fix(docs/deploy): harden public docs deployment and pin images

Add a pod-level security context to the nginx container in the public
docs deployment (non-root uid 101, dropped capabilities, read-only
root filesystem, RuntimeDefault seccomp) and rebind it to unprivileged
port 8080 so it does not need CAP_NET_BIND_SERVICE. The nginx PID and
proxy temp paths move under a tmpfs-backed emptyDir so the read-only
root filesystem does not break startup.

Replace the mutable :main tags on both containers with immutable
sha256 digests and switch imagePullPolicy to IfNotPresent so each
rollout references an auditable artifact instead of whatever happens
to be tagged :main when the pod starts. The docs-deploy workflow now
overlays the freshly built docs digest via `kustomize edit set image`
so the manifest stays accurate without a manual edit on each push to
main. The docs Dockerfile pins its node and nginx-micro base images
to specific versions for the same reason.

Ref: AWOO-011, AWOO-012
Assisted-by: Claude Opus 4.7 via Claude Code
Signed-off-by: Xe Iaso <me@xeiaso.net>

docs/manifest/cfg/nginx/nginx.conf

@@ -1,7 +1,7 @@
 user nginx;
 worker_processes 2;
 error_log /dev/stdout warn;
-pid /nginx.pid;
+pid /tmp/nginx.pid;
 
 events {
   worker_connections 1024;
@@ -12,11 +12,17 @@ http {
   default_type application/octet-stream;
   access_log /dev/stdout;
 
+  client_body_temp_path /tmp/client_body;
+  proxy_temp_path /tmp/proxy;
+  fastcgi_temp_path /tmp/fastcgi;
+  uwsgi_temp_path /tmp/uwsgi;
+  scgi_temp_path /tmp/scgi;
+
   sendfile on;
   keepalive_timeout 65;
 
   server {
-    listen 80 default_server;
+    listen 8080 default_server;
     server_name _;
 
     error_page 404 /404.html;