Switch Apache Debian image to Docker hardened image (dhi.io/httpd) #420

Draft
Copilot wants to merge 3 commits into main from copilot/switch-apache-debian-to-hardened-image

Contributor

Copilot AI commented Apr 27, 2026

  • Update docker-bake.hcl: change the Apache Debian variant's runtime image to dhi.io/httpd:${httpd-version}, add build_image = httpd:${httpd-version} for build stages, add build_image to alpine entry too (same as image), propagate build_image context in the target
  • Update apache/Dockerfile: replace FROM image AS build and FROM image AS crs_release with FROM build_image; add FROM build_image AS runtime_deps stage that installs runtime packages and collects them into /staging/ via dpkg -L; replace the apt-get install block in the final stage with COPY --from=runtime_deps /staging/ /; remove RUN useradd --system httpd; change httpd → www-data for chown and USER directive; remove gnupg from runtime; add USER root before the privileged setup RUN block (needed since the hardened image defaults to www-data)
  • Update .github/workflows/publish.yml: add docker/login-action step to authenticate to dhi.io registry using existing Docker Hub credentials
  • Update .github/workflows/verifyimage.yml: add docker/login-action step to authenticate to dhi.io registry
  • Update README.md: note the Apache Debian variant now uses the Docker hardened base image

Copilot AI linked an issue Apr 27, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Update Apache Debian image to use hardened version" to "Switch Apache Debian image to Docker hardened image (dhi.io/httpd)" Apr 27, 2026
Copilot AI requested a review from fzipi April 27, 2026 23:04
Member

fzipi commented Apr 28, 2026

@copilot fix the ci


coderabbitai Bot commented Apr 28, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


Contributor Author

Copilot AI commented Apr 28, 2026

> @copilot fix the ci

Fixed in d2ee167. The hardened dhi.io/httpd image defaults to running as www-data, so the mkdir/sed/chown setup step was failing with "Permission denied". Added USER root before that RUN block (matching the pattern used in the nginx Dockerfile), then USER www-data is restored at the end.
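
A check for the failure and fix described in this thread, as an added example that is not part of the PR or the project's code: it tracks the effective user through a Dockerfile's stages, flags root-requiring RUN steps that execute as a non-root user, and flags a final stage left running as root. The base-user table, the root-requiring command heuristic and the sample Dockerfiles are assumptions constructed for illustration.

```python
import re

# Assumption: default users keyed by FROM reference (tag stripped). The thread
# states dhi.io/httpd defaults to www-data; "image" is the bake context bound to it.
BASE_USERS = {"image": "www-data", "dhi.io/httpd": "www-data"}
NEEDS_ROOT = re.compile(r"\b(chown|useradd|apt-get)\b")  # heuristic, not exhaustive

def audit_final_stage(text, base_users=BASE_USERS):
    """Return (runs, final_user); runs = [(effective_user, command)] of the last stage."""
    stage_users, runs, user, name = {}, [], "root", None
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        op, arg = parts[0].upper(), parts[1]
        if op == "FROM":
            if name:
                stage_users[name] = user  # a later stage may build on this one
            tok = [t for t in arg.split() if not t.startswith("--")]
            ref = re.sub(r"[:@][^/]*$", "", tok[0])  # drop tag or digest
            name = tok[2] if len(tok) == 3 and tok[1].lower() == "as" else None
            user, runs = stage_users.get(ref, base_users.get(ref, "root")), []
        elif op == "USER":
            user = arg.split(":")[0].strip()
        elif op == "RUN":
            runs.append((user, arg))
    return runs, user

def findings(text, base_users=BASE_USERS):
    """List problems: root-requiring RUN as non-root, or a final stage left as root."""
    runs, final_user = audit_final_stage(text, base_users)
    out = [f"RUN as {u} needs root: {c}" for u, c in runs
           if u not in ("root", "0") and NEEDS_ROOT.search(c)]
    if final_user in ("root", "0"):
        out.append("final stage ends as root")
    return out

# Constructed Dockerfiles (stage names from the PR description; RUN bodies are placeholders).
BEFORE = """FROM build_image AS runtime_deps
RUN apt-get update && mkdir /staging
FROM image
COPY --from=runtime_deps /staging/ /
RUN mkdir -p /opt/example && \\
    chown -R www-data:www-data /opt/example
"""
AFTER = BEFORE.replace("RUN mkdir -p", "USER root\nRUN mkdir -p") + "USER www-data\n"

if __name__ == "__main__":
    for label, df in (("before", BEFORE), ("after", AFTER)):
        print(label, findings(df) or "ok")
```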

Development

Successfully merging this pull request may close these issues.

Switch apache debian image to hardened image
