chore: docker workflow refactor

.github/workflows/ci.yml

@@ -0,0 +1,81 @@
+---
+name: CI
+"on":
+  push:
+    branches:
+      - main
+  pull_request:
+  merge_group:
+
+permissions: {}
+jobs:
+  determine-image-tag:
+    name: Determine Image Tag
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      tag: ${{ steps.set-tag.outputs.tag }}
+    steps:
+      - name: Set image tag
+        id: set-tag
+        run: |
+          if [ -n "${{ github.event.pull_request.number }}" ]; then
+            TAG="pr-${{ github.event.pull_request.number }}"
+            echo "::notice::Using PR-based tag: $TAG"
+          else
+            # Sanitize ref_name by replacing / with -
+            TAG="${{ github.ref_name }}"
+            TAG="${TAG//\//-}"
+            echo "::notice::Using branch/tag-based tag: $TAG"
+          fi
+
+          # Validate tag format
+          if [[ ! "$TAG" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+            echo "::error::Invalid image tag format: $TAG"
+            exit 1
+          fi
+
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+
+  lint:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/lint.yml
+
+  docker:
+    needs: determine-image-tag
+    uses: ./.github/workflows/docker-build-push.yml
+    secrets: inherit
+    permissions:
+      contents: read
+      packages: write
+    with:
+      image-tag: ${{ needs.determine-image-tag.outputs.tag }}
+      apps: |
+        [
+          {"name": "ev-node-evm-single", "dockerfile": "apps/evm/single/Dockerfile"},
+          {"name": "ev-node-testapp", "dockerfile": "apps/testapp/Dockerfile"}
+        ]
+
+  test:
+    permissions:
+      actions: read
+      contents: read
+    uses: ./.github/workflows/test.yml
+    secrets: inherit
+
+  docker-tests:
+    needs: [determine-image-tag, docker]
+    uses: ./.github/workflows/docker-tests.yml
+    secrets: inherit
+    permissions:
+      contents: read
+    with:
+      image-tag: ${{ needs.determine-image-tag.outputs.tag }}
+
+  proto:
+    permissions:
+      contents: read
+      pull-requests: write
+    uses: ./.github/workflows/proto.yml

.github/workflows/docker-build-push.yml

@@ -0,0 +1,50 @@
+---
+# This workflow builds and pushes Docker images to GHCR
+name: Build Docker Images
+permissions: {}
+"on":
+  workflow_call:
+    inputs:
+      image-tag:
+        required: true
+        type: string
+        description: 'Docker image tag (e.g., v1.2.3, pr-123, sha-abc123)'
+      apps:
+        required: true
+        type: string
+        description: 'JSON array of apps to build (e.g., [{"name": "testapp", "dockerfile": "apps/testapp/Dockerfile"}])'
+
+jobs:
+  build-images:
+    name: Build ${{ matrix.app.name }}
+    # skip building images for merge groups as they are already built on PRs and main
+    if: github.event_name != 'merge_group'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        app: ${{ fromJson(inputs.apps) }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push ${{ matrix.app.name }} Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ matrix.app.dockerfile }}
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}

.github/workflows/docker-tests.yml

@@ -0,0 +1,51 @@
+---
+# This workflow runs tests that require Docker images to be built first
+name: Docker E2E Tests
+permissions: {}
+"on":
+  workflow_call:
+    inputs:
+      image-tag:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      image-tag:
+        description: 'Docker image tag to use for tests (e.g., v1.2.3, pr-123, sha-abc123)'
+        required: true
+        type: string
+
+jobs:
+  docker-tests:
+    permissions:
+      contents: read
+    name: Docker E2E Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: set up go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: ./test/docker-e2e/go.mod
+      - name: Run Docker E2E Tests
+        run: make test-docker-e2e
+        env:
+          EV_NODE_IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/ev-node-testapp
+          EV_NODE_IMAGE_TAG: ${{ inputs.image-tag }}
+
+  docker-upgrade-tests:
+    name: Docker Upgrade E2E Tests
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: set up go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: ./test/docker-e2e/go.mod
+      - name: Run Docker Upgrade E2E Tests
+        run: make test-docker-upgrade-e2e
+        env:
+          EVM_SINGLE_IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/ev-node-evm-single
+          EVM_SINGLE_NODE_IMAGE_TAG: ${{ inputs.image-tag }}

.github/workflows/lint.yml

@@ -1,7 +1,10 @@
+---
 # lint runs all linters in this repository
-# This workflow is triggered by ci_release.yml workflow
+# This workflow is triggered by ci.yml workflow
 name: lint
-on:
+permissions:
+  contents: read
+"on":
   workflow_call:
 
 jobs:
@@ -13,8 +16,8 @@
       - uses: actions/setup-go@v6
         with:
           go-version-file: ./go.mod
-        # This steps sets the GIT_DIFF environment variable to true
-        # if files defined in PATTERS changed
+      # This steps sets the GIT_DIFF environment variable to true
+      # if files defined in PATTERS changed
       - uses: technote-space/[email protected]
         with:
           # This job will pass without running if go.mod, go.sum, and *.go
@@ -30,32 +33,57 @@
           github-token: ${{ secrets.github_token }}
         if: env.GIT_DIFF
 
-  # hadolint lints the Dockerfile
   hadolint:
-    uses: evstack/.github/.github/workflows/[email protected] # yamllint disable-line rule:line-length
-    with:
-      dockerfile: Dockerfile
-      failure-threshold: error
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: hadolint/[email protected]
+        with:
+          recursive: true
+          failure-threshold: error
 
   yamllint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: technote-space/[email protected]
+        with:
+          PATTERNS: |
+            **/*.yml
+            **/*.yaml
       - uses: evstack/.github/.github/actions/[email protected]
+        if: env.GIT_DIFF
 
   markdown-lint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: technote-space/[email protected]
+        with:
+          PATTERNS: |
+            **/*.md
       - uses: evstack/.github/.github/actions/[email protected]
+        if: env.GIT_DIFF
 
   # Checks that the .goreleaser.yaml file is valid
   goreleaser-check:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
         uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: technote-space/[email protected]
+        with:
+          PATTERNS: |
+            .goreleaser.yaml
+            .goreleaser.yml
       - uses: goreleaser/goreleaser-action@v6
         with:
           version: latest
           args: check
+        if: env.GIT_DIFF