But in this case the bootstrap step must be done in the production machine, this kinda defeats the purpose of pushing a base image to a container registry, if I’m not mistaken (because this would be done with the intention of not having to bootstrap an image in production, except maybe to run a db migration step or something like that).
This is what I do in non discourse sites I host, I normally use flyway to run migrations in the db, along with some other stuff like emptying the redis cache, but without running other intensive processes, especially ones that depends on external services, like updating https certificates (I would do in a cronjob, except the 1st time, which is fine), or changing the codebase (this would be static in the image, like packages, libraries, and other stuff). It seems discourse uses rake which is fine, but it does other stuff like installing gems, generating assets, updating maxmind db and maybe other services (which would break the rebuild step if, for example, the service is down, or if they change the API, which is rare but could happen).
I’m not saying that discourse should do that way, of course, but generating an image in a CI environment and just running a db migration step in staging/production servers, along with defining the environment variables, is what I would expect, and is easily achievable with other softwares like Wordpress, Mediawiki, Rocketchat, etc… Discourse is the best software for forums IMO, and they might have good reasons to do it the way they do, but for now I would only use the standard install (or multicontainer install) to avoid headaches and just hope that nothing goes wrong with rebuilds.
It seems like the bootstrap should still be done in a production environment, and not in a CI environment to generate a base image to use in both a staging and production environment. Furthermore, not being a standard install is a huge red flag, that can became a headache in the future as the software receives updates.