e2e
+        env:
+          EVM_SINGLE_IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/ev-node-evm-single
+          EVM_SINGLE_NODE_IMAGE_TAG: ${{ inputs.image-tag }}

.github/workflows/docker-tests.yml

@@ -1,7 +1,10 @@
+---
 # lint runs all linters in this repository
-# This workflow is triggered by ci_release.yml workflow
+# This workflow is triggered by ci.yml workflow
 name: lint
-on:
+permissions:
+  contents: read
+"on":
   workflow_call:
 
 jobs:
@@ -13,8 +16,8 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version-file: ./go.mod
-        # This steps sets the GIT_DIFF environment variable to true
-        # if files defined in PATTERS changed
+      # This steps sets the GIT_DIFF environment variable to true
+      # if files defined in PATTERS changed
       - uses: technote-space/[email protected]
         with:
           # This job will pass without running if go.mod, go.sum, and *.go
@@ -30,32 +33,57 @@ jobs:
           github-token: ${{ secrets.github_token }}
         if: env.GIT_DIFF
 
-  # hadolint lints the Dockerfile
   hadolint:
-    uses: evstack/.github/.github/workflows/[email protected] # yamllint disable-line rule:line-length
-    with:
-      dockerfile: Dockerfile
-      failure-threshold: error
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: hadolint/[email protected]
+        with:
+          recursive: true
+          failure-threshold: error
 
   yamllint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: technote-space/[email protected]
+        with:
+          PATTERNS: |
+            **/*.yml
+            **/*.yaml
       - uses: evstack/.github/.github/actions/[email protected]
+        if: env.GIT_DIFF
 
   markdown-lint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: technote-space/[email protected]
+        with:
+          PATTERNS: |
+            **/*.md
       - uses: evstack/.github/.github/actions/[email protected]
+        if: env.GIT_DIFF
 
   # Checks that the .goreleaser.yaml file is valid
   goreleaser-check:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
         uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: technote-space/[email protected]
+        with:
+          PATTERNS: |
+            .goreleaser.yaml
+            .goreleaser.yml
       - uses: goreleaser/goreleaser-action@v6
         with:
           version: latest
           args: check
+        if: env.GIT_DIFF