Pin expected commit when building Leiningen from source

[cap10morgan]

Addresses official-images feedback from @yosifkit on the Leiningen 2.13.0 source-build:

We recommend to also check that this checked out commit is the expected commit id (d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030) on the off chance that the tag is changed.

What

After git clone --branch $LEIN_VERSION + git verify-tag, also assert the checked-out HEAD matches the expected commit:

git verify-tag $LEIN_VERSION && \
[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \

so a moved or re-pointed upstream tag can't slip a different commit past us (belt-and-suspenders with the existing GPG tag verification).

The expected commit is recorded per release in lein/release-commits and threaded into the template; an unknown version throws at generation time rather than silently building an unverifiable image.

Verification

• Confirmed refs/tags/2.13.0^{} on Codeberg dereferences to d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030 (what git rev-parse HEAD resolves to after checkout).
• Regenerated all lein Dockerfiles (bb dockerfiles); cljfmt clean; bb test 12 tests / 51 assertions, 0 failures.
• Built the debian-bookworm-slim-11 lein image end-to-end — the commit-pin step passed and lein version reports Leiningen 2.13.0.

[cap10morgan]

@Quantisan Going to go ahead and merge to free up the lein version bump, but let me know if you'd like to see any changes in here.