Find PR merge sha after PR merged

Desired outcome: the product of a PR is a Docker container. We push this to the registry for test deployment. Upon merging that PR into main we want to retag the Docker container with latest. We don’t rebuild as we need to retain the integrity chain.

Diagram:

I am having difficulties with finding the commit upon looking at the push event on main.

Steps taken:

We tag the Docker container with the following tags:

# ...
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=edge
            type=sha,prefix=sha-,format=long
            type=ref,event=branch
            type=ref,event=pr
#...

And we push that Docker container to the registry.

Now, when this PR gets merged, a NEW merge commit is created on top of main, which is different from the sha that we get during the pull_request build.
This causes trouble as I cannot find the Docker container created by this particular PR.

I have the option ‘Require branches to be up to date before merging’ enabled, and I don’t allow rebasing, nor squashing.

What I’ve tried:
I have tried tagging the container with the sha of the HEAD of the incoming branch, i.e. the PR:

        uses: docker/metadata-action@v3
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=edge
            type=raw,prefix=sha-,value=${{ github.event.pull_request.head.sha }}

This works, as this sha is retained AFTER the merge, but it feels incorrect.

Any other way of solving this?
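One way to keep the `sha-<commit>` tag scheme from the original metadata-action step and still find the PR's image from the push to main, as an added example that is not part of the original post: with squash and rebase disabled, the merge commit on main has two parents, and its second parent is the HEAD of the merged PR branch. The script derives that sha with git, refuses to continue if the pushed commit is not a two-parent merge, checks that the PR build's image exists, and retags it with `docker buildx imagetools create` (a manifest copy, no rebuild). `DOCKER=echo` is an assumed override used here only for a dry run; the image name and `sha-` prefix follow the post's tags.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumes: git is available, merges
# to main are real merge commits (no squash/rebase, as the post states), and the
# pull_request build pushed the image as <image>:sha-<PR head sha> (format=long).

# Print the PR head sha (second parent) of a merge commit. Fail if the commit
# does not have exactly two parents, so a direct push never retags the wrong image.
pr_head_sha() {
  merge_sha="$1"
  parents=$(git rev-list --parents -n 1 "$merge_sha") || return 1
  set -- $parents                      # $1=merge sha, $2=main parent, $3=PR head
  [ "$#" -eq 3 ] || { echo "not a merge commit: $merge_sha" >&2; return 1; }
  printf '%s\n' "$3"
}

# Retag the PR build's image as :latest without rebuilding it.
# In a workflow triggered by push to main, call:
#   promote_latest "$REGISTRY/$IMAGE_NAME" "$GITHUB_SHA"
promote_latest() {
  image="$1"
  head_sha=$(pr_head_sha "$2") || return 1
  docker=${DOCKER:-docker}             # DOCKER=echo gives a dry run (assumed override)
  # Refuse to proceed if the image the PR build pushed is not in the registry.
  "$docker" buildx imagetools inspect "$image:sha-$head_sha" >/dev/null || return 1
  "$docker" buildx imagetools create -t "$image:latest" "$image:sha-$head_sha"
}
```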