api3dao / api3-dao-dashboard

API3 DAO dashboard
api3.eth/

[production] Add docker build and push CI workflow #360

Closed dcroote closed 1 year ago

dcroote commented 1 year ago

Same as #359 (including image name & tag feedback updates) but for the production branch

dcroote commented 1 year ago

Thanks for the offer @mcoetzee, though I'm not sure I understand you correctly - do you have access to the api3 dockerhub account to generate the token that needs to be saved?

@aquarat perhaps you are the one to ask to assist here? We need two secrets added: DOCKERHUB_USERNAME is simply api3, while DOCKERHUB_TOKEN needs to be generated in docker hub and added.

mcoetzee commented 1 year ago

> do you have access to the api3 dockerhub account to generate the token that needs to be saved?

Sorry no I don't, but I do have the ability to add secrets to this repo 👍

dcroote commented 1 year ago

> Sorry no I don't, but I do have the ability to add secrets to this repo 👍

Thanks @mcoetzee - could you then add api3 as the value for DOCKERHUB_USERNAME? This should fix the main builds at least.

@aquarat - it looks like we'll still need you for generating a Docker Hub token and adding it as the secret DOCKERHUB_TOKEN when you get the chance.

mcoetzee commented 1 year ago

> Thanks @mcoetzee - could you then add api3 as the value for DOCKERHUB_USERNAME?

Done 👍. The main build is passing again ✅

aquarat commented 1 year ago

Sorry I missed this; if I miss something again, feel free to message me on Slack. Do you still need this secret added?

mcoetzee commented 1 year ago

> Do you still need this secret added?

Yes please @aquarat

aquarat commented 1 year ago

I've updated DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, give it a go 🚀. Sorry it took so long.

P.S. Only for standard Action runs, not Dependabot Action runs.

dcroote commented 1 year ago

Thanks @aquarat, but it looks like you used api3ci rather than api3 as the DOCKERHUB_USERNAME (given that's where I found the pushed image on docker hub). Is there a reason to not have this image pushed to where all of the other API3 images are (under the api3 username)?

aquarat commented 1 year ago

Hey @dcroote, we generally push images to the main image repositories manually because an automated process is arguably easier to compromise, and in this case, if the main Action was compromised, it would allow someone to upload a malicious image. An example malicious image could be a bad deployer that steals Airnode funds 🤷

But given that this is only triggered from main and production it should be hard to compromise. I'll add credentials for a user that can access the main API3 repos 👌

dcroote commented 1 year ago

Thanks @aquarat! Appreciate the security considerations. Indeed this is only triggered on a push to main or production so it running is controlled by those with write access.

aquarat commented 1 year ago

I've updated the secrets. The new username is api3daodashboard. You'll need to split the DOCKERHUB_USERNAME from the path you push to (the api3daodashboard user can push to api3/dao-dashboard). To clarify: there is no api3 user; Docker Hub uses a user+team based approach, where the permissions to push reside in the team.
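
The split described in the last comment, sketched as a GitHub Actions workflow. This is an added example, not the workflow file from this PR: the workflow name, job name, action versions and the tag scheme are assumptions, while the branch names, secret names and the api3/dao-dashboard path come from the thread.

```yaml
# Added illustration; not the workflow file from this PR.
name: docker-build-push            # assumed name
on:
  push:
    branches: [main, production]   # publishing is gated by write access to these branches

permissions:
  contents: read                   # the job only needs to check out the code

env:
  # Fixed namespace/repository from the thread, deliberately NOT derived from
  # the login user, so changing the credential cannot redirect the push.
  IMAGE: api3/dao-dashboard

jobs:
  build-and-push:                  # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Per the thread, the secrets exist for standard Action runs only,
      # so a Dependabot-triggered run would have nothing to log in with.
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}  # api3daodashboard, a team member with push rights
          password: ${{ secrets.DOCKERHUB_TOKEN }}     # token generated in Docker Hub
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          # Coupled form, which sends the image to the login user's own namespace
          # (how an image ends up under api3ci instead of api3):
          #   tags: ${{ secrets.DOCKERHUB_USERNAME }}/dao-dashboard:<tag>
          tags: ${{ env.IMAGE }}:${{ github.sha }}     # tag scheme is an assumption
```

Keeping the target path as a reviewed constant means the only thing the secret controls is who authenticates, and the team permissions on Docker Hub decide whether that identity may push to api3/dao-dashboard.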