Updates to container images

[mtneug]

This patch updates the build files for container images and adds a GitHub actions workflow. Further, the registry is changed to ghcr.io. Changes are separated by commit.

[lkiesow]

This will create latest and main tagged container images from pull request branches. They aren't pushed, but this might still be confusing.

I think that's what these docker Actions take care of:
https://github.com/opencast/opencast-admin-interface/blob/aec24429505cdd9d12f4587b027ed916a7090c11/.github/workflows/deploy-container-image.yaml#L32-L44

But to be fair, I just copied them from a college who ensured me that this is what I wanted :D

[mtneug]

As you said, this only tags images within the build environment. In my CI pipelines, I usually tag images with any potential tag and push if necessary. For this reason, I don't use docker/build-push-action directly, as I want to control if and what tags are pushed.

[lkiesow]

I don't think this will work since you are trying to use the GITHUB_TOKEN secret in an environment which is controlled by the pull request author, isn't it? This would need to be pull_request_target.

[mtneug]

GITHUB_TOKEN is only used in steps with the condition github.event_name == 'push'. The idea of including pull_request is to check if the container image still builds with the PR.

[lkiesow]

I sometimes reference commits hashes specifically if I need a newer version which is not yet released. Removing them after one day means that it could easily be that you couldn't re-deploy something. What do you think about increasing this to a year?

[mtneug]

ok

[lkiesow]

To make builds reproducible, I suggest

Suggested change

	RUN npm i
	RUN npm ci

[mtneug]

ok

[mtneug]

The latest commits also update Alpine and the container-retention-policy action.