Finalize smoke-runner image and task image digest pins #61

@mdheller

Summary

Replace all REPLACE_WITH_VERIFIED_DIGEST placeholders in the SourceOS smoke-runner image lane with verified known-good digests.

This follows the merged release-lane scaffolds:

Scope

Resolve and pin digests for:

  • images/sourceos-smoke-runner/image-policy.yaml base image
  • images/sourceos-smoke-runner/task-image-policy.yaml task images
  • Tekton pipeline defaults where release-grade enforcement requires digest-pinned refs

Task images to verify:

  • Buildah image
  • Syft image
  • Grype image
  • Cosign image
  • Skopeo image(s)
  • BusyBox/utility image

Acceptance criteria

  • Verified base image digest replaces REPLACE_WITH_VERIFIED_DIGEST in image-policy.yaml
  • Verified task image digests replace REPLACE_WITH_VERIFIED_DIGEST in task-image-policy.yaml
  • Pipeline defaults are updated or documented so release-grade runs use digest-pinned refs
  • A digest-resolution receipt from the pipeline is attached or referenced in the PR
  • No unverified digest values are committed
  • Documentation explains how to refresh digests safely

Non-goals

  • Do not change SourceOS catalog publication authority in this issue
  • Do not enable release promotion automatically
  • Do not introduce proprietary tooling

Progress impact

Completing this moves the OS build substrate v0 from ~99% to effectively complete for digest policy enforcement.
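
An added example, not part of the issue or the SourceOS repository: a pre-merge check for the first two acceptance criteria that flags leftover placeholders, tag-only references and malformed digests in a policy file. The `image:` key, the `registry.example` references and the sample policy are assumptions, since the issue does not show the policy schema; the check covers only the form of a reference, not whether the digest was verified.

```python
import re
import sys

PLACEHOLDER = "REPLACE_WITH_VERIFIED_DIGEST"  # placeholder string named in the issue
# Assumption: image references are values of a key called "image".
IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^\s'\"#]+)")
# A reference counts as pinned only if it ends in a full sha256 digest.
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit(text):
    """Return (line number, reason) for every line that fails the pin policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PLACEHOLDER in line:          # unresolved placeholder anywhere in the file
            findings.append((lineno, "placeholder"))
            continue
        match = IMAGE_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if "@" not in ref:               # mutable tag, no digest at all
            findings.append((lineno, "tag-only"))
        elif not PINNED.search(ref):     # digest present but truncated or wrong algorithm
            findings.append((lineno, "malformed-digest"))
    return findings


GOOD = "a" * 64  # constructed digest, does not identify a real image
# Constructed sample policy; names and layout are hypothetical.
SAMPLE_POLICY = f"""\
taskImages:
  - name: buildah
    image: registry.example/buildah@sha256:{PLACEHOLDER}
  - name: syft
    image: registry.example/syft:1.0
  - name: cosign
    image: registry.example/cosign@sha256:{GOOD}
  - name: skopeo
    image: registry.example/skopeo:1.0@sha256:{GOOD[:12]}
"""

if __name__ == "__main__":
    # Audit the files given on the command line, or the sample if none are given.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_POLICY]
    problems = [f for t in texts for f in audit(t)]
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
    sys.exit(1 if problems else 0)
```
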
