Use manifest digest for signing

Instead of using the image name and tag, use the image name and the manifest sha256. This allows to verify the image sha256 in logs etc. and gets rid of the following warning from cosign: ``` WARNING: Image reference ghcr.io/home-assistant/amd64-builder:dev uses a tag, not a digest, to identify the image to sign. ```
home-assistant · Aug 12, 2024 · a161d0f · a161d0f
1 parent 1eac7a4
commit a161d0f
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/builder.sh b/builder.sh
@@ -389,7 +389,8 @@ function run_build() {
     fi
 
     # Singing image (cosign)
-    cosign_sign "${repository}/${image}:${version}"
+    image_id=$(docker inspect --format='{{index .RepoDigests 0}}' "${repository}/${image}:${version}")
+    cosign_sign "${image_id}"
 }
 
 function convert_to_json() {