i guess we rawdogging digests over here

.woodpecker/build.yml

@@ -56,6 +56,17 @@ steps:
   when:
   - event: push
     branch: main
+- name: gather-digests
+  image: quay.io/skopeo/stable:latest
+  environment:
+    DOCKER_USER:
+      from_secret: registry_username
+    DOCKER_PASS:
+      from_secret: registry_password
+  commands:
+  - dnf install -y jq
+  - skopeo inspect --raw docker://dev.shielddagger.com/shielddagger/heimdall:latest | jq .'manifests[] | select(.platform.architecture=="arm64").digest' > digest-arm64
+  - skopeo inspect --raw docker://dev.shielddagger.com/shielddagger/heimdall:latest | jq .'manifests[] | select(.platform.architecture=="amd64").digest' > digest-amd64
 - name: image-scan
   image: aquasec/trivy
   environment:
@@ -67,9 +78,8 @@ steps:
     TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
     TRIVY_CHECKS_BUNDLE_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks
   commands:
-  - docker login dev.shielddagger.com --username $TRIVY_USER --password $TRIVY_USER
+  - export ARM64_DIGEST=$(cat digest-arm64)
-  - docker pull dev.shielddagger.com/opensource/discord-notifier:latest
+  - trivy image --platform linux/arm64 --debug dev.shielddagger.com/opensource/discord-notifier@$ARM64_DIGEST --exit-code 1 --username $TRIVY_USER --severity HIGH,CRITICAL
-  - trivy image --platform linux/arm64 --debug dev.shielddagger.com/opensource/discord-notifier:latest --exit-code 1 --username $TRIVY_USER --severity HIGH,CRITICAL
   when:
   - event: push
     branch: main