Avoid pulling from DockerHub in CI

DockerHub has started rate-limiting requests from the same IP, so the GNOME GitLab CI runners often run above this limit and jobs start failing. Instead, use CI templates to build images and store them in GNOME GitLab's own container registry.

This change is unfortunately difficult to separate from a bunch of tweaks and small bug fixes, because we are forced to upgrade to a newer version of cppcheck (1.90) than the one that we had previously used from the cppcheck image on DockerHub. On the plus side, cppcheck now catches a lot more stuff, and so will be more useful, but on the minus side we have to fix all the stuff that the new version catches, in the same merge request.