
docker: add distroless container build #17680

Closed
maxhuebler wants to merge 1 commit into prometheus:main from maxhuebler:distroless-container-build

Conversation

maxhuebler commented Dec 12, 2025

docker: add distroless container build option

This PR introduces support for building Prometheus container images based on distroless as an alternative to the current busybox-based images. The new distroless images contain only the statically linked Prometheus binaries, CA certificates, and timezone data, minimizing the attack surface and reducing vulnerability scanner noise.

Key changes:

  • Adds Dockerfile.distroless for building minimal images using gcr.io/distroless/static:nonroot as the base.
  • Copies CA certificates and timezone data from a small build stage (Debian).
  • Integrates a common-docker-distroless target into Makefile.common to build these images for all configured architectures.
  • Ensures required binaries and npm license assets are built before the image build.
  • No changes to the default image build flow; distroless images are opt-in.

Rationale:

  • Removes busybox and shell utilities from the final image, as Prometheus does not require them at runtime.
  • Reduces the number of reported vulnerabilities for end users and organizations using automated container scanning.
  • Aligns with best practices for minimal, secure container images.

Which issue(s) does the PR fix:

  • If there are no dependencies on Busybox, such as shell scripts, let's consider just the statically linked binary, CA and TZ data in the Prometheus container images.
  • Minimizing the footprint would help the end-user organizations to focus on the real vulnerabilities. Organizations that do container scanning are easily overloaded by the amount of vulnerabilities. They might not have the capacity to see if each one of those is exploitable. Someone not knowing any better might see many Prometheus ecosystem images show up on their vulnerabilities radar and stay there for some time. This also becomes a problem for whoever runs their observability stack.
  • Discussion from my PR busybox#66 (Add prom/busybox:alpine image) to fix vulnerabilities on busybox.

Does this PR introduce a user-facing change?

[ENHANCEMENT] Added support for building Prometheus container images using distroless as a base. Use `make common-docker-distroless` to build minimal images containing only the Prometheus binaries, CA certificates, and timezone data.

Signed-off-by: Max Huebler <max@huebler.us>
ARG OS="linux"

# Stage: get CA certs and tzdata from a small Debian image
FROM debian:trixie-slim AS certs

Check warning: Code scanning / Scorecard, Pinned-Dependencies (Medium)

score is 7: containerImage not pinned by hash
Remediation tip: pin your Docker image by updating debian:trixie-slim to debian:trixie-slim@sha256:e711a7b30ec1261130d0a121050b4ed81d7fb28aeabcf4ea0c7876d4e9f5aca2
&& rm -rf /var/lib/apt/lists/*

# Final minimal image based on distroless static
FROM gcr.io/distroless/static:nonroot

Check warning: Code scanning / Scorecard, Pinned-Dependencies (Medium)

score is 7: containerImage not pinned by hash
Remediation tip: pin your Docker image by updating gcr.io/distroless/static:nonroot to gcr.io/distroless/static:nonroot@sha256:2b7c93f6d6648c11f0e80a48558c8f77885eb0445213b8e69a6a0d7c89fc6ae4

jkataja left a comment

With the currently used distroless image, the output will not be as described. Instead it would need to be based on scratch to contain only the statically linked binary and minimal data.

org.opencontainers.image.licenses="Apache License 2.0"

# Copy CA certs and timezone data from certs stage
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

Turns out the GoogleContainerTools distroless image already includes CA certs and TZ data. This is only required with scratch.

&& rm -rf /var/lib/apt/lists/*

# Final minimal image based on distroless static
FROM gcr.io/distroless/static:nonroot

The first stage is not required with this image. Using scratch will produce the most minimal image.


# Final minimal image based on distroless static
FROM gcr.io/distroless/static:nonroot


The parameters need to be added to this stage

Suggested change
ARG ARCH
ARG OS

COPY npm_licenses.tar.bz2 /npm_licenses.tar.bz2

WORKDIR /prometheus
RUN mkdir -p /etc/prometheus /prometheus \
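Review bot: `RUN mkdir -p /etc/prometheus /prometheus \` sits in the stage that begins `FROM gcr.io/distroless/static:nonroot`, and distroless static ships no shell or coreutils, so this RUN fails at build time just as it would on scratch. Create the directories (and set their ownership) in the Debian stage and bring them into the final stage with `COPY --from=certs`; the suggested `ARG ARCH` / `ARG OS` re-declaration is needed in the same stage because ARG values declared before the first FROM are not visible inside later stages.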

With scratch this should be done in the first stage, as the image will not have mkdir, chown, etc.

roidelapluie (Member) commented Jan 16, 2026

I did not notice this.
I made #17876 which should provide more flexibility and looks simpler by using Google's distroless images. My PR also works with the current CI setup.
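A scratch-based variant that folds in the review points above (nothing that needs a shell runs in the final stage, ARG values re-declared per stage, base image pinned by the digest Scorecard reported), as an added example and not the PR's own Dockerfile or the project's. It assumes the Prometheus build layout `.build/${OS}-${ARCH}/` for the binaries, `LICENSE`, `NOTICE`, `documentation/examples/prometheus.yml` and a prebuilt `npm_licenses.tar.bz2` in the build context, and uid 65534 as the unprivileged runtime user.

```dockerfile
# Added example, not the PR's Dockerfile. Assumed: Prometheus build layout
# .build/${OS}-${ARCH}/, npm_licenses.tar.bz2 in the build context, uid 65534.
ARG ARCH="amd64"
ARG OS="linux"

# Stage 1: a Debian stage that has apt and mkdir. Everything that needs a shell
# happens here; the digest is the one Scorecard reported on this PR.
FROM debian:trixie-slim@sha256:e711a7b30ec1261130d0a121050b4ed81d7fb28aeabcf4ea0c7876d4e9f5aca2 AS prep
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates tzdata \
 && rm -rf /var/lib/apt/lists/*
# Pre-create the runtime directories under a staging root that is copied whole
# into the final image; scratch cannot run mkdir itself.
RUN mkdir -p /rootfs/etc/prometheus /rootfs/prometheus

# Stage 2: scratch holds only what is copied in. ARG values declared before the
# first FROM are not visible inside a stage, so ARCH and OS are re-declared.
FROM scratch
ARG ARCH
ARG OS
LABEL org.opencontainers.image.source="https://github.com/prometheus/prometheus" \
      org.opencontainers.image.licenses="Apache License 2.0"

# CA bundle and zoneinfo are needed for TLS scrapes and timezone handling.
COPY --from=prep /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=prep /usr/share/zoneinfo /usr/share/zoneinfo
# --chown is applied by the builder, so no chown binary is needed in the image.
COPY --from=prep --chown=65534:65534 /rootfs/ /

# Statically linked binaries, licence bundle and default config only.
COPY .build/${OS}-${ARCH}/prometheus /bin/prometheus
COPY .build/${OS}-${ARCH}/promtool   /bin/promtool
COPY npm_licenses.tar.bz2 /npm_licenses.tar.bz2
COPY LICENSE NOTICE /
COPY documentation/examples/prometheus.yml /etc/prometheus/prometheus.yml

# Numeric uid:gid, since scratch has no /etc/passwd to resolve a user name.
USER       65534:65534
EXPOSE     9090
VOLUME     ["/prometheus"]
WORKDIR    /prometheus
ENTRYPOINT ["/bin/prometheus"]
CMD        ["--config.file=/etc/prometheus/prometheus.yml", "--storage.tsdb.path=/prometheus"]
```

Because the final stage contains no shell, a scanner or an attacker landing in the container finds only the two binaries, the CA bundle and zoneinfo; the `--chown` on COPY and the numeric `USER` are what keep `/prometheus` writable without root.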
