Avoid pushing new manifest for every build
This is a great project, however I think there's an important pitfall: every time the CI pipeline runs, it will build a new image and push it unconditionally to the registry, even if the actual contents of the image differ only by timestamps.
While this may not be detrimental in CI or even for the registry, it's not good for downstream users: those who set up their container to auto-upgrade will receive daily upgrades, and thus the service will also restart on a daily basis.
The way we solved this in tpo/tpa/base-images is to use the mtree tool to actually compare the contents of the newly built image with the registry image's contents, and only trigger a push when there are real differences (e.g. new files, different checksums, etc.). The code that we use for this is here: https://gitlab.torproject.org/tpo/tpa/base-images/-/blob/main/.gitlab-ci.yml?ref_type=heads#L105-115
I'd be happy to help implement this here if you'd like.
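The comparison step described above, written out as an added shell example (this is not the tpo/tpa/base-images CI code nor part of this project): it assumes the freshly built image and the registry image have already been exported to two directories (for instance with `docker create` + `docker export | tar -x`), and it substitutes `find` + `sha256sum` for mtree so it runs without extra tools. The manifest records type, mode, path and content hash (or link target) and deliberately leaves out mtimes, so two builds that differ only by timestamps compare equal and the push is skipped. The `manifest`, `images_differ` and `decide_push` names are this example's own.

```shell
#!/bin/sh
# Added example: skip the registry push when the image contents are unchanged.
# Assumption: $1 and $2 are root filesystems already exported from the newly
# built image and from the registry image. GNU find/coreutils are assumed.

# manifest DIR: one line per entry "type mode path sum", sorted deterministically.
# Regular files get a sha256 of their content, symlinks their target, other
# entries "-". No timestamps are recorded, which is the whole point.
manifest() {
  dir="$1"
  (
    cd "$dir" || exit 1
    find . -printf '%y %m %p\n' | LC_ALL=C sort | while read -r type mode path; do
      case "$type" in
        f) sum=$(sha256sum "$path" | cut -d' ' -f1) ;;
        l) sum=$(readlink "$path") ;;
        *) sum=- ;;
      esac
      printf '%s %s %s %s\n' "$type" "$mode" "$path" "$sum"
    done
  )
}

# images_differ NEW_ROOT OLD_ROOT: exit 0 when the content differs, 1 when the
# two trees are identical apart from timestamps.
images_differ() {
  a=$(mktemp) || return 2
  b=$(mktemp) || return 2
  manifest "$1" > "$a"
  manifest "$2" > "$b"
  if cmp -s "$a" "$b"; then
    rc=1
  else
    rc=0
  fi
  rm -f "$a" "$b"
  return "$rc"
}

# decide_push NEW_ROOT OLD_ROOT: print "push" or "skip" for use in a CI job,
# e.g.  [ "$(decide_push new old)" = push ] && docker push "$IMAGE"
decide_push() {
  if images_differ "$1" "$2"; then
    echo push
  else
    echo skip
  fi
}
```

In a CI job the `skip` branch is where a daily rebuild that changed nothing but timestamps ends, so auto-upgrading consumers never see a new tag; adding a file, changing a mode or altering content flips the result to `push`.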