Pin monitoring stack images by digest

Reads live RepoDigests of each running monitoring container and
freezes the compose to the exact image manifest. Brings the
monitoring stack to the same digest-pin discipline as the
stateful tier-1 services. influxdb3-core was already pinned.

Affected: prometheus, alertmanager, alertmanager-ntfy-bridge,
blackbox-exporter, loki, promtail, grafana, node-exporter,
cadvisor (plus a second python:3.13-alpine for the bootstrap
dashboard importer).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

monitoring/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   prometheus:
-    image: prom/prometheus:v3.7.3
+    image: prom/prometheus:v3.7.3@sha256:49214755b6153f90a597adcbff0252cc61069f8ab69ce8411285cd4a560e8038
     container_name: monitoring-prometheus
     restart: unless-stopped
     command:
@@ -25,7 +25,7 @@ services:
       - cadvisor
 
   alertmanager:
-    image: prom/alertmanager:v0.28.1
+    image: prom/alertmanager:v0.28.1@sha256:27c475db5fb156cab31d5c18a4251ac7ed567746a2483ff264516437a39b15ba
     container_name: monitoring-alertmanager
     restart: unless-stopped
     command:
@@ -42,7 +42,7 @@ services:
       - no-new-privileges:true
 
   alertmanager-ntfy-bridge:
-    image: python:3.13-alpine
+    image: python:3.13-alpine@sha256:420cd0bf0f3998275875e02ecd5808168cf0843cbb4d3c536432f729247b2acc
     container_name: monitoring-alertmanager-ntfy-bridge
     restart: unless-stopped
     dns:
@@ -63,7 +63,7 @@ services:
       - no-new-privileges:true
 
   blackbox-exporter:
-    image: prom/blackbox-exporter:v0.27.0
+    image: prom/blackbox-exporter:v0.27.0@sha256:a50c4c0eda297baa1678cd4dc4712a67fdea713b832d43ce7fcc5f9bea05094d
     container_name: monitoring-blackbox-exporter
     restart: unless-stopped
     dns:
@@ -81,7 +81,7 @@ services:
       - no-new-privileges:true
 
   loki:
-    image: grafana/loki:3.7.2
+    image: grafana/loki:3.7.2@sha256:191d4fdfb7264f16989f0a57f320872620a5a7c2ceeec6229212c4190ec49b86
     container_name: monitoring-loki
     restart: unless-stopped
     command:
@@ -97,7 +97,7 @@ services:
       - no-new-privileges:true
 
   promtail:
-    image: grafana/promtail:3.6.10
+    image: grafana/promtail:3.6.10@sha256:2a0f5e3e160ee5d549c585f6cc4f4e1c566ff783324a424bd75bc16503fc660e
     container_name: monitoring-promtail
     restart: unless-stopped
     command:
@@ -115,7 +115,7 @@ services:
       - loki
 
   grafana:
-    image: grafana/grafana:12.4.3
+    image: grafana/grafana:12.4.3@sha256:2e986801428cd689c2358605289c90ab37d2b39e24808874971f54c99bcdc412
     container_name: monitoring-grafana
     restart: unless-stopped
     dns:
@@ -273,7 +273,7 @@ services:
         echo "Dashboard import complete."
 
   node-exporter:
-    image: prom/node-exporter:v1.9.1
+    image: prom/node-exporter:v1.9.1@sha256:d00a542e409ee618a4edc67da14dd48c5da66726bbd5537ab2af9c1dfc442c8a
     container_name: monitoring-node-exporter
     restart: unless-stopped
     command:
@@ -295,7 +295,7 @@ services:
       - no-new-privileges:true
 
   cadvisor:
-    image: ghcr.io/google/cadvisor:v0.53.0
+    image: ghcr.io/google/cadvisor:v0.53.0@sha256:c3770bd6fc6c6a9cb2b47143e6b3cc3fdd9d20a8453dffbb7e09a145e7e0c4e4
     container_name: monitoring-cadvisor
     restart: unless-stopped
     command: