@derekclair derekclair commented Dec 18, 2025

References:

Summary

Update the Docker build workflow to run multi-job builds (build, appserver, tools) with shared metadata, caching, and provenance/SBOM enabled.

Differences vs PR#44

  • Scope: This PR strictly limits changes to the workflow file; PR#44 touches multiple files and routing.
  • Jobs: This PR uses three separate jobs (build-build-image, build-appserver-image, build-tools-image) with explicit cache scopes; PR#44 used a single job focusing on appserver/tools.
  • Metadata: This PR uses docker/metadata-action@v5 for all images with branch, run number, and platform version tags; PR#44 used simpler tags.
  • Caching: Adds type=gha with scoped keys and registry buildcache for all jobs; PR#44 used only GHA cache for appserver/tools.
  • Push behavior: Controlled via workflow_dispatch input push_images; PR#44 had unconditional pushes for appserver/tools.
  • Provenance/SBOM: Enabled for all images; PR#44 did not enable provenance or sbom.
  • Annotations: Includes annotations from metadata action; PR#44 didn’t add annotations.

Differences vs PR#45

  • CI system: This PR is GitHub Actions only; PR#45 is a Jenkins pipeline.
  • Registry source: This PR pulls base images using docker/login-action with ${{ vars.registry }}; PR#45 requires changing FROM iqgeo-delivery-build to harbor.delivery.iqgeo.cloud/{{ my_project }}/platform-build in Dockerfiles.
  • Secrets usage: This PR uses vars + secrets.registry_password; PR#45 uses container registry username/password secrets with a different naming scheme.
  • Outputs: This PR records build digests and exposes metadata outputs per job; PR#45 focuses on Jenkins job behavior.

Notes

  • Once approved, we can toggle push_images during workflow_dispatch runs as needed.

@derekclair derekclair changed the title from "Improve Docker build workflow; head = main only; keep scope to workflow file" to "ADD: GitHub Action - improved build workflow" on Dec 18, 2025
@derekclair derekclair marked this pull request as ready for review December 18, 2025 18:55
@derekclair derekclair Dec 18, 2025

Guard against running on template repository

Since this is a template repository, consider adding a condition to prevent the workflow from running on the template repo itself. We could add this to the jobs:

if: github.repository != 'IQGeo/utils-project-template'

This ensures the workflow only runs in repos created from this template, not on the template itself.

build-build-image:
  if: github.repository != 'IQGeo/utils-project-template'
  runs-on: ubuntu-latest
  # ... rest of job

Alternatively, we could:

  • Add a top-level workflow condition (less pragmatic)
  • Disable the workflow in repository settings → Actions (but this affects all workflows)
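
Added example, not the workflow file from this PR: a sketch of one of the three jobs showing how the pieces named in the description and in the comment above fit together (template-repo guard, push gated on the `push_images` input, scoped GHA cache, provenance and SBOM). The image path, Dockerfile path, `registry_username` variable, tag patterns and action versions other than `docker/metadata-action@v5` are assumptions.

```yaml
# Added illustration; names marked "assumed" or "placeholder" are not from the PR.
name: build-images
on:
  workflow_dispatch:
    inputs:
      push_images:
        description: Push built images to the registry
        type: boolean
        default: false

jobs:
  build-appserver-image:
    # Skip the template repository itself; run only in repos created from it.
    if: github.repository != 'IQGeo/utils-project-template'
    runs-on: ubuntu-latest
    permissions:
      contents: read   # least privilege: the job only needs to read the repo
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ vars.registry }}
          username: ${{ vars.registry_username }}   # assumed variable name
          password: ${{ secrets.registry_password }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ vars.registry }}/example/appserver   # placeholder image path
          tags: |
            type=ref,event=branch
            type=raw,value=run-${{ github.run_number }}
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile.appserver   # placeholder path
          # Push only on a manual run with push_images ticked; otherwise build only.
          push: ${{ github.event_name == 'workflow_dispatch' && inputs.push_images }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          provenance: mode=max   # attach a build provenance attestation
          sbom: true             # attach an SBOM attestation
          cache-from: type=gha,scope=appserver
          cache-to: type=gha,mode=max,scope=appserver
      # Record the image digest so a later deploy can pin to it.
      - run: echo "digest=${{ steps.build.outputs.digest }}" >> "$GITHUB_STEP_SUMMARY"
```

The provenance and SBOM attestations are stored alongside the image in the registry, so they are only retained on runs where `push` evaluates to true.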

@luiscamachopt

Thanks @derekclair. Shall we close #44 (superseded by this one) and #45 (I think we'll focus on the GitHub action for now, and they'll still be available for review)?
I'm also looking at the pipelines used by the products and their tagging strategy, so I'll probably put together an alternative merging things from the two approaches.
