Add GitHub Actions CI and switch to ghcr.io image

Builds and pushes to ghcr.io on every push to main.
Compose now pulls the published image instead of building locally,
so Watchtower can auto-update the container.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Andrew

.github/workflows/build.yml

@@ -0,0 +1,33 @@
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches: [main]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}

docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   secretlair:
-    build: .
+    image: ghcr.io/epiphanyplx/secret-lair-monitor:latest
     container_name: secretlair
     restart: unless-stopped
     env_file: .env