Enhance Docker workflow with gated publish

Expand workflow triggers to push/pull_request on main and dev and to PR
reviews. Run lint/test only for non-review events or when a review is
approved. Add a docker-test job that smoke-tests the built image. Add a
docker-publish job that resolves SHA and stable tags (latest/dev),
builds
the releasable image, and optionally pushes when PUSH_IMAGE=true. Update
docs/deployment.md

.gitea/workflows/docker.yml

@@ -1,74 +1,129 @@
 name: docker
 
 on:
-  push:
-  pull_request:
+    push:
+        branches:
+            - main
+            - dev
+    pull_request:
+        branches:
+            - main
+            - dev
+    pull_request_review:
+        types:
+            - submitted
 
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements-dev.txt
-      - name: Run lint
-        run: |
-          ruff check src tests
-          ruff format --check src tests
-          black --check src tests
-          mypy src
+    lint:
+        if: ${{ github.event_name != 'pull_request_review' || github.event.review.state == 'approved' }}
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+            - name: Set up Python
+              uses: actions/setup-python@v5
+              with:
+                  python-version: "3.12"
+            - name: Install dependencies
+              run: |
+                  python -m pip install --upgrade pip
+                  pip install -r requirements-dev.txt
+            - name: Run lint
+              run: |
+                  ruff check src tests
+                  ruff format --check src tests
+                  black --check src tests
+                  mypy src
 
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements-dev.txt
-      - name: Run tests
-        run: pytest --cov=aegis_gitea_mcp --cov-report=term-missing --cov-fail-under=80
+    test:
+        if: ${{ github.event_name != 'pull_request_review' || github.event.review.state == 'approved' }}
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+            - name: Set up Python
+              uses: actions/setup-python@v5
+              with:
+                  python-version: "3.12"
+            - name: Install dependencies
+              run: |
+                  python -m pip install --upgrade pip
+                  pip install -r requirements-dev.txt
+            - name: Run tests
+              run: pytest --cov=aegis_gitea_mcp --cov-report=term-missing --cov-fail-under=80
 
-  docker-build:
-    runs-on: ubuntu-latest
-    needs: [lint, test]
-    env:
-      IMAGE_NAME: aegis-gitea-mcp
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+    docker-test:
+        if: ${{ github.event_name != 'pull_request_review' || github.event.review.state == 'approved' }}
+        runs-on: ubuntu-latest
+        needs: [lint, test]
+        env:
+            IMAGE_NAME: aegis-gitea-mcp
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
 
-      - name: Build image tagged with commit SHA
-        run: |
-          SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
-          docker build -f docker/Dockerfile -t ${IMAGE_NAME}:${SHA_TAG} .
+            - name: Build candidate image
+              run: |
+                  SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
+                  docker build -f docker/Dockerfile -t ${IMAGE_NAME}:${SHA_TAG} .
 
-      - name: Tag latest on main
-        run: |
-          REF_NAME="${GITHUB_REF_NAME:-${CI_COMMIT_REF_NAME:-}}"
-          SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
-          if [ "${REF_NAME}" = "main" ]; then
-            docker tag ${IMAGE_NAME}:${SHA_TAG} ${IMAGE_NAME}:latest
-          fi
+            - name: Smoke-test image
+              run: |
+                  SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
+                  docker run --rm --entrypoint python ${IMAGE_NAME}:${SHA_TAG} -c "import aegis_gitea_mcp"
 
-      - name: Optional registry push
-        if: ${{ vars.PUSH_IMAGE == 'true' }}
-        run: |
-          SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
-          docker push ${IMAGE_NAME}:${SHA_TAG}
-          REF_NAME="${GITHUB_REF_NAME:-${CI_COMMIT_REF_NAME:-}}"
-          if [ "${REF_NAME}" = "main" ]; then
-            docker push ${IMAGE_NAME}:latest
-          fi
+    docker-publish:
+        runs-on: ubuntu-latest
+        needs: [lint, test, docker-test]
+        if: >-
+            (github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'dev')) ||
+            (github.event_name == 'pull_request_review' &&
+             github.event.review.state == 'approved' &&
+             (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'dev'))
+        env:
+            IMAGE_NAME: aegis-gitea-mcp
+            PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+            PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+              with:
+                  ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+            - name: Resolve tags
+              id: tags
+              run: |
+                  EVENT_NAME="${GITHUB_EVENT_NAME:-${CI_EVENT_NAME:-}}"
+                  REF_NAME="${GITHUB_REF_NAME:-${CI_COMMIT_REF_NAME:-}}"
+                  BASE_REF="${PR_BASE_REF:-${GITHUB_BASE_REF:-${CI_BASE_REF:-}}}"
+                  SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
+
+                  if [ "${EVENT_NAME}" = "pull_request_review" ]; then
+                    TARGET_BRANCH="${BASE_REF}"
+                    SHA_TAG="${PR_HEAD_SHA:-$SHA_TAG}"
+                  else
+                    TARGET_BRANCH="${REF_NAME}"
+                  fi
+
+                  if [ "${TARGET_BRANCH}" = "main" ]; then
+                    STABLE_TAG="latest"
+                  elif [ "${TARGET_BRANCH}" = "dev" ]; then
+                    STABLE_TAG="dev"
+                  else
+                    echo "Unsupported target branch '${TARGET_BRANCH}'"
+                    exit 1
+                  fi
+
+                  echo "sha_tag=${SHA_TAG}" >> "${GITHUB_OUTPUT}"
+                  echo "stable_tag=${STABLE_TAG}" >> "${GITHUB_OUTPUT}"
+
+            - name: Build releasable image
+              run: |
+                  docker build -f docker/Dockerfile -t ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }} .
+                  docker tag ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }} ${IMAGE_NAME}:${{ steps.tags.outputs.stable_tag }}
+
+            - name: Optional registry push
+              if: ${{ vars.PUSH_IMAGE == 'true' }}
+              run: |
+                  docker push ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }}
+                  docker push ${IMAGE_NAME}:${{ steps.tags.outputs.stable_tag }}

docs/deployment.md

@@ -39,7 +39,7 @@ Workflows live in `.gitea/workflows/`:
 
 - `lint.yml`: ruff + format checks + mypy.
 - `test.yml`: lint + tests + coverage fail-under `80`.
-- `docker.yml`: gated Docker build (depends on lint+test), SHA tag, `latest` on `main`.
+- `docker.yml`: lint + test + docker smoke-test gating; image publish on push to `main`/`dev` and on approved PR review targeting `main`/`dev`; tags include commit SHA plus `latest` (`main`) or `dev` (`dev`).
 
 ## Production Recommendations