fix: update supervised image ca-certificates pin

[iblancasa]

Summary

• Update supervised image Alpine ca-certificates pins to 20260611-r0.
• Fix release workflows for supervised collector, CDOT, and eBPF profiler images.

Why

• Alpine 3.22 now serves ca-certificates 20260611-r0. The old 20260413-r0 pin fails in fresh CI builds.

Validation

• Built supervised collector locally with docker build --pull --no-cache.
• Built supervised CDOT locally with docker build --pull --no-cache.
• Built supervised eBPF profiler locally with docker build --pull --no-cache.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 31ebc2f2d9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use a ca-certificates pin available on arm64

The release jobs for the supervised images build linux/amd64,linux/arm64 (for example, .github/workflows/otel-supervised-collector-release.yml sets those platforms), but Alpine v3.22's aarch64 package page currently lists ca-certificates as 20260413-r0, not 20260611-r0 (https://pkgs.alpinelinux.org/package/v3.22/main/aarch64/ca-certificates). On the arm64 leg, apk add --no-cache ca-certificates=20260611-r0 cannot satisfy the package, so the multi-platform release build fails before publishing; the same pin was added to the CDOT and eBPF Dockerfiles as well.

Useful? React with 👍 / 👎.

[iblancasa]

Checked against live Alpine 3.22 repos and Buildx. Both release platforms currently resolve ca-certificates to 20260611-r0:

• docker run --rm --platform linux/amd64 alpine:3.22 sh -c "apk update >/dev/null && apk policy ca-certificates" -> 20260611-r0
• docker run --rm --platform linux/arm64 alpine:3.22 sh -c "apk update >/dev/null && apk policy ca-certificates" -> 20260611-r0
• docker buildx build --pull --no-cache --platform linux/amd64,linux/arm64 ... otel-supervised-collector passes with this pin.

So the pin looks valid now. I also updated the harness to validate both release platforms, not just host arch.