build: build the Sipi image with Bazel (rules_oci) instead of sbt

[subotic]

What

Carves the daschswiss/knora-sipi image build out of sbt into Bazel. The image
is overlay-only (the upstream Sipi image plus the DSP Lua scripts), so it moves
with zero rules_scala involvement. This is the deliberate first step
toward a Bazel monorepo: dsp-api keeps sbt for the JVM images (dsp-api,
dsp-ingest); the Sipi image is now produced by rules_oci.

Changes

• Toolchain (mirrors sipi & dsp-repository): flake.nix dev shell with
  bazelisk + a bazel wrapper, JDK 25, just/cacert/crane; .envrc (use flake); .bazelversion pinned to 9.1.1; .bazelrc/.bazelignore;
  flake.lock + MODULE.bazel.lock committed.
• Bazel build: MODULE.bazel (rules_oci 2.3.0 + rules_pkg 1.2.0, Sipi base
  pinned per-arch by digest) and sipi/BUILD.bazel (//sipi:load local,
  //sipi:push multi-arch publish).
• build.sbt: removed the sipi project (no Scala sources) and its
  aggregate/dependsOn references; kept knoraSipiVersion and
  Dependencies.sipiImage.
• Makefile: docker-build-sipi-image → bazel run //sipi:load + version
  tag; docker-publish-sipi-image → bazel run //sipi:push -t latest -t <version>. Order stays sipi-before-ingest; the tag is sourced from make docker-image-tag (sbt remains the version source of truth).
• CI: the jobs that build/publish the image install Nix
  (DeterminateSystems/determinate-nix-action@v3 +
  magic-nix-cache-action@v13) and run the make target inside nix develop.

Why a per-arch digest base, not the index

The arm64 entry of daschswiss/sipi:v5.0.1 carries a v8 variant, which a bare
linux/arm64 platform request does not match. Pulling each platform's single
image manifest by digest sidesteps index/variant matching. The published index
still carries linux/amd64 + linux/arm64/v8, matching the old buildx set.

Verified locally

• Nix shell: Java 25.0.3, Bazel 9.1.1, crane, just.
• bazel build //sipi:image //sipi:index; loaded image runs as root,
  exposes 1024, has the maintainer label and all 20 Lua scripts.
• make docker-build-sipi-image: build.sbt loads cleanly; loaded tag ==
  make docker-image-tag.
• dsp-ingest cross-build: make docker-build-ingest-image resolved FROM daschswiss/knora-sipi:<version> to the Bazel-built image and extracted
  /sbin/sipi, /sipi, tini, ffmpeg, ffprobe.
• Workflows pass actionlint.

Not run in this branch (please confirm in CI)

Full docker compose up --wait, the test-it/test-e2e suites, the multi-arch
push, and the GitHub Actions runs themselves.

Note

The image-level Docker HEALTHCHECK is dropped (not part of the OCI image
spec); docker-compose.yml and k8s already define their own Sipi probes.

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.97%. Comparing base (e67ea33) to head (1b22444).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4159   +/-   ##
=======================================
  Coverage   85.97%   85.97%           
=======================================
  Files         538      538           
  Lines       30462    30462           
  Branches     3561     3561           
=======================================
  Hits        26190    26190           
  Misses       4272     4272           

Flag	Coverage Δ
e2e	85.97% <ø> (ø)
integration	85.97% <ø> (ø)
unit	85.97% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.