[DEVOPS-1711] Add Docker image for bws versioning for release workflow (

#573)

## Type of change

<!-- (mark with an `X`) -->

```
- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [x] Build/deploy pipeline (DevOps)
- [ ] Other
```

## Objective

Add docker publish to `release-cli.yml` workflow.

<!--Describe what the purpose of this PR is. For example: what bug
you're fixing or what new feature you're adding-->

## Code changes

<!--Explain the changes you've made to each file or major component.
This should help the reviewer understand your changes-->
<!--Also refer to any related changes or PRs in other repositories-->

- **.github/workflows/release-cli.yml:** Add docker publish job to
`release-cli.yml` workflow.
- **.github/workflows/build-cli-docker.yml** Remove unused input.
Publish docker only if building for publish branch

## Before you submit

- Please add **unit tests** where it makes sense to do so

---------

Co-authored-by: Vince Grassia <[email protected]>

.github/workflows/build-cli-docker.yml

@@ -6,11 +6,6 @@ on:
     paths:
       - "crates/bws/**"
   workflow_dispatch:
-    inputs:
-      sdk_branch:
-        description: "Server branch name to deploy (examples: 'master', 'rc', 'feature/sm')"
-        type: string
-        default: master
   pull_request:
     paths:
       - ".github/workflows/build-cli-docker.yml"
@@ -111,7 +106,7 @@ jobs:
           platforms: |
             linux/amd64,
             linux/arm64/v8
-          push: true
+          push: ${{ env.is_publish_branch }}
           tags: ${{ steps.tag-list.outputs.tags }}
           secrets: |
             "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

.github/workflows/release-cli.yml

@@ -8,17 +8,19 @@ on:
       release_type:
         description: "Release Options"
         required: true
-        default: "Initial Release"
+        default: "Release"
         type: choice
         options:
-          - Initial Release
-          - Redeploy
+          - Release
           - Dry Run
 
 defaults:
   run:
     shell: bash
 
+env:
+  _AZ_REGISTRY: bitwardenprod.azurecr.io
+
 jobs:
   setup:
     name: Setup
@@ -120,7 +122,7 @@ jobs:
 
   publish:
     name: Publish bws to crates.io
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs:
       - setup
     steps:
@@ -156,3 +158,78 @@ jobs:
           PUBLISH_GRACE_SLEEP: 10
           CARGO_REGISTRY_TOKEN: ${{ steps.retrieve-secrets.outputs.cratesio-api-token }}
         run: cargo-release release publish -p bws --execute --no-confirm
+
+  publish-docker:
+    name: Publish docker versioned and latest image
+    runs-on: ubuntu-22.04
+    needs: setup
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Generate tag list
+        id: tag-list
+        env:
+          VERSION: ${{ needs.setup.outputs.release-version }}
+          DRY_RUN: ${{ inputs.release_type == 'Dry Run' }}
+        run: |
+          if [[ "${DRY_RUN}" == "true" ]]; then
+            REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+            IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g")  # slash safe branch name
+            echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG},bitwarden/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+          else
+            echo "tags=$_AZ_REGISTRY/bws:${VERSION},bitwarden/bws:${VERSION},$_AZ_REGISTRY/bws:latest,bitwarden/bws:latest" >> $GITHUB_OUTPUT
+          fi
+
+      ########## Set up Docker ##########
+      - name: Set up QEMU emulators
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      ########## Login to Docker registries ##########
+      - name: Login to Azure - Prod Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Login to Azure ACR
+        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve github PAT secrets
+        id: retrieve-secret-pat
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
+      - name: Setup Docker Trust
+        uses: bitwarden/gh-actions/setup-docker-trust@main
+        with:
+          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          azure-keyvault-name: "bitwarden-ci"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          context: .
+          file: crates/bws/Dockerfile
+          platforms: |
+            linux/amd64,
+            linux/arm64/v8
+          push: ${{ inputs.release_type != 'Dry Run' }}
+          tags: ${{ steps.tag-list.outputs.tags }}
+          secrets: |
+            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
+
+      - name: Log out of Docker and disable Docker Notary
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
+        run: |
+          docker logout
+          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV