disable manual deploys from tagging images with full commit SHA

[cmharlow]

Jira: https://mozilla-hub.atlassian.net/browse/SE-2508

What this PR does:

• disables tagging of manual delivery pipeline-generated Docker images with the full Commit SHA
• images tagged with full commit SHA are limited to use by Gitflow-automated stage & production images, so only images that have gone through stage are promoted to production
• This also means you can run manual delivery pipeline only for dev & stage environments, but you cannot run it for prod / none of the images from those pipelines will ever be looked up for promotion to prod.

[smarnach]

This feels odd to me, and there's definitely some aspect here that I don't understand. In my opinion it should always be safe to tag images with git hashes. If these images get accidentally promoted to prod, then we have a problem elsewhere. Maybe we can discuss this in person tomorrow.

[cmharlow]

@smarnach pushed up changes discussed this AM - take a look & let me know what you think. I'd like to test it too while we have the prod flux disabled so we can see if the images are doing what we want.

wrt pinning the plugin versions, they're all on commits that don't match releases or branches unfortunately, so i'll need to add quite a bit of more code in the yaml to set that up. Not sure we want to do that right away or not, so I just at least captured current prod's plugins' commits.

[smarnach]

Looks good to me.