fix(deps): adjust creation of chart README.md (open-component-model#1905)

<!-- markdownlint-disable MD041 -->
#### What this PR does / why we need it

open-component-model#1881
fails because it updates the image tag with pinned digest in the
README.md. This is unwanted behaviour because it makes the README.md
unreadable. The adjustment in the Task `helm/docs` remove any pinned
digest from the README.md

#### Which issue(s) this PR fixes

Fixes and supersedes
open-component-model#1881

#### Testing

Check out this branch and run `task helm/docs` in
`kubernetes/controller`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Pinned external dependencies and container images to specific
versions, ensuring reproducible builds, enhanced security through image
immutability, and consistent deployments across all environments.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Frederic Wilhelm <frederic.wilhelm@sap.com>
Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com>
Co-authored-by: Gerald Morrison <67469729+morri-son@users.noreply.github.com>

Author: 3 people

.github/workflows/conformance.yml

@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: conformance/scenarios/sovereign
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: conformance/scenarios/sovereign/components/notes/go.mod
       - name: Install Task

conformance/scenarios/sovereign/components/notes/Dockerfile

@@ -1,5 +1,5 @@
 # Multi-stage build for sovereign-notes application
-FROM golang:1.25-alpine AS builder
+FROM golang:1.25-alpine@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
 
 # Set working directory
 WORKDIR /app

conformance/scenarios/sovereign/components/postgres/deploy/chart/values.yaml

@@ -4,7 +4,7 @@ replicaCount: 1
 image:
   repository: postgres
   pullPolicy: IfNotPresent
-  tag: "18"
+  tag: "18@sha256:69e8582b781cb44fa4557b98ed586fe68361e320d9b12f9707494335634f4f3d"
 
 nameOverride: ""
 fullnameOverride: "postgres"

kubernetes/controller/Taskfile.yml

@@ -216,7 +216,11 @@ tasks:
     desc: "Generate Helm chart documentation"
     deps: [helm-docs]
     dir: chart
-    cmd: '"{{.HELM_DOCS}}"'
+    cmds:
+      - '"{{.HELM_DOCS}}"'
+      # Strip SHA digests from README.md for cleaner documentation
+      # The digest is kept in values.yaml for security, but removed from docs for readability
+      - sed -i'' -e 's/@sha256:[a-f0-9]\{64\}//g' README.md
     sources:
       - chart/values.yaml
       - chart/README.md

kubernetes/controller/chart/values.yaml

@@ -12,7 +12,7 @@ manager:
     # -- Controller image repository
     repository: ghcr.io/open-component-model/kubernetes/controller
     # -- Controller image tag
-    tag: latest
+    tag: latest@sha256:5580df055651f7d28557d502157d29d6b11bc7b303d110dd9e605220b1481759
     # -- Image pull policy
     pullPolicy: IfNotPresent
   ## Controller concurrency settings