
Enable docker digest pinning #124

Merged
merged 3 commits into from
Sep 10, 2024

Conversation

AaronMoat
Contributor

This is important for reproducible builds.

It's a best practice per Renovate, and they have a good explanation here: https://docs.renovatebot.com/docker/#digest-pinning.

> Digest Pinning
>
> We recommend that you pin your Docker images to an exact digest. By pinning to a digest you make your Docker builds immutable, every time you do a pull you get the same content.
>
> If you work with dependencies in the JavaScript/npm ecosystem, you may be used to exact versions being immutable. For example, if you set a version like 2.0.1, you and your colleagues always get the exact same "code".
>
> Docker's tags are not immutable versions, even if tags look like a version. You probably expect myimage:1 and myimage:1.2 to change over time, but you might incorrectly assume that myimage:1.2.0 never changes. Although it probably shouldn't, the reality is that any Docker image tag can change content, and potentially break.
>
> By replacing Docker tags with Docker digests as the image's primary identifier you'll get immutable builds. Working with strings like FROM node@sha256:d938c1761e3afbae9242848ffbb95b9cc1cb0a24d889f8bd955204d347a7266e is hard. Luckily Renovate can update the digests for you.
>
> When pinning a digest, Renovate retains the Docker tag in the FROM line for readability, like this: FROM node:14.15.1@sha256:d938c1761e3afbae9242848ffbb95b9cc1cb0a24d889f8bd955204d347a7266e.
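A check for the property the PR description argues for, added here as an example and not code from this PR or from Renovate: it scans a Dockerfile's `FROM` lines and reports every registry image that is not pinned to a `@sha256:` digest, in the `name:tag@sha256:...` form Renovate writes. The Dockerfile content is constructed for the example; stage names and `scratch` are skipped because they are not registry pulls.

```python
import re

# Constructed sample Dockerfile for the example: a mix of pinned and unpinned bases.
SAMPLE_DOCKERFILE = """\
FROM node:14.15.1@sha256:d938c1761e3afbae9242848ffbb95b9cc1cb0a24d889f8bd955204d347a7266e AS build
FROM --platform=linux/amd64 alpine:3.20
FROM scratch
FROM build AS test
from python:3.12-slim
"""

# FROM [--flag ...] <reference> [AS <stage>]  (Dockerfile keywords are case-insensitive)
_FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
# A pinned reference ends in a full sha256 digest.
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def split_reference(ref: str):
    """Split 'name[:tag][@sha256:...]' into (name, tag, digest); absent parts are None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    # A ':' after the last '/' separates the tag; before it, it is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    return name, tag, digest


def find_unpinned_images(dockerfile: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for each FROM that pulls an image without a digest."""
    stages: set[str] = set()
    unpinned: list[tuple[int, str]] = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage)
        # 'scratch' and earlier build stages are not registry pulls; nothing to pin.
        if ref == "scratch" or ref in stages:
            continue
        if not _DIGEST_RE.search(ref):
            unpinned.append((lineno, ref))
    return unpinned


if __name__ == "__main__":
    for lineno, ref in find_unpinned_images(SAMPLE_DOCKERFILE):
        name, tag, _ = split_reference(ref)
        print(f"line {lineno}: {name}:{tag or 'latest'} is not digest-pinned")
```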

@AaronMoat AaronMoat requested a review from a team as a code owner September 2, 2024 02:00
Member

@72636c 72636c left a comment


This makes perfect sense if we can keep the review load manageable (automerge? 🌶️)

@AaronMoat
Contributor Author

Ah yeah we might need a new schedule. This change only turns on pinning, but more updates could get triggered as a result of the pin. I'll monitor internally to confirm before merging this :)

@AaronMoat
Contributor Author

I've added a weekly automerge schedule; there was no need to change the non-critical as it's caught by the "all dependencies" group explicitly with matchUpdateTypes including digest.

@AaronMoat AaronMoat merged commit 63a1616 into master Sep 10, 2024
2 checks passed
@AaronMoat AaronMoat deleted the docker-digests branch September 10, 2024 01:07