
chore: update reusable docker pipeline to v0.16.1#485

Open
mpastecki wants to merge 1 commit into main from chore/update-reusable-pipeline-v0.16.1

Conversation

@mpastecki
Contributor

Summary

Updates reusable_docker_pipeline.yml to v0.16.1 (d2299e8).

What changes in v0.16.1

  • Lint failures block publishing: dockerfile_lint is now a dependency of docker_build, so Hadolint failures will block image publishing

What changed in v0.16.0

  • Scan-before-push: Trivy filesystem + image scans run before any registry push
  • Secret scanning: source code and image layer secret detection
  • Scans enabled by default: docker_scan: true, trivy_nofail: false, hadolint_nofail: false
  • DockerHub push disabled by default: push_to_dockerhub now defaults to false
  • Job Summary: scan results appear directly in the GitHub Actions run summary
  • SARIF upload: vulnerability findings surface in GitHub Security tab (public repos)
  • Build caching: scan build layers are reused via cache-from for push steps
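The following is an added illustration of what the v0.16.0/v0.16.1 behaviour described above looks like in GitHub Actions syntax; it is not the project's reusable_docker_pipeline.yml and was not written by the PR author. It shows a caller workflow pinning the reusable pipeline at the v0.16.1 commit with the new defaults written out, and a sketch of the job graph inside the reusable workflow: `docker_build` declares `needs: dockerfile_lint` (the v0.16.1 change, so a Hadolint failure stops the build and therefore the push), the Trivy filesystem and image scans run against a locally loaded image before any push step, and the `*_nofail` inputs are mapped onto `continue-on-error`. The OWNER/REPO path, the full 40-character SHA, the image name `example/app`, the action versions, and the input-to-step mapping are all assumptions; only the input names, their defaults and the job names come from the PR text.

```yaml
# Added example, not the project's own file. Placeholders/assumptions:
# OWNER/REPO, the full SHA behind d2299e8, image name, action versions.

# --- Caller workflow, e.g. .github/workflows/docker.yml in a consuming repo ---
name: docker
on:
  push:
    branches: [main]
  pull_request:

jobs:
  image:
    # Pin to the v0.16.1 commit; `uses:` needs the full 40-char SHA (placeholder).
    uses: OWNER/REPO/.github/workflows/reusable_docker_pipeline.yml@<FULL-SHA-OF-d2299e8>
    with:
      # v0.16.0 defaults, spelled out so the policy is visible in the caller.
      docker_scan: true          # Trivy fs + image scans run before any push
      trivy_nofail: false        # Trivy findings fail the job, not just warn
      hadolint_nofail: false     # Hadolint findings fail the job
      push_to_dockerhub: false   # no DockerHub push unless explicitly enabled
    secrets: inherit

# --- Sketch of the job graph inside reusable_docker_pipeline.yml (assumed) ---
on:
  workflow_call:
    inputs:
      docker_scan:       { type: boolean, default: true }
      trivy_nofail:      { type: boolean, default: false }
      hadolint_nofail:   { type: boolean, default: false }
      push_to_dockerhub: { type: boolean, default: false }

jobs:
  dockerfile_lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hadolint/hadolint-action@v3.1.0        # assumed version
        # nofail=true downgrades lint findings to a non-blocking step
        continue-on-error: ${{ inputs.hadolint_nofail }}
        with:
          dockerfile: Dockerfile

  docker_build:
    needs: dockerfile_lint      # v0.16.1: lint failure blocks build and publish
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - name: Build without pushing so the image can be scanned first
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true                 # image lands in the local daemon only
          tags: example/app:ci       # constructed name
          cache-to: type=gha,mode=max
          cache-from: type=gha
      - name: Trivy filesystem scan (vulnerabilities + secrets in source)
        if: inputs.docker_scan
        uses: aquasecurity/trivy-action@0.28.0        # assumed version
        continue-on-error: ${{ inputs.trivy_nofail }}
        with:
          scan-type: fs
          scanners: vuln,secret
          exit-code: '1'             # findings fail the step
      - name: Trivy image scan (vulnerabilities + secrets in layers)
        if: inputs.docker_scan
        uses: aquasecurity/trivy-action@0.28.0
        continue-on-error: ${{ inputs.trivy_nofail }}
        with:
          image-ref: example/app:ci
          scanners: vuln,secret
          exit-code: '1'
          format: sarif
          output: trivy-image.sarif
      - name: Surface findings in the Security tab (public repos)
        if: inputs.docker_scan
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-image.sarif
      - name: Push only after scans passed, reusing the scanned build's layers
        if: inputs.push_to_dockerhub
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: example/app:latest
          cache-from: type=gha
```

Two points worth checking in a real caller: the pin must be a full commit SHA (a short SHA such as d2299e8 is for humans, not for `uses:`), and `continue-on-error` on a step keeps the job green even when the scanner exits non-zero, so leaving `trivy_nofail` and `hadolint_nofail` at `false` is what makes the scans actually gate the push.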

Copilot AI review requested due to automatic review settings February 3, 2026 13:46

Copilot AI left a comment


Pull request overview

This PR updates the reusable Docker pipeline workflow from v0.15.0 to v0.16.1, introducing stricter security and quality controls for Docker image publishing. The update enables scan-before-push functionality, makes lint and security scan failures block image publishing by default, and includes several other security enhancements.

Changes:

  • Updated reusable_docker_pipeline.yml reference from commit 22ae8ed (v0.15.0) to d2299e8 (v0.16.1)
  • Removed trailing whitespace from the workflow file
  • Implicitly adopts new defaults: hadolint_nofail: false, trivy_nofail: false, and push_to_dockerhub: false




3 participants