Correctly pin cosign-verify action in build-image action (#281)

sairon · web-flow · commit 537e6bc898a1 · 2026-03-17T14:05:16.000+01:00
The build-image action was using branch reference to the previous PR branch
when calling the cosign-verify. It was pointed to that because when the actions
are reused, the path is evaluated relative to the repo that's using them - so
we can't simply use local path here. We've got unfortunately a chicken-egg
situation then, so we must always pin the verify action to the previous
release.
diff --git a/actions/build-image/action.yml b/actions/build-image/action.yml
@@ -114,7 +114,7 @@ runs:
     - name: Verify cache image ${{ inputs.image }}:${{ inputs.cache-image-tag }}
       if: inputs.cosign == 'true'
       id: verify_cache
-      uses: home-assistant/builder/actions/cosign-verify@gha-builder
+      uses: home-assistant/builder/actions/cosign-verify@dd86b0a3ee041ecc3f6512c0bfbc73a0cc724ce6 # 2026.03.0
       with:
         image: ${{ inputs.image }}:${{ inputs.cache-image-tag }}
         cosign-identity: ${{ inputs.cosign-identity || env.DEFAULT_COSIGN_IDENTITY }}
@@ -125,7 +125,7 @@ runs:
 
     - name: Verify base image
       if: inputs.push == 'true' && inputs.cosign-base-verify != '' && inputs.cosign-base-identity != ''
-      uses: home-assistant/builder/actions/cosign-verify@gha-builder
+      uses: home-assistant/builder/actions/cosign-verify@dd86b0a3ee041ecc3f6512c0bfbc73a0cc724ce6 # 2026.03.0
       with:
         image: ${{ inputs.cosign-base-verify }}
         cosign-identity: ${{ inputs.cosign-base-identity }}
