containerbase / internal-tools

Renovate internal build tools
GNU Affero General Public License v3.0

cosign: pass digest instead of tag #310

Open viceice opened 1 year ago

viceice commented 1 year ago

We need to refactor the cosign call; it's now generating a warning and will error out in the future.

> cosign sign ghcr.io/containerbase/node:14.15.0
  /home/runner/.cosign/cosign sign ghcr.io/containerbase/node:14.15.0
  Generating ephemeral keys...
  Retrieving signed certificate...

          Note that there may be personally identifiable information associated with this signed artifact.
          This may include the email address associated with the account with which you authenticate.
          This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
  Successfully verified SCT...
  WARNING: Image reference ghcr.io/containerbase/node:14.15.0 uses a tag, not a digest, to identify the image to sign.

  This can lead you to sign a different image than the intended one. Please use a
  digest (example.com/ubuntu@sha256:abc123...) rather than tag
  (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
  images by tag will be removed in a future release.
  tlog entry created with index: 12478726
  Pushing signature to: ghcr.io/containerbase/node

viceice commented 1 year ago

We need to fix that ASAP.

https://github.com/containerbase/sidecar/actions/runs/4313179005/jobs/7524653717

viceice commented 9 months ago

write meta-file

https://github.com/renovatebot/renovate/blob/79706e6e90e279872d2ca0299200a60674e21bd0/tools/utils/docker.ts#L45
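The two ideas in this thread, signing a digest rather than a tag and reading that digest from a build metadata file, combined in one added POSIX shell example. It is not code from containerbase/internal-tools or from the linked renovate `docker.ts`; it assumes the `containerimage.digest` key that `docker buildx build --metadata-file` writes, and the keyless `cosign sign` invocation shown in the warning above. The digest in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example: bind a cosign signature to immutable image content by
# resolving the digest first and refusing to sign a mutable tag reference.

# Extract "containerimage.digest" from a buildx metadata JSON file.
# Assumption: the file was written by `docker buildx build --metadata-file`.
digest_from_metadata() {
  # $1 = path to the metadata JSON; prints "sha256:<64 hex>" or nothing
  sed -n 's/.*"containerimage\.digest"[[:space:]]*:[[:space:]]*"\(sha256:[0-9a-f]\{64\}\)".*/\1/p' "$1" | head -n 1
}

# True only for repo@sha256:<64 hex> with no tag on the last path component
# (a registry with a port such as localhost:5000/... is still accepted).
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^([^/@]+/)*[^/@:]+@sha256:[0-9a-f]{64}$'
}

# Turn a (possibly tagged) reference plus a digest into a digest-pinned one.
pin_to_digest() {
  # $1 = image reference, e.g. ghcr.io/containerbase/node:14.15.0
  # $2 = digest, e.g. sha256:...
  repo=$(printf '%s' "$1" | sed 's/@.*//')
  case "$repo" in
    */*) prefix="${repo%/*}/"; last="${repo##*/}" ;;
    *)   prefix=""; last="$repo" ;;
  esac
  last="${last%%:*}"          # drop the tag, only on the final component
  printf '%s@%s\n' "${prefix}${last}" "$2"
}

# Keyless signing as in the issue, but only for a digest-pinned reference,
# so the signature can never be attached to a different image than intended.
sign_pinned() {
  if ! is_digest_ref "$1"; then
    echo "refusing to sign tag reference: $1" >&2
    return 1
  fi
  cosign sign "$1"
}

# Demo with a constructed metadata file (placeholder digest, not a real image).
demo_metadata=$(mktemp)
printf '{"containerimage.digest":"sha256:%s"}\n' \
  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef > "$demo_metadata"
demo_digest=$(digest_from_metadata "$demo_metadata")
rm -f "$demo_metadata"
echo "would sign: $(pin_to_digest ghcr.io/containerbase/node:14.15.0 "$demo_digest")"
```

In CI the flow is: build with `--metadata-file meta.json`, push, then `sign_pinned "$(pin_to_digest "$IMAGE" "$(digest_from_metadata meta.json)")"`. The guard in `sign_pinned` turns the cosign warning into a hard failure today, before a future cosign release makes tag references an error on its own.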