image-build: optional token input -> docker login to pull private base images

Org is 'limited' so buildx 401s pulling a private FROM base. Add an optional ci-bot token input; when set, docker/login-action authenticates before build (mirrors image-push). Public-base builds (base = FROM debian) omit it. Removes the need for a separate per-workflow login step.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

action.yaml

@@ -26,6 +26,14 @@ inputs:
       Empty = no test.
     required: false
     default: ''
+  token:
+    description: |
+      ci-bot token (CI_BOT_TOKEN) for `docker login code.fritzlab.net`. Required
+      when the Dockerfile's FROM is a PRIVATE fritzlab image (e.g. FROM
+      code.fritzlab.net/fritzlab/base) — the org is `limited`, so buildx can't pull
+      it anonymously. Omit for public-base builds (e.g. base itself = FROM debian).
+    required: false
+    default: ''
 outputs:
   tag:
     description: Numeric tag assigned to the built image (= github.run_number)
@@ -33,6 +41,16 @@ outputs:
 runs:
   using: composite
   steps:
+    # Authenticate so buildx can pull PRIVATE fritzlab base images (org is
+    # `limited`). No-op when `token` is empty (public-base builds).
+    - name: Log in to code.fritzlab.net
+      if: ${{ inputs.token != '' }}
+      uses: docker/login-action@v3
+      with:
+        registry: code.fritzlab.net
+        username: ci-bot
+        password: ${{ inputs.token }}
+
     - name: Build (load to local docker)
       uses: docker/build-push-action@v6
       with: