Refactor the CI workflows and scripts to make it clearer

.github/actions/build-single-image/action.yml

@@ -0,0 +1,74 @@
+name: Build staged image (single arch)
+description: Build (and optionally push) a single-arch staged image to GHCR.
+
+inputs:
+  ghcr_token:
+    description: Token to login to ghcr.io
+    required: false
+  docker_file:
+    description: Path to Dockerfile
+    required: true
+  tag:
+    description: Image tag under ghcr.io/confidential-containers/staged-images
+    required: true
+  arch:
+    description: Architecture suffix for tags (e.g. x86_64, aarch64, s390x)
+    required: true
+  platform:
+    description: Optional build target platform (e.g. linux/amd64)
+    required: false
+    default: ""
+  context:
+    description: Build context directory
+    required: false
+    default: "."
+  build_args:
+    description: Extra build args string (e.g. --build-arg FOO=bar)
+    required: false
+    default: ""
+  build_option:
+    description: Extra docker build options (e.g. --push)
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+    - name: Login to GHCR Container Registry
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      if: contains(inputs.build_option, '--push')
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.ghcr_token }}
+
+    - name: Build image
+      shell: bash
+      run: |
+        set -euo pipefail
+        commit_sha="${GITHUB_SHA}"
+        platform_args=()
+        if [ -n "${{ inputs.platform }}" ]; then
+          platform_args+=(--platform "${{ inputs.platform }}")
+        fi
+
+        # Parse build options and args into arrays to avoid shell injection.
+        build_option_args=()
+        if [ -n "${{ inputs.build_option }}" ]; then
+          read -r -a build_option_args <<< "${{ inputs.build_option }}"
+        fi
+        build_args_array=()
+        if [ -n "${{ inputs.build_args }}" ]; then
+          read -r -a build_args_array <<< "${{ inputs.build_args }}"
+        fi
+        docker buildx build --provenance false \
+          "${platform_args[@]}" \
+          -f "${{ inputs.docker_file }}" \
+          "${build_option_args[@]}" \
+          "${build_args_array[@]}" \
+          -t "ghcr.io/confidential-containers/staged-images/${{ inputs.tag }}:${commit_sha}-${{ inputs.arch }}" \
+          -t "ghcr.io/confidential-containers/staged-images/${{ inputs.tag }}:latest-${{ inputs.arch }}" \
+          "${{ inputs.context }}"

.github/workflows/build-and-push-staged-images.yml

@@ -0,0 +1,49 @@
+name: Staged Images
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths-ignore:
+      - '**/*.md'
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build_staged_images_pr:
+    name: Build staged images (all) [PR]
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+    uses: ./.github/workflows/workflow-call-build-staged-images.yml
+    with:
+      image_group: all
+      build_option: ''
+
+  build_staged_images_push:
+    name: Build staged images (all) [push]
+    if: github.event_name == 'push'
+    permissions:
+      packages: write
+      contents: read
+    uses: ./.github/workflows/workflow-call-build-staged-images.yml
+    with:
+      image_group: all
+      build_option: --push
+    secrets:
+      GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  publish_manifests:
+    name: Publish multi-arch manifests
+    needs: build_staged_images_push
+    if: github.event_name == 'push'
+    permissions:
+      packages: write
+      contents: read
+    uses: ./.github/workflows/workflow-call-publish-staged-manifests.yml
+    with:
+      tags: '["kbs","kbs-grpc-as","coco-as-grpc","coco-as-restful","rvps","kbs-client-image"]'
+    secrets:
+      GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}