chore(docker): migrate trustlab to bake and make app images env-neutral #1411

Merged: kilemensi merged 14 commits into main from chore/docker-trustlab-bake, Mar 13, 2026

@kilemensi (Member) commented Mar 11, 2026

Summary

This PR migrates trustlab to the Bake-based Docker build flow and incorporates shared fixes discovered while
validating the existing techlabblog migration.

It also moves migrated app images toward a more environment-neutral model by removing unnecessary build-time env
coupling and relying on runtime/server configuration where appropriate.

Changes

  • migrate trustlab to docker-bake.hcl with a dedicated app Dockerfile
  • keep techlabblog aligned with shared Docker/Bake fixes
  • improve reusable GitHub Actions workflow support for optional build secrets
  • tighten deploy workflow secret/permission handling
  • improve local developer flow via scripts/bake-up.sh
  • add scripts/revalidate.mjs for authenticated post-deploy ISR revalidation
  • add per-app Dokku app.json files under docker/apps/<app>/
  • move per-app Docker platform artifacts to docker/apps/<app>/
  • migrate all workflows to Node.js 24 (aligned with the Node version used in Docker base images)
  • fix revalidateDelete condition inversion in revalidateCache.js (was if (!path), so deletions never triggered revalidation)
  • change trustlab getStaticPaths to return { paths: [], fallback: "blocking" } — pages are no longer pre-rendered at build time; they are generated on first request per environment, which is required for the env-neutral image model
  • included revalidate.mjs script that is used by dokku.scripts.postdeploy to rebuild major pages at deployment time.

Notes

  • techlabblog was already migrated before this PR; this change mainly focuses on trustlab plus shared hardening/cleanup
  • Docker/Dokku platform artifacts now live under docker/, not inside app source trees
  • trustlab local builds should go through the env-loaded flow (scripts/bake-up.sh) because Payload still requires build-time secrets during next build
  • trustlab build still emits url.parse() deprecation warnings from upstream dependency/framework code during next build; this is not introduced by this PR

Validation

  • make trustlab succeeds
  • trustlab builds successfully via the env-loaded local path
  • both runtime images now include:
    • app-specific app.json
    • shared scripts/revalidate.mjs
  • Bake target, secret, and workflow contracts were reviewed end-to-end

Screenshots

N/A

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
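
The `revalidateDelete` fix listed in the PR description, as an added example that is not the project's code: a hypothetical reconstruction of the inverted `if (!path)` guard beside the corrected one, showing which deleted pages would stay cached. The hook shape, the helper names and the sample documents are assumptions; the revalidation call is a synchronous stand-in.

```javascript
// Added illustration, not code from the PR. Hook shape, helper names and the
// sample documents are assumptions; only the `if (!path)` guard is from the page.

// Synchronous stand-in for the ISR revalidation call: records refreshed paths.
function makeRecorder() {
  const calls = [];
  return { calls, revalidate: (path) => calls.push(path) };
}

// "Before": the inverted guard. Revalidation runs only when there is no path.
function revalidateDeleteBuggy(doc, revalidate) {
  const path = doc && doc.path;
  if (!path) {
    revalidate(path);
  }
  return doc;
}

// "After": revalidate exactly when the deleted document had a path.
function revalidateDeleteFixed(doc, revalidate) {
  const path = doc && doc.path;
  if (path) {
    revalidate(path);
  }
  return doc;
}

// Run a delete hook over every document and return the paths it refreshed.
function refreshedPaths(hook, docs) {
  const rec = makeRecorder();
  for (const doc of docs) hook(doc, rec.revalidate);
  return rec.calls;
}

// Paths of deleted documents whose cached page was never refreshed, i.e.
// pages that would keep being served after the content was removed.
function stalePaths(hook, docs) {
  const refreshed = new Set(refreshedPaths(hook, docs));
  return docs.map((d) => d.path).filter((p) => p && !refreshed.has(p));
}

// Constructed sample input: two published pages and one draft without a path.
const SAMPLE_DOCS = [{ path: "/reports/2025" }, { path: "/about" }, {}];

console.log("buggy stale:", stalePaths(revalidateDeleteBuggy, SAMPLE_DOCS));
console.log("fixed stale:", stalePaths(revalidateDeleteFixed, SAMPLE_DOCS));
```

A regression test over the delete hook can assert that `stalePaths` is empty, which catches the inversion without needing a running Next.js server.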

@kilemensi kilemensi self-assigned this Mar 11, 2026
@kilemensi kilemensi added the chore, documentation and docker labels Mar 11, 2026
@github-project-automation github-project-automation Bot moved this to 🚧 In Progress in COMMONS Mar 11, 2026
Comment thread apps/trustlab/src/pages/api/v1/revalidate.page.js Fixed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e0c54fce3c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/trustlab.yml
@kilemensi (Member, Author)

jest is failing and I'm assuming it's related to #1043 @CodeForAfrica/tech ? We may have to upgrade to v30 to get the memory issues fixed.

Otherwise, over to you for reviews.

@kilemensi kilemensi requested a review from a team March 11, 2026 13:03
@kilemensi (Member, Author)

Speak now (in the next hour) or forever hold your peace @CodeForAfrica/tech

@maquchizi maquchizi left a comment

Quite a bit of changes but LGTM. CI is failing for some reason. I've re-run the failing jobs, let's see how that goes.

@kilemensi kilemensi merged commit dca16cc into main Mar 13, 2026
9 of 11 checks passed
@kilemensi kilemensi deleted the chore/docker-trustlab-bake branch March 13, 2026 10:37
@github-project-automation github-project-automation Bot moved this from 🚧 In Progress to ✅ Done in COMMONS Mar 13, 2026

Labels

  • chore: A task that needs to be done (neither enhancement or bug)
  • docker: Pull requests that update Docker code
  • documentation: Improvements or additions to documentation

Projects

Status: ✅ Done

4 participants