Previously, we guarded the :latest tag by limiting it to master only,
not merge requests.
Now we need to split this:
- it's safe for merge requests to push to their own SHA; nobody else is
using that SHA
- the merge request tests assume that a docker image is tagged with a
SHA, so the merge request tests require the docker_build step to run.
I'm a bit disappointed I couldn't get this to work in a single step
(hence the undesirable duplication) -- perhaps there's a way to lock
down :latest within a single CI job that I'm missing?
This commit is loosely based off
https://blog.callr.tech/building-docker-images-with-gitlab-ci-best-practices/
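
One way a single job could push the SHA tag for every pipeline and `:latest` only from master, as an added example that is not part of this commit. The function names `tags_to_push` and `push_image` are hypothetical, the `CI_*` names are GitLab's predefined variables, and a prior `docker login` to the registry is assumed.

```shell
#!/bin/sh
# Added example (not the project's CI script): one job, two tag policies.

# tags_to_push <pipeline_source> <commit_branch> <commit_sha>
# Prints one tag per line. Every pipeline may push its own SHA tag;
# "latest" is added only for a branch pipeline on master.
tags_to_push() {
    t_source=$1
    t_branch=$2
    t_sha=$3
    # Accept only a full 40-character lowercase hex SHA, so a crafted value
    # can never be interpreted as a shared tag name such as "latest".
    case $t_sha in
        ''|*[!0-9a-f]*) echo "invalid commit sha" >&2; return 1 ;;
    esac
    [ "${#t_sha}" -eq 40 ] || { echo "invalid commit sha" >&2; return 1; }
    echo "$t_sha"
    # CI_COMMIT_BRANCH is empty in merge request and tag pipelines; the
    # pipeline source is checked as well so either signal blocks "latest".
    if [ "$t_branch" = "master" ] && [ "$t_source" != "merge_request_event" ]; then
        echo "latest"
    fi
}

# push_image: build once, then tag and push whatever the policy allows.
push_image() {
    image=$CI_REGISTRY_IMAGE
    tags=$(tags_to_push "${CI_PIPELINE_SOURCE:-}" "${CI_COMMIT_BRANCH:-}" \
        "${CI_COMMIT_SHA:-}") || return 1
    docker build -t "$image:$CI_COMMIT_SHA" . || return 1
    for tag in $tags; do
        docker tag "$image:$CI_COMMIT_SHA" "$image:$tag" || return 1
        docker push "$image:$tag" || return 1
    done
}

# Only touch Docker when asked to, e.g. `sh build.sh --push` in the CI job.
if [ "${1:-}" = "--push" ]; then
    push_image
fi
```

Because a merge request pipeline runs the CI configuration from its own branch, this check prevents accidental pushes to `:latest` rather than enforcing the rule. Enforcement needs the registry push credential itself limited to protected branches, for example through a protected CI/CD variable.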