Migrate multi-arch Docker builds to GitHub Actions

[DeathGun44]

PR description

Following up on Discord discussion with Simon, this PR introduces a standalone GitHub Actions workflow (.github/workflows/docker-publish.yml) to handle multi-arch Docker builds and publishing, made by first understanding the architecture used by web3signer.

Architecture

• Native runners: ubuntu-latest (amd64) + besu-arm64 (arm64) — no QEMU emulation
• Digest handoff: push-by-digest=true during matrix build; manifest job assembles via docker buildx imagetools create with immutable @sha256 refs — correctly handles OCI indices on Docker 29's containerd image store
• Layer caching: GHA cache-from/cache-to scoped per arch; write-once on the test-load step, read-only on the push step
• Concurrency & permissions: cancellation group + explicit contents: read per job

Co-existence
No Gradle tasks were removed or modified. This workflow runs in parallel with develop.yml and draft-release.yml during the transition period. Follow-up PRs will deprecate the legacy pipeline once this is proven stable.

Fixed Issue(s)

fixes #9818

Thanks for sending a pull request! Have you done the following?

• Checked out our contribution guidelines?
• Considered documentation and added the doc-change-required label to this PR if updates are required — no doc changes required, CI-only workflow addition
• Considered the changelog and included an update if required — no changelog entry needed, internal CI infrastructure change
• For database changes considered compatibility — not applicable

[siladu]

Hi @DeathGun44 I don't think an all-in-one workflow is the right approach for Besu, I have laid out a migration plan here #10236

[siladu]

Probably should close this PR in favour of new migration plan but will leave open for further discussion first.

I will block this however since triggering upon tag push is not how besu release process works and we shouldn't merge that.

[DeathGun44]

Closing this in favour of the incremental migration plan in #10236.

Thanks @siladu @jflo . Appreciate the earlier direction from Simon on Discord too.

After digging through the existing workflows and Gradle tasks more carefully, I can see why the all-in-one approach doesn't work here. Correct me if I'm wrong, but my main takeaways are:

Besu doesn't publish docker on tag push the tag is created ahead of time for offline testing, and then draft-release is manually triggered via workflow_dispatch. My workflow would've fired prematurely on every tag push, which could break the release process.

The four separate workflows (develop-pr, develop, draft-release, docker-promote) each map to a distinct stage in the release lifecycle, so keeping them separate is intentional. Merging them into one with conditional logic would make things harder to maintain and more error-prone.

That said, the core GHA docker patterns from this PR (build-push-action with load: true, push-by-digest, imagetools create, per-arch cache scoping) should still carry over into Phase 1 of #10236 just applied within the existing workflow files instead of a new standalone one.

I am starting work on #10236 with develop-pr.yml as the first and safest migration target. Happy to get any other pointers while i work on that aswell!

[siladu]

@DeathGun44 I agree with your statements above, with one minor correction:

The four separate workflows (develop-pr, develop, draft-release, docker-promote) each map to a distinct stage in the release lifecycle, so keeping them separate is intentional.

develop-pr and develop are PR cycle, not related to the "release lifecycle" per se (although develop tag is published for each commit to main branch)

draft-release and docker-promote are only run for a full besu release and should only be run once per release version. They are not run for release candidates in our current process.

build-push-action with load: true, push-by-digest, imagetools create, per-arch cache scoping

Unless you spot something special in the gradle tasks, I would think whatever teku/web3signer are doing for build-push-action would suit Besu. We'll take a closer look once new PR is up.