ci: auto-pin nx-webmail image digest in compose

.github/workflows/publish-nx-webmail-image.yml

@@ -10,15 +10,18 @@ on:
       - ".github/workflows/publish-nx-webmail-image.yml"
 
 permissions:
-  contents: read
+  contents: write
   packages: write
 
 jobs:
   publish:
+    if: github.actor != 'github-actions[bot]'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -57,6 +60,30 @@ jobs:
             ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}
             ${{ steps.meta.outputs.image }}:latest
 
+      - name: Pin digest in docker-compose
+        shell: bash
+        run: |
+          digest="${{ steps.build.outputs.digest }}"
+          if [ -z "$digest" ]; then
+            echo "No digest returned by build step" >&2
+            exit 1
+          fi
+          pinned="    image: ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}@${digest}"
+          sed -i -E "s|^    image: .*|$pinned|" nx-webmail/docker-compose.yml
+
+      - name: Commit digest pin
+        shell: bash
+        run: |
+          if git diff --quiet -- nx-webmail/docker-compose.yml; then
+            echo "No docker-compose digest changes to commit."
+            exit 0
+          fi
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add nx-webmail/docker-compose.yml
+          git commit -m "nx-webmail: pin image digest [skip ci]"
+          git push
+
       - name: Summary
         shell: bash
         run: |