fix(github): fix Trivy scanning - rely on sha tagged image

.github/workflows/build.yml

@@ -26,15 +26,15 @@ jobs:
         docker build --tag ghcr.io/tgagor/centos-stream --cache-from ghcr.io/tgagor/centos-stream .
         docker run --name tgagor-centos-stream ghcr.io/tgagor/centos-stream true
         docker export tgagor-centos-stream | docker import - ghcr.io/tgagor/centos-stream
-        docker tag ghcr.io/tgagor/centos-stream ghcr.io/tgagor/centos-stream:${GITHUB_REF##*/}
+        docker tag ghcr.io/tgagor/centos-stream ghcr.io/tgagor/centos-stream:${{ github.sha }}
         docker tag ghcr.io/tgagor/centos-stream ghcr.io/tgagor/centos-stream:${GITHUB_REF##*/}
         docker push ghcr.io/tgagor/centos-stream
         docker push ghcr.io/tgagor/centos-stream:${GITHUB_REF##*/}
 
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/trivy-action@master
       with:
-        image-ref: ghcr.io/tgagor/centos-stream
+        image-ref: ghcr.io/tgagor/centos-stream:${{ github.sha }}
         format: template
         template: '@/contrib/sarif.tpl'
         # don't fail