
ci: add Dockerfile and enable Docker Hub publish #1

Merged: ff4f merged 2 commits into main from ci/dockerfile-and-docker-publish on May 29, 2026

Conversation


@ff4f ff4f commented May 28, 2026

  • Add multi-stage Dockerfile (rust:1.88 -> debian:bookworm-slim)
  • Add .dockerignore to exclude target/ and dev files
  • Uncomment publish-docker job in release.yml
  • Bump MSRV to 1.88 in Cargo.toml
  • Update Docker tags from seedgen/seedgen to fikridev/seedgen

What

Why

How

Testing

Checklist

  • Tests added or updated for the change
  • Documentation updated (if user-facing — README, CLI.md, MCP.md, scenarios/)
  • cargo fmt && cargo clippy -- -D warnings passes locally
  • Snapshot tests reviewed (if generator output changed) — cargo insta review
  • No .unwrap() or .expect() in library code (src/ outside cli/ and main.rs)
  • No rand::thread_rng() or SystemTime::now() for randomness — only seeded ChaCha8Rng

Summary by CodeRabbit

  • Chores

    • Added multi-stage Docker image and runtime packaging with cross-architecture build support
    • Updated Docker publish workflow to enable cross-platform builds and adjusted image repository tags
    • Increased minimum required Rust version to 1.88
    • Excluded local/dev files from Docker build context to slim builds
  • Documentation

    • Updated contributing guide to English with clarified PR and review steps
    • Refined automated review configuration and comments for clarity


coderabbitai Bot commented May 28, 2026

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Adds a multi-stage Dockerfile and bumps Rust to 1.88, narrows Docker build context via .dockerignore, updates the release workflow for cross-architecture image publishing to fikridev/seedgen, and refreshes CodeRabbit auto-review and CONTRIBUTING documentation in English.

Changes

Docker build and publish infrastructure

Layer | File(s) | Summary
--- | --- | ---
Rust version and multi-stage Dockerfile | Cargo.toml, Dockerfile | Minimum Rust version increased to 1.88. New multi-stage Dockerfile builds seedgen in a Rust builder image and produces a minimal Debian runtime image with seedgen as the ENTRYPOINT and --help as default CMD.
Docker build context optimization | .dockerignore | Replaces .dockerignore with a comprehensive ignore list excluding target/, VCS/tooling folders, editor/IDE configs, .DS_Store, logs, examples, most *.md while preserving README.md, and docker-compose.yml.
CI/CD release workflow updates | .github/workflows/release.yml | Adds QEMU setup step (docker/setup-qemu-action@v3) before buildx and changes Docker image repository tags to fikridev/seedgen for the build/push step (multi-platform targets preserved).
Docs and review config updates | .coderabbit.yaml, CONTRIBUTING.md | Refreshes .coderabbit.yaml initial comments and auto-review formatting; rewrites CONTRIBUTING workflow and checklist items into English and updates Quick Start clone URL.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I hopped through Docker, neat and spry,
Built seeds beneath a bookworm sky,
Rust bumped up, contexts trimmed tight,
Cross-arch images take their flight,
A little rabbit cheers tonight!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
--- | --- | ---
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title 'ci: add Dockerfile and enable Docker Hub publish' accurately summarizes the main changes: adding a Dockerfile and enabling Docker publishing in the CI workflow.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Line 107: Replace the mutable tag docker/setup-qemu-action@v3 with an
immutable commit SHA: locate the workflow step that references
docker/setup-qemu-action@v3 and change it to
docker/setup-qemu-action@<full-commit-sha> (the full 40-char commit hash from
the action's repository) so the workflow is pinned to a specific commit; update
any related usage comments to reflect the immutable pin and verify the workflow
still runs in CI.

In `@Dockerfile`:
- Around line 20-30: Create a non-root runtime user and ensure seedgen is
owned/executable by that user: in the final stage (the Debian runtime stage with
ENTRYPOINT ["seedgen"]), install the minimal useradd utility (e.g., adduser or
passwd/useradd package), create an unprivileged user/group (e.g., "appuser"),
chown /usr/local/bin/seedgen to that user and ensure it is executable, and
switch to that user with USER appuser before ENTRYPOINT; reference the runtime
stage, /usr/local/bin/seedgen, and ENTRYPOINT ["seedgen"] when locating where to
make these changes.
- Line 18: The Dockerfile's builder stage runs "cargo build --release --bin
seedgen" without locking dependencies; update the build invocation to include
the --locked flag (i.e., run cargo build --release --bin seedgen --locked) so
Cargo uses the copied Cargo.lock and makes the build deterministic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: dcbaff47-e6b7-4665-b8a7-89ef5b714fe1

📥 Commits

Reviewing files that changed from the base of the PR and between d799841 and 82984d0.

📒 Files selected for processing (4)
  • .dockerignore
  • .github/workflows/release.yml
  • Cargo.toml
  • Dockerfile

steps:
- uses: actions/checkout@v4

- uses: docker/setup-qemu-action@v3
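Review bot: actions/checkout@v4 on the line above is pinned by a mutable tag in exactly the same way as docker/setup-qemu-action@v3, so moving only the flagged step to a SHA leaves the job half hardened; pin every `uses:` in the job to a full commit SHA and keep the tag as a trailing comment (`# v4`, `# v3`) so Dependabot or Renovate can still track new releases.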

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant portion around the referenced line
echo "=== release.yml around line 107 ==="
nl -ba .github/workflows/release.yml | sed -n '90,130p'

echo
echo "=== All uses of docker/setup-qemu-action in .github/workflows ==="
rg -n "docker/setup-qemu-action@" .github/workflows || true

Repository: ff4f/seedgen

Length of output: 153


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== release.yml around line 107 ==="
cat -n .github/workflows/release.yml | sed -n '90,130p'

echo
echo "=== All uses of docker/setup-qemu-action in .github/workflows ==="
rg -n "docker/setup-qemu-action@" .github/workflows || true

Repository: ff4f/seedgen

Length of output: 1364


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== release.yml around line 107 ==="
cat -n .github/workflows/release.yml | sed -n '90,130p'

echo
echo "=== All uses of docker/setup-qemu-action in .github/workflows ==="
rg -n "docker/setup-qemu-action@" .github/workflows || true

Repository: ff4f/seedgen

Length of output: 1364


Pin docker/setup-qemu-action to an immutable commit SHA (.github/workflows/release.yml line 107 uses docker/setup-qemu-action@v3, a mutable tag). Supply-chain risk—pin to the full commit SHA instead.

Suggested pattern
-      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-qemu-action@<full_commit_sha>
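Review bot: `<full_commit_sha>` in the `+` line is a placeholder, not a value that can be committed; it has to be replaced with the 40-character SHA of the commit the v3 tag points to, and a trailing `# v3` comment on that line keeps the pinned version readable, since without it the next reader cannot tell which release the hash corresponds to.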
🧰 Tools
🪛 zizmor (1.25.2)

[error] 107-107: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 107, Replace the mutable tag
docker/setup-qemu-action@v3 with an immutable commit SHA: locate the workflow
step that references docker/setup-qemu-action@v3 and change it to
docker/setup-qemu-action@<full-commit-sha> (the full 40-char commit hash from
the action's repository) so the workflow is pinned to a specific commit; update
any related usage comments to reflect the immutable pin and verify the workflow
still runs in CI.

Comment thread Dockerfile
COPY tests ./tests
COPY scenarios ./scenarios

RUN cargo build --release --bin seedgen
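Review bot: `RUN cargo build --release --bin seedgen` carries no `--locked`, so when Cargo.lock disagrees with Cargo.toml the build re-resolves dependencies silently instead of failing; add `--locked` so the mismatch surfaces as a build error. The `COPY tests ./tests` and `COPY scenarios ./scenarios` layers directly above also invalidate the compile layer on any test or scenario change even though `--bin seedgen` does not compile the tests; if the binary does not embed scenarios at compile time, those two COPYs can be dropped from the builder stage.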

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and print Dockerfile with line numbers around the referenced line(s)
if [ -f Dockerfile ]; then
  echo "== Dockerfile =="
  nl -ba Dockerfile | sed -n '1,120p'
else
  echo "Dockerfile not found at repo root."
fi

echo
echo "== Searching for Cargo.lock and cargo build flags in Dockerfile =="
rg -n "Cargo\.lock|cargo build|--locked|--frozen|--offline" -S Dockerfile || true

Repository: ff4f/seedgen

Length of output: 134


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find Dockerfile(s)
echo "== Dockerfiles found =="
fd -a -t f 'Dockerfile' . || true

echo
# Prefer repo-root Dockerfile if it exists; otherwise print first found
if [ -f Dockerfile ]; then
  DOCKERFILE="Dockerfile"
else
  DOCKERFILE="$(fd -a -t f 'Dockerfile' . | head -n 1 || true)"
fi

if [ -z "${DOCKERFILE:-}" ]; then
  echo "No Dockerfile found."
  exit 0
fi

echo "== Using: $DOCKERFILE =="

# Print first 120 lines with line numbers via awk (no nl dependency)
awk 'NR<=120 { printf "%d:%s\n", NR, $0 }' "$DOCKERFILE"

echo
echo "== Search: Cargo.lock / cargo build / --locked / --frozen / --offline =="
rg -n "Cargo\.lock|cargo build|--locked|--frozen|--offline" -S "$DOCKERFILE" || true

Repository: ff4f/seedgen

Length of output: 1020


Make the Docker build deterministic by enforcing Cargo.lock (--locked).

Dockerfile copies Cargo.lock into the builder stage, but the build command at line 18 runs cargo build --release --bin seedgen without --locked, so Cargo can update lock resolution (and thus the resulting binary) if Cargo.lock would change—breaking reproducibility.

Suggested patch
-RUN cargo build --release --bin seedgen
+RUN cargo build --release --locked --bin seedgen
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 18, The Dockerfile's builder stage runs "cargo build
--release --bin seedgen" without locking dependencies; update the build
invocation to include the --locked flag (i.e., run cargo build --release --bin
seedgen --locked) so Cargo uses the copied Cargo.lock and makes the build
deterministic.

Comment thread Dockerfile
Comment on lines +20 to +30
FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
libssl3 \
&& rm -rf /var/lib/apt/lists/*

COPY --from=builder /app/target/release/seedgen /usr/local/bin/seedgen

ENTRYPOINT ["seedgen"]
CMD ["--help"]
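Review bot: there is no `USER` between `COPY --from=builder ...` and `ENTRYPOINT ["seedgen"]`, so the container process runs as uid 0. `groupadd`/`useradd` ship in debian:bookworm-slim (passwd package), so a `RUN groupadd --system ... && useradd --system ...` followed by `USER` before `ENTRYPOINT` is enough with no extra apt package, and `COPY --from=builder --chmod=0755` sets the binary mode in the same layer instead of a separate chmod. The `apt-get install -y --no-install-recommends ca-certificates libssl3` line also pins no package versions, which is what Hadolint DL3008 flags.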

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate Dockerfile(s)
ls -la
fd -H -g 'Dockerfile*' . || true

# Print the Dockerfile content with line numbers (best guess path: ./Dockerfile)
if [ -f Dockerfile ]; then
  echo "---- Dockerfile (head 120) ----"
  nl -ba Dockerfile | head -n 160
fi

# Search for USER directives anywhere
if [ -f Dockerfile ]; then
  echo "---- USER directives ----"
  rg -n --hidden --no-ignore-vcs '^\s*USER\s+' Dockerfile || true
fi

Repository: ff4f/seedgen

Length of output: 1575


🏁 Script executed:

#!/bin/bash
set -euo pipefail

if [ -f Dockerfile ]; then
  echo "---- Dockerfile (numbered) ----"
  cat -n Dockerfile
else
  echo "Dockerfile not found at repo root"
fi

echo "---- USER directives ----"
rg -n --hidden --no-ignore-vcs '^\s*USER\s+' Dockerfile || true

echo "---- builder stage hints (FROM lines) ----"
rg -n --hidden --no-ignore-vcs '^\s*FROM\s+' Dockerfile || true

echo "---- chown/chmod hints ----"
rg -n --hidden --no-ignore-vcs '(chown|chmod)\b' Dockerfile || true

Repository: ff4f/seedgen

Length of output: 1120


Run the runtime image as a non-root user.

The final stage (FROM debian:bookworm-slim) has no USER, so ENTRYPOINT ["seedgen"] runs as root. Create an unprivileged user in the runtime stage, chown/ensure permissions for /usr/local/bin/seedgen, and switch to that user before ENTRYPOINT (and install the required package for useradd/groupadd).

🧰 Tools
🪛 Checkov (3.2.529)

[low] 1-30: Ensure that HEALTHCHECK instructions have been added to container images

(CKV_DOCKER_2)


[low] 1-30: Ensure that a user for the container has been created

(CKV_DOCKER_3)

🪛 Hadolint (2.14.0)

[warning] 22-22: Pin versions in apt get install. Instead of apt-get install <package> use apt-get install <package>=<version>

(DL3008)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 20 - 30, Create a non-root runtime user and ensure
seedgen is owned/executable by that user: in the final stage (the Debian runtime
stage with ENTRYPOINT ["seedgen"]), install the minimal useradd utility (e.g.,
adduser or passwd/useradd package), create an unprivileged user/group (e.g.,
"appuser"), chown /usr/local/bin/seedgen to that user and ensure it is
executable, and switch to that user with USER appuser before ENTRYPOINT;
reference the runtime stage, /usr/local/bin/seedgen, and ENTRYPOINT ["seedgen"]
when locating where to make these changes.
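Putting the two Dockerfile findings above together (the `--locked` build and the non-root runtime user), here is an added example of what the hardened multi-stage Dockerfile could look like. It is not the project's Dockerfile: only the `COPY tests`/`COPY scenarios` lines, the build command and the runtime stage are taken from the review excerpts, and the builder base follows the PR description (rust:1.88). The `COPY Cargo.toml Cargo.lock ./` and `COPY src ./src` lines, the user and group name `seedgen`, and the uid/gid 10001 are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# ---- builder stage ----
# rust:1.88 matches the MSRV bump in this PR. The Cargo.toml/Cargo.lock and
# src/ COPY lines are assumed; the review only shows tests/, scenarios/ and the build.
FROM rust:1.88 AS builder
WORKDIR /app
COPY Cargo.toml Cargo.lock ./
COPY src ./src
COPY tests ./tests
COPY scenarios ./scenarios
# --locked: fail the build if Cargo.lock would have to change, instead of
# silently re-resolving dependencies inside the image build.
RUN cargo build --release --locked --bin seedgen

# ---- runtime stage ----
FROM debian:bookworm-slim
# Runtime libraries only; the apt list cache is removed in the same layer.
# Package versions are left unpinned here (Hadolint DL3008 still applies).
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        libssl3 \
    && rm -rf /var/lib/apt/lists/*
# groupadd/useradd come from the passwd package already present in the slim
# base, so no extra package is installed. System account, fixed uid/gid (assumed
# values), no home directory, no login shell, no password.
RUN groupadd --system --gid 10001 seedgen \
    && useradd --system --uid 10001 --gid 10001 --no-create-home \
               --shell /usr/sbin/nologin seedgen
# The binary stays root-owned but world-executable (0755): the unprivileged
# process can run it but cannot overwrite its own executable. Mode is set in
# the COPY itself, so no separate chown/chmod layer is needed.
COPY --from=builder --chmod=0755 /app/target/release/seedgen /usr/local/bin/seedgen
# Everything from here on, including ENTRYPOINT, runs unprivileged.
USER seedgen:seedgen
ENTRYPOINT ["seedgen"]
CMD ["--help"]
```

Two checks after building: `docker run --rm --entrypoint id <image>` should report uid 10001 rather than 0, and a deliberately stale Cargo.lock should now abort the builder stage with Cargo's "lock file needs to be updated but --locked was passed" error instead of producing an image. Root ownership of the binary is a deliberate deviation from the suggested chown: an unprivileged user needs execute permission, not ownership, and not owning the file is the safer of the two.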

Convert Indonesian copy to English in .coderabbit.yaml and CONTRIBUTING.md to improve clarity for international contributors. Updated phrasing for review rules and CodeRabbit guidance, and replaced example clone URL with https://github.com/ff4f/seedgen.git. No behavioral changes to CI commands or workflows.
@ff4f ff4f merged commit 20979e3 into main May 29, 2026
3 of 4 checks passed