ci: add GHCR docker publish workflow #33

Merged
jrswab merged 1 commit into master from feat/ghcr-docker-publish
Mar 14, 2026

@jrswab jrswab commented Mar 14, 2026

Adds a GitHub Actions workflow to build and push a Docker image to GHCR on every version tag.

  • Triggers on v* tags (same as release.yml, fully independent)
  • Publishes ghcr.io/jrswab/axe with x.y.z, x.y, x, and latest tags
  • Uses GITHUB_TOKEN — no extra secrets needed
  • GHA layer caching for fast rebuilds
  • Includes artifact attestation (build provenance)

Closes #26

Summary

This PR introduces a GitHub Actions workflow that automatically builds and publishes Docker images to GitHub Container Registry whenever a version tag is pushed. The workflow uses GITHUB_TOKEN for authentication (eliminating the need for additional secrets), generates multiple image tags for semantic versioning, implements layer caching for improved build performance, and includes artifact attestation for supply chain security. This addresses the need to provide pre-built Docker images for users who prefer not to build locally.

Changelog

Added

  • GitHub Actions workflow "Publish Docker Image" that builds and pushes Docker images to ghcr.io/jrswab/axe on version tag pushes
  • Automatic image tagging with full semantic version (x.y.z), major.minor (x.y), major (x), and latest tags
  • GitHub Actions layer caching for faster Docker image rebuilds
  • Artifact attestation and build provenance tracking for supply chain security
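
A workflow of the shape described above needs more than the default read-only token: pushing to GHCR and signing provenance each require a specific job permission. The following is an added sketch, not the repository's own `.github/workflows/docker-publish.yml`; the action major versions, the step ids `meta` and `push`, and a Dockerfile at the repository root are assumptions.

```yaml
# Added sketch; not the repository's .github/workflows/docker-publish.yml.
# Action versions are assumed; pin each to a full commit SHA before relying on it.
name: Publish Docker Image
on:
  push:
    tags: ["v*"]

permissions: {}              # deny by default; the job opts in below

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # checkout only
      packages: write        # push to ghcr.io with GITHUB_TOKEN
      id-token: write        # OIDC token used to sign the attestation
      attestations: write    # store the provenance attestation
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/jrswab/axe
          # latest is left to the action's default handling of semver rules
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
      - id: push
        uses: docker/build-push-action@v6
        with:
          context: .         # assumes a Dockerfile at the repository root
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: ghcr.io/jrswab/axe
          subject-digest: ${{ steps.push.outputs.digest }}  # attest the digest, not a mutable tag
          push-to-registry: true
```

A consumer can check the resulting provenance with `gh attestation verify oci://ghcr.io/jrswab/axe:<tag> --owner jrswab` before running the image.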

coderabbitai bot commented Mar 14, 2026

Walkthrough

A new GitHub Actions workflow is added that automatically publishes Docker images to GitHub Container Registry when version tags are pushed. The workflow handles authentication, extracts semantic versioning metadata, builds images with layer caching via Docker Buildx, and generates provenance attestations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Publishing Automation: `.github/workflows/docker-publish.yml` | New workflow file that orchestrates Docker image builds and pushes to GHCR on version tag events, including metadata extraction, Buildx setup, layer caching, and attestation generation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐳 A workflow takes flight,
Tags trigger the build with delight,
Containers take form,
Docker's new norm,
Pushed to the registry bright! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a GitHub Actions workflow for publishing Docker images to GHCR. |
| Linked Issues check | ✅ Passed | The changes fully implement the objective from issue #26 by establishing automated Docker image builds and pushes to GHCR on version tags. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the stated objective of adding a GHCR Docker publish workflow; no extraneous modifications detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/docker-publish.yml (1)

37-41: The explicit latest tag here is redundant (and won't activate anyway).

The condition enable={{is_default_branch}} evaluates to false on tag-triggered events, so line 41 won't emit latest. However, this doesn't actually break the workflow—the type=semver rules above automatically generate latest by default in docker/metadata-action. The explicit line is unnecessary duplication with a dead condition. Clean it up by removing it entirely:

Suggested fix
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
-           type=raw,value=latest,enable={{is_default_branch}}
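Review bot: once the `type=raw,value=latest` line is removed, nothing in this `tags:` block names `latest`, so the `latest` tag promised in the PR description is published only through the action's implicit default for `type=semver` rules, as the comment above states. Record that in a comment above the three `type=semver` lines, or make it explicit with `flavor: latest=auto` in the same step, so a later edit to the tag rules does not silently change when `latest` moves.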
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-publish.yml around lines 37 - 41, Remove the
redundant explicit latest tag entry from the docker metadata tags block: delete
the line with "type=raw,value=latest,enable={{is_default_branch}}" under the
tags key because the type=semver rules already generate latest and the enable
conditional is false for tag-triggered events; ensure you leave the other semver
tag lines intact and preserve YAML indentation/formatting for the tags list.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between ac24302 and 56e6e7c.

📒 Files selected for processing (1)
  • .github/workflows/docker-publish.yml

@jrswab jrswab merged commit 4bf5829 into master Mar 14, 2026
4 checks passed
@jrswab jrswab deleted the feat/ghcr-docker-publish branch March 14, 2026 18:48

Development

Successfully merging this pull request may close these issues.

Publish a docker image to ghcr / dockerhub.
