fix(cdk): Move gVisor OCI bundle creation to build time

[devin-ai-integration]

This PR targets the following PR:

• chore(cdk): Add Firejail and gVisor POC Dockerfiles (do not merge) #399

---

Description

This PR fixes the permissions issue in the gVisor implementation by moving critical privileged operations (creating directories and files) into the root-access part of the Dockerfile and moving the config itself into a dedicated file rather than generating it at runtime.

Type of change

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

The Docker image has been built and tested locally with the 'spec' command to verify that the permissions issue is resolved.

Link to Devin run: https://app.devin.ai/sessions/ee56a86fecf641038ef46b91637465b2
Requested by: Aaron

[devin-ai-integration]

🤖 Devin AI Engineer

Original prompt from Aaron:

@Devin - Let's try to improve on the gVisor implementation provided here: <https://github.com/airbytehq/airbyte-python-cdk/pull/399>
Read the devlog in that PR and let's try to fix the permissions issue in gVisor. We'll start by moving critical privileged operations into the root-access part of the Dockerfile (such as creating directories and files) and move the config itself into a dedicated file rather than a cat-to-file in teh bootstrap script as it is now. Stack a PR on top of the existing one, rather than modifying the existing PR.

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add "(aside)" to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring