ci: Add workflows to push, pull, and validate docker images (#1676)

## Relevant issue(s)

Resolves #1674 
Resolves #1266

## Description

This PR adds a GitHub Action workflow that builds and publishes DefraDB
container images to DockerHub & GitHub container registries.

Push Docker images to registries Job:
https://github.com/sourcenetwork/defradb/actions/runs/5651002188

Pull Docker image Job:
https://github.com/sourcenetwork/defradb/actions/runs/5651962572

Validate containerfile job:
https://github.com/sourcenetwork/defradb/actions/runs/5652056549

GitHub Container Image:
https://github.com/sourcenetwork/defradb/pkgs/container/defradb

DockerHub Container Image:
https://hub.docker.com/repository/docker/sourcenetwork/defradb/general

## Tasks

- [x] I made sure the code is well commented, particularly
hard-to-understand areas.
- [x] I made sure the repository-held documentation is changed
accordingly.
- [x] I made sure the pull request title adheres to the conventional
commit style (the subset used in the project can be found in
[tools/configs/chglog/config.yml](tools/configs/chglog/config.yml)).
- [x] I made sure to discuss its limitations such as threats to
validity, vulnerability to mistake and misuse, robustness to
invalidation of assumptions, resource requirements, ...

## How has this been tested?

Manual

Specify the platform(s) on which this was tested:
- MacOS

.github/workflows/pull-docker-image.yml

@@ -0,0 +1,51 @@
+# Copyright 2023 Democratized Data Foundation
+#
+# Use of this software is governed by the Business Source License
+# included in the file licenses/BSL.txt.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0, included in the file
+# licenses/APL.txt.
+
+# This workflow validates that the images pushed to the container
+# registries can be pulled then run sucessfully.
+name: Pull Docker Image Workflow
+
+on:
+  workflow_run:
+    # Warning: this workflow must NOT:
+    # - interact with any new code.
+    # - checkout new code.
+    # - build/compile anything (only pull).
+    # - make any indirect calls (i.e. make xyz, or npm install, etc.)
+    # Note this workflow:
+    # - will use the base's (or default) workflow file's state.
+    # - doesn't run on the PR or the branch coming in, it runs on the default branch.
+    # - has read-write repo token
+    # - has access to secrets
+    workflows: ["Push Docker Image To Registries Workflow"]
+    types:
+      - completed
+
+jobs:
+  pull-docker-image:
+    name: Pull docker image job
+
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        image_tag:
+          - sourcenetwork/defradb:latest
+          - ghcr.io/sourcenetwork/defradb:latest
+
+    steps:
+      - name: Pull Docker image
+        run: docker pull ${{ matrix.image_tag }}
+
+      - name: Test Docker image
+        run: docker run --rm ${{ matrix.image_tag }}

.github/workflows/push-docker-image-to-registries.yml

@@ -0,0 +1,83 @@
+# Copyright 2023 Democratized Data Foundation
+#
+# Use of this software is governed by the Business Source License
+# included in the file licenses/BSL.txt.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0, included in the file
+# licenses/APL.txt.
+
+# This workflow builds a Docker container image, if the build is successful
+# then it will deploy the image to DockerHub & GitHub container registries.
+name: Push Docker Image To Registries Workflow
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+env:
+  TEST_TAG: sourcenetwork/defradb:test
+
+jobs:
+  push-docker-image-to-registries:
+    name: Push Docker image to registries job
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      packages: write
+      contents: read
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: tools/defradb.containerfile
+          load: true
+          tags: ${{ env.TEST_TAG }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Test Docker image
+        run: docker run --rm ${{ env.TEST_TAG }}
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            sourcenetwork/defradb
+            ghcr.io/${{ github.repository }}
+      
+      - name: Push Docker images
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: tools/defradb.containerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/validate-containerfile.yml

@@ -0,0 +1,58 @@
+# Copyright 2023 Democratized Data Foundation
+#
+# Use of this software is governed by the Business Source License
+# included in the file licenses/BSL.txt.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0, included in the file
+# licenses/APL.txt.
+
+# This workflow tests that the container build is successful and
+# that the built container runs successfully.
+name: Validate Containerfile Workflow
+
+on:
+  pull_request:
+    branches:
+      - master
+      - develop
+    paths:
+      - '.github/workflows/validate-containerfile.yml'
+      - 'tools/defradb.containerfile'
+
+  push:
+    branches:
+      - master
+      - develop
+
+env:
+  TEST_TAG: sourcenetwork/defradb:test
+
+jobs:
+  validate-containerfile:
+    name: Validate containerfile job
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: tools/defradb.containerfile
+          load: true
+          tags: ${{ env.TEST_TAG }}
+
+      - name: Test Docker image
+        run: docker run --rm ${{ env.TEST_TAG }}
+

tools/defradb.containerfile

@@ -9,11 +9,16 @@ WORKDIR /repo/
 COPY go.mod go.sum Makefile ./
 RUN make deps:modules
 COPY . .
+# manually copy libwasmer.so to fix linking issue https://github.com/wasmerio/wasmer-go/issues/281
+RUN export WASMER_ARCH=$(go env GOHOSTARCH | sed "s/arm64/aarch64/") && \
+    export WASMER_PATH=$(go env GOMODCACHE)/github.com/wasmerio/[email protected]/wasmer/packaged/lib/linux-$WASMER_ARCH/libwasmer.so && \
+    cp $WASMER_PATH /lib/libwasmer.so
 RUN make build
 
 # Stage: RUN
-FROM gcr.io/distroless/base-debian11
+FROM debian:bookworm-slim
 COPY --from=BUILD /repo/build/defradb /defradb
+COPY --from=BUILD /lib/libwasmer.so /lib/libwasmer.so
 
 # Documents which ports are normally used.
 # To publish the ports: `docker run -p 9181:9181` ...