Harden zot registry, pt 1 (#231)

## Summary
- Enable OIDC + API key authentication on zot with anonymous pull preserved
- Enforce tag immutability for version tags
- Adopt commit-SHA-based container image tagging

Details in the [[harden-zot-registry]] Mikado chain (`mise run docs-mikado harden-zot-registry`).

## Test plan
- [ ] Anonymous pull still works
- [ ] Unauthenticated push fails (401)
- [ ] CI container builds pass with new auth and tagging
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/231
Erich Blume 2026-02-20 22:50:01 -08:00
commit 0e2c10176d
28 changed files with 743 additions and 30 deletions


@ -1,6 +1,6 @@
---
title: Build Container Image
modified: 2026-02-19
modified: 2026-02-20
last-reviewed: 2026-02-15
tags:
- how-to
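Review bot: the frontmatter bump to `modified: 2026-02-20` leaves `last-reviewed: 2026-02-15` untouched; if the build instructions in this page were re-verified as part of the Dagger change below, bump `last-reviewed` in the same hunk, otherwise the review date will read as stale relative to the edit date.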
@ -38,7 +38,13 @@ A container can have one or both build files. The directory name becomes the ima
dagger call build --src=. --container-name=<name>
```
**Nix** — test with nix-build (requires nix, e.g. on [[ringtail]]):
**Nix** — test with Dagger (no local nix required):
```bash
dagger call build-nix --src=. --container-name=<name> export --path=./<name>.tar.gz
```
Or with nix-build directly (requires nix, e.g. on [[ringtail]]):
```bash
nix-build containers/<name>/default.nix -o result
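Review bot: the new Dagger path writes the image to `./<name>.tar.gz` in the working tree while the nix-build fallback produces a `result` output, and the text does not say what to do with either afterwards; add a sentence stating that the exported tarball is a local test artifact (not a pushed image) and which of the two commands CI actually runs, so a reader does not commit the archive or assume the export step publishes anything.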