Auto-pull new workspace image when registry digest advances

`docker_container.image` was a floating `:base` tag string, which Docker's
cache treats as "already have it" — `coder update` / workspace restart
would keep running the old image even after CI pushed a new one.

Add a `docker_registry_image` data source that reads the current remote
digest and a `docker_image` resource with `pull_triggers = [<digest>]` so
every `terraform apply` re-checks the registry: when the digest changes,
the image is re-pulled, `image_id` changes, and `docker_container.workspace`
replans to recreate with the new image. `projects_volume` (per-workspace)
survives the recreate; `coder-shared` and `coder-<owner>-home-persist`
aren't in state so they're untouched.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chapterjason

main.tf

@@ -402,9 +402,23 @@ resource "docker_volume" "projects_volume" {
   }
 }
 
+# Re-pull the workspace image on every plan when the registry digest has
+# advanced. The data source reads the remote digest; docker_image.pull_triggers
+# fires when it changes, yielding a new local image_id; the container depends
+# on that image_id so a new push → container recreate on next apply.
+data "docker_registry_image" "workspace" {
+  name = local.workspace_images[data.coder_parameter.workspace_image.value]
+}
+
+resource "docker_image" "workspace" {
+  name          = data.docker_registry_image.workspace.name
+  pull_triggers = [data.docker_registry_image.workspace.sha256_digest]
+  keep_locally  = true
+}
+
 resource "docker_container" "workspace" {
   count   = data.coder_workspace.me.start_count
-  image   = local.workspace_images[data.coder_parameter.workspace_image.value]
+  image   = docker_image.workspace.image_id
   runtime = "sysbox-runc"
 
   name     = "coder-${data.coder_workspace_owner.me.name}-${lower(data.coder_workspace.me.name)}"