[#587] Build OCI images for release tags

OCI images will be built often (on each PR) to make sure our recipe
doesn't get rusty.
Publishing to the registry will happen only for `v*` tags.

Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>

.forgejo/workflows/builds.yml

@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - master
+    tags:
+      - v*
+  workflow_dispatch:
 
 jobs:
   builds:
@@ -25,3 +28,27 @@ jobs:
 
       - name: Check dirty suffix
         run: if [[ $(make version) == *"dirty"* ]]; then echo "Version has dirty suffix" && exit 1; fi
+
+  image:
+    name: OCI image
+    needs:
+      - builds
+    runs-on: docker
+    container: git.frostfs.info/truecloudlab/env:oci-image-builder-bookworm
+    steps:
+      - name: Clone git repo
+        uses: actions/checkout@v3
+
+      - name: Build OCI image
+        run: make image
+
+      - name: Push image to OCI registry
+        run: |
+          echo "$REGISTRY_PASSWORD" \
+            | docker login --username truecloudlab --password-stdin git.frostfs.info
+          make image-push
+        if: >-
+          startsWith(github.ref, 'refs/tags/v') &&
+          (github.event_name == 'workflow_dispatch' || github.event_name == 'push')
+        env:
+          REGISTRY_PASSWORD: ${{secrets.REGISTRY_PASSWORD}}