From 4bb24db6682acdccc9c91291e44b1d328a379ea8 Mon Sep 17 00:00:00 2001
From: Kevin Minehart <5140827+kminehart@users.noreply.github.com>
Date: Tue, 9 Jun 2026 09:05:06 +0200
Subject: [PATCH] chore: capture and use image digest in Dockerfile
---
 .github/workflows/release.yaml | 12 ++++++++----
 Dockerfile | 2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f952abc..4abe20b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,7 +5,7 @@ name: release
 # on main branch merge:
 # 1. Calculate next semantic version tag (autotag)
 # 2. Build and push Dockerfile.base (ghcr.io/planetscale/ghcommit-action)
-# 3. Update version tag in Dockerfile, commit change
+# 3. Update image digest in Dockerfile, commit change
 # 4. Create GitHub Release for the new version
 on:
@@ -80,17 +80,21 @@ jobs:
 - name: Build and push Dockerfile.base (ghcr.io/planetscale/ghcommit-action)
 run: |
- # build and push a multi-arch image:
+ set -euo pipefail
+ # build and push a multi-arch image, capturing the resulting digest:
 image="ghcr.io/planetscale/ghcommit-action:v${new_version}"
 docker buildx build \
 -f Dockerfile.base \
 --platform linux/amd64,linux/arm64 \
+ --metadata-file "${RUNNER_TEMP}/metadata.json" \
 --output type=image,name=$image,oci-mediatypes=true,compression=zstd,push=true \
 .
+ digest=$(jq -er '."containerimage.digest"' "${RUNNER_TEMP}/metadata.json")
+ echo "image_digest=${digest}" >> "${GITHUB_ENV}"
- - name: Update image version in Dockerfile
+ - name: Update image digest in Dockerfile
 run: |
- sed -i'' -Ee "s/ghcommit-action:v(.*)/ghcommit-action:v${new_version}/" Dockerfile
+ sed -i'' -Ee "s|ghcommit-action@sha256:[a-f0-9]+|ghcommit-action@${image_digest}|" Dockerfile
 - name: Commit changes
 uses: planetscale/ghcommit-action@343f41817a6a0f882f18bbc59fdd37f49452736f # v0.2.19
diff --git a/Dockerfile b/Dockerfile
index a3a367a..005e4c7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1 +1 @@
-FROM ghcr.io/planetscale/ghcommit-action:v0.2.21
+FROM ghcr.io/planetscale/ghcommit-action@sha256:f1ed906140bd82cb951602f46f36fb4dcf4128e7782d3aaadf2dc1228ba90525
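Review bot: In `.github/workflows/release.yaml`, the "Update image digest in Dockerfile" step can succeed without pinning anything, because `sed` exits 0 when its pattern matches nothing. If the FROM line is ever not in `@sha256:` form, the workflow would go on to commit and release a Dockerfile that still references the previous image. The step also reads `${image_digest}` without the `set -euo pipefail` that the build step gained, and the value taken from `metadata.json` is only checked for being non-null by `jq -e`, not for its shape. I would make the step fail closed by validating before the substitution, `[[ "${image_digest}" =~ ^sha256:[a-f0-9]{64}$ ]] || exit 1`, and confirming the result after it, `grep -qF "ghcommit-action@${image_digest}" Dockerfile`.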
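Review bot: The new FROM line in `Dockerfile` pins the base image by digest, but nothing in the file records which release that digest belongs to, so an auditor cannot tell the version without querying the registry. A comment line above it would cover this, for example `# ghcommit-action <version>; digest is rewritten by .github/workflows/release.yaml`, with `<version>` filled in at release time. It has to be a separate line, since a trailing `#` on the FROM line is not parsed as a comment. The workflow's `sed` would then need to rewrite that comment too, or it will go stale on the next release.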