🐳 Multi-stage docker builds, publish pipelines, v2 versioning, CHANGELOG automation #46

Open
lelia wants to merge 31 commits into main from lelia/ghcr-docker-image-build

Conversation

@lelia
Contributor

@lelia lelia commented Mar 12, 2026

Summary

  • Rewrites both Dockerfiles as multi-stage builds with Dependabot-trackable binary deps (Trivy, TruffleHog, Go, uv all pulled via named FROM stages); python:3.12-slim base; BuildKit cache mounts throughout
    • Note: app_tests/Dockerfile now follows the same multi-stage pattern, but is not included in CI yet due to missing source files, the reconciliation of which is out of scope for this PR (see TODO in scripts/ci_matrix.py).
  • New publish-docker.yml: build → smoke test → integration test → push to GHCR + Docker Hub → floating v2 tag → GitHub Release + CHANGELOG update. Fail-fast; images only published if all tests pass. Per-job permissions (deny-by-default at workflow level).
  • Dynamic pipeline pattern: scripts/ci_matrix.py (Python) generates the job matrix at runtime; all three workflow orchestrators are thin YAML wrappers
  • Clean break to v2.0.0 tag convention (v-prefix + floating major tag), following GitHub Actions marketplace standard. Old 1.x.x tags unchanged.
  • Full retroactive CHANGELOG from 1.0.2; automated update on every release

⚠️ NOT in this PR (deferred to v2.0.0 release PR):

  • Version bump in version.py / pyproject.toml
  • action.yml switch from image: Dockerfile to image: docker://ghcr.io/socketdev/socket-basics:2.0.0

🚨 DO NOT MERGE PR UNTIL EXTERNAL WIRING IS COMPLETE
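The dynamic-matrix pattern and the v2 tag convention from the PR description above, as an added illustration that is not the project's scripts/ci_matrix.py. The function names (discover_dockerfiles, build_matrix, release_tags, emit_matrix), the EXCLUDED allow-list, the image-name derivation and the assumption that image tags drop the v prefix (as in the docker://ghcr.io/socketdev/socket-basics:2.0.0 reference in the description) are all assumptions made for this example.

```python
"""Added example of a runtime-generated GitHub Actions job matrix plus the
v-prefixed / floating-major tag set. Not the project's own code; every name
and policy here is an assumption for illustration."""
import json
import os
import re
from pathlib import Path

# Dockerfiles present in the tree but deliberately kept out of CI. Keeping
# this as an explicit list makes the matrix an allow-list rather than
# "build whatever rglob finds" (assumed policy, mirroring the app_tests note).
EXCLUDED = frozenset({"app_tests/Dockerfile"})

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def discover_dockerfiles(root):
    """Return repo-relative, forward-slash paths of every Dockerfile under root."""
    root = Path(root)
    return sorted(
        str(p.relative_to(root)).replace(os.sep, "/") for p in root.rglob("Dockerfile")
    )


def build_matrix(dockerfiles, excluded=EXCLUDED):
    """Turn Dockerfile paths into a GitHub Actions matrix in 'include' form.

    Excluded files are dropped, not built-but-ignored, so an entry only
    reaches the build/test/publish jobs if it is intentionally wired in.
    """
    include = []
    for df in dockerfiles:
        if df in excluded:
            continue
        directory = df.rsplit("/", 1)[0] if "/" in df else ""
        # Assumed naming: the root Dockerfile builds the main image, any
        # subdirectory Dockerfile is named after its path.
        name = directory.replace("/", "-") or "socket-basics"
        include.append({"dockerfile": df, "image": name, "context": directory or "."})
    return {"include": include}


def release_tags(version):
    """Map a release version to the tag convention described in the PR:
    an exact v-prefixed git tag plus a floating major tag (v2.0.0 -> v2).
    Image tags without the v prefix are an assumption taken from the
    docker://...:2.0.0 reference in the description."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch = m.groups()
    return {
        "git_tags": [f"v{major}.{minor}.{patch}", f"v{major}"],
        "image_tags": [f"{major}.{minor}.{patch}", major],
    }


def emit_matrix(matrix, output_path=None):
    """Serialize the matrix and, when running inside Actions, append
    matrix=<json> to $GITHUB_OUTPUT so a thin YAML wrapper can consume it
    via fromJSON(). Returns the JSON either way."""
    payload = json.dumps(matrix, separators=(",", ":"))
    path = output_path or os.environ.get("GITHUB_OUTPUT")
    if path:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(f"matrix={payload}\n")
    return payload


if __name__ == "__main__":
    print(emit_matrix(build_matrix(discover_dockerfiles("."))))
    print(release_tags("v2.0.0"))
```

The orchestrating workflow would run this script in a first job and feed its `matrix` output into `strategy: matrix: ${{ fromJSON(...) }}` of the build job; keeping the exclusion list in code rather than in YAML is what lets the same generator serve several thin workflow wrappers.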

lelia added 10 commits March 12, 2026 12:37
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
… updates

Signed-off-by: lelia <lelia@socket.dev>
…ease workflow

Signed-off-by: lelia <lelia@socket.dev>
@lelia lelia requested a review from a team as a code owner March 12, 2026 17:02
lelia added 2 commits March 12, 2026 13:11
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
@ahmadnassri
Contributor

one major thing missing here, is version bumping the action.yml file before committing each new tag

lelia added 14 commits March 17, 2026 19:13
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
lelia added 5 commits March 18, 2026 19:49
Signed-off-by: lelia <lelia@socket.dev>
…parate doc

Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
Signed-off-by: lelia <lelia@socket.dev>
…list

Signed-off-by: lelia <lelia@socket.dev>
@lelia
Contributor Author

lelia commented Mar 18, 2026

one major thing missing here, is version bumping the action.yml file before committing each new tag

true, it's sort of a chicken-and-egg issue with the initial overhaul that this PR introduces. but the idea will be, once this is merged in and tested, that we create a second PR to actually switch everything over to the new v2.0.0 versioning convention. there's now a CI gate in python-tests.yml which asserts that action.yml matches pyproject.toml and will fail if there's a mismatch; this will become a hard failure once we switch over to v2.0.0. lastly, the dedicated guide in docs/releasing.md covers the full checklist of release requirements including an action.yml callout specifically.
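The CI gate described in the reply above (action.yml must agree with pyproject.toml, soft today and a hard failure after the v2.0.0 switch), as an added standalone illustration rather than the project's python-tests.yml check. The sample file contents are constructed, and the function names, the `strict` flag, the regexes and the tomllib-with-regex-fallback parsing are assumptions for this example.

```python
"""Added example of an action.yml <-> pyproject.toml version gate. Not the
project's own check; names, regexes and sample inputs are assumptions."""
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover - older interpreters
    tomllib = None

# Constructed stand-ins for the two files in the repository.
PYPROJECT = """
[project]
name = "socket-basics"
version = "2.0.0"
"""

ACTION_PINNED = """
name: socket-basics
runs:
  using: docker
  image: docker://ghcr.io/socketdev/socket-basics:2.0.0
"""

ACTION_LOCAL = """
runs:
  using: docker
  image: Dockerfile
"""

IMAGE_LINE = re.compile(r"^\s*image:\s*(\S+)\s*$", re.MULTILINE)
# docker://<registry/repo>:<tag>[@sha256:<digest>]; registries with a port are
# not handled by this simplified pattern (assumption).
IMAGE_REF = re.compile(
    r"^docker://(?P<repo>[^:@\s]+):(?P<tag>[^@\s]+)(?:@sha256:[0-9a-f]{64})?$"
)
VERSION_LINE = re.compile(r'^version\s*=\s*"([^"]+)"', re.MULTILINE)


def pyproject_version(text):
    """Read [project].version; fall back to a regex when tomllib is absent."""
    if tomllib is not None:
        return tomllib.loads(text)["project"]["version"]
    m = VERSION_LINE.search(text)
    if not m:
        raise ValueError("pyproject.toml has no version field")
    return m.group(1)


def action_image(text):
    """Return the runs.image value from action.yml (single-line form only)."""
    m = IMAGE_LINE.search(text)
    if not m:
        raise ValueError("action.yml has no runs.image entry")
    return m.group(1)


def check_version_gate(pyproject_text, action_text, strict=False):
    """Return (ok, message).

    strict=False: a local 'image: Dockerfile' passes with a warning, which is
    the pre-switch state the reply describes.
    strict=True: only a docker:// reference whose tag equals the declared
    version passes, the intended post-v2.0.0 behaviour. A digest suffix is
    accepted because it narrows, not loosens, what the pin refers to.
    """
    want = pyproject_version(pyproject_text)
    image = action_image(action_text)
    if not image.startswith("docker://"):
        msg = f"action.yml builds from local {image!r}; published image version not verified"
        return (not strict, msg)
    m = IMAGE_REF.match(image)
    if not m:
        return (False, f"unparseable image reference {image!r}")
    got = m.group("tag")
    if got != want:
        return (False, f"action.yml pins {got} but pyproject.toml declares {want}")
    return (True, f"action.yml and pyproject.toml agree on {want}")


if __name__ == "__main__":
    import sys
    ok, msg = check_version_gate(PYPROJECT, ACTION_PINNED, strict=True)
    print(msg)
    sys.exit(0 if ok else 1)
```

Wired into a workflow, the script's exit status is the gate; flipping the default to `strict=True` is the one-line change that turns the warning into the hard failure once action.yml points at the published image.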

2 participants