Restructure os version layout#49

Draft
AnHeuermann wants to merge 10 commits into
OpenModelica:mainfrom
AnHeuermann:restructure-os-version-layout

Conversation

@AnHeuermann

Member

Issue

Fixes #48

Changes

Key images by OS/OS-version built from a CI matrix (.ci/matrix.yml).

  • ubuntu/Dockerfile: one multi-stage Dockerfile for all Ubuntu versions
    (22.04/24.04/26.04); base = full stage, add-ons (cmake-4) = extra stages
  • single .github/workflows/build.yml pipeline: discover -> build -> release
    -> publish GHCR (signed) + Nexus, so a token-created release still publishes
  • debian/almalinux/arch: empty multi-stage placeholders, absent from the matrix
  • README + RELEASING document the layout and release flow

AnHeuermann and others added 2 commits June 23, 2026 14:21
Key images by OS/OS-version built from a CI matrix (.ci/matrix.yml).

- ubuntu/Dockerfile: one multi-stage Dockerfile for all Ubuntu versions
  (22.04/24.04/26.04); base = `full` stage, add-ons (cmake-4) = extra stages
- single .github/workflows/build.yml pipeline: discover -> build -> release
  -> publish GHCR (signed) + Nexus, so a token-created release still publishes
- debian/almalinux/arch: empty multi-stage placeholders, absent from the matrix
- README + RELEASING document the layout and release flow

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@AnHeuermann

Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

📝 Walkthrough

Replaces a single flat Dockerfile and two separate publish workflows with a monorepo-style setup: a multi-stage parameterized ubuntu/Dockerfile, OS placeholder Dockerfiles, a .ci/matrix.yml image definition file, a Python query tool (matrix.py), a Bash publish script (publish.sh), and a unified GitHub Actions pipeline (build.yml) covering discover → build → release → publish-to-GHCR-and-Nexus.

Changes

Monorepo CI Pipeline Overhaul

| Layer / File(s) | Summary |
|---|---|
| Ubuntu multi-stage Dockerfile and OS placeholders (ubuntu/Dockerfile, almalinux/Dockerfile, arch/Dockerfile, debian/Dockerfile) | ubuntu/Dockerfile defines base, venv, full, and cmake-4 stages parameterized by UBUNTU_VERSION. Placeholder Dockerfiles for AlmaLinux, Arch, and Debian are added as comment-only stubs explicitly excluded from CI. The old flat Dockerfile is removed. |
| CI matrix schema and Python query tool (.ci/matrix.yml, .ci/matrix.py) | matrix.yml defines Ubuntu 22.04, 24.04, and 26.04 entries (with cmake-4 add-on for 24.04). matrix.py provides load_images(), cmd_all() (JSON output), cmd_image(tag) (shell assignments), and main() CLI dispatch with tag validation via regex. |
| Publish script (.ci/publish.sh) | Bash script that evals matrix.py image "$TAG" to load build parameters, runs docker buildx --push for the base and each add-on stage under both moving and immutable tags, optionally cosign-signs all tags when SIGN=true, and prints the pushed tag list. |
| Unified GitHub Actions pipeline (.github/workflows/build.yml, .github/workflows/release.yml) | build.yml adds discover, build, release, publish-ghcr (with cosign verification), and publish-nexus jobs; trigger patterns updated to *-*.*.* tags. release.yml updates the tag pattern and removes default-branch detection, always setting --latest=false. Old publish.yml and publish-nexus.yml are deleted. |
| Documentation and release guide (README.md, RELEASING.md, .gitignore) | README is rewritten to document the OS-keyed image model, tagging rules, repo structure, and CI pipeline. RELEASING.md is added with semver rules, end-to-end release steps, add-on instructions, and Arch snapshot guidance. .gitignore gains .vscode/ and CLAUDE.md. |

Sequence Diagram(s)

sequenceDiagram
  participant dev as Developer
  participant gha as GitHub Actions
  participant matrix as matrix.py
  participant buildx as docker buildx
  participant ghcr as GHCR
  participant nexus as Nexus
  participant cosign as cosign

  dev->>gha: push tag (os-version-semver)
  gha->>matrix: matrix.py all → JSON matrix
  matrix-->>gha: image list
  gha->>buildx: build base + add-on stages (--load)
  gha->>gha: create/update GitHub Release (--latest=false)

  rect rgba(100, 149, 237, 0.5)
    note over gha,cosign: publish-ghcr
    gha->>matrix: matrix.py image TAG → shell vars
    matrix-->>gha: build params
    gha->>ghcr: docker buildx --push (moving + immutable tags)
    gha->>cosign: cosign sign --yes each tag
    gha->>cosign: cosign verify each tag
  end

  rect rgba(144, 238, 144, 0.5)
    note over gha,nexus: publish-nexus
    gha->>matrix: matrix.py image TAG → shell vars
    matrix-->>gha: build params
    gha->>nexus: docker buildx --push (moving + immutable tags)
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly identifies the main change: restructuring the OS/version-based repository layout around a matrix-based approach for managing OS variants and versions. |
| Description check | ✅ Passed | The description is directly related to the changeset, referencing the Ubuntu Dockerfile restructuring, matrix-based CI, and the consolidated build pipeline that the PR implements. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 6

🧹 Nitpick comments (1)
ubuntu/Dockerfile (1)

47-67: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Use --no-install-recommends on package installs.

These install steps currently pull recommended packages by default, which increases image size and attack surface for every published image variant.

Proposed patch
 RUN apt-get update \
   && apt-get upgrade -qy \
   && apt-get dist-upgrade -qy \
-  && apt-get install -qy \
+  && apt-get install -qy --no-install-recommends \
     ca-certificates \
     curl \
     gnupg \
     lsb-release \
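Review bot: in the context lines of this hunk, `apt-get upgrade -qy` followed by `apt-get dist-upgrade -qy` is redundant, because dist-upgrade already does everything upgrade does; keep only one of them. With --no-install-recommends now on the install line, also confirm that nothing the later stages need was arriving only as a recommended package of curl, gnupg or lsb-release, and list any such package explicitly, as is already done for ca-certificates.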
@@
 FROM base AS venv
 RUN apt-get update \
-  && apt-get install -qy python3-pip python3-venv \
+  && apt-get install -qy --no-install-recommends python3-pip python3-venv \
   && rm -rf /var/lib/apt/lists/*
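Review bot: on the venv stage's install line, anything that python3-pip and python3-venv only recommend is no longer installed, so rebuild this stage and confirm the pip installs that follow it still succeed. If one of them compiles a native extension, name the compiler and Python header packages explicitly on this line instead of relying on recommends.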
@@
 RUN apt-get update \
   && . /etc/os-release \
   && case "${VERSION_ID}" in \
        22.04) qt="${QT_PKGS_22_04}" ;; \
        *)     qt="${QT_PKGS}" ;; \
      esac \
-  && apt-get install -qy ${COMMON_PKGS} ${qt} \
+  && apt-get install -qy --no-install-recommends ${COMMON_PKGS} ${qt} \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
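Review bot: the `*)` branch of `case "${VERSION_ID}"` sends every release other than 22.04 to QT_PKGS, so an unsupported base image silently gets a package list that was never checked against it, and dropping recommends makes a mismatch more likely to surface late. Match the supported versions explicitly (24.04 and 26.04) and have `*)` print the unexpected VERSION_ID and exit non-zero.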

Also applies to: 73-75, 156-164

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e0109505-7866-440e-8690-1bdf31658c9e

📥 Commits

Reviewing files that changed from the base of the PR and between 028e1d2 and 476537d.

📒 Files selected for processing (15)
  • .ci/matrix.py
  • .ci/matrix.yml
  • .ci/publish.sh
  • .github/workflows/build.yml
  • .github/workflows/publish-nexus.yml
  • .github/workflows/publish.yml
  • .github/workflows/release.yml
  • .gitignore
  • Dockerfile
  • README.md
  • RELEASING.md
  • almalinux/Dockerfile
  • arch/Dockerfile
  • debian/Dockerfile
  • ubuntu/Dockerfile
💤 Files with no reviewable changes (3)
  • .github/workflows/publish.yml
  • Dockerfile
  • .github/workflows/publish-nexus.yml

Comment thread .ci/matrix.py Outdated
Comment thread .github/workflows/build.yml
Comment thread .github/workflows/build.yml
Comment thread .github/workflows/build.yml Outdated
Comment thread .github/workflows/release.yml Outdated
Comment thread RELEASING.md Outdated
@AnHeuermann AnHeuermann requested a review from sjoelund June 23, 2026 14:32
@AnHeuermann AnHeuermann self-assigned this Jun 23, 2026
@AnHeuermann AnHeuermann marked this pull request as draft June 23, 2026 15:17
Comment thread debian/Dockerfile
Comment on lines +1 to +25
# PLACEHOLDER — OpenModelica build-deps image for Debian.
#
# Not implemented yet. Use the same layout as ../ubuntu/Dockerfile: a single
# multi-stage Dockerfile covering ALL Debian versions, with these stages:
# base OpenModelica build dependencies only
# venv Python virtualenv at /opt/venv, built in isolation and copied later
# full the published base image (build-deps:debian-<ver>)
# <addon> optional add-on stages (FROM full)
#
# The Debian version is selected with a build-arg, e.g.:
# ARG DEBIAN_VERSION=13
# FROM debian:${DEBIAN_VERSION} AS base
#
# To implement:
# 1. Replace this file with a real multi-stage Dockerfile (see
# ../ubuntu/Dockerfile and RELEASING.md). A starting point exists on the
# old Debian branches / PR #36
# (https://github.com/OpenModelica/build-deps/pull/36).
# 2. Add the debian entries to .ci/matrix.yml
# (context: debian, dockerfile: debian/Dockerfile, target: full,
# build_args: { DEBIAN_VERSION: "<ver>" }).
# 3. Open a PR; build.yml will build it.
#
# Until then Debian is intentionally absent from .ci/matrix.yml, so CI does not
# try to build it.

Member

I would perhaps rename "ubuntu/Dockerfile" to "apt/Dockerfile" instead. They are pretty much the same when it comes to dependencies.

Comment thread .ci/matrix.py
Comment on lines +18 to +19
``build_args`` and ``addons`` are space-separated strings so they can be
looped over in shell directly.

Member

Is that important? A list would be much more natural...

Comment thread .ci/matrix.py
Comment on lines +22 to +32
Resolve a release tag such as ``ubuntu-24.04-2.1.0`` to the image it
refers to and print shell ``key='value'`` assignments to stdout::

dir='ubuntu/24.04'
base_tag='ubuntu-24.04'
semver='2.1.0'
context='ubuntu'
dockerfile='ubuntu/Dockerfile'
target='full'
build_args='UBUNTU_VERSION=24.04'
addons='cmake-4'
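Review bot: these `key='value'` lines are described as shell assignments and, per the walkthrough, .ci/publish.sh loads them with `eval`, so the docstring should state how values are escaped. Wrapping a value in literal single quotes is not enough if the value can itself contain a single quote; emit each value through shlex.quote and document that here.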

Member

Simply make the tags v2.1.0 instead and rebuild the images based on that. Needing to tag multiple things is annoying.
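
The tag-to-shell-assignments step discussed in this thread, sketched as an added example that is not the PR's matrix.py or any project code: it validates the release tag with a full-string match and quotes every value before it reaches `eval`. The `IMAGES` dict, both regexes and the function names `resolve` and `shell_assignments` are assumptions made for illustration.

```python
import re
import shlex

# Constructed stand-in for the parsed .ci/matrix.yml (assumed shape).
IMAGES = {
    "ubuntu-24.04": {
        "context": "ubuntu",
        "dockerfile": "ubuntu/Dockerfile",
        "target": "full",
        "build_args": {"UBUNTU_VERSION": "24.04"},
        "addons": ["cmake-4"],
    },
}

# <os>-<os version>-<semver>. fullmatch() rejects a trailing newline or suffix
# that a "^...$" pattern used with match() would let through.
TAG_RE = re.compile(r"([a-z]+-[0-9]+(?:\.[0-9]+)*)-([0-9]+\.[0-9]+\.[0-9]+)")
# build_args and addons are joined with spaces for the shell loop, so a single
# token must not contain whitespace or shell metacharacters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.=-]+")


def resolve(tag):
    """Map a release tag to the build parameters of the image it names."""
    m = TAG_RE.fullmatch(tag)
    if m is None:
        raise ValueError(f"malformed release tag: {tag!r}")
    base_tag, semver = m.groups()
    if base_tag not in IMAGES:
        raise ValueError(f"no image named {base_tag!r} in the matrix")
    img = IMAGES[base_tag]
    build_args = [f"{k}={v}" for k, v in img["build_args"].items()]
    for token in build_args + img["addons"]:
        if TOKEN_RE.fullmatch(token) is None:
            raise ValueError(f"unsafe token in matrix: {token!r}")
    return {
        "base_tag": base_tag, "semver": semver, "context": img["context"],
        "dockerfile": img["dockerfile"], "target": img["target"],
        "build_args": " ".join(build_args), "addons": " ".join(img["addons"]),
    }


def shell_assignments(params):
    """Render key=value lines that are safe to hand to the shell's eval."""
    return "\n".join(f"{k}={shlex.quote(str(v))}" for k, v in params.items())
```
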

Comment thread ubuntu/Dockerfile
@sjoelund sjoelund force-pushed the restructure-os-version-layout branch from e83f241 to fbcb397 Compare June 24, 2026 07:30
@sjoelund

Member

@AnHeuermann I pushed my rust deps

Development

Successfully merging this pull request may close these issues.

New repository layout