
ci(release): publish gts-spec-tests image to ghcr.io on tags #72

Merged: Artifizer merged 2 commits into GlobalTypeSystem:main from aviator5:gts-spec-tests-docker-release on May 20, 2026

Conversation

aviator5 (Collaborator) commented May 20, 2026

  • Add release-tests-image workflow that publishes the e2e test runner to ghcr.io/globaltypesystem/gts-spec-tests on every vX.Y.Z tag.
  • Enforce that the tag's major.minor matches the spec version in README.md; release only from the canonical GlobalTypeSystem/gts-spec repo; build multi-arch (linux/amd64, linux/arm64); produce vX.Y.Z and vX.Y tags; create a GitHub Release with auto-generated notes.
  • Document the published image in tests/README.md (pull/run/pin) and the release process in CONTRIBUTING.md.
  • Align Dockerfile header comments with the published image name and point users at the GHCR image.

Summary by CodeRabbit

  • Documentation

    • Enhanced contributing guide with release process and versioning requirements
    • Expanded test running guide with Docker workflow examples and image publishing details
    • Added specification version marker to README
  • Chores

    • Implemented automated GitHub Actions workflow for publishing multi-architecture test Docker images to GitHub Container Registry on version releases

Review Change Stack

- Add release-tests-image workflow that publishes the e2e test runner to
  ghcr.io/globaltypesystem/gts-spec-tests on every vX.Y.Z tag.
- Enforce that the tag's major.minor matches the spec version in README.md;
  release only from the canonical GlobalTypeSystem/gts-spec repo;
  build multi-arch (linux/amd64, linux/arm64); produce vX.Y.Z and vX.Y
  tags; create a GitHub Release with auto-generated notes.
- Document the published image in tests/README.md (pull/run/pin) and the
  release process in CONTRIBUTING.md.
- Align Dockerfile header comments with the published image name and point
  users at the GHCR image.

Signed-off-by: Aviator 5 <ai.agent.tor@gmail.com>
coderabbitai Bot commented May 20, 2026

Warning

Rate limit exceeded

@aviator5 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 38 minutes and 38 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2e40cafd-87b4-4890-bbf4-3cb4fe849fa5

📥 Commits

Reviewing files that changed from the base of the PR and between 8e8bb70 and 7cf9be8.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/release-tests-image.yml
Walkthrough

This PR introduces a complete release and Docker publishing system for the GTS specification test suite. It adds a GitHub Actions workflow that automatically builds and publishes multi-arch Docker images to GHCR on semver tag pushes, with version validation against a README.md marker, along with supporting documentation for both maintainers and users.

Changes

Release workflow and Docker image publishing

  • Version marker specification (README.md): README.md declares the GTS specification version as 0.11 via a machine-readable HTML comment that serves as the canonical version source for the release workflow.
  • Release workflow implementation (.github/workflows/release-tests-image.yml): the GitHub Actions workflow triggers on v*.*.* tags, validates the tag's MAJOR.MINOR portion against the README.md version marker, sets up a multi-arch Docker build (amd64/arm64), logs into GHCR, computes version-derived image tags, builds and publishes the image from tests/Dockerfile, and creates a GitHub Release with Docker usage examples.
  • Docker image and test documentation (tests/Dockerfile, tests/README.md): the Dockerfile updates its documentation comments to reference the published GHCR image and uses the standardized gts-spec-tests image name in build/run examples; tests/README.md expands test execution guidance with the recommended Docker workflow, image tag selection, and concrete docker run commands, and the test cases checklist (OP#1–OP#11 and sub-items) is moved after the test running instructions.
  • Release process documentation (CONTRIBUTING.md): introduces a Releases section describing the README.md version marker contract, CI validation enforcement, GHCR image tagging rules (vX.Y.Z and rolling vX.Y per release, no latest tag), and the maintainer-only release tagging process and workflow steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • Artifizer

Poem

🐰 A version marker takes its place,
A workflow builds with Docker's grace,
Multi-arch images shipped with care,
Through GHCR into the air!
Release and roll, so clean and bright,
The test suite runs exactly right. ✨

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: adding CI/release automation to publish a Docker image to GHCR on version tags, which is the core objective of this PR.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

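The version gate the walkthrough above describes, as an added example that is not the repository's workflow: a POSIX shell check that refuses a tag whose MAJOR.MINOR does not match the README marker. The marker format `<!-- gts-spec-version: X.Y -->` and the function names are assumptions; the page only says README.md carries a machine-readable HTML comment declaring 0.11.

```shell
#!/usr/bin/env sh
# Added example, not the gts-spec workflow. Assumed marker line in README.md:
#   <!-- gts-spec-version: X.Y -->
# Function names are the author's own choices.

# Print MAJOR.MINOR for a strict vX.Y.Z tag; fail on anything else
# (pre-release suffixes and tags without the leading "v" are rejected).
tag_major_minor() {
  printf '%s' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  printf '%s\n' "${1#v}" | cut -d. -f1,2
}

# Print the X.Y declared by the first marker line on stdin (empty if none).
readme_spec_version() {
  sed -n 's/^<!-- gts-spec-version: \([0-9][0-9]*\.[0-9][0-9]*\) -->$/\1/p' | head -n 1
}

# Return 0 when the tag's MAJOR.MINOR equals the README marker; otherwise
# explain on stderr and return a distinct non-zero code per failure mode.
check_release_tag() {
  tag=$1; readme=$2
  mm=$(tag_major_minor "$tag") || { echo "malformed tag: $tag" >&2; return 2; }
  spec=$(readme_spec_version < "$readme")
  [ -n "$spec" ] || { echo "no version marker in $readme" >&2; return 3; }
  [ "$mm" = "$spec" ] || { echo "tag $tag is $mm but README declares $spec" >&2; return 1; }
}

# Constructed sample README carrying the version the PR page reports (0.11).
SAMPLE_README=$(mktemp)
trap 'rm -f "$SAMPLE_README"' EXIT
cat > "$SAMPLE_README" <<'EOF'
# GTS specification (constructed sample, not the real README.md)
<!-- gts-spec-version: 0.11 -->
EOF

check_release_tag v0.11.3 "$SAMPLE_README" && echo "v0.11.3: release allowed"
check_release_tag v0.12.0 "$SAMPLE_README" || echo "v0.12.0: release blocked (exit $?)"
```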

coderabbitai Bot left a comment
Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-tests-image.yml:
- Around line 21-22: Add a defense-in-depth change to the workflow's Checkout
step by setting persist-credentials to false on the actions/checkout@v4
invocation: update the Checkout step (uses: actions/checkout@v4) to include
persist-credentials: false so the GITHUB_TOKEN is not written into .git/config
and cannot be accidentally persisted or leaked if the workflow later caches or
uploads the .git directory.
- Line 22: The workflow currently pins actions by tag (e.g.,
actions/checkout@v4, docker/setup-qemu-action@v3, docker/setup-buildx-action@v3,
docker/login-action@v3, docker/metadata-action@v5, docker/build-push-action@v6,
softprops/action-gh-release@v2); replace those tag references with their
corresponding immutable commit SHAs (the reviewer provided verified SHAs) across
all occurrences (lines referenced: 22, 65, 68, 71, 79, 92, 102) so each uses:
entry is updated to uses: <owner>/<repo>@<commit-sha> to hard-pin the exact
commit for supply-chain security.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f3c3610e-41ca-4f8f-b22a-f44570fc8e02

📥 Commits

Reviewing files that changed from the base of the PR and between 3d4d3eb and 8e8bb70.

📒 Files selected for processing (5)
  • .github/workflows/release-tests-image.yml
  • CONTRIBUTING.md
  • README.md
  • tests/Dockerfile
  • tests/README.md

- Pin all 7 actions in release-tests-image.yml to immutable commit SHAs
  with trailing version comments. Mitigates the tag-mutability supply-chain
  risk demonstrated by the tj-actions/changed-files compromise of March 2025
  (CVE-2025-30066), where attackers retroactively moved version tags to a
  malicious commit affecting 23k+ repositories.
- Add persist-credentials: false on actions/checkout. Currently low risk
  (workflow doesn't upload artifacts or cache .git), but prevents
  GITHUB_TOKEN from being persisted in .git/config if the workflow is later
  modified to do so.
- Add .github/dependabot.yml with weekly grouped updates for the
  github-actions ecosystem. Dependabot natively understands SHA pins with
  trailing version comments and updates both the SHA and the comment
  together, preventing pins from going stale (the main failure mode of
  SHA pinning without automation).
- Scope intentionally limited to release-tests-image.yml: validate-schemas
  has only contents:read permission and minimal attack surface, so the
  maintenance cost of SHA pinning there would outweigh the benefit.

Signed-off-by: Aviator 5 <ai.agent.tor@gmail.com>
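The two findings from the review comment above and the SHA-pinning commit message, as an added audit script that is not part of the repository: it flags `uses:` references not pinned to a full commit SHA and an actions/checkout step that leaves persist-credentials at its default. The sample workflow excerpt and its all-zero SHA are constructed placeholders, and the function names are assumptions.

```shell
#!/usr/bin/env sh
# Added audit, not part of gts-spec. Checks a workflow file for the two
# findings raised on this PR: "uses:" refs that are mutable tags or branches
# instead of 40-hex commit SHAs, and actions/checkout used without
# persist-credentials: false anywhere in the file (a coarse, file-level test).
# Local "./path" actions have no "@" and are reported too; adjust if you use them.

# Print every "uses:" target (trailing "# version" comment stripped)
# whose ref is not a full commit SHA.
unpinned_uses() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
    grep -Ev '@[0-9a-f]{40}$' || true
}

# True when the file checks out with actions/checkout but never disables
# credential persistence, so GITHUB_TOKEN stays in .git/config after the step.
checkout_keeps_token() {
  grep -Eq 'uses:[[:space:]]*actions/checkout@' "$1" &&
    ! grep -Eq '^[[:space:]]*persist-credentials:[[:space:]]*false' "$1"
}

# Report both findings; return 1 if anything needs fixing.
audit_workflow() {
  rc=0
  bad=$(unpinned_uses "$1")
  if [ -n "$bad" ]; then
    printf 'not pinned to a commit SHA (tags can be moved, cf. CVE-2025-30066):\n%s\n' "$bad"
    rc=1
  fi
  if checkout_keeps_token "$1"; then
    echo 'actions/checkout without persist-credentials: false'
    rc=1
  fi
  return "$rc"
}

# Constructed workflow excerpt; the all-zero SHA is a placeholder, not a real pin.
SAMPLE_WF=$(mktemp)
trap 'rm -f "$SAMPLE_WF"' EXIT
cat > "$SAMPLE_WF" <<'EOF'
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/login-action@0000000000000000000000000000000000000000 # v3.x.y
EOF

audit_workflow "$SAMPLE_WF" || echo "audit failed (exit $?)"
```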
Artifizer merged commit bd9f4cf into GlobalTypeSystem:main on May 20, 2026
2 checks passed