build: cache docker layers, configurable engine, bump owasp/pnpm

- CI workflow uses BuildKit inline cache + --cache-from previous :latest;
  NVD_REFRESH build-arg busts the OWASP layer on schedule/dispatch so
  weekly rebuilds still refresh NVD while push builds reuse cached layers.
- build-and-push.ps1 reads CONTAINER_ENGINE from .env (docker default,
  podman supported); add .env.example.
- Bump OWASP Dependency-Check 12.2.1 -> 12.2.2 and pnpm 11.0.6 -> 11.1.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/build-and-push.yaml

@@ -74,8 +74,26 @@ jobs:
                 --password-stdin
 
       - name: Build image
+        env:
+          DOCKER_BUILDKIT: "1"
         run: |
+          # Pull the previous :latest to use as a layer cache source.
+          # First builds (no prior image) fail this pull — that's fine.
+          docker pull "${{ steps.meta.outputs.tag_latest }}" || true
+
+          # On schedule / manual dispatch, bust the OWASP NVD layer so the
+          # weekly rebuild actually refreshes the NVD database. Push builds
+          # leave it empty so unchanged layers stay cached.
+          NVD_REFRESH=""
+          if [ "${{ github.event_name }}" = "schedule" ] || \
+             [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            NVD_REFRESH="$(date +%Y%m%d)"
+          fi
+
           docker build \
+            --build-arg BUILDKIT_INLINE_CACHE=1 \
+            --build-arg NVD_REFRESH="${NVD_REFRESH}" \
+            --cache-from "${{ steps.meta.outputs.tag_latest }}" \
             --label "org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" \
             --label "org.opencontainers.image.revision=${{ github.sha }}" \
             -t "${{ steps.meta.outputs.tag_sha }}" \