Pin database Docker images and show digests in CI

[harupy]

What changes are proposed in this pull request?

This PR addresses MSSQL schema instability caused by Docker image updates and improves CI observability:

1. Pin all database images to specific digests to prevent automatic updates from changing schema/behavior
2. Update MSSQL schema file with constraint names from the current image
3. Add --digests flag to show SHA256 digests in CI logs

Background

MSSQL Docker image was recently updated from a2fbff321505 (1.61GB) to 55c3fe0f8428 (1.79GB):

REPOSITORY                       TAG       IMAGE ID       CREATED        SIZE
postgres                         latest    80c0891f5de9   11 hours ago   456MB
mcr.microsoft.com/mssql/server   latest    a2fbff321505   3 weeks ago    1.61GB 👈
mysql                            latest    f6b0ca07d79d   3 weeks ago    934MB

→

REPOSITORY                       TAG       DIGEST                                                                    IMAGE ID       CREATED        SIZE
postgres                         latest    sha256:c1f0abd909b477d6088c72e4cd6eb01ea525344caca1b58689ae884204369502   80c0891f5de9   20 hours ago   456MB
mcr.microsoft.com/mssql/server   latest    sha256:54b23ca766287dab5f6f55162923325f07cdec6ccb42108f37c55c87e7688ebd   55c3fe0f8428   3 weeks ago    1.79GB 👈
mysql                            latest    sha256:569c4128dfa625ac2ac62cdd8af588a3a6a60a049d1a8d8f0fac95880ecdbbe5   f6b0ca07d79d   4 weeks ago    934MB

SQL Server auto-generates foreign key constraint names with hex suffixes based on internal object IDs. When the Docker image updates, these IDs change, resulting in different constraint names even though the schema structure remains identical.

Example constraint name changes:

• FK__experimen__exper__4F7CD00D → FK__experimen__exper__628FA481
• FK__model_vers__name__5812160E → FK__model_vers__name__6B24EA82

Pinned image digests

All database images are now pinned to prevent future automatic updates:

• PostgreSQL: sha256:c1f0abd909b477d6088c72e4cd6eb01ea525344caca1b58689ae884204369502
• MySQL: sha256:569c4128dfa625ac2ac62cdd8af588a3a6a60a049d1a8d8f0fac95880ecdbbe5
• MSSQL: sha256:54b23ca766287dab5f6f55162923325f07cdec6ccb42108f37c55c87e7688ebd

How is this PR tested?

• Existing unit/integration tests

The MSSQL schema file is auto-generated during CI runs. This update ensures the checked-in schema matches the pinned Docker image.

Does this PR require documentation update?

• No. You can skip the rest of this section.

Release Notes

Is this a user-facing change?

• No. You can skip the rest of this section.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/build: Build and test infrastructure for MLflow

How should the PR be classified in the release notes? Choose one:

• rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section

Should this PR be included in the next patch release?

• Yes (this PR will be cherry-picked and included in the next patch release)
• No (this PR will be included in the next minor release)

---

🤖 Generated with Claude Code

[github-actions]

@harupy Thank you for the contribution! Could you fix the following issue(s)?

⚠ Invalid PR template

This PR does not appear to have been filed using the MLflow PR template. Please copy the PR template from here and fill it out.

[harupy]

The latest tag of the mssql image was updated yesterday:
https://mcr.microsoft.com/en-us/artifact/mar/mssql/server/tag/latest

[harupy]

Added digest to pin the image

[BenWilson2]

Fantastic solution. We should probably give proper aliases to those FKEYs some day... just so that don't have these crazy auto-generated names. This approach looks great as a workaround for now (we'll eventually need to update the images due to security reports / CVEs of older images or when MSFT takes them down I imagine)