BuildKit has been the default builder since Docker Engine 23.0 (Feb 2023),
so prefixing the example build commands with DOCKER_BUILDKIT=1 is redundant
on any supported install. Replace the prefix with an explicit prerequisite
note so the requirement lives with the user's environment, not the example.
The build relies on BuildKit secret mounts (--secret) to keep apps.json
tokens out of image layers, which is why a real BuildKit-default engine
is mandatory rather than merely recommended.
Addresses review feedback on PR #1861.
APPS_JSON_BASE64 is stored in image layer metadata, permanently exposing
private repo tokens (GitHub PATs) to anyone with image pull access.
Replace --build-arg with --mount=type=secret so that apps.json is only
available during the RUN step and never committed to any layer.
Refs: https://docs.docker.com/reference/build-checks/secrets-used-in-arg-or-env/
