
Pin Docker version in devcontainer #21482

Merged: geropl merged 1 commit into main from ona/devcontainer-setup, Jun 12, 2026

geropl (Member) commented Jun 12, 2026

Summary

Pins the docker-in-docker devcontainer feature to Docker/Moby 28 instead of allowing the feature to install the current latest engine.

The current unpinned setup installed Moby 29.4.3 with containerd 2.3.0. In this Ona environment, the feature-generated docker-init.sh left dockerd unable to connect to its managed containerd process, causing Docker commands to fail with Cannot connect to the Docker daemon at unix:///var/run/docker.sock.

Validation

  • gitpod environment devcontainer validate .devcontainer/devcontainer.json
  • gitpod automations validate .gitpod/automations.yaml

Rebuild notes

I attempted devcontainer rebuilds after the config change. The Docker feature install step completed, but the runner failed during BuildKit image export with a containerd ref lock:

failed to open writer: ref moby/1/bf70s19s2cw173yz22okwy4dl locked ... unavailable

That failure happens after the devcontainer feature installation and appears to be a runner-side image export/cache issue rather than a schema or Docker configuration error.

Co-authored-by: Codex <noreply@openai.com>
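
An added example, not part of the PR or the repository: a check that flags a docker-in-docker feature entry whose engine version is left at the default `latest`, the unpinned state the summary above describes. The feature id, the option value `"28"` and both sample files are assumptions, since the diff is not shown on this page.

```python
import json
import re

# Public feature id (assumed; the PR's diff is not shown on this page).
DIND = "ghcr.io/devcontainers/features/docker-in-docker"
_STRING = r'"(?:\\.|[^"\\])*"'

def strip_jsonc(text):
    """devcontainer.json is JSONC: drop comments and trailing commas, keep strings."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(_STRING + r"|,(?=\s*[}\]])", keep, text)

def floating_engine_pins(devcontainer_text):
    """List docker-in-docker entries whose engine version is left to 'latest'."""
    config = json.loads(strip_jsonc(devcontainer_text))
    findings = []
    for ref, options in config.get("features", {}).items():
        base = ref.split("@", 1)[0].lower()
        if base != DIND and not base.startswith(DIND + ":"):
            continue
        if isinstance(options, str):      # string shorthand maps to "version"
            version = options
        elif isinstance(options, dict):
            version = str(options.get("version", "latest"))
        else:                             # e.g. true: all defaults
            version = "latest"
        if version.strip().lower() in ("", "latest"):
            findings.append(f"{ref}: engine version is not pinned ({version!r})")
    return findings

# Constructed samples, not the repository's actual file.
UNPINNED = """{
  // feature tag is fixed, but the engine inside it still floats
  "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": {}, },
}"""
PINNED = """{
  "features": {
    "ghcr.io/devcontainers/features/docker-in-docker:2": { "version": "28" }
  }
}"""

if __name__ == "__main__":
    for label, text in (("unpinned", UNPINNED), ("pinned", PINNED)):
        print(label, floating_engine_pins(text) or "ok")
```

Fixing the feature tag (`:2`) does not fix the engine it installs, which is why the check looks at the `version` option rather than the tag.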
@ona-integrations

Reviewed the changes. Implementation looks solid: good code quality, appropriate test coverage, and follows established patterns. No significant concerns. The version pin is a clean, targeted fix that makes the dev environment more deterministic than the prior unpinned state.

Docs review: ran a docs-drift check (code-only PR); no documentation updates are required, as this is internal contributor dev-environment configuration with no user-visible, API, CLI, or operational impact.

Low-risk determination: Escalate to human review
This change does not meet all low-risk criteria or has review findings requiring human attention before merge.

  • Size: Pass — additions (3) + deletions (1) = 4 lines, far below the 1,000-line threshold.
  • Protobuf: Pass — No protobuf (.proto) definitions added or modified; only .devcontainer/devcontainer.json changed.
  • Database migrations: Pass — No database migration files added or modified.
  • Infrastructure/CI: Fail — .devcontainer/devcontainer.json is development-environment/platform configuration. The PR pins the docker-in-docker feature engine to Docker/Moby 28, changing the container runtime provisioned for every contributor's dev environment. This counts as platform/infrastructure configuration being modified, which fails this criterion.
  • Auth and authorisation: Pass — No auth, RBAC, roles, permissions, scopes, policies, guards, ACLs, route protection, session handling, or entitlement checks touched. The change is a devcontainer feature version pin.
  • Audit logging and monitoring: Pass — No audit logging, monitoring, metrics, tracing, alerting, or observability configuration affected.

ona-integrations (Bot) added the human-review-required label (Ona code review: escalated for human review; does not meet low-risk auto-approval criteria) Jun 12, 2026
geropl enabled auto-merge (squash) June 12, 2026 12:31
geropl merged commit 3bda275 into main Jun 12, 2026
14 checks passed
geropl deleted the ona/devcontainer-setup branch June 12, 2026 12:37