ocis_full: reintroduce env interpolation with pinned tag+digest defaults #12066

Draft
Copilot wants to merge 2 commits into ocis_full-renovate-security from copilot/sub-pr-12048

Copilot AI commented Feb 26, 2026

Image override env vars in .env (e.g. TRAEFIK_DOCKER_TAG, OCIS_DOCKER_TAG, TIKA_IMAGE, COLLABORA_DOCKER_TAG, etc.) were non-functional after the switch to hard-pinned image: name:tag@sha256:... in compose files — editing .env had no effect on which images were pulled.

Description

Reintroduce env interpolation across all affected compose files using ${VAR:-pinned_tag@sha256:digest} syntax. The pinned digest remains the secure default; users can override via .env when needed. Renovate continues updating pinned defaults in compose files via the docker-compose manager.

Compose file changes — all hardcoded image: lines replaced with env interpolation:

# Before
image: traefik:v3.6.7@sha256:a9890c...
image: owncloud/ocis:8.0.0@sha256:41e6d7...
image: collabora/code:25.04.8.1.1@sha256:3c58d0...

# After
image: traefik:${TRAEFIK_DOCKER_TAG:-v3.6.7@sha256:a9890c...}
image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-8.0.0@sha256:41e6d7...}
image: collabora/code:${COLLABORA_DOCKER_TAG:-25.04.8.1.1@sha256:3c58d0...}

Files updated: docker-compose.yml, ocis.yml, collabora.yml, onlyoffice.yml, tika.yml, clamav.yml, mailserver.yml, web_extensions/importer.yml

.env changes:

  • Removed misleading "Documentation/manual override only" comments; variables now describe that empty = use compose-pinned default
  • Cleared ONLYOFFICE_DOCKER_TAG from 9.2.1.1 (digest-less, would bypass pinning) to empty so the compose default applies

Related Issue

Motivation and Context

The "manual override only" documentation was misleading: users had no way to change the pulled image version via .env after the hard-pin migration. This restores the expected behaviour while keeping digest pinning as the secure default path.

How Has This Been Tested?

  • test environment: verified docker compose config resolves images to the pinned tag+digest when env vars are empty, and to the override value when set

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:
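
An added example (not part of this pull request or the ocis repository): a small check that expands the `${VAR:-default}` image templates from the description against a set of `.env` values and reports any image that resolves without a sha256 digest, the failure mode the description notes for a digest-less `ONLYOFFICE_DOCKER_TAG`. The digests are constructed placeholders because the page truncates the real ones, and the function names are hypothetical.

```python
import re

# Matches ${VAR} and ${VAR:-default}. With ":-" the default applies when
# VAR is unset OR empty, which is why an empty .env entry keeps the pin.
_INTERP = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")
# A reference counts as pinned only if it ends in a full sha256 digest.
_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed digests (placeholders); image names and tags are from the PR text.
D_TRAEFIK, D_OCIS, D_COLLABORA = "a" * 64, "b" * 64, "c" * 64
TEMPLATES = [
    "traefik:${TRAEFIK_DOCKER_TAG:-v3.6.7@sha256:" + D_TRAEFIK + "}",
    "${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-8.0.0@sha256:" + D_OCIS + "}",
    "collabora/code:${COLLABORA_DOCKER_TAG:-25.04.8.1.1@sha256:" + D_COLLABORA + "}",
]


def resolve(template, env):
    """Expand the interpolations in one image template (non-nested forms only)."""
    def expand(match):
        name, default = match.group(1), match.group(2) or ""
        return env.get(name) or default  # unset or empty -> default
    return _INTERP.sub(expand, template)


def is_digest_pinned(ref):
    """True if the resolved image reference carries a full sha256 digest."""
    return bool(_DIGEST.search(ref))


def unpinned(env, templates=TEMPLATES):
    """Return resolved image references that lost their digest pin."""
    resolved = [resolve(t, env) for t in templates]
    return [ref for ref in resolved if not is_digest_pinned(ref)]


if __name__ == "__main__":
    # Constructed .env contents: one empty value, one digest-less override.
    env = {"TRAEFIK_DOCKER_TAG": "", "COLLABORA_DOCKER_TAG": "25.04.8.1.1"}
    for ref in unpinned(env):
        print("not digest-pinned:", ref)
```

Run against the output of a real deployment, the same digest check can be applied to the image references that `docker compose config` resolves.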

update-docs bot commented Feb 26, 2026

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

…ose files

Co-authored-by: dj4oC <115982880+dj4oC@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on OCIS_FULL deployment example ocis_full: reintroduce env interpolation with pinned tag+digest defaults Feb 26, 2026
Contributor

mmattel commented Feb 26, 2026

There is a working ocis_full deployment setup created by intention.
If you compare this PR vs what we actually have, this PR is totally nuts.
Can one pls stop this unwanted and unnecessary AI stuff which only creates senseless overhead...
