Use specific ref for trivy scan on release

.github/workflows/docker.yml

@@ -37,14 +37,15 @@ jobs:
           elif [[ $GITHUB_REF == refs/pull/* ]]; then
             VERSION=pr-${{ github.event.number }}
           fi
-          TAGS="${REGISTRY}${IMAGE}:${VERSION}"
+          REF="${REGISTRY}${IMAGE}:${VERSION}"
+          TAGS="${REF}"
           if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
-            TAGS="${REGISTRY}${IMAGE}:${VERSION}"
             MINOR=${VERSION%.*}
             MAJOR=${MINOR%.*}
-            TAGS="$TAGS,${REGISTRY}${IMAGE}:${MINOR},${REGISTRY}${IMAGE}:${MAJOR}"
+            TAGS="${TAGS},${REGISTRY}${IMAGE}:${MINOR},${REGISTRY}${IMAGE}:${MAJOR}"
           fi
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "ref=${REF}" >> $GITHUB_OUTPUT
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
           echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
 
@@ -99,7 +100,7 @@ jobs:
         uses: aquasecurity/trivy-action@master
         if: ${{ github.event_name != 'pull_request' || inputs.tag != '' }}
         with:
-          image-ref: ${{ steps.env.outputs.tags }}
+          image-ref: ${{ steps.env.outputs.ref }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true