Bootstrap CI/CD – Finalized Instructions (Phase 1)

Goal
- Provide Docker‑only local checks and Git hooks with parity to future CI. CI workflows are prepared but may remain disabled until runners are ready.

Requirements
- Docker + Docker Compose v2 on the development machine. No host packages beyond Docker are required.

Local Checks
- Entry point: `scripts/ci <phase>` where phase ∈ {format, lint, build, test, security, all}.
- Always runs inside the ci container using `docker/ci.compose.yml`.
- Tools pinned in `ci.Dockerfile`: shfmt, shellcheck, hadolint, yamllint, actionlint, prettier, markdownlint, commitlint.

Hooks
- Install hooks: `make hooks-setup` (copies .githooks/* into .git/hooks).
- pre-commit: runs format + lint.
- commit-msg: runs commitlint (Conventional Commits).
- pre-push: runs build; test and security are present but currently no‑ops.

Convenience Targets
- `make quick` → format + lint.
- `make check` → all phases.
- `make build` → compose validation.

CI (Prepared, optional enablement later)
- .gitea/workflows/ci.yml: builds ci image; runs lint + build.
- .gitea/workflows/release.yml: on pushes to main, creates annotated tag vYYYY.MM.DD-HHMM (UTC).
- .gitea/workflows/nightly.yml: nightly lint run.
- All jobs run inside the ci image; no runner host package installs.

Protected Checks (when CI is enabled)
- Protect: ci / lint, ci / build, ci / commitlint. Add ci / test and ci / security when they exist.

Future Extensions
- Add tests/security phases per repo stack; enable CI branch protections once runners are ready; optionally add pre-commit framework as an alternative to native hooks.
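
A sketch of the entry point described under Local Checks, added here as an example and not the project's own `scripts/ci`: it accepts only the listed phase names and runs each one in the ci container through `docker/ci.compose.yml`. The compose service name `ci`, the in-container `scripts/phases/<phase>.sh` layout and the `CI_DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example: a sketch of a scripts/ci-style dispatcher, not the project's script.
set -eu

COMPOSE_FILE="docker/ci.compose.yml" # path named on the page
CI_SERVICE="ci"                      # assumption: compose service name
PHASE_DIR="scripts/phases"           # assumption: per-phase scripts inside the image
ALL_PHASES="format lint build test security"

# Map the requested phase to the ordered list to run. Only names on the
# allowlist are accepted, so no arbitrary string is passed into the container.
resolve_phases() {
  case "${1:-}" in
    all) echo "$ALL_PHASES" ;;
    format | lint | build | test | security) echo "$1" ;;
    *)
      echo "usage: scripts/ci {format|lint|build|test|security|all}" >&2
      return 2
      ;;
  esac
}

# Run each resolved phase in a throwaway ci container, stopping at the first
# failure. With CI_DRY_RUN=1 the commands are printed instead of executed.
run_ci() {
  phases=$(resolve_phases "${1:-}") || return $?
  for phase in $phases; do
    set -- docker compose -f "$COMPOSE_FILE" run --rm "$CI_SERVICE" "$PHASE_DIR/$phase.sh"
    if [ "${CI_DRY_RUN:-0}" = "1" ]; then
      echo "$*"
    else
      "$@" || return $?
    fi
  done
}

# Execute only when a phase argument is given, e.g. `scripts/ci lint`.
if [ "$#" -gt 0 ]; then
  run_ci "$1"
fi
```

Because hooks and CI jobs would call the same dispatcher, a phase that passes locally runs the identical container command in CI.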