Automerge: [CI][Github] Add Fully Qualified Container Names to Best Practices (#165067)

Based on some recent discussion in #162007. Documenting this in the best
practices page so we have something easy to point to in code
review/reference for ourselves now that the repository has been cleaned
up.

Author: boomanaiden154

llvm/docs/CIBestPractices.rst

@@ -136,3 +136,20 @@ branches as follows:
     branches:
       - main
       - releases/*
+
+Container Best Practices
+========================
+
+This section contains best practices/guidelines when working with containers
+for LLVM infrastructure.
+
+Using Fully Qualified Container Names
+-------------------------------------
+
+When referencing container images from a registry, such as in Github Actions
+workflows, or in ``Dockerfile`` files used for building images, prefer fully
+qualified names (i.e., including the registry domain) over just the image.
+For example, prefer ``docker.io/ubuntu:24.04`` over ``ubuntu:24.04``. This
+ensures portability across systems where a different default registry might
+be specified and also prevents attackers from changing the default registry
+to pull in a malicious image instead of the intended one.