Cardano Updates

Bumps the actions-deps group with 2 updates: [oasdiff/oasdiff-action](https://github.com/oasdiff/oasdiff-action) and [scala-steward-org/scala-steward-action](https://github.com/scala-steward-org/scala-steward-action).


Updates `oasdiff/oasdiff-action` from 0.0.39 to 0.0.43
- [Release notes](https://github.com/oasdiff/oasdiff-action/releases)
- [Commits](https://github.com/oasdiff/oasdiff-action/compare/f8cb9308b42121e793f835bd14c0b8090420430c...c002f996c3d084acf62ea6dd4f2e7a57b7bc2a35)

Updates `scala-steward-org/scala-steward-action` from 2.86.0 to 2.88.0
- [Release notes](https://github.com/scala-steward-org/scala-steward-action/releases)
- [Commits](https://github.com/scala-steward-org/scala-steward-action/compare/026472ebc0e1f80577b240b249e3dc1494e7041b...b186ab858ce163f9af7b016fac32cfb3f2c2f503)

---
updated-dependencies:
- dependency-name: oasdiff/oasdiff-action
  dependency-version: 0.0.43
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-deps
- dependency-name: scala-steward-org/scala-steward-action
  dependency-version: 2.88.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: William Hankins <[email protected]>

PR #1140 in ouroboros-consensus made the behaviour corresponding to
--only-immutable-db the default and removed the flag.

This commit adds a check and only passes the flag if the db-analyser
supports it.

https://github.com/IntersectMBO/ouroboros-consensus/pull/1140

Signed-off-by: Chris Gianelloni <[email protected]>

Antithesis's image puller rejects `name:tag@sha256:digest` with
"Invalid image name: cannot be empty or contain invalid character"
(verified via run https://github.com/cardano-foundation/cardano-node-antithesis/actions/runs/24998978617).

Switch to canonical OCI digest-only form `name@sha256:digest`. Identical
content guarantee, accepted by Antithesis.

Update push-cardano_node_master_images.sh to skip entries that have no
tag after sanitization — digest-only pins refer to images that already
exist in the registry by definition; there is nothing to rebuild.

Compose entries are now `name:tag@sha256:digest`. The previous regex
captured the whole string and `git rev-list "tag@sha256:..."` failed,
making the workflow skip every cardano-foundation/* image with a
"Tag not found in repo" log.

Strip the digest before the `:` -> ` ` split so name/tag resolution
proceeds normally. The digest stays in compose where Antithesis pulls
by it; publish-images uses the tag side to map to a commit and rebuild.

Promote the tag pin to a digest pin
(@sha256:b67470ccfd16d5d26305fde751accf05789d68387bb17c2ee01ed717cb98b896).
Tags are mutable: txpipe could re-tag v1.9.4 to a different image. Digests
are content-addressed — what we pull is what we built against.

publish-images script only resolves cardano-foundation/* images, so the
oura digest reference is inert for our build pipeline.

Promote tag-only references to tag@sha256:digest across the whole
docker-compose. Tags on a registry are mutable (anyone with push can
re-tag what we depend on); content-addressed digests are not.

Caveat: publish-images.yaml's resolution regex captures the full
"name:tag@sha256:digest" string and tries `git rev-list` on
"tag@sha256:digest" which fails — so it will skip every
cardano-foundation/* image with a "Tag not found in repo" log. This is
intentional for now: the images already exist at the pinned digests, so
Antithesis pulls what was built. Future component changes require either
(a) a manual rebuild + digest update in compose, or
(b) teaching scripts/push-cardano_node_master_images.sh to split on `@`
   and resolve only the tag side.

Pinned digests resolved 2026-04-27 from ghcr.