ci: only build when image-affecting files change

Add path filters so the workflow runs only when the Dockerfile, nginx config,
site assets or .dockerignore change. CI-config, Renovate-config and docs
changes (such as a Renovate bump of a CI action) no longer trigger a build or
release. workflow_dispatch is added for manual runs after pipeline changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitea/workflows/build-and-publish.yml

@@ -1,10 +1,31 @@
 name: Build and publish container
 
+# Only run when files that affect the built image change. Updates to CI
+# config, Renovate config, or docs (e.g. a Renovate bump of the checkout
+# action) do not change the image and so do not trigger a build or release.
+# Use workflow_dispatch to run manually after a pipeline change.
 on:
   push:
     branches: [main]
+    paths:
+      - 'Dockerfile'
+      - 'default.conf'
+      - 'index.html'
+      - 'styles.css'
+      - 'script.js'
+      - 'messages.js'
+      - '.dockerignore'
   pull_request:
     branches: [main]
+    paths:
+      - 'Dockerfile'
+      - 'default.conf'
+      - 'index.html'
+      - 'styles.css'
+      - 'script.js'
+      - 'messages.js'
+      - '.dockerignore'
+  workflow_dispatch:
 
 defaults:
   run:
@@ -18,7 +39,7 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@v4
         with:
           # Full history and tags are required to derive the next version
           # from the conventional-commit messages since the last release.
@@ -94,21 +115,21 @@ jobs:
           echo "Computed bump=${bump}, release=${release}, base=${base}"
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to the Gitea container registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.PACKAGES_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64

Dockerfile

@@ -1,7 +1,7 @@
 # Lightweight, non-root nginx serving the static site.
 # Runs as user "nginx" and listens on 8080, ready to sit behind an
 # external reverse proxy that terminates TLS and forwards requests.
-FROM nginxinc/nginx-unprivileged:1.27-alpine-slim
+FROM nginxinc/nginx-unprivileged:1.31-alpine-slim@sha256:6616de6eaa82bc2ee3541fa287a8fca7dc7271e6374e9402014dbd13f4a980ae
 
 COPY default.conf /etc/nginx/conf.d/default.conf
 COPY --chown=nginx:nginx index.html styles.css script.js messages.js /usr/share/nginx/html/