Build Ubuntu CI containers on GitHub Actions

[SWilson4]

This PR attempts to accomplish the following:

• Move our CI image build logic from CircleCI to GitHub Actions,
• Stop building images for Linux distributions not listed as supported platforms for liboqs,
• Start building images for Ubuntu Jammy and Noble on arm64, and
• Rework our CI tagging system to use multiarch images.

Fixes #81, fixes #74.

Related issues: open-quantum-safe/liboqs#1780.

I'm leaving this as draft until the necessary environment variables/secrets are added (cc @ryjones). And, until it's not a Friday, since this could break all of our CI, and I'd rather not deal with that on the weekend. :)

I may need to further update these Dockerfiles (e.g., to add a dependency) once I have a chance to use them in liboqs CI while working on open-quantum-safe/liboqs#1780.

[ryjones]

@SWilson4 looks like I need to make a dockerhub token? anything else?

[baentsch]

Why Jammy? It's not listed in https://github.com/open-quantum-safe/liboqs/blob/main/PLATFORMS.md
Focal is listed, but shouldn't be (if this lands) -- so remove this once PLATFORMS gets updated?

[SWilson4]

My intent was to update PLATFORMS.md to list support for Focal, Jammy, and Noble (i.e., every Ubuntu LTS version still receiving standard security maintenance) on x86_64 and arm64. Do we really want to support only the latest LTS? Focal will be receiving security updates for another year and Jammy for another three.

[baentsch]

Makes some sense -- although I would limit this to the last two LTS' to also minimize our support obligation (if we see it and act on it as such, i.e., to respond/fix issues found on any Tier 1 platform listed).

But is it really necessary & worth while running all platforms at every push/PR? What about running only latest on push/PR and latest-1 only in the weekly regression and release runs?

[SWilson4]

That seems reasonable to me.

[baentsch]

Logically LGTM; some nits and questions on efficiency.

[SWilson4]

@SWilson4 looks like I need to make a dockerhub token? anything else?

It would be nice but not necessary to have the dockerhub username (oqsbot) saved in a non-secret variable. Other than that nothing.

[ryjones]

@SWilson4 I've added DOCKERHUB_TOKEN as an org secret, and granted access only to this repo, for now.

[baentsch]

@SWilson4 I've added DOCKERHUB_TOKEN as an org secret, and granted access only to this repo, for now.

What does it take to also add it to oqs-demos, @ryjones ? Would allow implementing open-quantum-safe/oqs-demos#294

[baentsch]

@SWilson4 I've added DOCKERHUB_TOKEN as an org secret, and granted access only to this repo, for now.

What does it take to also add it to oqs-demos, @ryjones ? Would allow implementing open-quantum-safe/oqs-demos#294

Disregard. It already works there -- just wonder why now :-)

[SWilson4]

I'm going to merge now so that I can try out these images in liboqs CI. I may need to add additional dependencies in a follow-up PR.

[SWilson4]

This failed at merge due to an incorrect Docker Hub login. :( Could you please take a look @ryjones?

[ryjones]

@SWilson4 fixed :)