All container refs in the index container should use pinned digests.

This includes (but is not limited to):

• catalog entities (which will be handled in 1.10 when we switch away from using wrappers by default), so out of scope of this issue
• generated dynamic-plugins.default.yaml (where we have currently tag references, we should have digests)
• index.json (where we have currently tag references, we should have digests)

If we can use :tag@sha256:digest format like in containerfiles, eg., registry.access.redhat.com/ubi9/go-toolset:9.7-1763038106@sha256:380d6de9bbc5a42ca13d425be99958fb397317664bb8a00e49d464e62cc8566c, great!

Armel: Only the @sha256:digest format is acceptable, as skopeo does not support this format.

If not, we can use @sha256:digest format, and provide a nearby comment one line above in the yaml files that exposes the tag for easier legibility.

We could also have comment with the build's timestamp for additional metadata to help support and debugging.