From f706a217d0e658c088d22a7192067e506ddd79a5 Mon Sep 17 00:00:00 2001
From: Joe Laverty <jlav@users.noreply.github.com>
Date: Thu, 19 Mar 2026 16:24:07 -0400
Subject: [PATCH] fix: Use commit SHA instead of mutable branch tag for
 enterprise base (#13498)

---
 .github/workflows/ghcr-build.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ghcr-build.yml b/.github/workflows/ghcr-build.yml
index 86ba722cec..bd0718e651 100644
--- a/.github/workflows/ghcr-build.yml
+++ b/.github/workflows/ghcr-build.yml
@@ -219,11 +219,9 @@ jobs:
       - name: Determine app image tag
         shell: bash
         run: |
-          # Duplicated with build.sh
-          sanitized_ref_name=$(echo "$GITHUB_REF_NAME" | sed 's/[^a-zA-Z0-9.-]\+/-/g')
-          OPENHANDS_BUILD_VERSION=$sanitized_ref_name
-          sanitized_ref_name=$(echo "$sanitized_ref_name" | tr '[:upper:]' '[:lower:]') # lower case is required in tagging
-          echo "OPENHANDS_DOCKER_TAG=${sanitized_ref_name}" >> $GITHUB_ENV
+          # Use the commit SHA to pin the exact app image built by ghcr_build_app,
+          # rather than a mutable branch tag like "main" which can serve stale cached layers.
+          echo "OPENHANDS_DOCKER_TAG=${RELEVANT_SHA}" >> $GITHUB_ENV
       - name: Build and push Docker image
         uses: useblacksmith/build-push-action@v1
         with: