ci: mirror golang:1.25 alongside python:3.12-slim, switch coraza-spoa FROM

Cloudflare's bot-management incident on 2026-05-12 took out docker.io blob
pulls twice in one day — first for python:3.12-slim (mirrored in 5a2ebf9),
then again for golang:1.25 when the PR 1 coraza-spoa build hit the same
R2-via-Cloudflare failure on the build stage's base image.

Restructure .gitea/workflows/mirror-base-image.yaml into a matrix that
iterates over a list of (src, dst_path, tag) entries. Adding a new base
image is now a one-line matrix entry. fail-fast: false so one image's
upstream being down doesn't block refreshing the others.

Switch coraza-spoa/Dockerfile's build stage FROM to the in-house golang
mirror. Runtime FROM (gcr.io/distroless/static-debian12:nonroot) stays
on upstream — distroless is on Google's registry, separate from Docker
Hub's Cloudflare R2 setup, and didn't fail during today's incident.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

coraza-spoa/Dockerfile

@@ -11,10 +11,12 @@
 
 ARG CORAZA_SPOA_VERSION=v0.7.1
 
-# golang:1.25 from docker.io. Mirror to repo.anhonesthost.net if Cloudflare
-# reliability becomes a recurring concern (the 2026-05-12 incident drove
-# the same mirror for python:3.12-slim in the parent Dockerfile).
-FROM golang:1.25 AS build
+# golang:1.25 from the in-house mirror. The 2026-05-12 Cloudflare incident
+# took out docker.io blob pulls TWICE in one day (first for python:3.12-slim,
+# then for this image's golang:1.25), so both are mirrored at
+# repo.anhonesthost.net via the .gitea/workflows/mirror-base-image.yaml
+# weekly job.
+FROM repo.anhonesthost.net/cloud-hosting-platform/golang:1.25 AS build
 ARG CORAZA_SPOA_VERSION
 WORKDIR /src
 RUN apt-get update \