It appears that the machine images backing Workstations are static—they're based on a container image, but if that container changes (which can happen if the config points to the latest tag), the workstation config doesn't update. This means that even when the workstations are recycled, new ones aren't necessarily based on a fresh, patched container image. :(
So, the pipelines for rebuilding container images (which use the cloudbuild.yaml configs in the cloud-workstations folder of this repo) should be extended to also update workstation config (after the new image is built and pushed).
[or, separate pipelines could monitor for new versions of the containers and then trigger workstation rebuilds based on that event]
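
One way the post-push step proposed above could look, as an added example that is not code from this repo: it resolves the digest of the image that was just pushed and points the workstation config at that digest, so a moved tag can no longer leave the config stale. It assumes the image lives in Artifact Registry, takes hypothetical config, cluster and region names as arguments, and pins by digest rather than by tag, which is a choice made for this example.

```shell
#!/bin/sh
# Added example: pin a Cloud Workstations config to the digest of the image
# that the build pipeline just pushed. All resource names are caller-supplied.

# Strip any :tag or @digest from an image reference, leaving the repository path.
image_repo() {
  ref=${1%@*}                 # drop a trailing @sha256:... if present
  last=${ref##*/}             # final path component, the only place a tag can be
  case $last in
    *:*) ref=${ref%:*} ;;     # drop :tag without touching a registry :port
  esac
  printf '%s\n' "$ref"
}

# Print repo@sha256:<hex>; fail unless the digest is sha256 with 64 lowercase hex chars.
pin_ref() {
  digest=$2
  hex=${digest#sha256:}
  [ "$hex" != "$digest" ] || return 1      # missing sha256: prefix
  [ "${#hex}" -eq 64 ] || return 1
  case $hex in *[!0-9a-f]*) return 1 ;; esac
  printf '%s@%s\n' "$(image_repo "$1")" "$digest"
}

# Exit 0 when the image currently set on the config differs from the desired one.
needs_update() { [ "$1" != "$2" ]; }

# Pipeline step, run after the push. Args: CONFIG CLUSTER REGION IMAGE_WITH_TAG
sync_config() {
  digest=$(gcloud artifacts docker images describe "$4" \
    --format='value(image_summary.digest)') || return 1
  desired=$(pin_ref "$4" "$digest") || return 1
  current=$(gcloud workstations configs describe "$1" \
    --cluster="$2" --region="$3" --format='value(container.image)') || return 1
  if needs_update "$current" "$desired"; then
    gcloud workstations configs update "$1" --cluster="$2" --region="$3" \
      --container-custom-image="$desired"
  fi
}
```

Called as `sync_config CONFIG CLUSTER REGION IMAGE:TAG` from the last build step, it is a no-op when the config already references the current digest.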