renovate: automerge updates to Dockerfile

[nadiamoe]

Together with release-on-main-push, this should make most of this repo maintenance free, other than updating actions.

[mem]

Uhm...

The whole story behind pinning sha's is that if a bad actor breaks into whatever, they might be able to republish an artifact under the same version but with a different sha.

Renovate will update the sha if it changes (without the version changing), won't it?

So letting it automerge that kind of change is counter to the idea of pinned versions providing a safety net against that scenario, isn't it?

[nadiamoe]

The whole story behind pinning sha's is that if a bad actor breaks into whatever, they might be able to republish an artifact under the same version but with a different sha.

That is one way to see it. The way I see it, which I think it's more pragmatic, is that I get updates from people who push over an existing tag. There are valid and less valid reasons to do it, but the sheer reality is that people do it anyway.

Renovate will update the sha if it changes (without the version changing), won't it?

Yes

So letting it automerge that kind of change is counter to the idea of pinned versions providing a safety net against that scenario, isn't it?

Yes, it's a tradeoff I'm taking. I think the security losses are minimal compared with the benefits we get from hands-off maintenance, but we can discuss that.

On the question of "why bother SHA pinning if we're automerging", I think it's better to have it pinned regardless. Not only for the reason outlined above (we get upgrades if someone willingly retags), but because that event is logged, tested, and revertable.