Add ACR cache-hit checks to avoid Docker Hub rate limits on Nexus image pulls#4918

Draft
Copilot wants to merge 2 commits into main from copilot/reexamine-nexus-image-pull-process

Contributor

Copilot AI commented May 27, 2026

Every pipeline run unconditionally calls az acr import for the Nexus image, hitting Docker Hub even when the image is already cached in ACR. This causes intermittent 429: TOOMANYREQUESTS failures that block CI for up to 6 hours.

What is being addressed

  • bundle_runtime_image_build.sh always imports from Docker Hub on every publish, regardless of whether the image already exists in ACR.
  • deploy_nexus_container.sh proceeds directly to docker pull with no preflight check, giving a confusing retry-then-timeout failure if the image was never imported.

How is this addressed

  • devops/scripts/bundle_runtime_image_build.sh — before az acr import, query ACR for the target tag and skip the import if it already exists:

    if az acr repository show-tags \
      --name "${ACR_NAME}" \
      --repository "${image_name}" \
      --query "[?@=='${version}'] | [0]" \
      --output tsv 2>/dev/null | grep -qx "${version}"; then
      echo "Image ${image_name}:${version} already exists in ACR ${ACR_NAME}; skipping import"
      exit 0
    fi

    Query errors (repository not yet created, transient network blip) are suppressed so execution falls through to the import, which will surface real auth/network failures.

  • templates/shared_services/sonatype-nexus-vm/scripts/deploy_nexus_container.sh — after ACR login succeeds, run docker manifest inspect before entering the pull retry loop. Exits immediately with a clear diagnostic if the image is absent:

    if ! docker manifest inspect "$NEXUS_IMAGE" > /dev/null 2>&1; then
      echo "ERROR - Image $NEXUS_IMAGE is missing from ACR ${ACR_NAME}. Ensure the bundle was published with the correct image tag."
      exit 1
    fi

- devops/scripts/bundle_runtime_image_build.sh: before az acr import,
  query ACR for the target tag; skip the import if it already exists.
  Errors from the query (e.g. repository not yet created) are suppressed
  intentionally so that any real auth/network failure is surfaced by the
  subsequent az acr import command.

- templates/shared_services/sonatype-nexus-vm/scripts/deploy_nexus_container.sh:
  after successful ACR login, run `docker manifest inspect` on the target
  image; exit immediately with a clear diagnostic message if the image is
  absent from ACR instead of silently falling back to Docker Hub.
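
Added example, not part of this PR or the AzureTRE code base: a variant of the cache-hit check described above that reports a failed tag query separately from an absent tag while still falling through to the import, and matches the tag client-side as a fixed string. `LIST_TAGS_CMD`, `list_tags`, `import_decision`, `fake_registry` and the registry, repository and tag values are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example, not the PR's code. Assumed/hypothetical names: LIST_TAGS_CMD,
# list_tags, import_decision, fake_registry, and all registry/repository/tag values.

# Real query: one tag per line on stdout, non-zero exit if the query fails.
list_tags() {  # args: REGISTRY REPOSITORY
  az acr repository show-tags --name "$1" --repository "$2" --output tsv
}

# Constructed stand-in for a registry so the decision logic runs offline.
fake_registry() {  # args: REGISTRY REPOSITORY
  case "$2" in
    example/nexus) printf '%s\n' 3.70.1 3.70.10 latest ;;
    *) echo "repository not found" >&2; return 3 ;;
  esac
}

# import_decision REGISTRY REPOSITORY VERSION
# Prints one of:
#   skip                      tag is already in the registry
#   import                    query succeeded, tag is absent
#   import-after-query-error  query failed; import anyway so the import step
#                             surfaces any real auth/network failure
import_decision() {
  if [ -z "$3" ]; then
    echo "import_decision: empty version" >&2
    return 2
  fi
  id_rc=0
  id_tags="$("${LIST_TAGS_CMD:-list_tags}" "$1" "$2" 2>/dev/null)" || id_rc=$?
  if [ "$id_rc" -ne 0 ]; then
    echo "import-after-query-error"
  # -x whole line, -F fixed string: "3.70.1" must not match "3.70.10" or "3x70y1"
  elif printf '%s\n' "$id_tags" | grep -qxF -- "$3"; then
    echo "skip"
  else
    echo "import"
  fi
}

# Demo against the constructed registry; leave LIST_TAGS_CMD unset to use az.
LIST_TAGS_CMD=fake_registry
import_decision demoacr example/nexus 3.70.1      # cached tag
import_decision demoacr example/nexus 3.70        # prefix of a cached tag
import_decision demoacr example/missing 3.70.1    # query fails
```

A caller can log the third outcome before running the import, so a run of query failures shows up in pipeline output instead of looking like a cache miss.
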

Copilot AI changed the title from "[WIP] Reexamine Nexus image pull process due to rate limits" to "Add ACR cache-hit checks to avoid Docker Hub rate limits on Nexus image pulls" on May 27, 2026
Copilot AI requested a review from rudolphjacksonm May 27, 2026 14:37
@microsoft microsoft deleted a comment from github-actions Bot May 27, 2026
@rudolphjacksonm
Collaborator

/test-extended 84b2c45

@github-actions

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/26521694588 (with refid d8e27863)

(in response to this comment from @rudolphjacksonm)

Development

Successfully merging this pull request may close these issues.

Reexamine Nexus image pull process
