[DX-3522] Release testing

[Tofel]

• trigger legacy, CCIP in-memory tests CRE tests and DF1 and CRE upgrade tests, when a new CL image is published
• trigger nightly legacy tests from Docker Build instead of fixed schedule

---

Add action to resolve CL image to use with following characteristics:

• Supports two input modes:
  • Full image mode via chainlink_full_image (/: or /@sha256:).
  • Composed ECR mode via chainlink_image_repo + tag fallback chain (chainlink_image_tag -> chainlink_version -> github.sha).

• Enforces input safety/consistency:
  • chainlink_full_image is mutually exclusive with chainlink_image_repo and chainlink_image_tag.
  • Validates full-image format and fails fast with clear ::error:: messages on invalid combinations/format.
• In composed mode, defaults repo to chainlink and builds:
  • ${QA_AWS_ACCOUNT_NUMBER}.dkr.ecr.${QA_AWS_REGION}.amazonaws.com/:<resolved_tag>
• Exposes the final value through action output resolved_image for downstream workflow steps.

---

Tested:

• nightly with public image ✅
• nightly with nightly image ✅
• CRE smoke & regression in PR ✅
• CRE smoke with public image ✅
• CRE smoke with private image

[github-actions]

✅ No conflicts with other open PRs targeting develop

[trunk-io]

     

View Full Report ↗︎ ⋅ Docs

[Copilot]

Pull request overview

Risk Rating: HIGH (changes to CI/CD workflows that gate releases and nightly testing)

This PR updates GitHub Actions workflows to run legacy system tests and CRE system/regression tests based on newly published Chainlink images (and shifts “nightly” execution to be driven by Docker Build / build-publish workflows rather than a fixed cron in the system-tests workflow itself).

Changes:

• Convert (Nightly) System Tests to be reusable (workflow_call) / parameterized, and add logic to resolve the Chainlink image reference from inputs.
• Update integration workflows to pass the new chainlink_image_repo input name to CRE reusable workflows.
• Trigger legacy + CRE tests from image build/publish workflows (docker-build, build-publish) and enable calling integration-in-memory tests via workflow_call.

Scrupulous human review areas:

• The new “Resolve Chainlink image” bash logic in system-tests-nightly.yml, cre-system-tests.yaml, and cre-regression-system-tests.yaml (input validation + image ref construction).
• The new post-build test triggers in build-publish.yml and docker-build.yml (ensuring intended event coverage, permissions, and failure behavior).

Reviewer recommendations (per CODEOWNERS):

• @smartcontractkit/devex-cicd (explicit owner for .github/workflows/build-publish.yml, and owner for /.github/**)
• @smartcontractkit/devex-tooling and/or @smartcontractkit/core (owners for /.github/**)

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
.github/workflows/system-tests-nightly.yml	Makes system tests reusable/parameterized and adds Chainlink image resolution logic.
.github/workflows/integration-tests.yml	Updates CRE reusable workflow input name from ecr_name to chainlink_image_repo.
.github/workflows/integration-in-memory-tests.yml	Adds workflow_call input and allows execution when called as a reusable workflow.
.github/workflows/docker-build.yml	Calls system tests workflow after image build on schedule/dispatch.
.github/workflows/cre-system-tests.yaml	Adds new image inputs and resolves Chainlink image before running CRE system tests.
.github/workflows/cre-regression-system-tests.yaml	Adds new image inputs and resolves Chainlink image before running CRE regression tests.
.github/workflows/build-publish.yml	Triggers CRE regression, legacy system tests, and CCIP in-memory tests after publish.

[Copilot]

Pull request overview

Copilot reviewed 14 out of 17 changed files in this pull request and generated 3 comments.

[cl-sonarqube-production]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

[erikburt]

Shouldn't this have a ${{ github.sha }}?

[erikburt]

Why does the workflow_call use develop but the workflow_dispatch use ${{ github.sha }}?

[erikburt]

Update this to:

@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1

[erikburt]

Brief header comment would be nice

# Resolves the Chainlink Docker image to use based on environment variables.
# Priority:
#   1. If CHAINLINK_FULL_IMAGE is set, use it directly (must include registry and tag/digest).
#   2. Otherwise, construct the image from:
#        - Repository: CHAINLINK_IMAGE_REPO (default: "chainlink")
#        - Tag: CHAINLINK_IMAGE_TAG or fallback to CHAINLINK_VERSION
#        - Registry: AWS ECR using AWS_ACCOUNT_NUMBER and AWS_REGION
# Enforces mutual exclusivity between FULL_IMAGE and repo/tag inputs, and validates required fields.

[erikburt]

Is there a requirement to having these inline? This seems fine for now, but I think it would make sense to have a post-build-publish.yml workflow that is either called by this one, or is dispatched using a workflow_run: [completed] event (https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_run)

It would allow us to:

1. actually test the post-workflow steps
2. stop polluting release workflows with arbtirary testing jobs

---

This can be done later because it's not particularly easy to pass information between these jobs, so that would need to be figured out.

[erikburt]

From what I can tell, this workflow is not being executed/tested by this PR. It is only run on nightlies at the moment.

IMO it makes sense to update this workflow and the nightly workflow in a separate PR and let it bake to test that it's working before referencing it in our release workflow.

[erikburt]

This already runs on tag pushes, so if we're adding it to be called from the release pipeline which also runs on tag pushes, it will run twice.

[erikburt]

v6

[erikburt]

Update.

[Tofel]

will be broken down into more PRs