Our CI already lints our Dockerfile with hadolint. Add checking with dockle too.
dockle seems to have extra security-auditing functionality. For example, the hadolint workflow succeeded back when the Dockerfile didn't set USER.
For more details, see dockle's comparison table of Dockerfile checking tools. For the features listed in that table, dockle claims to do everything that hadolint does. But I believe hadolint does do things that dockle doesn't. So let's not remove hadolint, and just use both for now.
In the future, we could add a vulnerability scanner too.
The latest release of the action uses dockle 0.4.10. Pin to the latest commit of the action, which uses dockle 0.4.13.
The current output is:

```
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
```
Later, we can consider:

- resolving those items
- setting the exit-level to 'info'
This PR sets accept-key: 'PATH' to avoid the output:

```
FATAL - CIS-DI-0010: Do not store credential in environment variables/files
* Suspicious ENV key found : PATH on ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/zig (You can suppress it with --accept-key)
```
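As an added example (not the workflow from this PR), here is what a GitHub Actions job with the settings described above could look like. It assumes the dockle action is goodwithtech/dockle-action, uses a placeholder commit SHA where the real pinned commit would go, and the `image` and `exit-code` inputs and the image tag are assumptions beyond what the PR names:

```yaml
# .github/workflows/dockle.yml (hypothetical file name)
name: dockle
on: [push, pull_request]

jobs:
  dockle:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the image locally so dockle audits exactly what the Dockerfile produces.
      - run: docker build -t app-under-test:ci .

      # Pinned to a commit rather than a release tag so the dockle version is known.
      # The SHA below is a placeholder; replace it with the commit you audited.
      - uses: goodwithtech/dockle-action@0000000000000000000000000000000000000000
        with:
          image: app-under-test:ci
          # Fail the job on WARN and above; INFO items such as
          # CIS-DI-0005 / CIS-DI-0006 are reported but do not fail the build.
          # Tighten to 'info' once those items are resolved.
          exit-level: 'warn'
          exit-code: '1'
          # PATH is not a credential; suppress the CIS-DI-0010 hit for that key only
          # instead of ignoring the whole check.
          accept-key: 'PATH'
```

Keeping the suppression scoped to the single key means a real secret placed in another ENV variable still fails the job.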