fix: split Dockerfile with pinned images and add CI workflow (#14)

## Summary

Rewrites the Dockerfile to use sha256-pinned images and proper multi-stage build structure. Adds missing Makefile targets and a Gitea CI workflow.

## Changes

### Dockerfile
- **Lint stage**: `golangci/golangci-lint` v1.64.8 pinned by sha256 — runs `make fmt-check` + `make lint`
- **Test stage**: `golang` 1.22.12 pinned by sha256 — runs `make test` with dependency on lint stage
- Removed redundant final stage (this is a library with no binary to build)
- Both images pinned by digest with version+date comments

### Makefile
- Added `fmt-check` target: verifies `gofmt` compliance without modifying files
- Added `check` target: runs `fmt-check`, `lint`, `test` in sequence
- Added `hooks` target: installs a pre-commit hook that runs `make check`
- Separated `gofmt` check from `lint` target (was previously bundled)
- Changed default target from `test` to `check`

### CI
- Added `.gitea/workflows/check.yml`: runs `docker build .` on push to main and on PRs

## Verification

`docker build --progress plain .` passes — all stages complete successfully.

closes #9

<!-- session: agent:sdlc-manager:subagent:fffa0a5a-5127-4489-a2e0-314c5eaaed68 -->

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #14
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

.gitea/workflows/check.yml

@@ -0,0 +1,12 @@
+name: check
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - run: docker build .

Dockerfile

@@ -1,39 +1,20 @@
-# First stage: Use the golangci-lint image to run the linter
-FROM golangci/golangci-lint:latest as lint
-
-# Set the Current Working Directory inside the container
-WORKDIR /app
-
-# Copy the go.mod file and the rest of the application code
-COPY go.mod ./
+# Lint stage: format check + golangci-lint
+# golangci-lint v1.64.8 (2025-02-18)
+FROM golangci/golangci-lint@sha256:2987913e27f4eca9c8a39129d2c7bc1e74fbcf77f181e01cea607be437aa5cb8 AS lint
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
+RUN make fmt-check
+RUN make lint
 
-# Run golangci-lint
-RUN golangci-lint run
-
-RUN sh -c 'test -z "$(gofmt -l .)"'
-
-# Second stage: Use the official Golang image to run tests
-FROM golang:1.22 as test
-
-# Set the Current Working Directory inside the container
-WORKDIR /app
-
-# Copy the go.mod file and the rest of the application code
-COPY go.mod ./
+# Test stage: run full test suite
+# golang 1.22.12 (2025-02-04)
+FROM golang@sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02 AS test
+# Depend on lint stage so both stages always run
+COPY --from=lint /src/go.sum /dev/null
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
-
-# Run tests
-RUN go test -v ./...
-
-# Final stage: Combine the linting and testing stages
-FROM golang:1.22 as final
-
-# Ensure that the linting stage succeeded
-WORKDIR /app
-COPY --from=lint /app .
-COPY --from=test /app .
-
-# Set the final CMD to something minimal since we only needed to verify lint and tests during build
-CMD ["echo", "Build and tests passed successfully!"]
-
+RUN make test

Makefile

@@ -1,6 +1,6 @@
-.PHONY: test
+.PHONY: test fmt fmt-check lint check docker hooks
 
-default: test
+default: check
 
 test:
 	@go test -v ./...
@@ -9,9 +9,20 @@ fmt:
 	goimports -l -w .
 	golangci-lint run --fix
 
+fmt-check:
+	@test -z "$$(gofmt -l .)" || { echo "gofmt would reformat:"; gofmt -l .; exit 1; }
+
 lint:
 	golangci-lint run
-	sh -c 'test -z "$$(gofmt -l .)"'
+
+check: fmt-check lint test
 
 docker:
 	docker build --progress plain .
+
+hooks:
+	@echo "Installing git hooks..."
+	@mkdir -p .git/hooks
+	@printf '#!/bin/sh\nmake check\n' > .git/hooks/pre-commit
+	@chmod +x .git/hooks/pre-commit
+	@echo "Pre-commit hook installed."