From fb9fbce7646189000536d58ad3fd2016b7d6b17a Mon Sep 17 00:00:00 2001
From: Michael Uti <utimichael9@gmail.com>
Date: Mon, 27 Nov 2023 13:47:44 +0100
Subject: [PATCH] ci: use image digest when signing image with cosign

---
 .github/workflows/distroless.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/distroless.yml b/.github/workflows/distroless.yml
index c0147153c52..2e35d37a863 100644
--- a/.github/workflows/distroless.yml
+++ b/.github/workflows/distroless.yml
@@ -74,6 +74,7 @@ jobs:
           docker load < builder_image.tar
 
       - name: Push Images
+        id: image_ref
         run: |
           set -ex
           docker image ls
@@ -103,12 +104,12 @@ jobs:
         with:
           cosign_private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
           cosign_password: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
-          image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest'
+          image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base@${{ steps.image_ref.outputs.BASE }}'
           ref: ${{ steps.image_ref.outputs.BASE }}
 
       - uses: build-trust/.github/actions/image_cosign@custom-actions
         with:
           cosign_private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
           cosign_password: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
-          image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest'
+          image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder@${{ steps.image_ref.outputs.BUILDER }}'
           ref: ${{ steps.image_ref.outputs.BUILDER }}