Add shared Docker build and infra-deploy actions #39

Open
mpinter wants to merge 4 commits into master from add-setup-docker-build-action

mpinter commented May 29, 2026

Ports reusable CI building blocks from konto.bratislava.sk and parking-pricing-api into the shared github-actions repo so other repos can consume them centrally.

What's added

  • .github/actions/resolve-cache-refs (composite) — resolves master + branch/PR Docker registry cache refs. Uses docker/metadata-action@v6 and actions/github-script@v9.
  • .github/actions/setup-docker-build (composite) — wraps resolve-cache-refs + Buildx setup + Docker Hub / Harbor login. Registry credentials passed as inputs (composite actions cannot read the secrets context).
  • .github/actions/get-image-tags (composite) — single source of truth for the image tag convention. Always outputs the default image:<short-sha> tag; when a cluster (development/staging/production/aws) is given, also outputs image:<cluster>-<short-sha>. Outputs: default_tag, cluster_tag, and a newline-delimited tags list ready for docker/build-push-action. Composite inputs can't declare enums, so the cluster set is validated at runtime (invalid value fails the step).
  • .github/workflows/trigger-infra-deploy.yml (reusable workflow) — dispatches and awaits a deploy in infrastructure-deployment-configuration. app and dispatch_ref (default master) are inputs; INFRA_DEPLOY_PAT must be available on the calling repo.

Notes

  • Action versions bumped to latest (actions/github-script v8 → v9; metadata v6, buildx v4, login v4 already current).
  • setup-docker-build references resolve-cache-refs by repo ref pinned to this branch (@add-setup-docker-build-action) because cross-repo composite actions can't use local ./ paths. Repoint this to a released tag (@beta/@stable) or SHA after merge — flagged in a comment in the file.

🤖 Generated with Claude Code

Add reusable building blocks ported from konto and parking-pricing-api so
other repos can consume them centrally:

- resolve-cache-refs: composite action resolving master + branch/PR Docker
  registry cache refs (docker/metadata-action@v6, actions/github-script@v9)
- setup-docker-build: composite action wrapping resolve-cache-refs, Buildx
  setup, and Docker Hub / Harbor login (registry creds passed as inputs)
- trigger-infra-deploy: reusable workflow dispatching and awaiting a deploy in
  infrastructure-deployment-configuration; app and dispatch_ref are inputs,
  INFRA_DEPLOY_PAT expected from the caller

Action versions bumped to latest (github-script v8 -> v9).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

mpinter and others added 2 commits May 29, 2026 14:09
Centralizes the Docker image tag convention so a format change is a single
edit. Outputs `image:<short-sha>` when no cluster is given, or
`image:<cluster>-<short-sha>` for cluster development/staging/production/aws.
Composite inputs can't declare enums, so the cluster set is validated at runtime.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Always output the default unprefixed tag (image:<short-sha>); add the
cluster-prefixed tag (image:<cluster>-<short-sha>) when a cluster is given.
Exposes default_tag, cluster_tag, and a newline-delimited `tags` list ready for
docker/build-push-action.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

deploy.yml renamed its workflow_dispatch input app_name -> app; the
trigger still sent app_name, causing GitHub dispatch API to return 422
(unexpected input + missing required app).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

DEFAULT_TAG="${IMAGE}:${SHORT_SHA}"
echo "default_tag=${DEFAULT_TAG}" >> "$GITHUB_OUTPUT"

if [ -z "$CLUSTER" ]; then
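
Review bot: `default_tag=${DEFAULT_TAG}` is appended to `$GITHUB_OUTPUT` as a single `name=value` line, so a line break in `IMAGE` or `SHORT_SHA` would add extra lines to the outputs file. Unless both are validated above this fragment, reject values containing a newline before the `echo`, or check `IMAGE` against the expected image reference format.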

This is so unnecessarily convoluted. I would suggest something more lean like

TAGS=("${DEFAULT_TAG}")
CLUSTER_TAG=""

if [[ -n "${CLUSTER:-}" ]]; then
  if [[ ! "$CLUSTER" =~ ^(development|staging|production|aws)$ ]]; then
    echo "::error::Invalid cluster '$CLUSTER'. Allowed: development, staging, production, aws (or empty)."
    exit 1
  fi

  CLUSTER_TAG="${IMAGE}:${CLUSTER}-${SHORT_SHA}"
  TAGS+=("$CLUSTER_TAG")
fi

{
  echo "cluster_tag=${CLUSTER_TAG}"
  echo "tags<<EOF"
  printf '%s\n' "${TAGS[@]}"
  echo "EOF"
} >> "$GITHUB_OUTPUT"

Honest confession. I just wrote this, didn't test it, so leaving it up to the reader (? 🙈)
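
The tag-output step discussed in this thread, as an added example that is not part of the PR or the review: POSIX sh functions that check the cluster against the allow-list, refuse single-line outputs containing a newline, and write the multi-line `tags` output with a random delimiter rather than a fixed one. The function names and the `ghadelim_` prefix are assumptions; the output file is passed as an argument so the code also runs outside a runner.

```shell
#!/bin/sh
# Added example, not code from the PR. Function names are hypothetical.
NL='
'

# Succeed only for an empty cluster or one of the values listed in the PR.
validate_cluster() {
  case "$1" in
    ''|development|staging|production|aws) return 0 ;;
    *) echo "::error::Invalid cluster '$1'"; return 1 ;;
  esac
}

# write_single NAME VALUE FILE: append name=value, refusing multi-line values
# so a value cannot add further name=value lines to the outputs file.
write_single() {
  case "$2" in
    *"$NL"*) echo "::error::Output '$1' contains a newline"; return 1 ;;
  esac
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# write_multi NAME VALUE FILE: heredoc form with a per-call random delimiter,
# so no line of the value can end the block early.
write_multi() {
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim" >> "$3"
}

# emit_image_tags IMAGE SHORT_SHA CLUSTER FILE
emit_image_tags() {
  validate_cluster "$3" || return 1
  default_tag="$1:$2"
  cluster_tag=""
  tags="$default_tag"
  if [ -n "$3" ]; then
    cluster_tag="$1:$3-$2"
    tags="$tags$NL$cluster_tag"
  fi
  write_single default_tag "$default_tag" "$4" &&
    write_single cluster_tag "$cluster_tag" "$4" &&
    write_multi tags "$tags" "$4"
}
```

In a composite action step this would be called as `emit_image_tags "$IMAGE" "$SHORT_SHA" "$CLUSTER" "$GITHUB_OUTPUT"`.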

env:
INPUT_IMAGE: ${{ inputs.image }}
INPUT_SUFFIXES: ${{ inputs.suffixes }}
INPUT_META_JSON: ${{ steps.meta.outputs.json }}

Doesn't this mean that somewhere here it should also have needs: [meta]? I get that GH probably does this by itself if referenced, but I would still like it to be explicit

INPUT_SUFFIXES: ${{ inputs.suffixes }}
INPUT_META_JSON: ${{ steps.meta.outputs.json }}
with:
script: |

Oh, I really dislike that this runs a node script. I don't think that is something we want to do. First of all, it takes longer to spin up than just a plain runner. You introduce another image/dependency that you need to download to a runner. Not to mention the many issues that the nodejs ecosystem had in the last year.

If possible, rewrite this into bash. First of all, it is consistent with the rest of the scripts in the github-action repo. It lowers the footprint. Make it cleaner and leaner, as this is unnecessarily convoluted. We have a javascript function within a very simple step. This can all be avoided with just something like

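# jq -e exits non-zero when the value is null or missing, so test its exit
# status as well as the empty-string case
if ! token=$(jq -er '.["tag-names"][0]' <<< "$INPUT_META_JSON") || [[ -z "$token" ]]; then
  echo "::error::No metadata-action tag-names value found"
  exit 1
fi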

# Strip windows \r and trim
suffixes=$(tr -d '\r' <<<"$INPUT_SUFFIXES" | awk '{$1=$1;print}')
if [[ -z "${suffixes}" ]]; then
  echo "::error::At least one suffix is required"
  exit 1
fi

cache_refs='{}'
for suffix in $suffixes; do
  master="type=registry,ref=${INPUT_IMAGE}:cache-master-${suffix}"
  branch="type=registry,ref=${INPUT_IMAGE}:cache-${token}-${suffix}"

  if [[ "$token" == master ]]; then
    from="$master"
    to="${master},mode=max"
  else
    from="${master}"$'\n'"${branch}"
    to="${branch},mode=max"
  fi

  cache_refs=$(jq -c --arg suf "$suffix" --arg from "$from" --arg to "$to" \
    '.[$suf] = {cache_from: $from, cache_to: $to}' <<< "$cache_refs")
done

echo "cache_refs=$cache_refs" >> "$GITHUB_OUTPUT"

You can probably make it even leaner; I just wrote this off the top of my head.


Moreover, consider if this is even necessary. I don't really know how you plan on using it (at the time of this review), but something like

strategy:
  matrix:
    suffix: ['tag1', 'tag2']
steps:
  - uses: docker/build-push-action@v6
    with:
      cache-from: |
        type=registry,ref=${{ env.IMAGE }}:cache-master-${{ matrix.suffix }}
        type=registry,ref=${{ env.IMAGE }}:cache-${{ github.ref_name }}-${{ matrix.suffix }}
      cache-to: type=registry,ref=${{ env.IMAGE }}:cache-${{ github.ref_name }}-${{ matrix.suffix }},mode=max

directly inline in yaml might be a better option.
