Fix Docker workflow: use static permissions value (#250)

## Summary

- Replace dynamic expression in `permissions.packages` with static `write` value
- GitHub Actions rejects expressions in permission declarations at parse time, which caused all 369 Docker workflow runs to fail before executing any step
- Push-gating is already handled by `if` conditions on the login and build-push steps

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Wes McKinney <wesm@users.noreply.github.com>

Author: wesm

.github/workflows/docker.yml

@@ -19,12 +19,62 @@ env:
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  build:
+  # PR validation: build and smoke-test only, no registry access
+  validate:
+    if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      # Only allow package writes for pushes to main/tags, not PRs
-      packages: ${{ github.event_name != 'pull_request' && 'write' || 'read' }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Build multi-arch (no push)
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: false
+          build-args: |
+            VERSION=test
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Smoke test (amd64)
+        run: |
+          docker buildx build \
+            --platform linux/amd64 \
+            --load \
+            --tag msgvault:test \
+            --build-arg VERSION=test \
+            --build-arg COMMIT=$(echo $GITHUB_SHA | cut -c1-8) \
+            --build-arg BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
+            .
+
+          docker run --rm msgvault:test version
+          docker run --rm msgvault:test --help
+
+          mkdir -p /tmp/msgvault-test && chmod 777 /tmp/msgvault-test
+          docker run --rm -v /tmp/msgvault-test:/data msgvault:test init-db
+          test -f /tmp/msgvault-test/msgvault.db || { echo "FATAL: database not created"; exit 1; }
+          rm -rf /tmp/msgvault-test
+
+  # Publish: build multi-arch and push to GHCR (main/tags only)
+  publish:
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
     steps:
       - name: Checkout
@@ -37,7 +87,6 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Log in to Container Registry
-        if: github.event_name != 'pull_request'
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.REGISTRY }}
@@ -76,7 +125,7 @@ jobs:
         with:
           context: .
           platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
@@ -85,34 +134,3 @@ jobs:
             BUILD_DATE=${{ steps.build_args.outputs.build_date }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-
-      - name: Test image (amd64)
-        if: github.event_name == 'pull_request'
-        run: |
-          # Build single-arch for testing
-          docker buildx build \
-            --platform linux/amd64 \
-            --load \
-            --tag msgvault:test \
-            --build-arg VERSION=test \
-            --build-arg COMMIT=$(echo $GITHUB_SHA | cut -c1-8) \
-            --build-arg BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
-            .
-
-          # Smoke test: version command
-          echo "--- Version test ---"
-          docker run --rm msgvault:test version
-
-          # Smoke test: help command
-          echo "--- Help test ---"
-          docker run --rm msgvault:test --help
-
-          # Smoke test: init-db (creates database)
-          echo "--- Init DB test ---"
-          mkdir -p /tmp/msgvault-test && chmod 777 /tmp/msgvault-test
-          docker run --rm -v /tmp/msgvault-test:/data msgvault:test init-db
-          test -f /tmp/msgvault-test/msgvault.db || { echo "FATAL: database not created"; exit 1; }
-          echo "Database created successfully"
-
-          # Cleanup
-          rm -rf /tmp/msgvault-test

.gitignore

@@ -41,6 +41,7 @@ __pycache__/
 
 # Nix
 .direnv/
+result
 
 # Claude Code
 .claude/

Dockerfile

@@ -1,6 +1,6 @@
 # Build stage
 # Pin by digest for reproducibility; update periodically
-FROM golang:1.25-bookworm@sha256:7af46e70d2017aef0b4ce2422afbcf39af0511a61993103e948b61011233ec42 AS builder
+FROM golang:1.25-bookworm@sha256:29e59af995c51a5bf63d072eca973b918e0e7af4db0e4667aa73f1b8da1a6d8c AS builder
 
 # Install build dependencies for CGO (SQLite, DuckDB)
 RUN apt-get update && apt-get install -y --no-install-recommends \

flake.nix

@@ -11,41 +11,39 @@
         nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin" ] (
           system: fn nixpkgs.legacyPackages.${system}
         );
+
+      # Pin Go 1.25.9 until nixpkgs-unstable catches up from staging
+      goPinned = pkgs: pkgs.go_1_25.overrideAttrs (old: rec {
+        version = "1.25.9";
+        src = pkgs.fetchurl {
+          url = "https://go.dev/dl/go${version}.src.tar.gz";
+          hash = "sha256-DsnvjrzqCXqsN97K6fCachi0Uc2Wvn1u1RPY5Lz5Cc8=";
+        };
+      });
     in
     {
       packages = forAllSystems (pkgs: {
-        default =
-          let
-            # Pin Go 1.25.8 until nixpkgs-unstable catches up from staging
-            go_pinned = pkgs.go_1_25.overrideAttrs (old: rec {
-              version = "1.25.8";
-              src = pkgs.fetchurl {
-                url = "https://go.dev/dl/go${version}.src.tar.gz";
-                hash = "sha256-6YjUokRqx/4/baoImljpk2pSo4E1Wt7ByJgyMKjWxZ4=";
-              };
-            });
-          in
-          (pkgs.buildGoModule.override { go = go_pinned; }) {
-            pname = "msgvault";
-            version = "0.11.0";
-            src = ./.;
-            vendorHash = "sha256-JtfZwLpeyVsX/Yvb3EV7L+Gk/lFYaMJcrmID6eEvz84=";
-            proxyVendor = true;
-            subPackages = [ "cmd/msgvault" ];
-            tags = [ "fts5" ];
-            ldflags = [
-              "-X github.com/wesm/msgvault/cmd/msgvault/cmd.Version=nix-dev"
-            ];
-          };
+        default = (pkgs.buildGoModule.override { go = goPinned pkgs; }) {
+          pname = "msgvault";
+          version = "0.11.0";
+          src = ./.;
+          vendorHash = "sha256-JtfZwLpeyVsX/Yvb3EV7L+Gk/lFYaMJcrmID6eEvz84=";
+          proxyVendor = true;
+          subPackages = [ "cmd/msgvault" ];
+          tags = [ "fts5" ];
+          ldflags = [
+            "-X github.com/wesm/msgvault/cmd/msgvault/cmd.Version=nix-dev"
+          ];
+        };
       });
 
       devShells = forAllSystems (pkgs: {
         default = pkgs.mkShell {
-          packages = with pkgs; [
-            go
-            golangci-lint
-            gcc
-            prek
+          packages = [
+            (goPinned pkgs)
+            pkgs.golangci-lint
+            pkgs.gcc
+            pkgs.prek
           ];
         };
       });

go.mod

@@ -1,6 +1,6 @@
 module github.com/wesm/msgvault
 
-go 1.25.8
+go 1.25.9
 
 require (
 	github.com/BurntSushi/toml v1.6.0