feat!: Docker CI - Security added & Tagging updates - 2 (#1327)

## Overview

ℹ️ Same content as:
[1320](#1320), I had an
issue and the PR was closed...

Hello team, 

Hope you’re doing well 

The following PR contains some changes in the Docker CI, build &
publish.

I’ve added some features:
- File renamed: `amd64-docker-build.yml` -> `docker-build-publish.yml`
*We will be able to use a matrix for building the container in different
architectures.*

- This CI is triggered when
  - When push to any branch
  - When creating `PRs`
  - When there's a new hotfix (when push to main branch)
  - When push tags `(v0.0.0/v0.0.0-alpha/v0.0.0-beta/v0.0.0-rcX)`
- Only push new Docker images when they are in `main` or `v*` (blocking
forks for security)

- Security: 
[Trivy](https://www.aquasec.com/products/trivy/) added to the CI, this
is the first step during the build, it scans the image and provide us a
table summary in case we have any CVE, if everything goes well, it
continues with the next step.
*It’s not going to block the CI in case of bugs, though I think it will
be good for us, stop it and fix them.*

- Docker tagging:
  - Git short SHA => for example: `a594b69`
  - Tag ID => for example: `0.0.1`
- Provided some additional metadata to the images:
  - Maintainer  =>   "maintainer": "CelestiaOrg"
  - Description => "CelestiaOrg repository celestiaorg/celestia-app"
- URL to the specific commit => "commit_url":
"a594b69"
- Docker pull command => "docker_pull_command": "docker pull
ghcr.io/celestiaorg/celestia-app:a594b691"

---

## Checklist

- [x] Required CI checks are passing
- [x] Linked issues closed with keywords


---

## Blockers

Hello team!
I'll need to add some permissions to allow the CI to have the access to
the packages.

This is an error that I'm having:
[link](https://github.com/celestiaorg/celestia-app/actions/runs/4058197292/jobs/6984898432)

```
ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden
Error: buildx failed with: ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden
```

Thanks in advance!

cc: @evan-forbes @rootulp  @Bidon15 @sysrex 

Please, ping me when you'll going to merge it, just to check that
everything goes fine 😊
Thank you team!

--- 
Closes Issue: [37](celestiaorg/devops#37)

.github/workflows/docker-build-publish.yml

@@ -0,0 +1,107 @@
+name: Docker Build & Publish
+
+on:
+  push:
+    branches:
+      - "**"
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-alpha.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"
+  pull_request:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  MAINTAINER: CelestiaOrg
+  DESCRIPTION: CelestiaOrg repository ${{ github.repository }}
+
+jobs:
+  docker-security:
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout
+        uses: "actions/checkout@v3"
+
+      - name: Build and Push
+        uses: docker/build-push-action@v3
+        with:
+          push: false
+          platforms: linux/amd64
+          # we're building the container before the scan, use the local tag for
+          # refer to it later
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local
+
+      - name: Run Trivy vulnerability scanner
+        # source: https://github.com/aquasecurity/trivy-action
+        # https://github.com/marketplace/actions/aqua-security-trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          # here we use the local tag that we've built before
+          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local'
+          format: 'table'
+          #exit-code: '1' # uncomment to stop the CI if the scanner fails
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  docker-build:
+    runs-on: "ubuntu-latest"
+    # wait until the security scanner will be done
+    needs: docker-security
+    permissions:
+      contents: write
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: "actions/checkout@v3"
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Add SHORT_SHA to ENV
+        run: echo "SHORT_SHA=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV
+
+      - name: Extract Docker Metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # yamllint disable
+          labels: |
+            maintainer=${{ env.MAINTAINER }}
+            commitUrl=https://github.com/${{ github.repository }}/commit/${{ github.sha }}
+            dockerPull=docker pull ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.SHORT_SHA }}
+            org.opencontainers.image.description=${{ env.DESCRIPTION }}
+          tags: |
+            # output minimal (short sha)
+            type=raw,value={{sha}}
+            # output v0.2.1
+            type=semver,pattern=v{{version}}
+            # pull request event
+            type=ref,enable=true,prefix=pr-,suffix=,event=pr
+          # yamllint enable
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      # We always build the image but we only push if we are on the `main`
+      # branch or a versioned `v*` branch
+      - name: Build and PushDocker Image
+        uses: docker/build-push-action@v3
+        with:
+          platforms: linux/amd64,linux/arm64
+          # yamllint disable
+          # The following line, is execute as an if statement, only push when
+          # the branch is main or starts with v*
+          push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+          # yamllint enable
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          file: Dockerfile