Build: pin dependencies by hash

[AkihiroSuda]

Description

Currently, the dependencies such as containerd and runc are not pinned by the hash:

moby/hack/dockerfile/install/containerd.installer

Lines 13 to 19 in a1836eb

	: "${CONTAINERD_VERSION:=v2.2.0}"
	install_containerd() (
	echo "Install containerd version $CONTAINERD_VERSION"
	git clone https://github.com/containerd/containerd.git "$GOPATH/src/github.com/containerd/containerd"
	cd "$GOPATH/src/github.com/containerd/containerd"
	git checkout -q "$CONTAINERD_VERSION"

These dependencies are also consumed by docker-ce-packaging here: https://github.com/docker/docker-ce-packaging/blob/7e726fa319c261676d06b6ae10c04a3df80e4c48/static/Makefile#L43-L58

Tasks:

• Integrate rego to buildx add rego integration to source policies docker/buildx#3539
• Update Dockerfile to replace RUN git clone <GITURL> to ADD <GITURL> Dockerfile: use Git SourceOp #51638
• Replace go install @TAG to use ADD <GITURL> Dockerfile: use Git SourceOp #51638
• Switch away from https://github.com/moby/moby/tree/a1836eb2834010c69cbf6de80095508f084fa6b4/hack/dockerfile/install to ADD <GITHRL> rm -r hack/dockerfile/install #51640
• Switch away from https://github.com/moby/moby/blob/a1836eb2834010c69cbf6de80095508f084fa6b4/hack/dockerfile/cli.sh to ADD <GITURL>, or maybe COPY --from=docker:VERSION /usr/local/bin/docker rm hack/dockerfile/cli.sh #51639
• Create Dockerfile.rego to pin the dependencies

Previous attempts:

• Dockerfile: verify the git tags with the hashes #49674
• Dockerfile: verify the git tags with the hashes #51626