
Create release with image digest on new tag

This is a follow-up to this MR thread.

When a new tag for the cloud-deploy image is created, the Release stage job will run:

release-tag:
  <<: *docker
  stage: release
  script:
    - 'echo ${CI_JOB_TOKEN} | docker login --password-stdin -u $CI_REGISTRY_USER $CI_REGISTRY'
    - echo "Using tag $CI_COMMIT_TAG for image"
    - docker pull "$BUILD_IMAGE_NAME"
    - docker tag "$BUILD_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
    - docker tag "$BUILD_IMAGE_NAME" "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
    - docker push "$CI_REGISTRY_IMAGE:latest"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
  only:
    - tags

When this new image is tagged, we should also retrieve its digest. Based on the discussion in the thread posted above, using the digest of an image is the most secure way to pull it.

We should then:

  • programmatically retrieve the image digest once the image is built.
  • create a Release note (via the Release API(?)) to communicate this digest to users effectively.

The release note should look like:

[Image: Screenshot_from_2020-02-24_16-29-19.png]

cc @ogolowinski

Edited by Etienne Baqué
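
One way the two steps proposed above could be scripted, as an added example that is not part of the original issue or the project's CI code. It assumes `docker` and `curl` are available on the runner and that the instance's Releases API accepts the job token; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the cloud-deploy project's own CI code.
# Assumes docker and curl on the runner, and that the GitLab instance
# accepts the job token (JOB-TOKEN header) on the Releases API.

# Read `repo@sha256:<hex>` lines (docker's RepoDigests) on stdin and print
# the digest recorded for repository $1. Returns 1 if none is well-formed.
digest_for_repo() {
  repo=$1
  while IFS= read -r line; do
    case $line in
      "$repo"@sha256:*)
        hex=${line#"$repo"@sha256:}
        # A sha256 digest is exactly 64 lowercase hex characters.
        if [ "${#hex}" -eq 64 ] && ! printf '%s' "$hex" | grep -q '[^0-9a-f]'; then
          printf 'sha256:%s\n' "$hex"
          return 0
        fi ;;
    esac
  done
  return 1
}

# Markdown body for the release note: the immutable pull reference.
release_description() {
  printf 'Pull this release by digest:\n\n`%s@%s`\n' "$1" "$2"
}

# Called from the release job after "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" is pushed.
publish_release() {
  image="$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
  # RepoDigests is only populated once the image has been pushed or pulled.
  digest=$(docker inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$image" |
    digest_for_repo "$CI_REGISTRY_IMAGE") || {
    echo "no valid digest recorded for $CI_REGISTRY_IMAGE" >&2
    return 1
  }
  curl --fail --silent --show-error --request POST \
    --header "JOB-TOKEN: $CI_JOB_TOKEN" \
    --data-urlencode "tag_name=$CI_COMMIT_TAG" \
    --data-urlencode "description=$(release_description "$CI_REGISTRY_IMAGE" "$digest")" \
    "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"
}
```

The job fails instead of publishing a release when no well-formed digest is recorded for the project's own registry path, so a release note never carries an empty or foreign digest.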