
feat: 🐳 multi-stage Docker builds, immutable release pipeline, CHANGELOG automation#46

Merged
lelia merged 38 commits into main from lelia/ghcr-docker-image-build
Mar 20, 2026

Conversation

@lelia
Contributor

@lelia lelia commented Mar 12, 2026

Summary

Overhauls the Docker build and release infrastructure for socket-basics: multi-stage Dockerfiles with pinned binary deps, a full GHCR + Docker Hub publish pipeline with fail-fast testing, and automated CHANGELOG + release notes. Establishes an opinionated immutable release posture — no :latest or floating v2 tag — with SHA pinning + Dependabot as the recommended consumption pattern.

Adds

  • Multi-stage Dockerfile and app_tests/Dockerfile — Trivy, TruffleHog, Go, uv pulled
    via named FROM stages (Dependabot-trackable); python:3.12-slim base; BuildKit cache mounts
  • publish-docker.yml — build → smoke test → integration test → push to GHCR + Docker Hub
    → GitHub Release + CHANGELOG update; fail-fast, per-job least-privilege permissions
  • docs/releasing.md — maintainer release process guide including immutable tag setup
  • .github/PULL_REQUEST_TEMPLATE.md — release checklist baked into every PR
  • commit-lint.yml + .commitlintrc.yml — Conventional Commits enforcement on PR titles
  • Full retroactive CHANGELOG.md from 1.0.2; automated update on every release via
    scripts/update_changelog.py

Changes

  • Tag convention: v-prefix (v2.0.0) with immutable-only releases; :latest and
    floating major tags (v2) intentionally not published
  • docs/github-action.md pinning strategies rewritten — SHA + Dependabot leads,
    includes security philosophy section explaining why we're opinionated
  • python-tests.yml gains two CI assertions: version file sync + action.yml image
    ref matches pyproject.toml (auto-activates once pre-built image switch lands)
  • smoke-test.yml and python-tests.yml simplified to flat jobs (no matrix overhead
    while only one Docker image is in CI scope)

Removes

  • .hooks/version-check.py + .claude/commands/bump-version.md — auto-bump-on-commit
    antipattern; replaced by the CI assertions above

⚠️ NOT in this PR (deferred to v2.0.0 release PR):

  • Version bump in version.py / pyproject.toml
  • action.yml switch from image: Dockerfile to image: docker://ghcr.io/socketdev/socket-basics:2.0.0

lelia added 10 commits March 12, 2026 12:37
Signed-off-by: lelia <lelia@socket.dev>
… updates
…ease workflow
@lelia lelia requested a review from a team as a code owner March 12, 2026 17:02
lelia added 2 commits March 12, 2026 13:11
@ahmadnassri
Contributor

one major thing missing here, is version bumping the action.yml file before committing each new tag

lelia added 14 commits March 17, 2026 19:13
lelia added 5 commits March 18, 2026 19:49
…parate doc
…list
@lelia
Contributor Author

lelia commented Mar 18, 2026

one major thing missing here, is version bumping the action.yml file before committing each new tag

true, it's sort of a chicken-and-egg issue with the initial overhaul that this PR introduces. but the idea will be, once this is merged in and tested, that we create a second PR to actually switch everything over to the new v2.0.0 versioning convention. there's now a CI gate in python-tests.yml which asserts that action.yml matches pyproject.toml and will fail if there's a mismatch; this will become a hard failure once we switch over to v2.0.0. lastly, the dedicated guide in docs/releasing.md covers the full checklist of release requirements including an action.yml callout specifically.

@ahmadnassri
Contributor

ahmadnassri commented Mar 19, 2026

it's sort of a chicken-and-egg issue

I've previously relied on automated versioning with conventional commit messaging (see example with semantic-release)

to enforce using conventional commits:

  • either using GitHub Enterprise Rulesets for commit message (preferred for our use-case).
  • or using an Action

lelia added 3 commits March 20, 2026 10:49
@lelia
Contributor Author

lelia commented Mar 20, 2026

it's sort of a chicken-and-egg issue

I've previously relied on automated versioning with conventional commit messaging (see example with semantic-release)

to enforce using conventional commits:

  • either using GitHub Enterprise Rulesets for commit message (preferred for our use-case).
  • or using an Action

got it, thanks for the example, I've incorporated this approach into publish-docker.yml and also updated the PR release template / docs to note the new handling of action.yml.

@lelia lelia changed the title 🐳 Multi-stage docker builds, publish pipelines, v2 versioning, CHANGELOG automation feat: 🐳 multi-stage Docker builds, immutable release pipeline, CHANGELOG automation Mar 20, 2026
lelia added 4 commits March 20, 2026 12:57
@lelia lelia merged commit 51ed8ed into main Mar 20, 2026
12 checks passed