Pin base image digests and add Renovate for automated updates

Renovate will open PRs automatically when debian:bookworm-slim or
debian:sid-slim receive updates (e.g. security patches), keeping the
container current without relying solely on scheduled rebuilds.

.github/workflows/build.yaml

@@ -98,9 +98,9 @@ jobs:
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
           # debian:bookworm-slim has no riscv64 image; fall back to sid-slim for that platform
           if [ "$platform" = "linux/riscv64" ]; then
-            echo "RUNTIME_IMAGE=debian:sid-slim" >> $GITHUB_ENV
+            echo "RUNTIME_IMAGE=debian:sid-slim@sha256:a145cf2bc72431523b8f5d152e9cbcc20cfaeccdb7626802f5ce6fb31a6f58bb" >> $GITHUB_ENV
           else
-            echo "RUNTIME_IMAGE=debian:bookworm-slim" >> $GITHUB_ENV
+            echo "RUNTIME_IMAGE=debian:bookworm-slim@sha256:74a21da88cf4b2e8fde34558376153c5cd80b00ca81da2e659387e76524edc73" >> $GITHUB_ENV
           fi
 
       - name: Set version

build/Dockerfile

@@ -1,10 +1,10 @@
 # ARG before any FROM is global and available in FROM instructions.
 # debian:bookworm-slim is the default; the workflow overrides to debian:sid-slim for riscv64
 # since bookworm has no riscv64 image.
-ARG RUNTIME_IMAGE=debian:bookworm-slim
+ARG RUNTIME_IMAGE=debian:bookworm-slim@sha256:74a21da88cf4b2e8fde34558376153c5cd80b00ca81da2e659387e76524edc73
 
 # debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).
-FROM debian:sid-slim AS build
+FROM debian:sid-slim@sha256:a145cf2bc72431523b8f5d152e9cbcc20cfaeccdb7626802f5ce6fb31a6f58bb AS build
 
 ARG version
 

renovate.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "docker": {
+    "pinDigests": true
+  },
+  "packageRules": [
+    {
+      "matchManagers": ["dockerfile"],
+      "matchPackageNames": ["debian"],
+      "commitMessageTopic": "debian base image",
+      "schedule": ["at any time"]
+    }
+  ]
+}