Fix commit sha being used instead of tag for tagged pipelines

The change introduced in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74627 started
setting the CI_APPLICATION_TAG in the Auto DevOps template so that it
could be used in the CS_DEFAULT_BRANCH_IMAGE value while still being
overridden by the calling template. This unintentionally introduced a
breaking change for tagged pipelines using the Build template, because
the default value for CI_APPLICATION_TAG is the CI_COMMIT_TAG (if it
exists) rather then the CI_COMMIT_SHA. This change fixes the issue by
referencing CI_COMMIT_SHA in the CS_DEFAULT_BRANCH_IMAGE, and no longer
setting the CI_APPLICATION_TAG value in the Auto DevOps template. It is
fine if this does not match the CI_APPLICATION_TAG value, because the
image tag is currently ignored when CS_DEFAULT_BRANCH_IMAGE is processed
by the security report parser.

Changelog: fixed

lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml

@@ -54,8 +54,7 @@ variables:
   # KUBE_INGRESS_BASE_DOMAIN: domain.example.com
 
   # Allows Container-Scanning to correctly correlate image names when using Jobs/Build.gitlab-ci.yml
-  CI_APPLICATION_TAG: $CI_COMMIT_SHA
-  CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_APPLICATION_TAG
+  CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_COMMIT_SHA
 
   POSTGRES_USER: user
   POSTGRES_PASSWORD: testing-password