Add the build matrix and tag-name primitives

[fnando]

What

Adds the scaffolding the publish workflow will sit on top of — the canonical tag generator and a builds.json-driven build matrix.

• scripts/tag-names.sh — single source of truth for image tag construction. Given a (stellar-cli-version, rust-version, [platform], [variant]), prints the canonical tag (no registry/repo prefix). Encodes the four tag shapes (standard ± multi-arch ± variant) so build, publish, smoke-test, and docs never disagree on naming.
• scripts/resolve-matrix.sh — reads builds.json and emits a {"include": [...]} JSON matrix for fromJson() consumption. Iterates each stellar_cli_versions[] entry × its declared rust_versions × [amd64, arm64], plus a row per variants[] entry × arch. With the current builds.json (2 cli versions, 1+2 rusts, no variants) it emits 6 rows.
• .shellcheckrc — external-sources=true and source-path=SCRIPTDIR so sourced libs resolve, and a global disable=SC2016 (we use single-quoted jq expressions like '.foo[$v]' everywhere — $v is a jq variable, not a bash one).
• Two new lint jobs in .github/workflows/lint.yml:
  • shellcheck — ludeeus/action-shellcheck@v2.0.0 (SHA-pinned), severity style, scoped to scripts/.
  • matrix-smoke — runs resolve-matrix.sh and asserts .include | length > 0 so a broken builds.json or matrix script breaks lint CI before the publish workflow tries to consume the output.
• Both new jobs gated by the existing complete aggregator.

Why

The publish workflow (next PR) needs two primitives that don't belong inline in the workflow file: deterministic tag construction and a matrix resolver. Splitting them out makes them locally runnable, individually testable, and reusable by other consumers (smoke-test, future verifier docs).

Depends on

#1 (skeleton) — this branch is based on it. Base will auto-update to main once #1 merges.

Notable choices

• Flag-name vocabulary stays consistent. tag-names.sh uses --stellar-cli-version/--rust-version/--platform/--variant to match every other script — even though here some of these are inputs and newest-pair.sh uses the same names as selectors.
• Matrix output keys mirror flag names (stellar_cli_version, rust_version, etc.) so workflow steps can pass ${{ matrix.stellar_cli_version }} directly to build-image.sh --stellar-cli-version ....
• SC2016 disabled globally rather than per-line. The single-quoted-jq pattern is everywhere; per-line annotations would clutter every script for a check that's always wrong here.
• SC2034 disabled per-line on the two namerefs (updates, resolved) and on BUILDS_SCHEMA_PATH. These are real cross-file/cross-function uses shellcheck can't statically see.

Out of scope

The publish workflow itself (multi-arch buildx push, manifest list join, SLSA attestation, SBOM). Those land in subsequent PRs that consume the matrix and tag-names primitives this PR adds.

Verification

• ./scripts/tag-names.sh --stellar-cli-version 26.0.0 --rust-version 1.94.0 → 26.0.0-rust1.94.0
• ./scripts/tag-names.sh ... --platform linux/amd64 → 26.0.0-rust1.94.0-amd64
• ./scripts/tag-names.sh ... --variant l0 --platform linux/arm64 → l0-26.0.0-rust1.94.0-arm64
• ./scripts/resolve-matrix.sh --pretty produces 6 rows for the current builds.json
• ./scripts/resolve-matrix.sh | jq -e '.include | length > 0' exits 0
• shellcheck scripts/*.sh scripts/lib/*.sh is clean

[Copilot]

Pull request overview

This PR adds foundational scripting and CI lint scaffolding to support a future publish workflow: a canonical image tag generator and a builds.json-driven GitHub Actions build matrix resolver.

Changes:

• Added scripts/tag-names.sh to generate canonical image tags from (stellar-cli version, rust version, platform?, variant?).
• Added scripts/resolve-matrix.sh to emit a fromJson()-compatible {"include":[...]} matrix derived from builds.json.
• Added ShellCheck configuration and CI jobs (shellcheck, resolve-matrix smoke) to validate shell scripts and matrix generation in lint.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
scripts/tag-names.sh	New canonical tag construction script (variant + arch suffix handling).
scripts/resolve-matrix.sh	New matrix generator script emitting a GitHub Actions include matrix from builds.json.
scripts/refresh-stellar-cli-digests.sh	Adds per-line ShellCheck suppression for a nameref-consumed associative array.
scripts/refresh-rust-digests.sh	Adds per-line ShellCheck suppression for a nameref-consumed associative array.
scripts/lib/common.sh	Adds ShellCheck suppression for a sourced constant used cross-script.
.shellcheckrc	Configures ShellCheck to follow sources and disables SC2016 globally for jq patterns.
.github/workflows/lint.yml	Adds ShellCheck job and a matrix-generation smoke test job, both gated by complete.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[leighmcculloch]

Do I understand correctly that this gets rid of bespoke image names, all images must fit the standard form? 👍🏻

[fnando]

Do I understand correctly that this gets rid of bespoke image names, all images must fit the standard form? 👍🏻

@leighmcculloch yes, exactly. This PR removes variants[] entirely from the schema and the tag-construction code. All images must fit the standard form: <cli>-rust<rust> for the per-pair multi-arch list, and <cli>-rust<rust>-<arch> for the per-arch single-architecture manifest SEP-58 references. There's no longer any prefixed bespoke-image scheme.

If/when a real bespoke pairing comes up, we'd reintroduce variant support alongside the build-side machinery that closes that gap, as a single coherent change.