fix: swap Chainguard JRE to BellSoft Liberica JRE 21

Chainguard free tier only offers :latest (currently JDK 26, unpinned);
the :openjdk-21 tag requires a paid subscription, breaking CI.

Switch both Dockerfiles to bellsoft/liberica-runtime-container:jre-21-slim-glibc:
- Pinned to JDK 21 LTS
- Smallest image (199 MB vs 441/491 MB)
- glibc-based Alpaquita Linux, sh-only (no bash, no pkg manager)
- Free, multi-arch (amd64 + arm64)
- Has sh — required by cameleer-server's DeploymentExecutor (withCmd "sh -c")

Use nobody:nobody (65534) instead of Chainguard's nonroot (65532).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -20,12 +20,11 @@ COPY src/ src/
 COPY --from=frontend /ui/dist/ src/main/resources/static/
 RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -U -B
 
-# Runtime: Chainguard Wolfi-based JRE (glibc, daily CVE refresh, non-root by default)
-FROM cgr.dev/chainguard/jre:openjdk-21
+# Runtime: BellSoft Liberica JRE 21 on Alpaquita Linux (glibc, minimal, 199 MB)
+FROM bellsoft/liberica-runtime-container:jre-21-slim-glibc
 WORKDIR /app
-USER root
-RUN mkdir -p /data/jars && chown -R nonroot:nonroot /data
-COPY --chown=nonroot:nonroot --from=build /build/target/*.jar app.jar
-USER nonroot
+RUN mkdir -p /data/jars && chown -R nobody:nobody /data /app
+COPY --chown=nobody:nobody --from=build /build/target/*.jar app.jar
+USER nobody
 EXPOSE 8080
 ENTRYPOINT ["java", "-jar", "app.jar"]