fix: stop emitting only :latest Docker tag (policy compliance)

[ashsolei]

Summary

Removes the tags-override: override in .github/workflows/ci-docker.yml that suppressed the
reusable workflow defaults and caused this fork to publish only the mutable
:latest tag from its CI.

Why

iAiFy policy tags-no-bare-latest
forbids Docker image builds that emit only :latest. Without a
SHA-prefixed or semver tag, rollbacks lose meaning, audit cannot identify
which image ran, and cosign/SBOM attestations have nothing stable to bind to.

What changed

Deleted the tags-override: block so the reusable
Ai-road-4-You/enterprise-ci-cd/.github/workflows/ci-docker.yml applies
its default tag strategy:

type=sha,prefix=sha-
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest,enable={{is_default_branch}}

Test plan

• CI green on this PR.
• After merge: next image push carries both sha-<short> and latest.

Policy

Closes the offender slot for this repo in the
bare-:latest audit.

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: dc0eb5ae-6adb-4485-b075-225d05a2fb01

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/fix-tags-override

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}