ci: add Docker Hub release workflow with ARM64 support #232

Merged
olegshmuelov merged 3 commits into main from feat/docker-hub-ci
Apr 13, 2026


@olegshmuelov olegshmuelov commented Apr 6, 2026

Summary

  • Add .github/workflows/docker-release.yml — builds and pushes multi-arch (amd64 + arm64) Docker images to Docker Hub on v* tag push
  • Fix Dockerfile alpine base image SHA pin from amd64-only platform digest to manifest list digest, enabling ARM64 builds

Context

Supersedes the Docker Hub workflow portion of #218. The remaining changes in #218 (Makefile, README, GitLab CI) can be evaluated separately.

Finding

F-ssv-dkg-034: Docker Hub CI missing — no docker image published on tag

Test

  • Verified golang base image SHA is already a manifest list (multi-arch safe)
  • Verified alpine SHA was amd64-only; replaced with manifest list digest
  • Full validation requires a test tag push

UPDATE: Bumped Go 1.25.8 → 1.25.9 across ci.yml, releases.yml, Dockerfile, and go.mod to resolve 3 stdlib CVEs flagged by govulncheck (GO-2026-4947, GO-2026-4946, GO-2026-4870 — crypto/x509 and crypto/tls).
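
The distinction in the summary above (a platform-specific digest versus a manifest-list digest) can be checked mechanically. The following is an added example, not code from this PR or the ssv-dkg repository: it classifies the raw manifest JSON that a digest pin resolves to and reports which platforms it covers. `check_pin`, the required-platform set and both sample documents are constructed for illustration; real input would be the output of `docker buildx imagetools inspect --raw <image>@<digest>`.

```python
import json

# Media types that mark a multi-platform index rather than one image manifest.
INDEX_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}
REQUIRED = {"linux/amd64", "linux/arm64"}  # assumption: the two targets this PR builds


def check_pin(raw_manifest, required=REQUIRED):
    """Return (kind, platforms, covers_required) for the manifest behind a digest pin."""
    doc = json.loads(raw_manifest)
    # Some OCI indexes omit mediaType; a "manifests" array is the structural tell.
    if doc.get("mediaType") not in INDEX_TYPES and "manifests" not in doc:
        # Single image manifest: its platform is recorded in the config blob, not
        # here, so it cannot be shown to cover a multi-platform requirement.
        return "single-platform", set(), False
    platforms = set()
    for entry in doc.get("manifests", []):
        plat = entry.get("platform") or {}
        os_name, arch = plat.get("os"), plat.get("architecture")
        if not os_name or not arch or "unknown" in (os_name, arch):
            continue  # attestation entries are recorded as unknown/unknown
        name = f"{os_name}/{arch}"
        variant = plat.get("variant")
        if variant and (arch, variant) != ("arm64", "v8"):  # v8 is arm64's default
            name += f"/{variant}"
        platforms.add(name)
    return "index", platforms, set(required) <= platforms


# Constructed samples; the digests are placeholders, not real Alpine values.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:<placeholder-a>", "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:<placeholder-b>",
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
        {"digest": "sha256:<placeholder-c>", "platform": {"os": "unknown", "architecture": "unknown"}},
    ],
})
SAMPLE_SINGLE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": "sha256:<placeholder-d>"},
    "layers": [],
})
```

Run as a pre-merge check on each `FROM ...@sha256:` pin, a `False` third element flags a pin that will break or silently narrow a multi-arch build.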

@olegshmuelov
Contributor Author

@vaclav-ssvlabs This PR needs a DOCKERHUB_TOKEN secret to push images. Could you check if an org-level secret already exists, or add one? Happy to adjust the secret name if there's a preferred convention.

vaclav-ssvlabs previously approved these changes Apr 9, 2026

@vaclav-ssvlabs vaclav-ssvlabs left a comment

LGTM, token was added to the repo as SSV_DKG_DOCKERHUB_TOKEN - so please adjust.

Only small note - do we want to also push ssvlabs/ssv-dkg:latest? As you mentioned in one of the PRs for ssv-oracle, this could be dangerous in case we need to do a patch for an older release, and this would override the latest with an older version.

It is more of a question of workflow if this scenario can ever happen.

I assume the multi-platform CI is expected to work, as I didn't test this myself and assume it works.

nkryuchkov previously approved these changes Apr 9, 2026
@olegshmuelov olegshmuelov dismissed stale reviews from nkryuchkov and vaclav-ssvlabs via aa9b96e April 9, 2026 11:40
@olegshmuelov
Contributor Author

> LGTM, token was added to the repo as SSV_DKG_DOCKERHUB_TOKEN - so please adjust.

updated to SSV_DKG_DOCKERHUB_TOKEN.

> Only small note - do we want to also push ssvlabs/ssv-dkg:latest? As you mentioned in one of PRs for ssv-oracle, this could be dangerous in case we need to do a patch for an older release, and this would override the latest with an older version.
>
> It is more of a question of workflow if this scenario can ever happen.
>
> I assume the multi-platform CI is expected to work, as I didn't test this myself and assume it works.

Keeping latest for now, consistent with ssv-oracle. If we ever need to patch an older release we can revisit, but for a DKG tool the scenario is unlikely.

@olegshmuelov olegshmuelov merged commit 7d9ead2 into main Apr 13, 2026
5 checks passed
@olegshmuelov olegshmuelov deleted the feat/docker-hub-ci branch April 13, 2026 11:23