feat: use digest to keep track of state of tools image

Makefile

@@ -1,3 +1,6 @@
+# If using QubesOS, the smart card must be connected directly to the qube,
+# rather than using a 'vault' qube.
+
 BACKEND_TF := $(wildcard infra/backend/*.tf)
 MAIN_TF := $(wildcard infra/main/*.tf)
 ENVIRONMENT := production
@@ -29,16 +32,14 @@ clean:
 update-tools:
 	./src/make/update.sh
 
+.PHONY: shell
+shell: out/tools-image.digest
+	$(call run-container, -v ./secrets:/secrets, $(shell cat $<))
+
 .PHONY: credentials
 credentials: \
 	$(CACHE_DIR)/secrets/credentials.tfvars
 
-# If using QubesOS, the smart card must be connected directly to the qube,
-# rather than using a 'vault' qube.
-.PHONY:
-shell: build-container
-	$(call run-container, -v ./secrets:/secrets)
-
 $(KEY_DIR)/%.asc:
 	$(call fetch_pgp_key,$(basename $(notdir $@)))
 
@@ -129,9 +130,8 @@ config/$(ENVIRONMENT).tfbackend: | \
 		-state $(ENVIRONMENT).tfstate \
 		'
 
-.PHONY: build-container
-build-container:
-	docker build -t git.distrust.co/public/stack-tools -f Containerfile.tools .
+out/tools-image.digest: Containerfile.tools | out
+	docker build -f Containerfile.tools -q . > $@
 
 GPG_TTY ?= $(shell tty)
 
@@ -140,11 +140,11 @@ define run-container
 		-e GPG_TTY="$(GPG_TTY)" \
 		-v $(shell gpgconf --list-dirs agent-socket):/root/.gnupg/S.gpg-agent:ro \
 		-v $(shell gpgconf --list-dirs homedir):/root/.gnupg:rw \
-		git.distrust.co/public/stack-tools
+		$(2)
 endef
 
 .PHONY: new-apply
-new-apply: build-container
+new-apply: out/tools-image.digest 
 	$(call run-container,'\
 		echo $$GPG_AGENT_INFO; \
 		ls -l /S.gpg-agent; \