Hide health checks and publish Docker Hub images

[ChiragAgg5k]

Summary

• Hide noisy GET /healthz uvicorn access logs while keeping other access logs visible.
• Publish staging and production deployment images to both GHCR and Docker Hub using the existing TAG value.
• Keep the assets repo update scoped to .mcp.image.tag, matching appwrite-labs/assets-applications#23 where the repository is switched to Docker Hub (appwrite/mcp).

Testing

• uv run --group dev ruff check src tests
• uv run --group dev black --check src tests
• uv run python -m unittest discover -s tests/unit -q
• Smoke-tested HTTP server: /healthz returns 200 without access log noise; /mcp still logs the 401 request.
• Parsed .github/workflows/production.yml and .github/workflows/staging.yml as YAML.

[greptile-apps]

Greptile Summary

This PR hides health-check access logs and publishes deployment images to Docker Hub. The main changes are:

• Adds a uvicorn access-log filter for GET /healthz.
• Publishes staging and production images to both GHCR and Docker Hub.
• Adds explicit workflow permissions for checkout and GHCR package publishing.
• Keeps deployment tag updates scoped to .mcp.image.tag.

Confidence Score: 4/5

The changes are focused and covered by targeted tests plus workflow parsing and smoke checks.

No code issues were identified, and the described validation covers the HTTP logging behavior and workflow YAML shape. Remaining risk is mainly in external registry publishing behavior that depends on repository secrets and CI environment configuration.

T-Rex Logs

What T-Rex did

• I inspected the initial server logs and saw health checks returning 200 for GET /healthz and GET /healthz?ready=1, with GET /mcp returning 401 Unauthorized.
• I observed the post-state logs showing GET /healthz and GET /healthz?ready=1 returning 200, with no uvicorn access log lines for health endpoints, while GET /mcp remained 401 Unauthorized.
• I analyzed the Docker Hub workflow state before changes, noting base commit, staging and production tags, and that GHCR login/tag were present while Docker Hub login/tag were absent, with yq updating only .["mcp"].image.tag.
• I reviewed the after-state workflow, confirming registry details for Docker Hub and docker.io, login via environment variables, build-push tags for both registries, and that the yq check indicates no changes to repository or image fields aside from the intended tag update.

_{Ran code and verified through T-Rex}

_{Reviews (2): Last reviewed commit: "Allow deployment workflows to publish pa..." | Re-trigger Greptile}