INFRA-785 - switch publish-containers.yml to shared workflow

[stmpn]

I have tested new version of the workflow by creating saleor-dashboard fork (https://github.com/stmpn/saleor-dashboard-ghcr-build-test) and creating new tag there: https://github.com/stmpn/saleor-dashboard-ghcr-build-test/releases/tag/21.3.2

Logs:
https://github.com/stmpn/saleor-dashboard-ghcr-build-test/actions/runs/21401050368

Result:
https://github.com/stmpn/saleor-dashboard-ghcr-build-test/pkgs/container/saleor-dashboard-ghcr-build-test

[changeset-bot]

⚠️ No Changeset found

Latest commit: 31b3721

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[Copilot]

Pull request overview

This PR refactors the container publishing workflow to use a shared workflow from the saleor-internal-actions repository. The change simplifies the workflow by delegating the multi-platform Docker build and push logic to a centralized, reusable workflow.

Changes:

• Refactored workflow into three jobs: prepare-variables, build-push (using shared workflow), and summary
• Switched from inline docker/build-push-action to the shared build-push-image-multi-platform.yaml workflow
• Maintained the same build arguments (COMMIT_ID, PROJECT_VERSION) and GHCR publishing functionality

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@1a8279b). Learn more about missing BASE report.
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6281   +/-   ##
=======================================
  Coverage        ?   42.50%           
=======================================
  Files           ?     2494           
  Lines           ?    43259           
  Branches        ?    10181           
=======================================
  Hits            ?    18389           
  Misses          ?    23547           
  Partials        ?     1323           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[witoszekdev]

lgtm, is there a reason we have third build with unknown/unknown?

[NyanKiyoshi]

lgtm, is there a reason we have third build with unknown/unknown?

@witoszekdev that manifest contains a provenance attestation which can be used to validate the provenance (similarly as PNPM does)

Manifest list:

$ docker buildx imagetools inspect 'ghcr.io/saleor/saleor-dashboard:3.22.26'
Name:      ghcr.io/saleor/saleor-dashboard:3.22.26
MediaType: application/vnd.oci.image.index.v1+json
Digest:    sha256:3a6d18015e270f12ef658ed48f3330e70167c37b55989839a224e266bd300bd5

Manifests:
  Name:        ghcr.io/saleor/saleor-dashboard:3.22.26@sha256:234373b5fadb5bbb800a946ddf1657e4e315641d3f4dfc5e820a84447c18370b
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/amd64

  Name:        ghcr.io/saleor/saleor-dashboard:3.22.26@sha256:cee43125acfab2f1a3bff793e87f8ea417f9d1abd8514ef0c487897b20b819d5
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/arm64

  Name:        ghcr.io/saleor/saleor-dashboard:3.22.26@sha256:03be2071affe97a35d92602c5e74d8e907076f73058646307b25a4f313896b90
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    unknown/unknown
  Annotations:
    vnd.docker.reference.digest: sha256:234373b5fadb5bbb800a946ddf1657e4e315641d3f4dfc5e820a84447c18370b
    vnd.docker.reference.type:   attestation-manifest

  Name:        ghcr.io/saleor/saleor-dashboard:3.22.26@sha256:11e454ff047bf1215a4b12586c7feac936abcb6d8fb83fb9960c3d17d678c4d0
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    unknown/unknown
  Annotations:
    vnd.docker.reference.digest: sha256:cee43125acfab2f1a3bff793e87f8ea417f9d1abd8514ef0c487897b20b819d5
    vnd.docker.reference.type:   attestation-manifest

To inspect the provenance attestation in JSON:

$ docker buildx imagetools inspect \
    'ghcr.io/saleor/saleor-dashboard:3.22.26' \
    --format  "{{ json .Provenance }}" | less

Relevant upstream documentation:

• https://docs.docker.com/build/metadata/attestations/attestation-storage/
• https://docs.docker.com/build/metadata/attestations/slsa-provenance/

Note: this is nothing new, our previous (and still existing) images are shipping a provenance attestation as well 🙂

[stmpn]

Had to rebase from main :(

[witoszekdev]

fyi @stmpn it's better to just use merge instead of rebase, at least in dashboard repo, because we squash PRs anyway and it doesn't discard reviews + we have a clean diff when re-reviewing (rebase means we have to read entire PR again 😅):

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The action version actions/checkout@v6 is inconsistent with the rest of the codebase, which consistently uses actions/checkout@v4. Since my knowledge cutoff is January 2025 and it's currently January 29, 2026, I cannot verify if v6 exists. However, to maintain consistency with the existing codebase, consider using actions/checkout@v4 instead, unless there's a specific requirement for v6.