fix: confine Docker copy dependency sources #10074

Open

fsabiu wants to merge 2 commits into GoogleContainerTools:main from fsabiu:fix-docker-copy-source-context

Conversation

fsabiu commented May 3, 2026

Description

Confine Dockerfile COPY and ADD dependency sources to the configured
Skaffold build context before dependency walking or build-context packaging.

Skaffold already treats these sources as relative to the build context. This
change makes that boundary explicit by resolving each source against the
workspace and rejecting any source that resolves outside it.

The new regression coverage checks both:

  • a direct parent-path source in the project Dockerfile;
  • a parent-path source inherited from base-image ONBUILD metadata.

User Facing Changes

Skaffold now returns an error when a Dockerfile COPY or ADD source resolves
outside the artifact build context instead of treating the outside path as a
dependency.

Tests

go test ./pkg/skaffold/docker
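The confinement the description outlines, as an added Go example (not the PR's own code): a source is joined onto the absolute build context, cleaned, and rejected if the relative result climbs above the context. The function name `resolveCopySourceInWorkspace` is taken from the review comment on this PR; its body and the `confineCopySources` wrapper are assumptions for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// resolveCopySourceInWorkspace resolves a Dockerfile COPY/ADD source against an absolute
// build-context directory and rejects any source whose cleaned path leaves it (name from
// the PR discussion; the body is an added illustration, not Skaffold's own code).
func resolveCopySourceInWorkspace(absWorkspace, source string) (string, error) {
	// Docker treats COPY/ADD sources as relative to the context root even when they
	// start with "/", so a leading slash is dropped rather than honoured.
	trimmed := strings.TrimLeft(filepath.ToSlash(source), "/")
	resolved := filepath.Join(absWorkspace, filepath.FromSlash(trimmed)) // Join cleans ".." segments
	rel, err := filepath.Rel(absWorkspace, resolved)
	if err != nil {
		return "", err
	}
	// A relative result starting with ".." means the cleaned source escaped the context.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("COPY/ADD source %q resolves outside build context %q", source, absWorkspace)
	}
	return resolved, nil
}

// confineCopySources checks every source collected from a Dockerfile, including those
// inherited from base-image ONBUILD triggers. The workspace is made absolute once,
// outside the loop. The check is lexical: symlinks inside the context are not followed.
func confineCopySources(workspace string, sources []string) ([]string, error) {
	absWorkspace, err := filepath.Abs(workspace)
	if err != nil {
		return nil, err
	}
	resolved := make([]string, 0, len(sources))
	for _, src := range sources {
		p, err := resolveCopySourceInWorkspace(absWorkspace, src)
		if err != nil {
			return nil, err
		}
		resolved = append(resolved, p)
	}
	return resolved, nil
}

func main() { // constructed sample: the last source escapes the context
	out, err := confineCopySources("/tmp/build-context", []string{"app/main.go", "/conf/app.yaml", "../secret.txt"})
	fmt.Printf("resolved=%v err=%v\n", out, err)
}
```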

@fsabiu fsabiu requested a review from a team as a code owner May 3, 2026 13:30
google-cla Bot commented May 3, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request implements validation to prevent Docker COPY commands from accessing files outside the build context. It introduces a new helper function resolveCopySourceInWorkspace to validate and resolve source paths, and includes unit tests to ensure that paths resolving outside the workspace are correctly rejected. Feedback was provided regarding a performance improvement to avoid redundant absolute path calculations for the workspace within loops.
