
cosign sbom: WARNING: Image reference uses a tag, not a digest, to identify the image to sign.

Describe the bug

Cosign attest uses tag instead of digest

Expected behavior

Should find digest and use it

Actual behavior

WARNING: Image reference registry.gitlab.com/.../main:latest uses a tag, not a digest, to identify the image to sign.
    This can lead you to sign a different image than the intended one. Please use a
    digest (example.com/ubuntu@sha256:abc123...) rather than tag
    (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
    images by tag will be removed in a future release.
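
The warning above asks for a digest reference instead of a tag. One way to build one is sketched below, as an added example that is not part of the original report or of cosign itself. The function name `pin_ref` is hypothetical, and the digest is assumed to have been resolved separately.

```shell
#!/bin/sh
# pin_ref REF DIGEST: print REF rewritten to the digest form NAME@DIGEST.
# The digest must be obtained separately (for example with `crane digest`
# or from the push step's output); this function only rewrites the string.
pin_ref() {
    ref=$1
    digest=$2

    # Accept only "sha256:" followed by exactly 64 lowercase hex characters,
    # so a truncated value such as sha256:abc123 is rejected.
    hex=${digest#sha256:}
    if [ "$hex" = "$digest" ] || [ "${#hex}" -ne 64 ]; then
        echo "pin_ref: invalid digest: $digest" >&2
        return 1
    fi
    case $hex in
        *[!0-9a-f]*) echo "pin_ref: invalid digest: $digest" >&2; return 1 ;;
    esac

    # Drop a digest that is already present, if any.
    name=${ref%%@*}

    # Drop the tag: a ':' in the last path component. A ':' earlier in the
    # reference is a registry port (registry.example:5000/app) and is kept.
    last=${name##*/}
    case $last in
        *:*) name=${name%:*} ;;
    esac

    printf '%s@%s\n' "$name" "$digest"
}

# Intended use (IMAGE and DIGEST are assumed variables, not from the report):
#   cosign attest --predicate sbom.json --key cosign.key "$(pin_ref "$IMAGE" "$DIGEST")"
```

Signing the rewritten reference ties the attestation to the exact image content, even if the tag is later moved to a different image.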