Recommend pulling during each CI stage

From Slack conversation, we should recommend docker build --pull -t $CONTAINER_TEST_IMAGE . so that if people are using docker caches on their runners, it’ll fetch fresh dependencies. It takes slightly longer, but means you don’t get stuck without security patches to base images.

Likewise, if you're not using unique image tags, then:

    - docker pull $CONTAINER_TEST_IMAGE
    - docker run $CONTAINER_TEST_IMAGE echo "test1"

[Using the git SHA in your image tag should make this unnecessary since each build will be unique and you shouldn't ever have a stale image. But doing an explicit pull before run probably doesn't add much time either.]

Admin message

Admin message

Recommend pulling during each CI stage