Save digest in build and use for deploy

build/action.yml

@@ -111,7 +111,7 @@ outputs:
     value: ${{ steps.get-outputs.outputs.image-name }}
   image-digest:
     description: 'Name of the Docker image that was built, with digest.'
-    value: ${{ steps.get-outputs.outputs.image-name }}
+    value: ${{ steps.get-outputs.outputs.image-digest }}
 
 runs:
   using: 'composite'
@@ -168,7 +168,7 @@ runs:
     - name: Install 3lv CLI
       uses: 3lvia/cli/setup@trunk
       with:
-        version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+        version: 'feat/use-full-image-deploy' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 
     - name: Install Cosign if not using Elvia runner
       if: ${{ !startsWith(runner.name, 'elvia-runner-') && inputs.sign-image == 'true' }}
@@ -218,9 +218,20 @@ runs:
       id: get-outputs
       run: |
         IMAGE_NAME=$(cat /tmp/3lv-cli-output/image-name)
+        IMAGE_DIGEST=$(docker manifest inspect -v "$IMAGE_NAME" | jq -r '.Descriptor.digest')
 
         echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
-        echo "image-digest=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)" >> "$GITHUB_OUTPUT"
+        echo "image-digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
+
+        echo "$IMAGE_NAME" > /tmp/build-info-image-name
+        echo "$IMAGE_DIGEST" > /tmp/build-info-image-digest
+
+    - name: Upload build information to artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: 'build-info'
+        path: '/tmp/build-info-*'
+        retention-days: 3
 
     - name: Sign image with Cosign using GitHub OIDC token
       if: ${{ inputs.sign-image == 'true' }}

deploy/action.yml

@@ -130,7 +130,20 @@ runs:
     - name: Install 3lv CLI
       uses: 3lvia/cli/setup@trunk
       with:
-        version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+        version: 'feat/use-full-image-deploy' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+
+    - name: Download artifact with build information
+      uses: actions/download-artifact@v4
+      continue-on-error: true # ignore error since we can always use default taag
+      with:
+        name: 'build-info'
+
+    - name: Get image digest and tag from build information
+      shell: bash
+      continue-on-error: true # ignore error since we can always use default taag
+      run: |
+        echo "IMAGE_DIGEST=$(cat build-info-image-digest)" >> "$GITHUB_ENV"
+        echo "IMAGE_TAG=$(cat build-info-image-tag)" >> "$GITHUB_ENV"
 
     - name: Deploy
       shell: bash
@@ -139,19 +152,21 @@ runs:
           --system-name '${{ inputs.namespace }}' \
           --helm-values-file "$HELM_VALUES_FILE" \
           --environment '${{ inputs.environment }}' \
+          --image "$IMAGE" \
           --workload-type '${{ inputs.workload-type }}' \
           --runtime-cloud-provider '${{ inputs.runtime-cloud-provider }}' \
-          --image-tag "$IMAGE_TAG" \
           --add-deployment-annotation \
           --grafana-url "$GRAFANA_URL" \
           --grafana-api-key "$GRAFANA_API_KEY" \
           --run-id '${{ github.run_id }}' \
           '${{ inputs.name }}'
       env:
         HELM_VALUES_FILE: ${{ inputs.helm-values-path == '' && inputs.helm-values-file || inputs.helm-values-path }}
-        IMAGE_TAG: ${{ inputs.override-image-tag == '' && format('{0}-{1}', github.sha, github.run_number) || inputs.override-image-tag }}
+        # Order of precedence: digest if not empty, tag if not empty, finally default to '{sha}-{run_number}'
+        IMAGE: ${{ env.IMAGE_DIGEST != '' && env.IMAGE_DIGEST || (env.IMAGE_TAG != '' && env.IMAGE_TAG || format('{0}-{1}', github.sha, github.run_number)) }}
         # Pass optional inputs as environment variables, since they can be empty.
         # The CLI does not accept empty strings passed to the flags, e.g. `--gke-project-id ''` will cause an error.
+        3LV_IMAGE_DIGEST: ${{ env.IMAGE_DIGEST }}
         3LV_AZURE_TENANT_ID: ${{ inputs.AZURE_TENANT_ID }}
         3LV_AZURE_CLIENT_ID: ${{ inputs.AZURE_CLIENT_ID }}
         3LV_AZURE_FEDERATED_TOKEN: ${{ steps.get-federated-token.outputs.token }}