[#100] Added Docker image with multi-arch CI build, test, and Docker Hub publish. #334

Merged: AlexSkrypnyk merged 6 commits into main from feature/100-docker-container on Jun 20, 2026

AlexSkrypnyk (Member) commented Jun 20, 2026

Closes #100

Summary

Adds a multi-architecture Docker image for git-artifact so the tool can be used without a local PHP installation. The image is built in a multi-stage Dockerfile, tested end-to-end in CI on every PR and push to main, published as drevops/git-artifact:canary on main pushes, and released to Docker Hub as versioned tags (plus latest) on git tag pushes.

Changes

Dockerfile - Multi-stage build: a builder stage based on php:8.5-cli (digest-pinned) installs Composer and runs composer build to produce the Box PHAR; the runtime stage copies only the PHAR, installs git and openssh-client, bakes in git config --system --add safe.directory '*' to trust the host-mounted source and destination repositories, and sets the PHAR as the ENTRYPOINT.

.dockerignore - Excludes .git, vendor, tests, and other non-essential paths from the build context to keep the image build fast and prevent the host vendor/ from leaking into the builder stage.

.github/workflows/test-docker.yml - Runs on PRs and main pushes: lints the Dockerfile with hadolint, builds the image, then runs a functional test that mounts a real source repo and a bare destination repo and asserts the artifact was pushed to the destination branch. A push-canary-to-registry job (gated on main push, needs the test job) publishes drevops/git-artifact:canary as a multi-arch image (linux/amd64, linux/arm64). Both jobs use persist-credentials: false, least-privilege permissions: contents: read, and concurrency control.

.github/workflows/release-docker.yml - Triggers on tag pushes: multi-arch build and push to Docker Hub (drevops/git-artifact) using docker/build-push-action with tags and labels derived from docker/metadata-action. Authenticates via DOCKER_USER / DOCKER_PASS repo secrets with persist-credentials: false and permissions: contents: read.

README.md - Adds Test Docker, Docker Pulls, and architecture (amd64/arm64) badges, plus an "As a Docker container" installation section with HTTPS and SSH usage examples and an "Image tags" subsection documenting the canary, latest, and versioned tags and how each is published.

Before / After

Before:
  Distribution: PHAR binary (download from GitHub Releases)
               Composer global install
               Composer project dependency

After:
  Distribution: PHAR binary (download from GitHub Releases)
               Composer global install
               Composer project dependency
               Docker image: drevops/git-artifact (linux/amd64 + linux/arm64)
                 - :canary  → published on every main push
                 - :latest  → published on every git tag release
                 - :<tag>   → published on every git tag release

Summary by CodeRabbit

  • New Features
    • Added a Docker container for running git-artifact, with multi-architecture (amd64/arm64) builds and a ready-to-use entrypoint.
    • Added Docker CI that lint-checks the Dockerfile, builds the container, and verifies it produces the expected artifact output; on success, publishes a canary image.
    • Added a Docker release workflow that builds and pushes images for tagged releases.
  • Documentation
    • Updated README with Docker badges and a new “As a Docker container” setup guide, including mount/SSH guidance and tag usage.
  • Chores
    • Improved Docker build context by excluding additional development and build directories/files.

coderabbitai Bot commented Jun 20, 2026

Walkthrough

Adds Docker container support for git-artifact: a new multi-stage Dockerfile builds and packages the binary, a .dockerignore trims the build context, two GitHub Actions workflows handle CI testing (with canary publishing) and tag-based release publishing, and README.md gains Docker badges and installation instructions.

Changes

Docker Container Support

Layer / File(s) - Summary

Multi-stage Dockerfile and build context (Dockerfile, .dockerignore) - Builder stage installs Composer, runs composer install and composer build to produce the git-artifact binary. Runtime stage installs git and openssh-client, configures Git global safe-directory, copies the binary to /usr/local/bin, and sets it as ENTRYPOINT. .dockerignore excludes .git, .github, .idea, tooling folders, tests, and vendor from the build context.

Test Docker CI workflow (.github/workflows/test-docker.yml) - Triggers on push to main and PRs to main/feature/**. The test-docker job lints the Dockerfile with Hadolint, builds the image, creates temporary source and bare destination repos, runs the container with mounts and git identity env vars, and asserts the artifact file landed on the expected branch. On push events only, push-canary-to-registry builds and pushes drevops/git-artifact:canary for linux/amd64 and linux/arm64.

Release Docker workflow (.github/workflows/release-docker.yml) - Triggers on any tag push. Checks out the repo, sets up QEMU and Buildx, logs into Docker Hub using secrets, extracts image metadata, and builds/pushes drevops/git-artifact for linux/amd64 and linux/arm64 using generated tags and labels.

README Docker badges and installation docs (README.md) - Adds Docker Pulls and Test Docker workflow badges; inserts an "As a Docker container" installation subsection with multi-arch image description, two docker run usage examples for generic and SSH-remote workflows, and documentation of the :version, :latest, and :canary image tags.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check (✅ Passed): The title accurately describes the main change: adding Docker image support with multi-arch CI build, test, and Docker Hub publish capabilities.
  • Linked Issues check (✅ Passed): The PR fully implements all requirements from issue #100: adds a Dockerfile with Docker container setup, includes CI build pipeline via GitHub Actions workflows, and implements functional tests for the Docker image.
  • Out of Scope Changes check (✅ Passed): All changes are directly related to the Docker container implementation requirements: Dockerfile, GitHub Actions workflows, .dockerignore, and README documentation updates are all within scope.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.

codecov-commenter commented Jun 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.91%. Comparing base (c9e8b38) to head (32957e0).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #334   +/-   ##
=======================================
  Coverage   96.91%   96.91%           
=======================================
  Files           6        6           
  Lines         421      421           
=======================================
  Hits          408      408           
  Misses         13       13           

coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-docker.yml:
- Around line 16-17: The concurrency group on line 16 uses github.run_id as the
fallback, which is always unique for each run, preventing push events from being
grouped together. Replace the fallback value from github.run_id to github.ref so
that concurrent pushes to the same branch will share the same concurrency group
and properly cancel previous runs. This ensures that concurrent pushes to main
will cancel each other instead of racing to overwrite the canary artifact.

In `@Dockerfile`:
- Line 49: The RUN git config command uses a wildcard '*' for safe.directory,
which disables Git's ownership protection for all repositories in the container,
creating a security vulnerability. Replace the wildcard '*' with the specific
mount path(s) that your application expects to use, such as the exact directory
path where Git repositories will be mounted or accessed, ensuring that only
those specific trusted directories bypass Git's ownership verification checks.

In `@README.md`:
- Around line 182-189: In the docker run command shown in the README.md example,
replace the SSH remote URL (git@github.com:yourorg/your-repo-destination.git)
with an HTTPS equivalent (https://github.com/yourorg/your-repo-destination.git)
since SSH credentials are not mounted in the Docker container and the command
will fail as written. Keep the SSH remote format only in the second example that
follows this one.

📥 Commits

Reviewing files that changed from the base of the PR and between c9e8b38 and ca43e23.

📒 Files selected for processing (5)
  • .dockerignore
  • .github/workflows/release-docker.yml
  • .github/workflows/test-docker.yml
  • Dockerfile
  • README.md

Comment thread .github/workflows/test-docker.yml Outdated
Comment thread Dockerfile
Comment thread README.md
AlexSkrypnyk added the Needs review label Jun 20, 2026
AlexSkrypnyk merged commit 044824e into main Jun 20, 2026
12 checks passed
AlexSkrypnyk deleted the feature/100-docker-container branch June 20, 2026 05:29