ci: unify PR workflows and fix multi-arch image push

Merge test.yaml and test_image.yaml into pull-request-ci.yaml with
sequential jobs to avoid Nix cache rate limits. Push test images
tagged pr-<id> on pull requests. Fix digest file concatenation bug
in both pull-request-ci and publish workflows.

Author: tembleking

.github/workflows/publish.yaml

@@ -63,6 +63,7 @@ jobs:
       contents: read
       packages: write
     strategy:
+      max-parallel: 1
       matrix:
         include:
           - arch: amd64
@@ -102,6 +103,7 @@ jobs:
 
           mkdir -p /tmp/digests
           cp /tmp/digest /tmp/digests/${{ matrix.arch }}
+          echo >> /tmp/digests/${{ matrix.arch }}
 
       - name: Upload digest
         uses: actions/upload-artifact@v5

.github/workflows/test_image.yaml .github/workflows/pull-request-ci.yaml.github/workflows/test_image.yaml renamed to .github/workflows/pull-request-ci.yaml

@@ -1,5 +1,5 @@
 ---
-name: Test Image Build
+name: Pull Request CI
 
 on:
   pull_request:
@@ -10,13 +10,45 @@ on:
   workflow_dispatch:
 
 concurrency:
-  group: "test-image-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+  group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
   cancel-in-progress: true
 
 jobs:
-  test_build:
-    name: Test Build (${{ matrix.arch }})
+  build-and-test:
+    name: Build and Test
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v5
+
+      - name: Install Nix
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        with:
+          use-flakehub: false
+
+      - name: Build
+        run: go build ./...
+
+      - name: Run Checks
+        run: just check
+        env:
+          SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
+          SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}
+
+  test-image:
+    name: Test Image (${{ matrix.arch }})
+    runs-on: ubuntu-latest
+    needs: [build-and-test]
     defaults:
       run:
         shell: nix develop --command bash {0}
@@ -85,6 +117,7 @@ jobs:
 
           mkdir -p /tmp/digests
           cp /tmp/digest /tmp/digests/${{ matrix.arch }}
+          echo >> /tmp/digests/${{ matrix.arch }}
 
       - name: Upload digest
         uses: actions/upload-artifact@v5
@@ -94,10 +127,10 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-  push_pr_image:
+  push-pr-image:
     name: Push PR image to GitHub Packages
     runs-on: ubuntu-latest
-    needs: [test_build]
+    needs: [test-image]
     if: github.event_name == 'pull_request'
     permissions:
       contents: read