Add GitHub Actions workflow to build and push backend Docker image

[echska]

Motivation

• Add CI to build and publish the backend Docker image to GitHub Container Registry when backend code on main changes or via manual trigger.

Description

• Add .github/workflows/backend-docker.yml which checks out the repo, sets up Docker Buildx, logs into GHCR using GITHUB_TOKEN, extracts metadata with docker/metadata-action, and builds and pushes the image from parental-control-system/backend to ghcr.io/${{ github.repository_owner }}/parental-control-backend with sha and latest tags.

Testing

• No automated tests were run as part of this PR; the new workflow is configured to run on push to main and via workflow_dispatch for manual verification.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: af1c32efa6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate the latest tag to the main branch

Because this workflow can be started with workflow_dispatch, a user can run it against a non-main ref while this tag block still publishes latest. In that scenario, an ad-hoc build from a feature or older branch overwrites the production ghcr.io/.../parental-control-backend:latest image even though the push trigger is limited to main; only emit the latest tag when the selected ref is the default/main branch, or restrict manual dispatch accordingly.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Prevent older runs from overwriting latest

When two pushes to main are close together, this workflow has no concurrency cancellation, so the slower, older build can finish after the newer one and republish latest to the older commit. Consumers that pull latest would then get a rollback even though a newer commit already built successfully; add a branch-scoped concurrency group with cancel-in-progress or avoid publishing the mutable tag from every run.

Useful? React with 👍 / 👎.