Containerize Action to prevent environment pollution and improve isolation

[kivra-pauoli]

Description

Currently, this Action builds and executes an escript directly within the runner's host environment after setup-beam runs. While functional, this approach has two primary drawbacks:

• Environment Pollution: It forces a specific Erlang/Rebar3 version onto the consumer's CI path, which can conflict with the project's actual requirements in subsequent steps.
• Lack of Isolation: The Action's dependencies and the consumer's environment are tightly coupled.

Proposed Solution: Docker-based Action

By wrapping the tool in a Docker container, we can treat the Action as a standalone binary. This ensures that the Erlang runtime used by the Action remains entirely separate from the version required by the user's application code.

Security & Attestation Requirements

When moving to Docker, we must ensure we don't inadvertently leak credentials.

• Avoid --env for Secrets: We should avoid passing sensitive tokens via standard environment variables or build arguments, as these can be captured in logs or metadata.

• Provenance Attestations: Per Docker's CI guidance, default provenance attestations can expose build arguments.

• Implementation Detail: We should utilize secret mounts or GitHub’s native input handling to pass tokens securely without exposing them in the image's history or attestations.

Acceptance Criteria

• Create a Dockerfile to package the escript and its minimal runtime.
• Update action.yml to use the docker runs-type.
• Verify that the runner’s host Erlang version remains unchanged after the Action executes.
• Implement a secure method for token passing (e.g., mounting secrets rather than build-args).