CI: Build docker images in GHA, store cache inline and push to GHCR (#3380)

This PR is a potential model for nipreps using GHA to build Docker
images. The latest build (from a previous commit's cache) took 2
minutes, including checkout, build and push. If the cache needs
rebuilding, it's <10 minutes. This is a vast improvement from Circle all
on it's own.

I will make a separate PR to start triggering Circle builds from GHA
after build. I would like to get to a model of:

```mermaid
graph LR;
  subgraph GitHub;
    test & build
  end
  subgraph Circle
    build --> ds005 & ds054 & ds210
  end
  subgraph gh2["GitHub"]
    test & ds005 & ds054 & ds210 --> deploy
  end
```

Where Circle runs anything where we want inspectable artifacts and
nothing else. For SDCflows, it would be tests again, but with artifact
saving turned on.

Author: effigies

.circleci/config.yml

@@ -47,6 +47,7 @@ _check_skip_job: &check_skip_job
     cd /tmp/src/fmriprep
     COMMIT_MSG="$(git show -s --format=%s)"
     DOCBUILD="$(echo ${COMMIT_MSG} | grep -i -E '^docs?(\(\w+\))?:')"
+    SKIP_ALL="$(echo ${COMMIT_MSG} | grep -i -E '\[skipcircle\]')"
     SKIP_PYTEST="$(echo ${COMMIT_MSG} | grep -i -E '\[skip[ _]?tests\]')"
     SKIP_DS005="$(echo ${COMMIT_MSG} | grep -i -E '\[skip[ _]?ds005\]' )"
     SKIP_DS054="$(echo ${COMMIT_MSG} | grep -i -E '\[skip[ _]?ds054\]' )"
@@ -62,6 +63,9 @@ _check_skip_job: &check_skip_job
     elif [[ -n "$DOCSBUILD" ]]; then  # always try to skip docs builds
       echo "Only docs build"
       circleci step halt
+    elif [ -n "$SKIP_ALL" ]; then
+      echo "Skipping all!"
+      circleci step halt
     elif [ -n "$CHECK_PYTEST" -a -n "$SKIP_PYTEST" ]; then
       echo "Skipping pytest"
       circleci step halt

.github/workflows/docker.yml

@@ -0,0 +1,60 @@
+name: Docker build
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "master", "main", "maint/*", "gha-docker-build" ]
+    tags: "*"
+  pull_request:
+    branches: [ "master", "main", "maint/*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  FORCE_COLOR: true
+
+jobs:
+  build-container:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: |
+            type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:master
+            type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TARGET_BRANCH }}
+            type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.tags[0] }}
+          cache-to: type=inline
+        env:
+          TARGET_BRANCH: ${{ github.base_ref || github.ref_name }}