Pin the cpython_autoconf container to a sha256 manifest

The container hasn't needed an update in 2 years. I propose pinning the container image used by the release process to the sha256 manifest instead of the tag in order to prevent any compromise there from being automatically used during the release.