Fix security scan issues and harden docker-compose

Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)

KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml

Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)

Also:
- Remove || echo fallback from python_tests (tests should fail pipeline)

docker-compose.yml

@@ -34,6 +34,16 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 3s
+      start_period: 10s
+      retries: 3
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 1g
+    cpus: 1.0
 
   postgres:
     image: containers.global.bsf.tools/postgres:16-alpine
@@ -54,6 +64,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5
 
   minio:
     image: containers.global.bsf.tools/minio/minio:latest
@@ -74,6 +88,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5
 
   minio-init:
     image: containers.global.bsf.tools/minio/mc:latest
@@ -89,6 +107,10 @@ services:
       "
     networks:
       - orchard-network
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 128m
+    cpus: 0.25
 
   redis:
     image: containers.global.bsf.tools/redis:7-alpine
@@ -105,6 +127,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 256m
+    cpus: 0.25
 
 volumes:
   postgres-data: