Scheduled daily builds to update OS dependencies

Problem

All analyzers are required to move to a daily build/publish of the latest production image. The goal is to get OS base image updates daily to improve the security posture of our analyzer images. The daily build/publish is configured with a scheduled pipeline, allowing the schedule to be adjusted.

The following will change nightly:

  • New image created with latest OS base image packages
  • Publish new image to registry
  • Update tags for current public version, pointing to latest image

The following will NOT change:

  • Changelog will not change
  • Version numbers will not change
  • Unpublished commits will not be published
  • Repository tags will not change

Implementation plan

  1. New variable, scheduled_os_dep_build, to trigger the OS update build
  2. Build latest pub-v prefixed tag (e.g. pub-v3.7.0, pub-v3.7.0-fips)
  3. Find all default-branch conditionals and update if needed for tags
  4. build_base*
    1. Update rules to run for both scheduled_os_dep_build and daily_security_scan
  5. build
    1. If scheduled_os_dep_build, use last pub-v version
      1. git switch TAG
      2. buildtag.sh use latest pub tag instead of incrementing
  6. Create nightly schedule
  7. Identify flaky tests and fix them
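As an added example (not the project's own buildtag.sh or pipeline configuration), the following POSIX shell helper shows how steps 2 and 5 fit together: it resolves the newest pub-v tag for a given variant (plain or -fips) from a tag list and, only when the issue's scheduled_os_dep_build variable is set and the script runs inside a git checkout, switches to that tag instead of incrementing the version. The sample tag list, the VARIANT_SUFFIX argument and the guard at the bottom are constructed assumptions.

```shell
#!/bin/sh
# Added example: choose the latest published pub-v tag for a scheduled
# OS-dependency rebuild rather than bumping the version.

# Constructed stand-in for the output of `git tag --list 'pub-v*'`.
# It deliberately mixes variants, a non-pub tag and a pre-release tag.
SAMPLE_TAGS='pub-v3.7.0
pub-v3.7.0-fips
pub-v3.10.1
pub-v3.10.1-fips
pub-v3.9.2
v3.10.1
pub-v3.10.0-rc1'

# latest_pub_tag VARIANT_SUFFIX  (tags on stdin, one per line)
# Prints the highest pub-vX.Y.Z<suffix> tag, or nothing if none match.
# suffix is "" for the plain image or "-fips" for the FIPS variant.
# Only exact X.Y.Z versions qualify, so rc/pre-release tags are skipped
# and a "-fips" tag is never picked when the plain image was requested.
latest_pub_tag() {
  suffix="$1"
  grep -E "^pub-v[0-9]+\.[0-9]+\.[0-9]+${suffix}\$" \
    | sed -e 's/^pub-v//' -e "s/${suffix}\$//" \
    | sort -t . -k1,1n -k2,2n -k3,3n \
    | tail -n 1 \
    | sed -e 's/^/pub-v/' -e "s/\$/${suffix}/"
}

# latest_pub_tag_from_git VARIANT_SUFFIX
# Same selection, but read from the repository's real tags.
latest_pub_tag_from_git() {
  git tag --list 'pub-v*' | latest_pub_tag "$1"
}

# switch_to_latest_pub_tag VARIANT_SUFFIX
# Detach the checkout at the selected tag so the build reuses the
# published version (step 5.1) instead of incrementing it.
switch_to_latest_pub_tag() {
  tag=$(latest_pub_tag_from_git "$1")
  if [ -z "$tag" ]; then
    echo "no pub-v tag found for variant '${1:-plain}'" >&2
    return 1
  fi
  echo "scheduled OS dependency build: rebuilding $tag" >&2
  git switch --detach "$tag"
}

# Entry point guarded by the pipeline variable from the issue; the
# VARIANT_SUFFIX variable is an assumption for selecting the -fips image.
if [ "${scheduled_os_dep_build:-}" = "true" ] \
   && git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  switch_to_latest_pub_tag "${VARIANT_SUFFIX:-}"
fi
```

In the pipeline itself the build_base* and build jobs would gate on the same variable (for example a GitLab `rules:` entry with `if: $scheduled_os_dep_build`, alongside the existing daily_security_scan condition), and the scheduled pipeline sets scheduled_os_dep_build=true; on every other pipeline the guard is false and the normal version-incrementing path runs unchanged.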
Edited by Michael Eddington