Update action to always build but only publish on release

[samaloney]

No description provided.

[Copilot]

Pull request overview

Updates the Docker image CI workflow to separate building from publishing so images are always built, but only pushed to GHCR on release publication.

Changes:

• Add release.published trigger and split the workflow into build (no push) and publish (push to GHCR) jobs.
• Introduce GHCR login and Docker metadata/tagging via docker/metadata-action.
• Add job-scoped permissions for least-privilege operation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The job condition uses github.event.release.published, but the release webhook payload does not include a published boolean (it provides action: published and release.published_at). As written, this condition is likely always false and will prevent publishing. Since the workflow is already filtered to on: release: types: [published], consider simplifying the condition to github.event_name == 'release' (or check github.event.action == 'published' / github.event.release.published_at != '').

Suggested change

	if: github.event_name == 'release' && github.event.release.published == true
	if: github.event_name == 'release'

[Copilot]

actions/checkout@v5 is not pinned while the Docker actions in this workflow are pinned to exact SHAs. For supply-chain safety and reproducibility, pin checkout to a commit SHA (or at least align the versioning strategy across all actions in this workflow).

[Copilot]

docker/login-action@v3 is introduced unpinned. For consistency with the other Docker actions in this workflow (already pinned by SHA) and to reduce supply-chain risk, pin this action to a specific commit SHA as well.

Suggested change

	uses: docker/login-action@v3
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f834f