From fcc105f460f6a98ba5af819f46018050fd877dac Mon Sep 17 00:00:00 2001
From: Lukas Piwowarski <lpiwowar@redhat.com>
Date: Wed, 18 Feb 2026 19:21:18 +0100
Subject: [PATCH] Enable image digests in bundle generation

Set USE_IMAGE_DIGESTS=true when running make bundle to pin images
using SHA256 digests. This improves security and reproducibility,
and simplifies releases to the community-operators catalog (we can just
extract the content of the bundle image, make minor modifications and
we are ready for the release).
---
 .github/workflows/build-and-push.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
index 29498b29..7d30fdf8 100644
--- a/.github/workflows/build-and-push.yaml
+++ b/.github/workflows/build-and-push.yaml
@@ -70,7 +70,7 @@ jobs:
 
       - name: Generate bundle
         run: |
-          make bundle IMG=$OPERATOR_IMAGE
+          make bundle IMG=$OPERATOR_IMAGE USE_IMAGE_DIGESTS=true
           make bundle-build BUNDLE_IMG=$BUNDLE_IMAGE
           docker tag $BUNDLE_IMAGE $BUNDLE_IMAGE_LATEST
           make bundle-push BUNDLE_IMG=$BUNDLE_IMAGE