fix: harden Dockerfile with pinned digests, non-root user, and dockerignore by fxenik · Pull Request #450 · rudderlabs/rudder-iac


- Pin base images to manifest list SHA digests (multi-arch safe)
- Add ca-certificates and tzdata to both builder and runtime stages
- Optimize layer caching: copy go.mod/go.sum before source, use BuildKit cache mounts
- Run container as non-root user (appuser, UID 10001)
- Move VOLUME from /root/.rudder to /home/appuser/.rudder (writable by appuser)
- Add COPY --link for independent runtime layer snapshots
- Add .dockerignore at repo root to exclude .git, secrets, and docker meta-files

Closes DEX-259

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

🔒 Scanned for secrets using gitleaks 8.28.0