feat: validate ci/main.go container images in pre-commit (#413)

## Summary

- Adds `scripts/check_ci_images.sh`: extracts every `From("...")` image reference from `ci/main.go` and runs `skopeo inspect --no-creds` on each one (manifest-only, no layer pull, no daemon required)
- Adds `task check-ci-images` task in `Taskfile.yml` that runs the script
- Adds `ci-image-exists` hook to `.pre-commit-config.yaml` that fires only when `ci/main.go` is staged (using `files: ^ci/main\.go$` rather than `always_run`, to avoid a network round-trip on every unrelated commit)
- Adds `skopeo` to the Nix devShell so the tool is on PATH when the hook runs via `nix develop --command`

This catches a bad image tag (like `ghcr.io/cirruslabs/flutter:3.44.1` not yet published) at commit time, before the push reaches CI.

## Test plan

- Stage a change to `ci/main.go` bumping a `From("...")` tag to a non-existent version → hook rejects commit with NOT FOUND
- Stage a change with valid image tags → hook prints OK for each image and allows the commit
- Stage a change to any other file → `ci-image-exists` hook is skipped entirely

Closes #407

Co-authored-by: Thomas SharedInbox <sharedinbox@thomas-guettler.de>
Reviewed-on: https://codeberg.org/guettli/sharedinbox/pulls/413

.pre-commit-config.yaml

@@ -42,3 +42,9 @@ repos:
         entry: "bash -c 'git --no-pager grep \"dagger call\" -- \":!.pre-commit-config.yaml\" | grep -v \"\\-\\-progress=plain\" && echo \"ERROR: All dagger calls must include --progress=plain\" && exit 1 || exit 0'"
         pass_filenames: false
         always_run: true
+      - id: ci-image-exists
+        name: verify container images in ci/main.go are reachable
+        language: system
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command task check-ci-images'
+        pass_filenames: false
+        files: ^ci/main\.go$

Taskfile.yml

@@ -700,6 +700,11 @@ tasks:
         fi
         echo "Hygiene check passed."
 
+  check-ci-images:
+    desc: Verify that all container images referenced in ci/main.go are reachable
+    cmds:
+      - scripts/check_ci_images.sh
+
   _integrations:
     internal: true
     run: once

flake.nix

@@ -99,6 +99,7 @@
               httplib2
             ]))  # used by stalwart-dev/start and deploy_playstore.py
             fgj      # Codeberg/Forgejo CLI (like gh for GitHub)
+            skopeo   # inspect OCI image manifests without pulling layers (used by check-ci-images)
           ]);
 
           shellHook = ''

scripts/check_ci_images.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# Verify that every container image referenced in ci/main.go is reachable.
+# Runs skopeo inspect (manifest-only, no layer pull) for each From("...") call.
+set -euo pipefail
+
+ROOT=$(git rev-parse --show-toplevel)
+FILE="$ROOT/ci/main.go"
+
+images=$(grep -oP 'From\("\K[^"]+' "$FILE" | sort -u)
+
+if [ -z "$images" ]; then
+  echo "check-ci-images: no From() image references found in $FILE"
+  exit 0
+fi
+
+fail=0
+while IFS= read -r image; do
+  printf "check-ci-images: %-55s" "$image"
+  if skopeo inspect --no-creds "docker://$image" > /dev/null 2>&1; then
+    echo "OK"
+  else
+    echo "NOT FOUND"
+    fail=1
+  fi
+done <<< "$images"
+
+if [ "$fail" -eq 1 ]; then
+  echo ""
+  echo "ERROR: one or more container images in ci/main.go could not be resolved."
+  echo "Fix the image tag before committing."
+  exit 1
+fi