From 8c1645189b2100a35e20c10968db61d8707e6edc Mon Sep 17 00:00:00 2001
From: Henrik Jess Nielsen <lrihni@egmont.com>
Date: Fri, 22 May 2026 23:46:46 +0200
Subject: [PATCH] ci: use git SHA tag instead of latest for deterministic Nomad
 deploys

---
 .gitea/workflows/deploy.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 18b5c66..42c6468 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -39,14 +39,17 @@ jobs:
 
       - name: Build and push image
         run: |
-          docker build -t ${IMAGE}:latest .
+          SHA=$(echo "$GITHUB_SHA" | cut -c1-8)
+          docker build -t ${IMAGE}:${SHA} -t ${IMAGE}:latest .
+          docker push ${IMAGE}:${SHA}
           docker push ${IMAGE}:latest
+          echo "IMAGE_TAG=${SHA}" >> $GITHUB_ENV
 
       - name: Validate Nomad job
-        run: nomad job validate ${SERVICE_NAME}.nomad
+        run: sed "s|:latest|:${IMAGE_TAG}|g" ${SERVICE_NAME}.nomad | nomad job validate -
 
       - name: Deploy to Nomad
-        run: nomad job run ${SERVICE_NAME}.nomad
+        run: sed "s|:latest|:${IMAGE_TAG}|g" ${SERVICE_NAME}.nomad | nomad job run -
 
       - name: Health check
         run: |