Build docker images in CI

[fdupress]

This adds a pipeline to generate base, build and formosa containers in CI for release branches (tagged by the release tag). This captures the software environment at the time of release and should help ensure we have stable-ish artefacts going forward.

[fdupress]

Right—putting this one on pause. It is silly to run this as a matrix when the base is build in all 3 jobs, but can't be shared. I need to rethink this—including whether we want to publish the base and build images.

On the plus side, the build is working.

[fdupress]

Notes to self on debugging the pipeline.

All images got built.

base-box got pushed successfully (and is in the container repository), but the push for build-box failed despite successful authentication.

The failure happened shortly after 15 minutes. I may need to split the job, add dependencies between jobs, and make sure we cache as much of the work as possible.

[fdupress]

Note to self on debugging: https://ghcr.info/easycrypt/ needs to be accessed from a browser to give this repo permission to administer container images from CI. You learn something new every day.

[fdupress]

Reviewers, I am interested in opinions on using latest or stable or release or something else as the name of the branch that follows the latest release.

Currently, it's latest. Publishing container images tagged for that branch (which is useful in setting up the CI of maintained proofs to follow the release cycle) will then overwrite the latest tag. This feels fine to me, but I'd like external thoughts.

Other than this decision: this is ready to go minus the REVERT ME. Container repository pollution will be cleaned up afterwards.

This does not produce images with a full EasyCrypt or Formosa setup. (No test box, and no formosa-test box, the configuration for which does not even exist.)