feat(ci): move Linux CI to UBI 10 container images

Replace ubuntu-latest + setup-cpp with UBI 10 container images for all
Linux CI jobs, eliminating devcontainer/CI drift and enabling IWYU and
Bloaty in CI. Intel coverage now works via llvm-cov from oneAPI.

- Add Containerfile.intel extending main image with Intel oneAPI
- Add build-ci-image.yml to build/push images to GHCR
- Split ci.yml into Linux (container), macOS, and Windows jobs
- Update CodeQL workflow to use container
- Add gcovr, lizard, bloaty to main Containerfile

Resolves #6

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: viniciusferrao

.devcontainer/Containerfile

@@ -23,12 +23,23 @@ RUN dnf install -y \
 # Static analysis and documentation
 RUN dnf install -y cppcheck doxygen graphviz
 
+# Bloaty McBloatface — binary size analyzer (build from source)
+ARG BLOATY_VERSION="v1.1"
+RUN dnf install -y re2-devel protobuf-devel capstone-devel && \
+    git clone --branch ${BLOATY_VERSION} --depth 1 \
+        https://github.com/google/bloaty.git /tmp/bloaty && \
+    cmake -S /tmp/bloaty -B /tmp/bloaty/build \
+        -DCMAKE_BUILD_TYPE=Release -G Ninja && \
+    cmake --build /tmp/bloaty/build -j && \
+    cmake --install /tmp/bloaty/build && \
+    rm -rf /tmp/bloaty
+
 # Editors
 RUN dnf install -y neovim nano
 
 # Python packages
 RUN python3 -m pip install --upgrade pip setuptools && \
-    python3 -m pip install conan && \
+    python3 -m pip install conan gcovr lizard && \
     conan --version
 
 # Conan configuration for containers

.devcontainer/Containerfile.intel

@@ -0,0 +1,28 @@
+# Intel oneAPI CI image — extends the main CI image with ICX/ICPX
+ARG BASE_IMAGE=ghcr.io/versatushpc/cmake_template/ci:latest
+FROM ${BASE_IMAGE}
+
+# Intel oneAPI repository
+RUN rpm --import https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB && \
+    cat > /etc/yum.repos.d/oneAPI.repo << 'EOF'
+[oneAPI]
+name=Intel oneAPI repository
+baseurl=https://yum.repos.intel.com/oneapi
+enabled=1
+gpgcheck=1
+gpgkey=https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB
+EOF
+
+# Install Intel oneAPI DPC++/C++ compiler
+RUN dnf install -y intel-oneapi-compiler-dpcpp-cpp && \
+    dnf clean all && rm -rf /var/cache/dnf
+
+# Make Intel compiler available without setvars.sh
+# The compiler binaries and libraries are under /opt/intel/oneapi/compiler/latest
+ENV PATH="/opt/intel/oneapi/compiler/latest/bin:${PATH}" \
+    LD_LIBRARY_PATH="/opt/intel/oneapi/compiler/latest/lib:${LD_LIBRARY_PATH}" \
+    CMAKE_PREFIX_PATH="/opt/intel/oneapi/compiler/latest:${CMAKE_PREFIX_PATH}" \
+    CC="icx" \
+    CXX="icpx"
+
+CMD ["/bin/bash"]

.github/workflows/build-ci-image.yml

@@ -0,0 +1,86 @@
+name: build-ci-image
+
+on:
+  push:
+    branches: [master, main]
+    paths:
+      - '.devcontainer/Containerfile'
+      - '.devcontainer/Containerfile.intel'
+      - '.github/workflows/build-ci-image.yml'
+  schedule:
+    # Weekly rebuild — picks up UBI 10 base image security updates
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-ci-image:
+    name: CI image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}/ci
+          tags: |
+            type=raw,value=latest
+            type=sha,prefix=sha-,format=short
+
+      - name: Build and push CI image
+        uses: docker/build-push-action@v6
+        with:
+          context: .devcontainer
+          file: .devcontainer/Containerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  build-ci-intel-image:
+    name: CI Intel image
+    runs-on: ubuntu-latest
+    needs: build-ci-image
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}/ci-intel
+          tags: |
+            type=raw,value=latest
+            type=sha,prefix=sha-,format=short
+
+      - name: Build and push Intel CI image
+        uses: docker/build-push-action@v6
+        with:
+          context: .devcontainer
+          file: .devcontainer/Containerfile.intel
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            BASE_IMAGE=${{ env.REGISTRY }}/${{ github.repository }}/ci:latest