chore: enable SBOM attestation for image builds (#16852)

- Added SBOM (Software Bill of Materials) generation during Docker build
to enhance traceability. Refer to Docker documentation on SBOM:
https://docs.docker.com/build/metadata/attestations/sbom/
- Updated Docker build scripts to use BuildKit for provenance and SBOM
support: https://docs.docker.com/build/metadata/attestations/
- Configured Docker daemon in dogfood image to support the Containerd
snapshotter feature to improve performance:
https://docs.docker.com/engine/storage/containerd/

> [!Important]
> We also need to enable `containerd` on depot runners.
> <img width="587" alt="image" src="https://github.com/user-attachments/assets/1d7f87c7-fdcc-462a-babe-87ac6486ad09" />



## Testing

- Tested locally with `docker buildx build --sbom=true --output type=local,dest=out -f Dockerfile .` to verify that an SBOM file is generated.
- Tested in
[CI](https://github.com/coder/coder/actions/runs/13731162662/job/38408790980?pr=16852#step:17:1)
to ensure the image builds without any errors.


Also closes coder/internal#88
M Atif Ali
2025-03-11 00:24:14 +05:00
committed by GitHub
parent 8c0350e20c
commit 05ebece03a
3 changed files with 8 additions and 2 deletions
+1
@@ -361,6 +361,7 @@ jobs:
file: scripts/Dockerfile.base
platforms: linux/amd64,linux/arm64,linux/arm/v7
provenance: true
sbom: true
pull: true
no-cache: true
push: true
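Review bot: Adding `sbom: true` next to `provenance: true` enables the attestation, but nothing after `push: true` in this job verifies that an SBOM manifest actually landed on the pushed index, so a scanner failure or an empty SBOM would go unnoticed. Consider a follow-up step that runs `docker buildx imagetools inspect <pushed-tag> --format '{{ json .SBOM }}'` and fails the job when the output is empty. Also note that this hunk only covers the `scripts/Dockerfile.base` job; the main image build is handled by the script change in the other hunk, and both rely on the builder supporting attestations.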
@@ -1,3 +1,6 @@
{
"registry-mirrors": ["https://mirror.gcr.io"]
"registry-mirrors": ["https://mirror.gcr.io"],
"features": {
"containerd-snapshotter": true
}
}
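Review bot: Enabling `"containerd-snapshotter": true` in this daemon.json switches the image store, so images already present under the previous store are no longer visible to that daemon after restart; the commit message should call out that dogfood workspaces will re-pull their image cache after this change. The same flag still has to be set on the depot runners (as the commit message notes), since the `docker buildx build --sbom`/`--provenance` invocation in the script hunk needs either the containerd image store or a `docker-container` builder to emit attestations.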
+3 -1
@@ -136,10 +136,12 @@ fi
log "--- Building Docker image for $arch ($image_tag)"
docker build \
docker buildx build \
--platform "$arch" \
--build-arg "BASE_IMAGE=$base_image" \
--build-arg "CODER_VERSION=$version" \
--provenance true \
--sbom true \
--no-cache \
--tag "$image_tag" \
-f Dockerfile \
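Review bot: The switch from `docker build` to `docker buildx build` with `--provenance true` and `--sbom true` has no guard for the builder in use: on a runner whose daemon lacks the containerd image store and has no `docker-container` builder selected, buildx rejects attestations for the default `docker` driver and the build fails rather than silently skipping the SBOM. Since the commit message says depot runners still need containerd enabled, either document that prerequisite at the top of this script or detect the unsupported case before the build and fail with a clear message. A second point to confirm past the visible lines: with a `docker-container` builder the result is not loaded into the local daemon unless `--load` (or an `--output`) is passed, so the later `$image_tag` consumers in this script may need that flag.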