container: Optimize layer cache usage

With the addition of ancillary scripts like `entrypoint.sh`, the `COPY .`
instruction in the build stage results in a full rebuild of the final
image for every change.  To avoid this, we now only copy the files that
are actually required to build the wheel.  The other scripts are copied
later, using an intermediate layer.  This avoids needing a `COPY`
instruction, and therefore a new layer in the final image, for each
script.  Hypothetically, we could use `RUN --mount=bind` and copy the
files with the `install` command, but bind-mounting the build context
doesn't actually work; SELinux prevents the container builder from
accessing the source directory directly.

Containerfile

@@ -18,10 +18,19 @@ RUN --mount=type=cache,target=/var/cache \
 		python3-wheel \
 	&& :
 
-COPY . /src
+COPY .git /src/.git
+COPY xactfetch.py pyproject.toml /src
 
 RUN python3 -m pip wheel -w /wheels /src
 
+
+FROM scratch AS mixin
+
+COPY pinentry-stub.sh /usr/local/bin/pinentry-stub
+
+COPY entrypoint.sh /entrypoint.sh
+
+
 FROM git.pyrocufflink.net/containerimages/dch-base
 
 RUN --mount=type=cache,target=/var/cache \
@@ -66,11 +75,11 @@ ENV PLAYWRIGHT_BROWSERS_PATH=/usr/local/playwright/browsers
 RUN --mount=type=bind,from=build,source=/,target=/build \
 	python3 -m pip install --no-index -f /build/wheels xactfetch \
 	&& cp /build/root/.cargo/bin/rbw* /usr/local/bin/ \
-	&& install /build/src/pinentry-stub.sh /usr/local/bin/pinentry-stub \
-	&& install /build/src/entrypoint.sh /entrypoint.sh \
 	&& playwright install chromium \
 	&& :
 
+COPY --from=mixin / /
+
 VOLUME /var/lib/xactfetch
 
 WORKDIR /var/lib/xactfetch