Add OCI & OpenShift labels to Docker image #10007

Merged
merged 2 commits into from
Aug 5, 2022

npepinpe
Member

@npepinpe npepinpe commented Aug 5, 2022

Description

This PR adds labels to the Docker image following the OCI and OpenShift specs. This includes modifications to the build process to inject the few values which are dynamic, namely:

  • the created at ISO 8601 timestamp
  • the commit SHA (or revision) of the artifact
  • the semantic version of the artifact

You can find the specs here:

On top of adding labels, this modifies the Dockerfile a bit and pins the production image to a specific sha of the base image, ensuring reproducible builds. In the future we should update this sha when need be, and update the golden file (docker/test/docker-labels.golden.json).

This also adds hadolint to lint our Dockerfile and applies some of the recommendations to it. A new code quality job is added, Docker checks, which runs hadolint and verifies that the labels are as expected. The verification is done via a bash script which grabs the labels from a docker inspect, and compares them with an interpolated golden file (since we have a few dynamic values). The comparison is done using diff, so the output should be familiar to most.

Related issues

related to #9940
blocks #10013

Definition of Done

Not all items need to be done depending on the issue and the pull request.

Code changes:

  • The changes are backwards compatible with previous versions
  • If it fixes a bug then PRs are created to backport the fix to the last two minor versions. You can trigger a backport by assigning labels (e.g. backport stable/1.3) to the PR, in case that fails you need to create backports manually.

Testing:

  • There are unit/integration tests that verify all acceptance criteria of the issue
  • New tests are written to ensure backwards compatibility with further versions
  • The behavior is tested manually
  • The change has been verified by a QA run
  • The impact of the changes is verified by a benchmark

Documentation:

  • The documentation is updated (e.g. BPMN reference, configuration, examples, get-started guides, etc.)
  • New content is added to the release announcement
  • If the PR changes how BPMN processes are validated (e.g. support new BPMN element) then the Camunda modeling team should be informed to adjust the BPMN linting.

Please refer to our review guidelines.
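
The label verification described in the PR description above, sketched as an added example (this is not the PR's script or the project's golden file): a golden template is interpolated with the three dynamic values and compared to the image's labels with diff. The `@TOKEN@` placeholder syntax, the function names, the file names and all sample values are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: golden-file check for image labels. The @TOKEN@ syntax, file
# names and sample values are constructed, not taken from the project.

# Escape characters that are special in the replacement part of sed's s|||.
sed_escape() { printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'; }

# verify_labels ACTUAL_JSON GOLDEN_TEMPLATE DATE REVISION VERSION
# ACTUAL_JSON is expected in normalised form, for instance the output of
#   docker inspect --format '{{json .Config.Labels}}' IMAGE | jq -S .
# Returns 0 on a match, 1 on label drift, 2 on a template problem.
verify_labels() {
  local actual=$1 template=$2 expected rc=0
  expected=$(mktemp) || return 2
  sed -e "s|@DATE@|$(sed_escape "$3")|g" \
      -e "s|@REVISION@|$(sed_escape "$4")|g" \
      -e "s|@VERSION@|$(sed_escape "$5")|g" "$template" > "$expected"
  if grep -q '@[A-Z_][A-Z_]*@' "$expected"; then
    echo "golden template still contains an unresolved token" >&2
    rc=2
  elif ! diff -u "$expected" "$actual"; then
    rc=1   # diff has already printed what differs
  fi
  rm -f "$expected"
  return "$rc"
}

# Write a constructed golden template and a constructed "actual" label set.
write_samples() {
  cat > "$1/golden.json" <<'EOF'
{
  "io.openshift.tags": "bpmn,orchestration",
  "org.opencontainers.image.created": "@DATE@",
  "org.opencontainers.image.revision": "@REVISION@",
  "org.opencontainers.image.version": "@VERSION@"
}
EOF
  sed -e 's|@DATE@|2022-08-05T12:00:00Z|' -e 's|@REVISION@|0123abc|' \
      -e 's|@VERSION@|1.0.0-rc1|' "$1/golden.json" > "$1/actual.json"
}
```

Treating a leftover token as its own failure (exit code 2) keeps a label that was added to the golden file but never wired into the build from passing as an ordinary string.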

@npepinpe
Member Author

npepinpe commented Aug 5, 2022

Don't worry, I'll split it up into two parts: adding the labels, then updating Jenkins CI, then updating GHA CI.

@npepinpe
Member Author

npepinpe commented Aug 5, 2022

It might be interesting to create a reusable action for building our Docker image now that we have a less straightforward process for building the image.

@npepinpe npepinpe marked this pull request as ready for review August 5, 2022 12:17
@github-actions
Contributor

github-actions bot commented Aug 5, 2022

Test Results

   810 files  ±    0     810 suites  ±0   1h 42m 17s ⏱️ - 3m 3s
6 224 tests +159  6 213 ✔️ +159  11 💤 ±0  0 ±0 
6 412 runs  +159  6 401 ✔️ +159  11 💤 ±0  0 ±0 

Results for commit b447062. ± Comparison against base commit bdc2405.

♻️ This comment has been updated with latest results.

@oleschoenburg oleschoenburg self-requested a review August 5, 2022 12:32
Member

@oleschoenburg oleschoenburg left a comment

Cool, thanks for putting so much effort into the verify script 🏅

I only have a few suggestions but nothing that would require another review

.github/workflows/code-quality.yml
.github/workflows/code-quality.yml
.github/workflows/deploy.yml (outdated)
Dockerfile (outdated)
.ci/scripts/distribution/ensure-naming-for-process.sh (outdated)
@npepinpe npepinpe force-pushed the 9940-oci-labels branch 8 times, most recently from c1fbdab to 166e0e2 Compare August 5, 2022 14:23
Adds labels to the Docker image following the OCI and OpenShift specs.
This includes modifications to the build process to inject the few
values which are dynamic, namely:
  - the created at ISO 8601 timestamp
  - the commit SHA (or revision) of the artifact
  - the semantic version of the artifact

On top of adding labels, this modifies the `Dockerfile` a bit and pins
the production image to a specific sha of the base image, ensuring
reproducible builds. In the future we should update this sha when need
be, and update the golden file
(`docker/test/docker-labels.golden.json`).

This also adds `hadolint` to lint our Dockerfile and applies some of the
recommendations to it. A new code quality job is added, `Docker checks`,
which runs hadolint and verifies that the labels are as expected.
@npepinpe
Member Author

npepinpe commented Aug 5, 2022

bors merge

@zeebe-bors-camunda
Contributor

Build succeeded:

@zeebe-bors-camunda zeebe-bors-camunda bot merged commit c017448 into main Aug 5, 2022
@zeebe-bors-camunda zeebe-bors-camunda bot deleted the 9940-oci-labels branch August 5, 2022 15:39