[codex] Add GHCR container workflow

[Che-Zhu]

What changed

• added a GitHub Actions workflow at .github/workflows/container.yml
• PRs to main now build the container image without pushing
• pushes to main and version tags like v0.2.0 now publish the image to ghcr.io/che-zhu/codex-gateway
• documented the published image tags and pull/run flow in README.md and README_zh.md

Why

• the repository already has a working Dockerfile, but there was no automated path to build and publish a reusable image
• this adds a minimal GHCR release path that matches the locally verified Docker build

Impact

• every PR to main gets a container build check
• merges to main publish main and sha-* image tags
• version tags publish semver-style tags and latest

Validation

• built the image locally with docker build --platform linux/amd64 -t codex-gateway:local-test .
• started the built image locally and verified GET /healthz returned success
• parsed the workflow YAML locally to confirm it is valid

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ac535e6e11

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate latest tag to stable releases only

The metadata rule currently publishes latest for any tag whose ref starts with refs/tags/v, so creating a pre-release tag like v1.4.0-rc.1 (or any non-final v* tag) will overwrite the public latest image with a non-stable build. This can break users who pull :latest expecting the most recent stable release; consider restricting this condition to stable semver tags (e.g., excluding tags with a prerelease suffix).

Useful? React with 👍 / 👎.