Use docker buildx imagetools for multi-arch manifest creation

[siladu]

Following #9817

Instead of disabling provenance, we could switch to using docker buildx imagetools create which handles OCI indices.

Context

• CI runners were upgraded from Docker 27 to 29.
• Docker Engine 29's containerd image store became the default for fresh installs (https://docs.docker.com/engine/release-notes/29/).
• Provenance attestations have been enabled by default since Buildx v0.10 (mode=min), but with Docker's classic image store they were silently lost — the classic store doesn't support them (https://docs.docker.com/build/metadata/attestations/)
• Docker 29 switches the default to containerd image store for fresh installs, which does support attestations
• So now docker build + docker push preserves the provenance attestation, turning every pushed image into an OCI index (manifest list with image + attestation)
• docker manifest create rejects OCI indices as sources

For the docker buildx imagetools create alternative, the docs confirm it accepts manifest lists and OCI indices as sources natively: https://docs.docker.com/reference/cli/docker/buildx/imagetools/create/

Sources:

• https://docs.docker.com/engine/release-notes/29/
• https://docs.docker.com/engine/release-notes/28/
• https://docs.docker.com/build/metadata/attestations/
• https://docs.docker.com/build/metadata/attestations/slsa-provenance/
• https://docs.docker.com/reference/cli/docker/buildx/imagetools/create/
• https://docs.docker.com/reference/cli/docker/buildx/build/