Use BASE_IMAGE variable to avoid registry metadata resolution in CI #29

Merged: JAORMX merged 2 commits into main from fix/ci-image-build-auth on Mar 10, 2026
@JAORMX (Contributor) commented Mar 10, 2026

Summary

  • Fix CI "Build Images" workflow failing with 401 Unauthorized when building agent images (claude-code, codex, opencode)
  • The root cause: docker buildx bake resolves FROM image metadata from the registry even when a contexts override points to a locally-built target. Since the GHCR images are private/require auth, the metadata resolution fails with 401 before the contexts redirect can take effect
  • Replace the hardcoded FROM ghcr.io/stacklok/brood-box/base:latest in each Dockerfile with ARG BASE_IMAGE + FROM ${BASE_IMAGE}, and pass the BASE_IMAGE variable from docker-bake.hcl so that bake resolves the base from the locally-built target:base without ever hitting the registry

Changes

  • docker-bake.hcl: Add BASE_IMAGE variable (defaults to ${REGISTRY}/base:latest), pass it as a build arg to each agent target, and use it in the contexts key
  • images/claude-code/Dockerfile: Replace hardcoded FROM with ARG BASE_IMAGE + FROM ${BASE_IMAGE}
  • images/codex/Dockerfile: Same change
  • images/opencode/Dockerfile: Same change

Test plan

  • Verify the "Build Images" CI workflow passes without 401 errors
  • Verify local task image-all still builds successfully
  • Verify standalone docker build of individual Dockerfiles still works (the ARG default preserves the original registry reference as fallback)

🤖 Generated with Claude Code

JAORMX and others added 2 commits March 10, 2026 10:32
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JAORMX JAORMX merged commit cb73f31 into main Mar 10, 2026
7 checks passed
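
The bake wiring described in the PR summary, as an added sketch that is not the repository's actual docker-bake.hcl. Target names, context paths and the REGISTRY default are assumptions inferred from the PR text; the Dockerfile lines are shown as comments.

```hcl
# Added illustration based on the PR description, not the project's file.

variable "REGISTRY" {
  default = "ghcr.io/stacklok/brood-box" # assumed from the original FROM line
}

# Defaults to the registry reference, as the PR describes.
variable "BASE_IMAGE" {
  default = "${REGISTRY}/base:latest"
}

target "base" {
  context = "images/base" # assumed path
}

target "claude-code" {
  context = "images/claude-code"

  # Feeds `ARG BASE_IMAGE` in the Dockerfile, so `FROM ${BASE_IMAGE}`
  # expands to the same string used as the contexts key below.
  args = {
    BASE_IMAGE = BASE_IMAGE
  }

  # Key matches the expanded FROM reference, so the base image comes from
  # the locally built target instead of a registry pull.
  contexts = {
    "${BASE_IMAGE}" = "target:base"
  }
}

# images/claude-code/Dockerfile, per the PR:
#   ARG BASE_IMAGE=ghcr.io/stacklok/brood-box/base:latest
#   FROM ${BASE_IMAGE}
#
# The ARG default keeps a standalone `docker build` working against the
# registry image. The codex and opencode targets follow the same pattern.
```

`docker buildx bake --print claude-code` prints the resolved `args` and `contexts` without building, which is a quick way to confirm that both carry the same image reference.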