Renovate: auto-update container image when it is updated.
Because Debian bookworm periodically gets security updates, the container in the tpo/tpa/container-images registry is updated with a new image when that happens. We want to rebuild against that new image when it changes.
In order to do that:
- set the current digest of the current container image in the registry
- configure renovate to track docker digests
- configure renovate to auto-merge docker digest changes if they are from our registry
- configure renovate to not auto-merge docker digest changes otherwise