Move migration image rollout ownership from Terraform to deploy workflow

[Copilot]

Summary

Terraform was still trying to own mutable Container Apps image tags for the migration job, which made terraform apply fail when expected ACR tags were not present yet. This change keeps Terraform focused on resource shape while deploy owns image rollout with commit-tagged images.

• Terraform ownership boundary

  • infra/migrations.tf
  • Migration job image switched from migrations:latest to migrations:bootstrap
  • Added lifecycle ignore for template[0].container[0].image so Terraform does not manage post-create image rollouts

• Deploy preflight for required bootstrap image

  • .github/workflows/deploy.yml
  • Replaced inline bootstrap build/push logic in the Terraform job with a preflight check
  • Terraform stage now fails early with a clear error when required bootstrap image is missing

• Shared local + CI guardrail

  • infra/scripts/preflight-bootstrap-images.sh
  • New script validates required bootstrap image presence (migrations:bootstrap) in ACR
  • Emits actionable guidance for seeding the image when missing
  • Used by workflow and available for local preflight parity

• Docs update

  • docs/migrations.md
  • Documented bootstrap image contract and preflight usage, and clarified that deploy uses SHA-tagged runtime rollout

resource "azurerm_container_app_job" "migrations" {
  lifecycle {
    ignore_changes = [
      template[0].container[0].image,
    ]
  }

  template {
    container {
      image = "${azurerm_container_registry.main.login_server}/migrations:bootstrap"
    }
  }
}

Checklist

• This PR changes both api/alembic/versions/ AND app code that depends on the new schema. If checked, explain why the split isn't being followed.