fix: missing tag and specify tag to anchore/syft

mguzman14 · mguzman14 · commit 77fb5da733cd · 2025-12-09T15:41:42.000+01:00
diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml
@@ -38,7 +38,7 @@ jobs:
           docker run --rm \
           -v /var/run/docker.sock:/var/run/docker.sock \
           -v "$PWD":/work \
-          anchore/syft:latest "$FULL_IMAGE" -o syft-json > sbom.syft.json
+          anchore/syft:v1.38.0 "$FULL_IMAGE" -o syft-json > sbom.syft.json
           test -s sbom.syft.json && echo "SBOM created: sbom.syft.json"
 
       - name: 📤 Upload SBOM artifact
@@ -85,5 +85,5 @@ jobs:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           printf '%s' "$COSIGN_PRIVATE_KEY" > cosign.key
-          cosign sign --key cosign.key $FINAL_TAG
+          cosign sign --key cosign.key $FULL_IMAGE
           shred -u cosign.key || rm -f cosign.key
