chore(ci): address lint findings in build-docker.yml (#15245)

## Summary
This re-creates #15145, with fixes following the revert in #15174.
The overall approach is the same, except that I've added an explicit
permissions block to `docker-annotate-base` that should cover the needed
permissions in that job.
(One confusion is around how that wasn't failing before -- FWICT it was
receiving the default `GITHUB_TOKEN`, which doesn't include `id-token:
write` or `packages: write`. So it _should_ have been failing even
before I explicitly did `permissions: {}`...)
Edit: Oh, I see why -- the actual release process does a
`workflow_call`, so this inherits its `GITHUB_TOKEN` from
`release.yml:custom-build-docker`, which in turn has the right
permissions granted to it.

## Test Plan
See what happens in CI. Plus maybe we could do a release dry-run?

Signed-off-by: William Woodruff <william@astral.sh>
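The least-privilege pattern the description refers to (an empty workflow-level `permissions: {}` block so the default `GITHUB_TOKEN` gets nothing, with each job granting back only the scopes it needs) looks like this in a GitHub Actions workflow. This is an added illustration, not the project's actual `build-docker.yml`; the job names, triggers, actions and steps are hypothetical, and only the `docker-annotate-base` job name and the `id-token: write` / `packages: write` scopes come from the description above.

```yaml
# Hypothetical workflow written to illustrate the permissions layout
# described in the PR; it is not the project's own build-docker.yml.
name: build-docker

on:
  pull_request:
  # Invoked from a release workflow; the caller's GITHUB_TOKEN scopes
  # are the ceiling for everything granted below.
  workflow_call:

# Workflow-level default: the GITHUB_TOKEN gets no scopes at all.
# Jobs that need something must opt in explicitly.
permissions: {}

jobs:
  docker-build:
    runs-on: ubuntu-latest
    # Building only needs to read the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t example/image:ci .   # hypothetical image name

  docker-annotate-base:
    runs-on: ubuntu-latest
    needs: docker-build
    # Explicit grant so the job no longer depends on whatever the
    # caller happened to pass through implicitly.
    permissions:
      contents: read
      packages: write   # pushing the annotated image to the package registry
      id-token: write   # requesting an OIDC token for keyless signing/attestation
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
```

Two points worth checking when reviewing a change like this: a job with no `permissions` key inherits the workflow-level block (here, nothing), so every job that pushes, signs or comments must list its scopes explicitly; and when the workflow runs via `workflow_call`, GitHub caps the called workflow's token at the caller's permissions, so a job-level `packages: write` only takes effect if the calling job (here `release.yml:custom-build-docker`) already holds it, which is why the job appeared to work before the explicit block was added.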