
use SHA256 explicitly for all image names

Dr Rich Wareham requested to merge issue-2-use-sha256 into master

Synchronisation between different systems is hard. In particular it is hard if each system has mutable identifiers. In this module we have three systems: the local docker daemon, the source registry and the Google Container Registry. Each of those systems has mutable identifiers (image "tags") and immutable ones (SHA256 checksums).

Previously we tried to use the human-friendly tags so that it was clear that the correct image was being pulled/pushed. This failed in both clarity and correctness; it was unclear which system the tag name which appeared was for, and this led to incorrect behaviour as noted in the comments of #2 (closed).

In retrospect, the use of mutable identifiers was always going to cause synchronisation problems. As such we move to using the immutable SHA256 identifiers everywhere we can.

Only the docker_registry_image.source data source now gets the unfiltered source image. Everywhere else we explicitly use the SHA256 checksum returned by that data resource. This means that it is explicit which image should be pulled and which should be pushed.

The only appreciable downside is that we lose local tagging: an image named registry.example.com/foo:some-tag will appear untagged if one runs "docker image list" locally. On the other hand, having a local image tag is dangerous if the tags are mutable, since one does not know if the local tag corresponds to the source repository without pulling, so perhaps this can be considered the addition of a feature rather than the removal of one?

Closes #2 (closed)
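The switch from a mutable tag to an immutable digest reference described in this merge request, as an added Python example that is not part of the merge request or the module's own code. The function names and the digest value are constructed for illustration.

```python
import re

# A SHA256 image digest as it appears in a reference: "sha256:" + 64 hex chars.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def split_reference(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A colon separates a tag only when it comes after the last "/";
    # an earlier colon belongs to a registry host:port.
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None


def pin(ref, digest):
    """Return ref with its mutable tag replaced by an immutable digest."""
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    repo, _tag, existing = split_reference(ref)
    # Refuse to silently re-pin a reference that already names another image.
    if existing is not None and existing != digest:
        raise ValueError(f"{ref!r} is already pinned to a different digest")
    return f"{repo}@{digest}"


# Constructed sample digest, not a real image.
SAMPLE_DIGEST = "sha256:" + "ab" * 32

if __name__ == "__main__":
    # The tagged name from the description above, pinned for pull and push.
    print(pin("registry.example.com/foo:some-tag", SAMPLE_DIGEST))
    # A registry port is not mistaken for a tag.
    print(split_reference("registry.example.com:5000/foo"))
```

The pinned form names the same bytes on every system that holds the image, which is why it can be passed unchanged to both the pull and the push side.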
