[DX-3584] Run smoke tests after releasing an image

[Tofel]

When a new image has been published we will now run:

• CRE smoke tests
• CRE regression tests
• legacy smoke tests

Example run via "hacked" Docker Build ✅ :

• no problems with permissions
• correct image was resolved and used in tests

[github-actions]

✅ No conflicts with other open PRs targeting develop

[trunk-io]

     

View Full Report ↗︎ ⋅ Docs

[Copilot]

Pull request overview

Risk Rating: MEDIUM

Adds post-release validation by running multiple system test suites against the newly published Chainlink image.

Changes:

• Replaces the existing post-build workflow interface to accept a core image tag input and adds jobs for legacy + CRE smoke/regression suites.
• Updates the build/publish pipeline to call the new post-build publish workflow after the core image build.
• Minor workflow UX improvement by naming the devenv compatibility job.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/post-build-publish.yml	Renames workflow and inputs; adds legacy + CRE smoke/regression reusable-workflow invocations.
.github/workflows/build-publish.yml	Switches post-build to call post-build-publish.yml and passes the image identifier.
.github/workflows/devenv-compat.yml	Adds an explicit job name for easier run readability.

Scrupulous human review focus (high-impact areas):

• The new “image identifier” contract (chainlink_core_image_tag / chainlink_image_tag) and how it is resolved into an actual Docker image reference across all invoked reusable workflows.

Comments suppressed due to low confidence (3)

.github/workflows/post-build-publish.yml:10

• The input description has a typo ("tagto"). Please correct it to improve readability (e.g., "image tag to use for the tests").
  .github/workflows/post-build-publish.yml:9
• chainlink_core_image_tag is declared as required: false but it is passed directly into downstream reusable workflows as chainlink_image_tag, where it is required and ultimately used to resolve/pull the Chainlink image. If this input is omitted/empty, these jobs will fail at runtime. Consider making this input required (or giving it a default), or guard the test jobs with an if: inputs.chainlink_core_image_tag != '' condition.
  .github/workflows/post-build-publish.yml:74
• chainlink_image_tag is being set to a tag|digest string (e.g., v2.3.4|sha256:...). The downstream workflows resolve the image by concatenating ...:${CHAINLINK_IMAGE_TAG} (see .github/scripts/resolve-chainlink-image.sh), which would yield an invalid Docker reference because | is not allowed in image tags. To ensure the tests pull the intended published image, pass only the tag here, or switch the contract to pass a full image reference that uses the standard digest syntax (repo@sha256:... or repo:tag@sha256:...) and update the resolver accordingly.

[Tofel]

Superseded by #22063