[BRE-1004] Add GHCR Support to Build/Publish workflows

[vgrassia]

🎟️ Tracking

• BRE-1004

📔 Objective

Adds GitHub Container Registry (GHCR) support to the build and publish workflows, making GHCR the primary registry while retaining Azure Container Registry (ACR) as a secondary target.

build.yml

• Adds _GHCR_REGISTRY: "ghcr.io/bitwarden" environment variable
• Adds GHCR login to the build job; images are now tagged and pushed to both GHCR and ACR
• Sets primary_tag output to the GHCR tag
• Includes GHCR short-SHA dev tag alongside the existing ACR dev tag
• Broadens Cosign signing condition from refs/heads/main to is_publish_branch (covers rc and hotfix-rc as well)
• Replaces Azure login in the docker-stub job with GHCR login, and updates setup image references to use $_GHCR_REGISTRY

publish.yml

• Adds a GHCR publish section (login → skopeo copy → logout) before the existing ACR section, publishing the versioned image to GHCR on release

[github-actions]

Checkmarx One – Scan Summary & Details – ab11ba13-91c8-42f5-86ff-f56e20a32c02

---

New Issues (2)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1592	details Method at line 1592 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
2		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1419	details Method at line 1419 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 293

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.62%. Comparing base (5aae028) to head (73f7555).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7263   +/-   ##
=======================================
  Coverage   57.62%   57.62%           
=======================================
  Files        2033     2033           
  Lines       89619    89619           
  Branches     7978     7978           
=======================================
  Hits        51642    51642           
  Misses      36117    36117           
  Partials     1860     1860           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud