fix: addressed review comments

Author: amanstep

.github/workflows/docker.yml

@@ -1,22 +1,55 @@
-name: Docker Push
+name: Publish docker image
+
 on:
-  push:
-    tags: ['v*']
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Tag to release'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: write
+
 jobs:
-  build:
-    runs-on: ubuntu-latest
-    environment: main
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Log in to Docker Hub
-        run: echo $DOCKER_TOKEN | docker login --username=anishathalye --password-stdin
-        env:
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-      - name: Compute tag
-        id: tag
-        run: echo ::set-output name=TAG ::anishathalye/proof-html:${GITHUB_REF#refs/tags/v}
-      - name: Build image
-        run: docker build . -t ${{ steps.tag.outputs.TAG }}
-      - name: Publish image
-        run: docker push ${{ steps.tag.outputs.TAG }}
+    build:
+        runs-on: ubuntu-latest
+        if: startsWith(github.event.inputs.release_tag, 'v')
+        steps:
+        - name: Harden the runner (Audit all outbound calls)
+          uses: step-security/harden-runner@v2
+          with:
+            egress-policy: audit
+
+        - name: Checkout
+          uses: actions/checkout@v5
+        - name: Validate tag format
+          run: |
+            TAG=${{ github.event.inputs.release_tag }}
+            if ! echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+              echo "❌ Invalid tag format: $TAG"
+              exit 1
+            fi
+            echo "✅ Valid semver tag: $TAG"
+        - name: Log in to GitHub Container Registry
+          uses: docker/login-action@v3
+          with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+        - name: Set up QEMU for ARM builds
+          uses: docker/setup-qemu-action@v3
+
+        - name: Set up Docker Buildx
+          uses: docker/setup-buildx-action@v3
+
+        - name: Build and push Docker image
+          uses: docker/build-push-action@v6
+          with:
+            context: .
+            push: true
+            platforms: linux/amd64,linux/arm64
+            tags: |
+              ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}

README.md

@@ -141,8 +141,6 @@ jobs:
             https://en.wikipedia.org/wiki/Main_Page
           ignore_url_re: |
             ^https://twitter.com/
-          swap_urls: |
-            {"^https://www.anishathalye.com/": "/"}
 ```
 
 ## Running locally