Enhance CI/CD Pipeline with Secure Docker BuildKit Stage

Description

The current CI/CD pipeline lacks an automated Docker image building stage. To prepare the application for streamlined deployments and ensure environmental consistency, we need to integrate a secure Docker build process that generates and validates production-ready images.

Following best practices, this implementation avoids the legacy and insecure Docker-in-Docker (dind) approach in favor of a modern, daemonless BuildKit architecture.

Requirements

Secure Build Architecture: Implement docker buildx using the docker-container driver on self-hosted VM runners.
Dual Image Generation: Automate the building of both the main application (app) and the database initialization (db-init) containers.
Redundancy-Proof Caching: Utilize inline registry caching (type=registry) to minimize build times and ensure efficiency.
Automated Validation: Integrate a live PostgreSQL service within the CI job to verify that the db-init image can successfully execute migrations (init_db.py).
Dynamic Tagging: Tag images with the Git commit SHA and branch name; update the latest tag on the default branch.

Technical Details

Field	Value
CI Tool	GitLab CI
Build Engine	Docker BuildKit (`buildx`)
Storage	GitLab Container Registry
Database Service	`postgis/postgis:15-3.3` (matching production)

Proposed Changes

Update .gitlab-ci.yml to include the build stage.
Define the docker-build job with the necessary environment variables and service configurations.
Implement before_script to initialize the isolated BuildKit container instance.
Add validation logic to the script section to run docker run ... init_db.py after the build completes.

Definition of Done

Pipeline successfully builds and pushes app and db-init images to the registry.
The db-init validation step passes, confirming migrations are functional.
Images are correctly tagged and cached for future runs.
No privileged mode or dind services are used in the job configuration.