fix(minio): bake bootstrap.sh into image instead of bind-mounting

Closes #506.

Under Docker-out-of-Docker (the production Gitea Actions runner), the
host daemon resolves the relative bind-mount path against the host
filesystem — not the runner container's /workspace. The script is not
there, so Docker creates an empty directory at /bootstrap.sh and the
entrypoint fails with `/bootstrap.sh: Is a directory`.

Bake the script into a tiny derived image (infra/minio/Dockerfile) so
there is no runtime path resolution. Works in DooD, regular Docker,
and CI.

Unblocks the staging / production deploy pipelines from #497 / #499
and turns the Compose Bucket Idempotency CI job green.

Verified locally:
- `docker compose ... config --quiet` parses
- `docker compose ... build create-buckets` builds the image
- bootstrap.sh exists as a +x file at /bootstrap.sh inside the image

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

infra/minio/Dockerfile

@@ -0,0 +1,16 @@
+# Derived MinIO Client image with the idempotent bootstrap script baked in.
+#
+# Why a custom image instead of a bind-mount?
+# The production Gitea Actions runner is Docker-out-of-Docker. A
+# `./infra/minio/bootstrap.sh:/bootstrap.sh:ro` mount resolves the path
+# against the HOST filesystem (the host daemon owns the bind), not the
+# runner container's `/workspace/...`. The path doesn't exist on the host
+# and Docker auto-creates an empty directory at the mount target — the
+# entrypoint then fails with `/bootstrap.sh: Is a directory`. Baking the
+# script in removes runtime path resolution entirely. See #506.
+FROM minio/mc:RELEASE.2025-08-13T08-35-41Z
+
+COPY bootstrap.sh /bootstrap.sh
+RUN chmod +x /bootstrap.sh
+
+ENTRYPOINT ["/bin/sh", "/bootstrap.sh"]