fix: prevent nonroot docker builds from being tagged as latest

[zzeleznick]

Description

Customers have reported issues with running our latest semgrep release versions 1.38.0 and 1.38.2. This is due to our non-root docker image having the latest tag applied.

As noted in actions/checkout#956 and actions/checkout#1014, non-root containers seem to fail during the checkout step with an error message like

/usr/bin/docker exec  5b033937ed15061a8f606fa5f3805d0794caf9e04e3c12576fda15d25bde22ab sh -c "cat /etc/*release | grep ^ID"
node:internal/fs/utils:344
    throw err;
    ^

Error: EACCES: permission denied, open '/__w/_temp/_runner_file_commands/save_state_c7001c04-a974-4f62-8e53-a488[14](https://github.com/SensoftInc/imx8mp_yocto/actions/runs/3490287639/jobs/5841522655#step:3:15)7475c5'

Addresses #8601

Fix

• Apply false to latest field (see docs) and community note Prevent adding latest tag docker/metadata-action#161

PR checklist:

• Purpose of the code is evident to future readers
• Tests included or PR comment includes a reproducible test plan
• Documentation is up-to-date
• A changelog entry was added to changelog.d for any user-facing change
• Change has no security implications (otherwise, ping security team)

If you're unsure about any of this, please see:

• Contribution guidelines!
• One of the more specific guides located here

[github-actions]

🚫 The whole benchmark suite is too slow: +9.7% (+1.097 s)

14 benchmarks, 9.7% slower on average.

Individual deviations greater than 20% from the baseline are reported. An individual performance degradation of over 30% or a global degradation of over 7% is an error and will block the pull request. See run output for full results ('Show all checks' > 'Tests / semgrep benchmark tests' 'Details').

[bmahe]

Makes sense.
Thanks @zzeleznick !

[aryx]

superseded by #8615 for now

[cgdolan]

Heads up that this will prevent customers from getting the auto-updating non-root images we promised with returntocorp/semgrep:latest-nonroot. Looks like the suffix option to docker-metadata-action applies to all tags except latest (sigh) which is why non-root images sometimes got pushed to latest (there was a race between the root and non-root docker push actions where the last one won). I think the fix is actually to set suffix=-nonroot,onlatest=true.