Add CD Release Pipeline & License Check Workflow for timpani-rust

[akshaylg0314]

📝 PR Description

---

Add CD Release Pipeline & License Check Workflow for timpani-rust

This PR introduces a complete Continuous Delivery (CD) pipeline for timpani, adds a reusable license report workflow, fixes CI permission issues, and corrects artifact path mismatches found during initial pipeline runs.

---

Changes Implemented

1. New CD Release Pipeline (.github/workflows/release.yml)

✅ Triggers on v* Git tag pushes (e.g., v1.0.0)
✅ Concurrency group prevents overlapping release runs
✅ Runs 4 CI gates in parallel before publishing: Rust CI, doc lint, YAML validation, license report
✅ Downloads all artifacts (coverage, deny, fmt, clippy, test, license reports) and uploads to GitHub Release via svenstaro/upload-release-action@v2
✅ Uploads documentation archive (doc-archive.tar.gz) and compliance files (README, coding guidelines, release process)
✅ Generates quality manifest using Eclipse Dash QueVee (eclipse-dash/quevee@v1)
✅ Final stage builds and pushes multi-arch container image to GHCR

---

2. New Reusable License Report Workflow (.github/workflows/run-license-check.yml)

✅ Reusable via workflow_call — invoked from both CI dispatcher and release pipeline
✅ Uses Swatinem/rust-cache@v2 for fast dependency caching
✅ Installs cargo-about --features cli (correct feature flag for the binary)
✅ Runs scripts/license_check.sh and uploads dist/licenses/* as license-report artifact

---

3. New Reusable Container Build Workflow (.github/workflows/build-container.yml)

✅ Builds multi-arch (linux/amd64, linux/arm64) container image
✅ Authenticates to GHCR and pushes using docker/build-push-action@v6
✅ Auto-tags using docker/metadata-action@v5 (semver + SHA tags)
✅ Uses ./timpani_rust/Dockerfile as build context

---

4. CI Dispatcher: License Change Detection (.github/workflows/ci-dispatcher.yml)

✅ Added license_changed output to detect-changes job — triggers on changes to Cargo.toml, Cargo.lock, about.toml, about.hbs, license_check.sh
✅ Added new Job 5 run-license-check that conditionally calls run-license-check.yml
✅ Added run-license-check to ci-summary needs for complete status reporting

---

🧪 Test Method

Workflow Validation

• ✅ All workflow files validated with actionlint — no errors found
• ✅ release.yml permissions verified: no "only allowed read" errors

Pipeline Verification

• ✅ Tag push (v0.2.0) triggered release pipeline successfully
• ✅ All 4 CI gate jobs ran and passed
• ✅ Artifact download paths resolved correctly (no double-nesting)
• ✅ License HTML generated at dist/licenses/workspace_licenses.html
• ✅ cargo-about binary available after cargo install cargo-about --features=cli

---

✅ Checklist

• Code conventions followed (SPDX headers on all new workflow files)
• All workflow files validated with actionlint before pushing
• Artifact paths match what CI scripts actually produce
• continue-on-error: true applied to conditionally-generated artifacts
• No unnecessary permissions granted (principle of least privilege)
• License check integrated into both CI dispatcher and release pipeline

---

[akshaylg0314]

Hey @basheerFZ Please review the code and merge, Below is verification link in my local forked repo:https://github.com/akshaylg0314/timpani-akshay/actions/runs/25851383612

[basheerFZ]

This PR will be enabling continuous deployment/ delivery to generate aritifacts and reports when release is made