Pin by digest
A tag like :latest can move. A digest cannot. Pinning by sha256 digest means the artifact you run is exactly the one that passed the 0-CVE gate and was signed, with no chance of a tag drifting underneath you.
The charts already do this
Each chart references its image by digest in values.yaml, never a tag, so you get digest pinning by default:
```yaml
image:
  repository: ghcr.io/quenchworks/images/redis
  digest: "sha256:38a0c67..."
```
When the factory rebuilds an image, a digest contract updates the chart to the new signed digest and re-releases it, so the pin stays current without you chasing tags.
Find a digest
Resolve a tag to its digest with crane, or read it off the catalog page:
```sh
crane digest ghcr.io/quenchworks/images/redis:8.8.0
# sha256:38a0c67...
```
Pin your own deployment
If you run an image directly, resolve the tag to a digest once, then reference that digest. This runs as-is:
```sh
DIGEST=$(crane digest ghcr.io/quenchworks/images/redis:8.8.0)
docker pull ghcr.io/quenchworks/images/redis@$DIGEST
```
To pin a chart to a specific image build, override the digest at install time:
```sh
helm install my-redis oci://ghcr.io/quenchworks/charts/redis \
  --set image.digest="$DIGEST"
```
Then verify that digest before you ship it.
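As an added example (not part of this page or the Quenchworks tooling), the check behind "verify that digest": recompute the digest from the manifest bytes a registry would serve and compare it to the pin, refusing anything that does not match or is not a full sha256 digest. The manifest body and the reference names are constructed for the demo; `crane` and `docker` are not called.

```python
"""Digest pinning check, added here as an example (not Quenchworks code).
A digest is sha256 over the exact manifest bytes the registry serves, so it can
be recomputed from those bytes and compared to the pin before a deploy."""
import hashlib
import hmac
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_reference(ref: str):
    """Split repo[:tag][@digest] into (repo, tag or None, digest or None)."""
    repo, _, digest = ref.partition("@")
    # A ':' after the last '/' separates the tag; earlier ones are a registry port.
    head, slash, last = repo.rpartition("/")
    name, _, tag = last.partition(":")
    return head + slash + name, tag or None, digest or None

def is_digest(value: str) -> bool:
    return bool(DIGEST_RE.match(value))

def manifest_digest(body: bytes) -> str:
    """Digest as the registry computes it: over the raw bytes, not parsed JSON."""
    return "sha256:" + hashlib.sha256(body).hexdigest()

def pinned_reference(repo: str, digest: str) -> str:
    """Build repo@sha256:...; refuses a truncated or malformed digest."""
    if not is_digest(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return f"{repo}@{digest}"

def verify_manifest(body: bytes, pinned: str) -> bool:
    """True only if the served manifest bytes hash to the pinned digest."""
    return is_digest(pinned) and hmac.compare_digest(manifest_digest(body), pinned)

# Constructed OCI manifest standing in for a registry response (not a real image).
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "0" * 64, "size": 1},
    "layers": [],
}, separators=(",", ":")).encode()

def demo():
    digest = manifest_digest(MANIFEST)
    ref = pinned_reference("ghcr.io/quenchworks/images/redis", digest)
    # Re-serialising the JSON changes the bytes, so the same content no longer matches.
    reformatted = json.dumps(json.loads(MANIFEST), indent=2).encode()
    return ref, verify_manifest(MANIFEST, digest), verify_manifest(reformatted, digest)
```

The last return value shows why the comparison must run over the bytes as served: a pretty-printed copy of the same manifest has a different digest.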