
chore: harden Dockerfiles and add devops CODEOWNERS #487

Open
mpastecki wants to merge 2 commits into main from chore/dockerfile-hardening-and-codeowners

Conversation

@mpastecki
Contributor

Summary

  • Pin Alpine runtime packages to exact versions (Alpine 3.21)
  • Pin Debian runtime packages to exact versions (bookworm) where applicable
  • Upgrade base images to current stable (Alpine 3.21, Debian bookworm)
  • Apply hadolint best practices: SHELL pipefail, --no-cache/--no-install-recommends, shell variable quoting, merged RUN layers
  • Add CODEOWNERS rules for /.github/, /.github/CODEOWNERS, and **/Dockerfile owned by @babylonlabs-io/devops
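As an added illustration of the hardening items listed above (this is not the PR's own Dockerfile or the repository's code), a two-stage build that applies them: SHELL pipefail, --no-cache with exact Alpine pins, merged RUN layers, and a non-root runtime user. The digest, the WORKDIR/COPY layout and the `go build` target are assumptions; the user/group ids and package pins are taken from the PR.

```dockerfile
# syntax=docker/dockerfile:1

# Builder stage. It is not shipped, so its tool packages are deliberately left
# unpinned; the hadolint ignore must sit directly above the RUN it applies to.
FROM golang:1.24.11-alpine AS builder
ARG VERSION="HEAD"
WORKDIR /src
COPY . .
# hadolint ignore=DL3018
RUN apk add --no-cache build-base git \
    && go build -o /out/staking-api-service .   # build target is assumed

# Runtime stage. The tag alone still floats, so a digest pin makes the base
# reproducible; <digest> is a placeholder to be replaced with the real value.
FROM alpine:3.21@sha256:<digest> AS run

# pipefail: a failing command anywhere in a pipeline fails the whole RUN step
SHELL ["/bin/sh", "-o", "pipefail", "-c"]

# One layer: non-root user plus exactly-pinned runtime packages, no apk cache kept
RUN addgroup --gid 1138 -S staking-api-service \
    && adduser --uid 1138 -S staking-api-service -G staking-api-service \
    && apk add --no-cache bash=5.2.37-r0 curl=8.14.1-r2 jq=1.7.1-r0

COPY --from=builder /out/staking-api-service /bin/staking-api-service

# Drop root before the entrypoint runs
USER staking-api-service
ENTRYPOINT ["/bin/staking-api-service"]
```

Exact Alpine pins fail closed when the 3.21 repository moves past a revision, so they need an automated bump process alongside this Dockerfile.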

Copilot AI review requested due to automatic review settings February 5, 2026 12:35

Copilot AI left a comment


Pull request overview

This PR hardens the project's Dockerfile and establishes DevOps team ownership for CI/CD and container configuration files. The changes upgrade the Alpine base image from 3.16 to 3.21, pin runtime package versions for reproducibility, and add CODEOWNERS rules to ensure proper review of infrastructure-related changes.

Changes:

  • Upgraded Alpine base image from 3.16 to 3.21 in the runtime stage
  • Pinned runtime packages (bash, curl, jq) to exact versions for Alpine 3.21
  • Added hadolint ignore directive for build-time package installations
  • Added CODEOWNERS entries for the DevOps team covering .github/, CODEOWNERS itself, and all Dockerfiles

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File: contrib/images/staking-api-service/Dockerfile
Description: Upgraded Alpine base image to 3.21, pinned runtime package versions, and added hadolint ignore for builder stage

File: .github/CODEOWNERS
Description: Added DevOps team ownership for CI/CD directories and Dockerfiles


# Final minimal image with binary only
FROM alpine:3.16 AS run
FROM alpine:3.21 AS run
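Review bot: `FROM alpine:3.21 AS run` still resolves a floating tag, so the runtime base can change underneath the exact package pins added to this same stage (the `-r0`/`-r2` revisions only hold for whatever 3.21 point release the tag currently points at). Consider pinning the digest too, e.g. `FROM alpine:3.21@sha256:<digest> AS run`, and letting the same update bot that bumps the apk pins bump the digest.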


Copilot AI Feb 5, 2026


According to the PR description, this change aims to apply hadolint best practices including the SHELL pipefail directive. However, the SHELL directive with pipefail is missing from the runtime stage. Consider adding SHELL ["/bin/sh", "-o", "pipefail", "-c"] before the RUN commands to ensure pipefail is enabled for safer script execution.

Suggested change
SHELL ["/bin/sh", "-o", "pipefail", "-c"]


# DevOps team owns CI/CD and container configuration
/.github/ @babylonlabs-io/devops
/.github/CODEOWNERS @babylonlabs-io/devops
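Review bot: these rules only enforce review if branch protection on `main` requires approval from code owners; without that setting they merely auto-request @babylonlabs-io/devops, which falls short of the summary's goal of ensuring infrastructure changes are reviewed, so confirm the protection rule is in place. GitHub applies the last matching pattern, so `/.github/CODEOWNERS` adds nothing beyond `/.github/` unless a later, broader pattern also matches it; if the line is kept as self-protection against such a pattern, state that intent in the comment above it.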

Copilot AI Feb 5, 2026


The CODEOWNERS rule /.github/CODEOWNERS @babylonlabs-io/devops creates a circular ownership pattern where the CODEOWNERS file itself is owned by devops, potentially conflicting with or duplicating the rule on line 4 that already assigns /.github/ to devops. This line appears redundant since /.github/ ownership already covers this file. Consider removing this line to avoid confusion.

Suggested change
/.github/CODEOWNERS @babylonlabs-io/devops


RUN addgroup --gid 1138 -S staking-api-service && adduser --uid 1138 -S staking-api-service -G staking-api-service
RUN apk add bash curl jq
RUN apk add --no-cache bash=5.2.37-r0 curl=8.14.1-r2 jq=1.7.1-r0
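Review bot: the exact pins `bash=5.2.37-r0 curl=8.14.1-r2 jq=1.7.1-r0` will fail the build as soon as the Alpine 3.21 repository replaces one of these revisions, because Alpine keeps only the current revision of a package per branch. That fail-closed behaviour is the point of pinning, but it needs an automated bump (Renovate or Dependabot) or a documented update step, otherwise the next curl security release breaks CI. The `addgroup`/`adduser` line and this `apk add` could also be merged into one `RUN`, as the summary's "merged RUN layers" item describes, and a `USER staking-api-service` should follow once the binary is copied so the created account is actually used.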

Copilot AI Feb 5, 2026


The PR description mentions "Pin Debian runtime packages to exact versions (bookworm) where applicable" but no Debian-based Dockerfiles are present in the repository or modified in this PR. Only Alpine-based Dockerfiles exist. Consider updating the PR description to accurately reflect that only Alpine packages are being pinned, or clarify what "where applicable" means in this context.

@@ -2,6 +2,7 @@ FROM golang:1.24.11-alpine AS builder

ARG VERSION="HEAD"
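Review bot: the header `@@ -2,6 +2,7 @@` reports one added line after `FROM golang:1.24.11-alpine AS builder`, but the added line itself is not rendered in this excerpt, so the placement of the `# hadolint ignore=DL3018` directive cannot be checked here; hadolint only honours the ignore when the comment sits immediately above the instruction it applies to, so confirm it directly precedes the builder's `apk add`. The `-alpine` suffix on the Go image also floats across Alpine releases, so the builder's Alpine version is not tied to the runtime stage's 3.21.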


Copilot AI Feb 5, 2026


A hadolint ignore directive for DL3018 (pin versions in apk add) has been added to the builder stage, which contradicts the PR's goal of hardening Dockerfiles by pinning package versions. While build tools often don't need pinned versions since the image is ephemeral, for consistency with the runtime stage and the PR's stated objectives, consider either pinning these build dependencies or adding a comment explaining why pinning is not necessary for the builder stage.

Suggested change
# Builder image is ephemeral and not shipped to production; build tools are intentionally left
# unpinned here to simplify maintenance. DL3018 is ignored only for this builder stage.

kirugan previously approved these changes Feb 5, 2026