Publish Docker image to ghcr.io on master push

[Copilot]

The Docker workflow only built the image locally and never published it. Updated to push to GitHub Container Registry after successful builds on master.

• Replace manual docker build with docker/build-push-action@v6
• Authenticate to ghcr.io via docker/login-action@v3 using GITHUB_TOKEN (no external secrets needed)
• Tag images with latest (on default branch) and short SHA via docker/metadata-action@v5
• Push only on push events to master; PR builds remain build-only
• Add packages: write permission to enable ghcr.io push

---

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.

[Copilot]

Pull request overview

Updates the existing Docker GitHub Actions workflow so that images are built on PRs but are published to GitHub Container Registry (ghcr.io) when changes are pushed to master.

Changes:

• Add job-level packages: write permission to enable publishing to GHCR.
• Replace the manual docker build step with Buildx + docker/build-push-action@v6.
• Add GHCR login and docker/metadata-action@v5-driven tagging, pushing only on push events.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

packages: write is granted for the entire job, including pull_request runs. Even though the workflow doesn’t push on PRs, least-privilege is to avoid write-scoped tokens when executing PR code. Consider splitting into two jobs (PR build with read-only permissions, push job with packages: write and if: github.event_name == 'push'), or moving the publishing steps into a separate workflow triggered only on push to master with elevated permissions.