zecdev · Great-DoA · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
@@ -0,0 +1,73 @@
+name: Build and Publish Images
+
+on:
+  push:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_PREFIX: ghcr.io/${{ github.repository_owner }}/zeckit
+
+jobs:
+  build:
+    name: Build and push images
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: zebra
+            context: docker/zebra
+            file: docker/zebra/Dockerfile
+          - name: lightwalletd
+            context: docker/lightwalletd
+            file: docker/lightwalletd/Dockerfile
+          - name: zaino
+            context: docker/zaino
+            file: docker/zaino/Dockerfile
+          - name: zingo
+            context: docker/zingo
+            file: docker/zingo/Dockerfile
+          - name: faucet
+            context: zeckit-faucet
+            file: zeckit-faucet/Dockerfile
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_PREFIX }}-${{ matrix.name }}
+          tags: |
+            type=ref,event=branch
+            type=sha,format=short,prefix=sha-
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.context }}
+          file: ${{ matrix.file }}
+          push: true
+          platforms: linux/amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=${{ matrix.name }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.name }}
diff --git a/.github/workflows/ci-action-test.yml b/.github/workflows/ci-action-test.yml
@@ -0,0 +1,160 @@
+# ============================================================
+# ZecKit – CI Self-Test for the Published Action
+# ============================================================
+# Exercises the root action.yml and the reusable golden-e2e
+# workflow against both backends on every push/PR to main.
+#
+# This is also the workflow that prospective callers can use as
+# a copy-paste reference for their own repos.
+# ============================================================
+
+name: Action CI Self-Test
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+      - 'release/**'
+  pull_request:
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+    inputs:
+      backend:
+        description: 'Backend to test (zaino | lwd | both)'
+        required: false
+        default: 'both'
+      upload_artifacts:
+        description: 'Artifact upload policy (always | on-failure | never)'
+        required: false
+        default: 'on-failure'
+
+permissions:
+  contents: read
+  packages: read
+
+# ============================================================
+# STRATEGY MATRIX
+# ============================================================
+jobs:
+
+  # ----------------------------------------------------------
+  # Determine which backends to run based on trigger
+  # ----------------------------------------------------------
+  set-matrix:
+    name: Set test matrix
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.matrix.outputs.matrix }}
+    steps:
+      - name: Build backend matrix
+        id: matrix
+        shell: bash
+        run: |
+          requested="${{ github.event.inputs.backend }}"
+
+          if [[ "$requested" == "zaino" ]]; then
+            echo 'matrix={"backend":["zaino"]}' >> "$GITHUB_OUTPUT"
+          elif [[ "$requested" == "lwd" ]]; then
+            echo 'matrix={"backend":["lwd"]}' >> "$GITHUB_OUTPUT"
+          else
+            # Default: both backends
+            echo 'matrix={"backend":["zaino","lwd"]}' >> "$GITHUB_OUTPUT"
+          fi
+
+  # ----------------------------------------------------------
+  # Run the golden E2E flow via the COMPOSITE ACTION directly
+  # ----------------------------------------------------------
+  composite-action-test:
+    name: "Composite Action – ${{ matrix.backend }}"
+    needs: set-matrix
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
+
+    steps:
+      - name: Checkout ZecKit
+        uses: actions/checkout@v4
+
+      - name: Run ZecKit E2E composite action (self-test)
+        id: e2e
+        uses: ./
+        with:
+          backend:                 ${{ matrix.backend }}
+          startup_timeout_minutes: '10'
+          block_wait_seconds:      '75'
+          send_amount:             '0.05'
+          send_memo:               'CI self-test – ${{ matrix.backend }}'
+          upload_artifacts:        ${{ github.event.inputs.upload_artifacts || 'on-failure' }}
+          ghcr_token:              ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Print action outputs
+        if: always()
+        shell: bash
+        run: |
+          echo "unified_address       : ${{ steps.e2e.outputs.unified_address }}"
+          echo "transparent_address   : ${{ steps.e2e.outputs.transparent_address }}"
+          echo "shield_txid           : ${{ steps.e2e.outputs.shield_txid }}"
+          echo "send_txid             : ${{ steps.e2e.outputs.send_txid }}"
+          echo "final_orchard_balance : ${{ steps.e2e.outputs.final_orchard_balance }} ZEC"
+          echo "block_height          : ${{ steps.e2e.outputs.block_height }}"
+          echo "test_result           : ${{ steps.e2e.outputs.test_result }}"
+
+      - name: Assert test_result is 'pass'
+        shell: bash
+        run: |
+          result="${{ steps.e2e.outputs.test_result }}"
+          if [[ "$result" != "pass" ]]; then
+            echo "::error::Golden E2E returned test_result='$result' (expected 'pass')."
+            exit 1
+          fi
+          echo "✓ test_result=pass"
+
+  # ----------------------------------------------------------
+  # Run the same flow via the REUSABLE WORKFLOW
+  # (validates workflow_call path end-to-end)
+  # ----------------------------------------------------------
+  reusable-workflow-test:
+    name: "Reusable Workflow – zaino"
+    needs: set-matrix
+    uses: ./.github/workflows/golden-e2e.yml
+    with:
+      backend:                 'zaino'
+      startup_timeout_minutes: 10
+      block_wait_seconds:      75
+      send_amount:             0.05
+      send_memo:               'Reusable workflow self-test'
+      upload_artifacts:        'on-failure'
+    secrets:
+      ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+
+  # ----------------------------------------------------------
+  # Gate: all matrix jobs must pass
+  # ----------------------------------------------------------
+  ci-gate:
+    name: CI Gate
+    needs:
+      - composite-action-test
+      - reusable-workflow-test
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - name: Check all jobs
+        shell: bash
+        run: |
+          composite="${{ needs.composite-action-test.result }}"
+          reusable="${{ needs.reusable-workflow-test.result }}"
+
+          echo "composite-action-test : $composite"
+          echo "reusable-workflow-test: $reusable"
+
+          if [[ "$composite" != "success" || "$reusable" != "success" ]]; then
+            echo "::error::One or more E2E jobs failed."
+            exit 1
+          fi
+          echo "✓ All CI jobs passed."
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
@@ -11,10 +11,16 @@ on:
       - develop
   workflow_dispatch:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   e2e-tests:
     name: ZecKit E2E Test Suite
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_PREFIX: ghcr.io/${{ github.repository_owner }}/zeckit
 
     timeout-minutes: 60
 
@@ -81,6 +87,36 @@ jobs:
 
           echo "✓ Cleanup complete (images preserved)"
           echo ""
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Select best prebuilt tag
+        run: |
+          image_prefix="$(echo "${IMAGE_PREFIX}" | tr '[:upper:]' '[:lower:]')"
+          echo "ZECKIT_IMAGE_PREFIX=${image_prefix}" >> "$GITHUB_ENV"
+          short_sha="${GITHUB_SHA::7}"
+          branch_tag="$(echo "${GITHUB_REF_NAME}" | tr '/' '-')"
+          candidates=("sha-${short_sha}" "${branch_tag}" "main" "latest")
+
+          for tag in "${candidates[@]}"; do
+            if docker manifest inspect "${image_prefix}-zaino:${tag}" >/dev/null 2>&1; then
+              echo "Using prebuilt tag: ${tag}"
+              echo "ZECKIT_IMAGE_TAG=${tag}" >> "$GITHUB_ENV"
+              exit 0
+            fi
+          done
+
+          echo "No prebuilt tag found; will fall back to local build"
+          echo "ZECKIT_IMAGE_TAG=sha-${short_sha}" >> "$GITHUB_ENV"
+
+      - name: Pull prebuilt images (zaino profile)
+        run: |
+          docker compose --profile zaino pull || echo "Prebuilt images not found; compose will build locally."
 
       - name: Build CLI binary
         run: |