chore: update GitHub workflow to modern standards

- Add workflow_dispatch trigger with force_push option for manual runs
- Add explicit permissions (contents: read, packages: write)
- Add concurrency control to prevent duplicate workflow runs
- Add GitHub Actions cache for Docker layers (GHA cache)
- Add provenance and SBOM generation for supply chain security
- Add SHA-based image tags for better traceability
- Improve formatting: add step names for all actions
- Consistent YAML formatting with proper spacing

https://claude.ai/code/session_01QtMnCu4uz3GhNjFtqS23LM

Author: claude

.github/workflows/build-and-push.yaml

@@ -1,11 +1,29 @@
 name: Build and Push
+
 on:
   push:
     branches:
       - '**'
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+'
       - 'v[0-9]+.[0-9]+.[0-9]+-*'
+  workflow_dispatch:
+    inputs:
+      force_push:
+        description: 'Force push to registry even if not latest tag'
+        required: false
+        default: false
+        type: boolean
+
+# Explicit permissions following least-privilege principle
+permissions:
+  contents: read
+  packages: write
+
+# Prevent duplicate workflow runs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 # env:
 #   ## overrides the docker image name (name is repo name with docker- prefix stripped)
@@ -17,7 +35,7 @@ jobs:
     outputs:
       image: ${{ steps.set.outputs.image }}
     steps:
-      -
+      - name: Set image name
         uses: actions/github-script@v7
         id: set
         with:
@@ -34,18 +52,20 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - uses: hadolint/hadolint-action@v3.1.0
+      - name: Lint Dockerfile
+        uses: hadolint/hadolint-action@v3.1.0
         with:
           dockerfile: Dockerfile
-      -
+
+      - name: Find latest tag
         uses: dysnix/find-latest-tag@v1
         id: latest
         with:
           regex: '^v\d'
           compared-to-tag: ${{ github.ref }}
           repository: ${{ github.repository }}
-      -
-        name: Docker meta
+
+      - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
@@ -55,16 +75,18 @@ jobs:
           tags: |
             type=ref,event=tag
             type=ref,event=branch
+            type=sha,prefix=,format=short
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
-          # amd64 is native platform at the moment and should not be specified here to keep amd64 builds fast
+          # amd64 is native platform and should not be specified here to keep amd64 builds fast
           platforms: linux/arm64
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      -
+
+      - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
@@ -75,7 +97,11 @@ jobs:
         with:
           platforms: linux/amd64,linux/arm64
           context: .
-          push: ${{ steps.latest.outputs.newer == 'true' || steps.latest.outputs.equal == 'true' }}
+          push: ${{ steps.latest.outputs.newer == 'true' || steps.latest.outputs.equal == 'true' || inputs.force_push == true }}
           file: Dockerfile
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: true
+          sbom: true