From bc2885c5c755f903534f406b202da5f02bd3b672 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christopher=20M=C3=BChl?=
Date: Wed, 18 Feb 2026 13:23:18 +0100
Subject: [PATCH] feat: pin server image to digest at deploy time
---
deploy-static-site/action.yaml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/deploy-static-site/action.yaml b/deploy-static-site/action.yaml
index 38ca3c5..05a781f 100644
--- a/deploy-static-site/action.yaml
+++ b/deploy-static-site/action.yaml
@@ -49,7 +49,7 @@ runs: steps: - name: Install tools shell: bash - run: NIXPKGS_ALLOW_UNFREE=1 nix profile install --impure nixpkgs#nomad nixpkgs#awscli2 + run: NIXPKGS_ALLOW_UNFREE=1 nix profile install --impure nixpkgs#nomad nixpkgs#awscli2 nixpkgs#skopeo - name: Build site shell: bash
@@ -77,6 +77,14 @@ runs: /tmp/site.tar.gz \ "s3://${{ inputs.s3-bucket }}/sites/${{ inputs.domain }}/${SITE_HASH}.tar.gz" + - name: Resolve server image digest + shell: bash + run: | + DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://${{ inputs.server-image }}") + IMAGE_REPO="${{ inputs.server-image }}" + IMAGE_REPO="${IMAGE_REPO%%:*}" + echo "SERVER_IMAGE_PINNED=${IMAGE_REPO}@${DIGEST}" >> $GITHUB_ENV + - name: Deploy Nomad job shell: bash run: |
@@ -88,7 +96,7 @@ runs: NOMAD_ADDR: ${{ inputs.nomad-addr }} DOMAIN: ${{ inputs.domain }} SITE_HASH: ${{ env.SITE_HASH }} - SERVER_IMAGE: ${{ inputs.server-image }} + SERVER_IMAGE: ${{ env.SERVER_IMAGE_PINNED }} DATACENTER: ${{ inputs.datacenter }} S3_BUCKET: ${{ inputs.s3-bucket }}
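Review bot: The new `Resolve server image digest` step expands `${{ inputs.server-image }}` directly inside the `run:` script. The value is pasted into the shell source before bash parses it, so a caller-supplied reference containing quotes or `$(...)` would run as code on the runner; pass it through `env:` and read it as a shell variable instead. Separately, `${IMAGE_REPO%%:*}` cuts at the first colon, which truncates a registry that carries a port (constructed example: `registry.example:5000/app:1.2` becomes `registry.example`) and yields `repo@sha256@sha256:…` when the input is already digest-pinned. The fence below strips an existing digest first, removes a tag only when the colon sits in the last path component, checks the digest's shape before writing it, and quotes `$GITHUB_ENV`. Indentation in the fence is approximate because the page lost the original whitespace.

```yaml
- name: Resolve server image digest
  shell: bash
  env:
    # Passed as data, so the reference is never parsed as shell source.
    SERVER_IMAGE_REF: ${{ inputs.server-image }}
  run: |
    DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://${SERVER_IMAGE_REF}")
    # Refuse anything that is not "<algorithm>:<hex>" before it reaches the job spec.
    if [[ ! "$DIGEST" =~ ^[a-z0-9]+:[0-9a-f]+$ ]]; then
      echo "unexpected digest for ${SERVER_IMAGE_REF}: ${DIGEST}" >&2
      exit 1
    fi
    # Drop an existing digest, then a tag only when the colon is in the
    # last path component (keeps a registry port intact).
    IMAGE_REPO="${SERVER_IMAGE_REF%%@*}"
    case "${IMAGE_REPO##*/}" in
      *:*) IMAGE_REPO="${IMAGE_REPO%:*}" ;;
    esac
    echo "SERVER_IMAGE_PINNED=${IMAGE_REPO}@${DIGEST}" >> "$GITHUB_ENV"
```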