We're currently using labels in our dockerfiles for things like the golang builder and the base ubi9 minimal image.

However this has some disadvantages:

• We will only get new base image updates when a build happens (it is not triggered by a new base image being available)
• We don't know what base image is used without inspecting the logs or the image itself - if we have the digest in our code we can see exactly what digests are used more easily

Would like to be able to use the renovate recommended digest pinning where we provide both a label and a digest to give renovate a label to follow: https://docs.renovatebot.com/docker/#digest-pinning