Set mod time & revision via ldflags; Sign docker image with actions/attest

[tangrufus]

• Fix duplicate -ldflags in Dockerfile (combined into single value)
• Add actions/checkout step to publish workflow
• Add attestations: read permission to deploy workflow
• Fix Revision default value typo: devl → devel (matching Go toolchain convention)
• Remove accidentally committed serve binary

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.28%. Comparing base (d1f1814) to head (7333cec).
⚠️ Report is 8 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/serve/main.go	0.00%	16 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #38      +/-   ##
==========================================
+ Coverage   90.97%   91.28%   +0.30%     
==========================================
  Files          22       22              
  Lines        4767     4751      -16     
==========================================
  Hits         4337     4337              
+ Misses        398      382      -16     
  Partials       32       32              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This PR switches build stamping from VCS build info to explicit -ldflags variables (mod time + revision), adds local tasks to build/run the container image with those stamps, and replaces Cosign signing/verification with GitHub’s native actions/attest + gh attestation verify in the publish/deploy workflows.

Changes:

• Add mise tasks/env for building and running a locally tagged image with stamped build args.
• Introduce ModTime/Revision linker-stamped variables in cmd/serve and use them for startup logging + 304 mod-time behavior.
• Update Docker build and GitHub workflows to pass build args and generate/verify GitHub attestations instead of Cosign.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
mise.toml	Adds DOCKER env and image/image:build tasks to build/run the dev image with MOD_TIME/REVISION args.
mise.local-example.toml	Documents overriding DOCKER (e.g., to use Podman).
cmd/serve/main.go	Adds linker-stamped globals and replaces debug build-info based stamping with explicit RFC3339 parsing/fallback.
Dockerfile	Accepts MOD_TIME/REVISION build args and stamps them into the binary via -ldflags.
.github/workflows/publish.yml	Passes MOD_TIME/REVISION build args and attests the pushed image with actions/attest.
.github/workflows/deploy.yml	Verifies the image using gh attestation verify and deploys by digest.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.