Use Production Docker Registry environment for pushing to docker #6562

Merged
merged 3 commits into from
Oct 15, 2024


Kay-Zee
Member

@Kay-Zee Kay-Zee commented Oct 11, 2024

This change will allow better control of the build process for containers.

Environments provide:
a) Additional approval for usage of the environment/secrets, and
b) A way for admins to limit which branches can access the secrets

As of writing, the Production Docker Registry environment requires @Kay-Zee or @sjonpaulbrown approval to push to the docker registry, but this will be expanded once testing is complete.

Also, branches are limited to master and v0.37, which means we will have to update v0.37 to the new "active" branch whenever that happens. This should be exceedingly rare with our current release schedule.

@codecov-commenter

codecov-commenter commented Oct 11, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 41.27%. Comparing base (c14ac33) to head (fbe32b5).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #6562      +/-   ##
==========================================
- Coverage   41.50%   41.27%   -0.24%     
==========================================
  Files        1935     2031      +96     
  Lines      137793   145883    +8090     
==========================================
+ Hits        57197    60208    +3011     
- Misses      74690    79454    +4764     
- Partials     5906     6221     +315     
Flag Coverage Δ
unittests 41.27% <ø> (-0.24%) ⬇️

Flags with carried forward coverage won't be shown.

@sjonpaulbrown sjonpaulbrown had a problem deploying to Production Docker Registry October 15, 2024 22:06 — with GitHub Actions Failure
@sjonpaulbrown sjonpaulbrown had a problem deploying to Production Docker Registry October 15, 2024 22:08 — with GitHub Actions Failure
@sjonpaulbrown sjonpaulbrown had a problem deploying to Production Docker Registry October 15, 2024 22:08 — with GitHub Actions Failure
@sjonpaulbrown
Collaborator

The protection rules for the environment will ensure that the workflow can only be executed from the specified branches, but it will not enforce that a specific tag cannot be built. If the intention is to "block" any tags or branches that are not master or v0.37, this will not work, as the workflow takes an input that is used to dynamically check out the repo. If we want to automatically enforce this, we would need to restructure the workflows.

As long as we are ok with this being the responsibility of the reviewer, this should be ok, but I did want to call out that the enforcement of this will not be automatic.
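
One way to make that check automatic, as an added example that is not part of this PR or the project's workflows: a guard step run before the build that accepts the dispatch input only when it resolves to a commit already contained in an allowed branch. The function name, the `ALLOWED_BRANCHES` and `BRANCH_REF_PREFIX` variables, and a checkout with full history are assumptions.

```shell
# Added example, not the project's code. Intended as a step that runs after the
# repository is fetched with full history and before any image is built or pushed.

# Assumption: this list mirrors the environment's branch rule (master, v0.37).
ALLOWED_BRANCHES="${ALLOWED_BRANCHES:-master v0.37}"

# ref_is_buildable <repo_dir> <requested_ref>
#   0 = the ref's commit is contained in an allowed branch
#   1 = the ref exists but its commit is not on any allowed branch
#   2 = the input is empty, looks like an option, or does not resolve
ref_is_buildable() {
  rib_repo=$1
  rib_ref=$2
  # Where allowed branches live; remote-tracking refs in a CI checkout (assumption).
  rib_prefix="${BRANCH_REF_PREFIX:-refs/remotes/origin/}"

  # Never pass empty or option-like input through to git.
  case "$rib_ref" in
    ''|-*) return 2 ;;
  esac

  # Resolve a branch, tag or SHA to the commit that would actually be built.
  rib_commit=$(git -C "$rib_repo" rev-parse --verify --quiet "${rib_ref}^{commit}") || return 2

  for rib_branch in $ALLOWED_BRANCHES; do
    rib_tip=$(git -C "$rib_repo" rev-parse --verify --quiet "${rib_prefix}${rib_branch}^{commit}") || continue
    # A tag passes only if the commit it points at is reachable from the branch tip.
    if git -C "$rib_repo" merge-base --is-ancestor "$rib_commit" "$rib_tip"; then
      return 0
    fi
  done
  return 1
}

# Usage in a workflow step (REQUESTED_REF is a hypothetical name for the dispatch input):
#   ref_is_buildable . "$REQUESTED_REF" || { echo "ref not on an allowed branch" >&2; exit 1; }
```

The policy here is "commit contained in an allowed branch", so a release tag placed on master still builds, while a tag or branch whose commit exists only off those branches is refused.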

@sjonpaulbrown sjonpaulbrown had a problem deploying to Production Docker Registry October 15, 2024 22:26 — with GitHub Actions Failure
@Kay-Zee
Member Author

Kay-Zee commented Oct 15, 2024

I will likely change this setup to no longer be manual dispatch, and only work off the two "active" branches. The manual setup is mostly for testing purposes. We can discuss if we want to keep the manual or go back to the auto build based on tag, but I'm inclined toward the latter. At least for the CD workflow.

@Kay-Zee Kay-Zee added this pull request to the merge queue Oct 15, 2024
Merged via the queue into master with commit 3ba181e Oct 15, 2024
60 of 64 checks passed
@Kay-Zee Kay-Zee deleted the kan/add-docker-push-environment branch October 15, 2024 23:47