Add multi-stage Dockerfile for donext-core (Go binary) #44

@tayebmokni

Summary

Define and ship the canonical donext-core multi-stage Dockerfile that produces a small, distroless, signed image of the Go binary used for api, worker, cron, and migrate modes. This is the single image for the Go codebase; all five Go process classes invoke it with different serve flags.

Design reference

  • docs/09-deployment-ops.md §2.2 (donext-core Dockerfile canonical) and §2.1 (image strategy decision)

Acceptance criteria

  • Multi-stage Dockerfile in deploy/docker/Dockerfile.core (or repo-equivalent) using golang:1.23-alpine build + gcr.io/distroless/static-debian12:nonroot runtime
  • Build args plumbed for VERSION, COMMIT, BUILD_DATE and stamped into internal/build via -ldflags
  • Image embeds migrations via go:embed (no out-of-image migration files)
  • CGO disabled, netgo,osusergo tags, -trimpath, -s -w
  • Ports 8080 (http) and 9090 (metrics) exposed
  • Runs as nonroot:nonroot; final image size under ~35 MB
  • Default CMD ["serve","api"]; supports serve worker, serve cron, migrate
  • CI builds amd64 + arm64 manifest; SBOM attached via cosign attach sbom; cosign keyless signed

Dependencies

none

Complexity

M
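
One Dockerfile that meets the build and runtime criteria listed above, as an added example that is not the project's own file. The module path placeholder, the `./cmd/donext-core` package location and the variable names `Version`, `Commit` and `BuildDate` in `internal/build` are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. Assumed names are marked ASSUMPTION.

# Build on the native builder platform and cross-compile, so the amd64 and
# arm64 variants do not need emulation.
FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS build
ARG TARGETOS
ARG TARGETARCH
ARG VERSION=dev
ARG COMMIT=unknown
# Pass BUILD_DATE without spaces (for example RFC 3339), since it lands in -ldflags.
ARG BUILD_DATE=unknown
# ASSUMPTION: module path placeholder; replace with the module line from go.mod.
ARG MODULE=example.invalid/donext
WORKDIR /src

# Resolve and verify dependencies first so this layer is cached across source changes.
COPY go.mod go.sum ./
RUN go mod download && go mod verify

# Migrations are compiled in through go:embed, so they only need to be present here.
COPY . .
# ASSUMPTION: main package at ./cmd/donext-core; internal/build declares the
# string variables Version, Commit and BuildDate.
RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
    go build -trimpath -tags netgo,osusergo \
      -ldflags "-s -w \
        -X ${MODULE}/internal/build.Version=${VERSION} \
        -X ${MODULE}/internal/build.Commit=${COMMIT} \
        -X ${MODULE}/internal/build.BuildDate=${BUILD_DATE}" \
      -o /out/donext-core ./cmd/donext-core

# Runtime stage: no shell, no package manager, only the static binary.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/donext-core /donext-core
USER nonroot:nonroot
EXPOSE 8080 9090
ENTRYPOINT ["/donext-core"]
# Override CMD to select another mode: serve worker, serve cron, migrate.
CMD ["serve","api"]
```

Because the runtime stage copies nothing but the binary, any migration file that is not embedded at build time will be missing from the image, which makes the go:embed criterion checkable by running the migrate mode from the built image.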
