crashappsec / chalk

Chalk allows you to follow code from development, through builds and into production.
https://crashoverride.com/
GNU General Public License v3.0

fix(docker): build without buildx with non-root user #323

Closed miki725 closed 3 weeks ago

miki725 commented 3 weeks ago

Issue

When using a distroless image without buildx, some builds can fail.

Description

When chalk needs to copy both /chalk.json and /chalk in the build, it needs to set correct permissions on the file. Without buildx, as it cannot leverage COPY --chmod, Chalk needs to manually adjust permissions by:

COPY chalk.json /chalk.json
RUN chmod 0444 /chalk.json

However, for distroless images RUN cannot work, as there is no chmod executable, and so the build will fail.

Now for this case we attempt to use multi-stage builds if possible, as we can use the busybox image, which has the capability to run chmod, and then we copy that into the final image. Something like:

FROM busybox AS chalk_json
COPY chalk.json /chalk.json
RUN chmod 0444 /chalk.json

FROM scratch
COPY --from=chalk_json /chalk.json /chalk.json

There is still an edge case where this will fail when docker doesn't support multi-stage builds, but at that point we have no other options, so wrapping will fail without any other recourse.

Testing

➜ make tests args="test_docker.py::test_scratch --logs"
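The fallback chain described above (COPY --chmod under buildx, COPY plus RUN chmod where the image has a chmod binary, a busybox helper stage for distroless images, and an outright failure when even multi-stage builds are unavailable), as an added shell example that is not chalk's own code; the capability flags and base image names are constructed inputs.

```shell
#!/bin/sh
# Added example, not chalk's own code: pick how a Dockerfile can land
# /chalk.json with mode 0444, given what the build environment supports.
# Assumed inputs (constructed): each flag is "yes" or "no".
#   BUILDX      - builder understands COPY --chmod
#   MULTISTAGE  - builder understands FROM ... AS / COPY --from
#   DISTROLESS  - final image has no shell and no chmod binary

# choose_strategy BUILDX MULTISTAGE DISTROLESS -> prints strategy name,
# returns 1 when none applies (the unrecoverable case from the PR).
choose_strategy() {
    if [ "$1" = "yes" ]; then
        echo chmod-flag          # COPY --chmod works everywhere, no RUN needed
    elif [ "$3" != "yes" ]; then
        echo run-chmod           # image has chmod, classic COPY + RUN is fine
    elif [ "$2" = "yes" ]; then
        echo multistage          # chmod in busybox, copy result into distroless
    else
        echo "no way to chmod /chalk.json: no buildx, no multi-stage, no chmod in image" >&2
        return 1
    fi
}

# emit_dockerfile BASE BUILDX MULTISTAGE DISTROLESS -> prints the Dockerfile
emit_dockerfile() {
    base="$1"
    strategy="$(choose_strategy "$2" "$3" "$4")" || return 1
    case "$strategy" in
        chmod-flag)
            printf 'FROM %s\nCOPY --chmod=0444 chalk.json /chalk.json\n' "$base" ;;
        run-chmod)
            printf 'FROM %s\nCOPY chalk.json /chalk.json\nRUN chmod 0444 /chalk.json\n' "$base" ;;
        multistage)
            # helper stage does the chmod; final stage only copies the file
            printf 'FROM busybox AS chalk_json\n'
            printf 'COPY chalk.json /chalk.json\n'
            printf 'RUN chmod 0444 /chalk.json\n\n'
            printf 'FROM %s\n' "$base"
            printf 'COPY --from=chalk_json /chalk.json /chalk.json\n' ;;
    esac
}

# distroless final image, classic builder without buildx
emit_dockerfile scratch no yes yes
```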
ee7 commented 3 weeks ago

I've realised the pre-existing tests already assert that semver.parseVersion silently parses strings that are invalid semantic versions, so no need for any action on that in this PR.

I'll open a low-priority ticket that could be closed with e.g. just a file rename and a couple of comments.

ee7 commented 3 weeks ago

(Approved again).