
chore: pin example Dockerfiles digests and simplify dynamic module bump workflow#8678

Open
shahar-h wants to merge 1 commit into envoyproxy:main from shahar-h:pin-docker-images

Conversation


@shahar-h shahar-h commented Apr 5, 2026

What this PR does / why we need it:
Refactor the dynamic module dependency bump process and pin all example
Dockerfile images by digest.

  • Dynamic module bump simplification: Rework bump-envoy-dynamic-modules.sh
    to read the envoy version directly from DefaultEnvoyProxyImage in
    api/v1alpha1/shared_types.go instead of requiring a CLI argument. On main
    (where the image is distroless-dev) the script exits cleanly; on release
    branches it extracts the version automatically. This eliminates the need to
    pass ENVOY_VERSION through the Makefile, build-args, and Dockerfile ARGs.
    • Remove ARG ENVOY_VERSION / ARG ENVOY_IMAGE_DIGEST from the dynamic
      module Dockerfile; use direct FROM lines with digest pins instead.
    • Remove ENVOY_VERSION variable from examples/dynamic-module-test/Makefile
      and --build-arg passthrough.
    • Remove ENVOY_PROXY_VERSION parsing from tools/make/examples.mk and
      simplify the update-dynamic-module-deps target.
    • Update RELEASING.md to reflect the simplified
      make update-dynamic-module-deps command (no argument needed).
  • Dockerfile digest pinning: Pin all images in example Dockerfiles with
    SHA256 digests to improve reproducibility and supply-chain security.
  • Dependabot: Add "/examples/*" to the Docker package ecosystem in
    dependabot.yml so digest pins are kept up to date automatically.

Which issue(s) this PR fixes:
N/A

Release Notes: No

…p workflow

Signed-off-by: Shahar Harari <shahar.harari@sap.com>
@shahar-h shahar-h requested a review from a team as a code owner April 5, 2026 18:42
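The version-detection flow the description gives the reworked bump script (read DefaultEnvoyProxyImage from the Go source, exit cleanly when it is the distroless-dev image, otherwise extract the release version), as an added POSIX shell illustration. This is not the project's tools/hack/bump-envoy-dynamic-modules.sh; the sample Go files are constructed, and the distroless-v<version> tag format is assumed from the discussion.

```shell
#!/bin/sh
# Added illustration, not the project's tools/hack/bump-envoy-dynamic-modules.sh.
# Assumes shared_types.go holds a Go string constant named DefaultEnvoyProxyImage
# and that release images use the distroless-v<version> tag format.

# Print the image reference assigned to DefaultEnvoyProxyImage in a Go file.
envoy_image_from_go() {
  sed -n 's/.*DefaultEnvoyProxyImage[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Map an image reference to the version to bump to: print "v1.37.0" for a
# distroless-v1.37.0 tag, print nothing and return 0 for the mutable
# distroless-dev tag (main branch), return 1 for anything else.
envoy_version_from_image() {
  ref=${1%%@*}                    # drop any "@sha256:..." digest suffix
  tag=${ref##*:}                  # text after the last ':' is the tag
  [ "$tag" != "$ref" ] || { echo "no tag in image ref: $1" >&2; return 1; }
  case "$tag" in
    distroless-dev) return 0 ;;
    distroless-v[0-9]*) printf '%s\n' "${tag#distroless-}" ;;
    *) echo "unrecognised envoy tag: $tag" >&2; return 1 ;;
  esac
}

# The flow from the PR description: read the constant, exit cleanly on main,
# otherwise emit the release version for the dependency bump.
resolve_bump_version() {
  image=$(envoy_image_from_go "$1")
  [ -n "$image" ] || { echo "DefaultEnvoyProxyImage not found in $1" >&2; return 1; }
  envoy_version_from_image "$image"
}

# Constructed sample inputs standing in for api/v1alpha1/shared_types.go.
SAMPLE_MAIN=$(mktemp) && SAMPLE_REL=$(mktemp)
trap 'rm -f "$SAMPLE_MAIN" "$SAMPLE_REL"' EXIT
cat >"$SAMPLE_MAIN" <<'EOF'
package v1alpha1
// DefaultEnvoyProxyImage is the default image used by EnvoyProxy.
const DefaultEnvoyProxyImage = "docker.io/envoyproxy/envoy:distroless-dev"
EOF
cat >"$SAMPLE_REL" <<'EOF'
package v1alpha1
const DefaultEnvoyProxyImage = "docker.io/envoyproxy/envoy:distroless-v1.37.0"
EOF

echo "main: '$(resolve_bump_version "$SAMPLE_MAIN")'"     # main: ''
echo "release: '$(resolve_bump_version "$SAMPLE_REL")'"   # release: 'v1.37.0'
```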

netlify Bot commented Apr 5, 2026

Deploy Preview for cerulean-figolla-1f9435 ready!

Latest commit: beb101c
Latest deploy log: https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69d2ad247546910008185300
Deploy Preview: https://deploy-preview-8678--cerulean-figolla-1f9435.netlify.app

@shahar-h shahar-h changed the title chore: pin example Dockerfile digests and simplify dynamic module bump workflow chore: pin example Dockerfiles digests and simplify dynamic module bump workflow Apr 5, 2026

codecov Bot commented Apr 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.50%. Comparing base (b64158c) to head (beb101c).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8678   +/-   ##
=======================================
  Coverage   74.50%   74.50%           
=======================================
  Files         243      243           
  Lines       38670    38670           
=======================================
  Hits        28810    28810           
  Misses       7868     7868           
  Partials     1992     1992           



shahar-h commented Apr 5, 2026

/retest

Comment on lines +12 to +13
# Envoy image tag and digest are updated by tools/hack/bump-envoy-dynamic-modules.sh during releases.
FROM docker.io/envoyproxy/envoy:distroless-dev@sha256:1679d1bb44c7f90aca4a0f5e33f7c7c5723e96a90b38f9ad5a5b158ed4c95a40
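Review bot: the comment on line 12 documents only the release path, but per the PR description the tag on main stays distroless-dev and its digest is meant to be refreshed by Dependabot through the new "/examples/*" Docker ecosystem entry; the comment should say so, otherwise a reader will assume the digest only moves at release time. Suggested wording: `# On main the distroless-dev digest is refreshed by Dependabot; tag and digest are rewritten by tools/hack/bump-envoy-dynamic-modules.sh during releases.` Since the distroless-dev tag is mutable, the digest on line 13 is the only effective pin, which is also why it will move with every Envoy build.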
Contributor


Won't this be fairly noisy? This will change with every envoy commit

Contributor


+1


@jukie jukie Apr 6, 2026


Maybe we pin here to a specific dev commit and we manually bump like go-control-plane?

We'd still want release branches to target a release envoy version though.

Contributor Author


Good point — the noise concern applies equally to the github.com/envoyproxy/envoy/source/extensions/dynamic_modules Go module in examples/dynamic-module-test/go.mod, which uses a pseudo-version pinned to a commit. However, Dependabot doesn't support updating Go pseudo-versions (see dependabot/dependabot-core#2028), so the Go module is currently stuck on a month-old commit with no automatic updates. Meanwhile, the distroless-dev Docker tag is mutable and always resolves to the latest envoy build, so every image pull gets the newest commit — creating a growing version skew between the Docker image and the Go module.

I see two options:

Option 1: Use envoy per-commit image tags
Switch from distroless-dev to commit-tagged images (e.g. distroless-dev-6f94ab127f45cf93a29da0a740c7e84d466d14fb). This lets us pin both the Go module and the Docker image to the exact same envoy commit. Dependabot won't try to update commit-based tags (they're not semver-comparable), so there's no noise. We can either update both manually as needed, or create a dedicated weekly workflow that bumps both to the latest envoy main commit in a single PR. During releases, the bump script would still override both — the image to a specific release tag (e.g. distroless-v1.37.0) and the Go module to a commit from the corresponding release branch.

Option 2: Keep using distroless-dev tag
Keep the current distroless-dev tag with a digest pin. Dependabot handles weekly digest updates automatically. For the Go module, we'd need a separate workflow to bump the pseudo-version since Dependabot can't do it. The downside is that the Docker image and Go module are updated independently and may point to different envoy commits.

Please share your thoughts.


Note: We should also consider migrating to Renovate, which natively supports both Go pseudo-version updates and tool directive dependency updates (see envoyproxy/gateway#6213 (comment)). That would eliminate the need for a custom workflow entirely, but it's a larger migration that should be evaluated separately.
