ci: generic improvement and cleanup of workflow

.github/workflows/build-push.yml

@@ -9,6 +9,7 @@ on:
 
 env:
   BUILDBOT_VERSION: 3.8.0
+  GITHUB_SHA_LEN: 8
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -42,8 +43,8 @@ jobs:
       - name: Stylecheck with black
         run: black phase1/master.cfg
 
-  build-test-push:
-    name: Build, test and push containers
+  build-test:
+    name: Build and Test container
     runs-on: ubuntu-latest
     needs: test-lint
 
@@ -53,17 +54,20 @@ jobs:
     strategy:
       fail-fast: ${{ github.event_name == 'pull_request' }}
       matrix:
-        container_flavor:
-          - master
-          - worker
+        include:
+          - container_flavor: master
+            container_verify_string: "buildmaster configured in /master"
+          - container_flavor: worker
+            container_test_command: "--env BUILDWORKER_NAME=X --env BUILDWORKER_PASSWORD=Y"
+            container_verify_string: "worker configured in /builder"
 
     steps:
       - name: Checkout
         uses: actions/checkout@v3
 
       - name: Environment variables
         run: |
-          echo "GIT_SHA_SHORT=${GITHUB_SHA::8}" >> $GITHUB_ENV
+          echo "GIT_SHA_SHORT=${GITHUB_SHA::${{ env.GITHUB_SHA_LEN }}}" >> $GITHUB_ENV
 
       - name: Build container and export it to local Docker
         uses: docker/build-push-action@v4
@@ -75,40 +79,53 @@ jobs:
             BUILDBOT_VERSION=${{ env.BUILDBOT_VERSION }}
             OPENWRT_VERSION=${{ env.GIT_SHA_SHORT }}
 
-      - name: Test master Docker container
-        if: matrix.container_flavor == 'master'
+      - name: Test ${{ matrix.container_flavor }} Docker container
         run: |
-          docker run --detach --name test-master local/master
+          docker run --detach ${{ matrix.container_test_command }} --name test-${{ matrix.container_flavor }} local/${{ matrix.container_flavor }}
           sleep 5
-          docker logs test-master | tee master.log
-          grep "buildmaster configured in /master" master.log
+          docker logs test-${{ matrix.container_flavor }} | tee ${{ matrix.container_flavor }}.log
+          grep "${{ matrix.container_verify_string }}" ${{ matrix.container_flavor }}.log
+
+  deploy:
+    name: Push Container
+    if: github.event_name != 'pull_request' || github.repository_owner != 'openwrt'
+    runs-on: ubuntu-latest
+    needs: build-test
+
+    environment: production
 
-      - name: Test worker Docker container
-        if: matrix.container_flavor == 'worker'
+    permissions:
+      packages: write
+
+    strategy:
+      matrix:
+        container_flavor:
+          - master
+          - worker
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Environment variables
         run: |
-          docker run --detach --env BUILDWORKER_NAME=X --env BUILDWORKER_PASSWORD=Y --name test-worker local/worker
-          sleep 5
-          docker logs test-worker | tee worker.log
-          grep "worker configured in /builder" worker.log
+          echo "GIT_SHA_SHORT=${GITHUB_SHA::${{ env.GITHUB_SHA_LEN }}}" >> $GITHUB_ENV
 
       - name: Docker meta
         id: meta
-        if: github.event_name != 'pull_request' || github.repository_owner != 'openwrt'
         uses: docker/metadata-action@v4
         with:
           images: name=ghcr.io/${{ github.repository }}/build${{ matrix.container_flavor }}-v${{ env.BUILDBOT_VERSION }}
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
-        if: github.event_name != 'pull_request' || github.repository_owner != 'openwrt'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build container again and push it
         uses: docker/build-push-action@v4
-        if: github.event_name != 'pull_request' || github.repository_owner != 'openwrt'
         with:
           push: true
           tags: ${{ steps.meta.outputs.tags }}