deployment: add ci workflow to build base docker image #14431

Open
idan-starkware wants to merge 1 commit into main from idan/main/base-image-builder-ci

@idan-starkware

No description provided.

@idan-starkware idan-starkware self-assigned this Jun 10, 2026
@cursor

cursor Bot commented Jun 10, 2026

PR Summary

Low Risk
CI-only change that publishes container images; no application or auth logic is modified, though mis-tagged manual runs could point consumers at the wrong image.

Overview
Adds a manual GitHub Actions workflow (Base-Image-Builder) to build and publish the shared base image from deployments/images/base/Dockerfile to GHCR at ghcr.io/<repo>/base.

Operators must supply a version tag on every run; an optional tag_latest input (default on) also moves the latest tag to that build. The job uses the same pattern as other publish workflows: registry login with GITHUB_TOKEN, docker/metadata-action for tags/labels, and docker/build-push-action with packages: write.

Reviewed by Cursor Bugbot for commit 3d91034. Bugbot is set up for automated code reviews on this repo. Configure here.

@reviewable-StarkWare

This change is Reviewable

@idan-starkware idan-starkware force-pushed the idan/main/base-image-builder-ci branch 2 times, most recently from a8fdd57 to c649af5 Compare June 10, 2026 07:07
@idan-starkware idan-starkware force-pushed the idan/main/base-image-builder-ci branch from c649af5 to 3d91034 Compare June 10, 2026 11:51

@avi-starkware avi-starkware left a comment

Do we want to add SBOM as @albert-starkware suggested in https://starkwareindustries.slack.com/archives/C07G63D47DW/p1781162811094369?thread_ts=1781093378.689549&cid=C07G63D47DW?

@avi-starkware reviewed 1 file and all commit messages, and made 6 comments.
Reviewable status: all files reviewed, 5 unresolved discussions (waiting on idan-starkware).


.github/workflows/base_image_builder.yml line 26 at r1 (raw file):

jobs:
  docker-build-push:
    runs-on: namespace-profile-small-ubuntu-24-04-amd64

Add timeout to match repo conventions.

Suggestion:

  docker-build-push:
    runs-on: namespace-profile-small-ubuntu-24-04-amd64
    timeout-minutes: 60

.github/workflows/base_image_builder.yml line 32 at r1 (raw file):

        uses: actions/checkout@v6

      # Login to a Docker registry except on PR

This currently doesn't run on PRs, so we should delete this comment


.github/workflows/base_image_builder.yml line 35 at r1 (raw file):

      # https://github.com/docker/login-action
      - name: Login to registry ${{ env.REGISTRY }}
        uses: docker/login-action@v2.1.0

Can we use newer versions of this action (as we do in the transaction prover image push)?

Suggestion:

        uses: docker/login-action@v4

.github/workflows/base_image_builder.yml line 46 at r1 (raw file):

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v6.1.0

Here we use a newer action (repo uses 4.1.1)

Code quote:

        uses: docker/metadata-action@v6.1.0

.github/workflows/base_image_builder.yml line 58 at r1 (raw file):

      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        uses: docker/build-push-action@v7.2.0

Also uses a newer action than the rest of the repo (uses 6.13.0)

Code quote:

        uses: docker/build-push-action@v7.2.0
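
The review comments above flag action versions that differ from the rest of the repository. As an added example (not part of this PR or the repository's code), the following Python script scans workflow text for `uses:` references and reports any action referenced at more than one ref. The second workflow file name and its contents are constructed for illustration, using the versions the reviewer mentions.

```python
import re
from collections import defaultdict

# Matches "uses: owner/repo[/path]@ref"; local (./) and docker:// references are skipped.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w./-]+)@(\S+)")

def collect_action_refs(workflows):
    """Map each action to {ref: [workflow files that use that ref]}."""
    refs = defaultdict(lambda: defaultdict(list))
    for path, text in workflows.items():
        for line in text.splitlines():
            m = USES_RE.match(line)
            if m and path not in refs[m.group(1)][m.group(2)]:
                refs[m.group(1)][m.group(2)].append(path)
    return refs

def find_version_drift(workflows):
    """Return only the actions referenced at more than one ref."""
    return {action: {ref: sorted(files) for ref, files in by_ref.items()}
            for action, by_ref in collect_action_refs(workflows).items()
            if len(by_ref) > 1}

# Constructed sample input. The first file mirrors the lines quoted in the review;
# the second file name and contents are hypothetical, using the versions the
# reviewer says the rest of the repo uses.
SAMPLE = {
    ".github/workflows/base_image_builder.yml": """
      - uses: actions/checkout@v6
      - name: Login to registry
        uses: docker/login-action@v2.1.0
      - name: Extract Docker metadata
        uses: docker/metadata-action@v6.1.0
      - name: Build and push Docker image
        uses: docker/build-push-action@v7.2.0
""",
    ".github/workflows/example_image_push.yml": """
      - uses: actions/checkout@v6
      - uses: docker/login-action@v4
      - uses: docker/metadata-action@v4.1.1
      - uses: docker/build-push-action@v6.13.0
""",
}

if __name__ == "__main__":
    for action, by_ref in sorted(find_version_drift(SAMPLE).items()):
        print(action)
        for ref, files in sorted(by_ref.items()):
            print(f"  {ref}: {', '.join(files)}")
```

In a real checkout the `workflows` mapping would be built by reading each file under `.github/workflows/`.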
