diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
index 2027bbcb0..88d9d87a8 100644
--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@@ -31,6 +31,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      pull-requests: read
 
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -76,4 +77,4 @@ jobs:
       - name: container
         run: |
           echo "Formated Label: ${{ steps.labels.outputs.FORMATED_LABELS }}"
-          KO_PREFIX=gcr.io/projectsigstore/fulcio/ci/fulcio FORMATED_LABEL=${{ steps.labels.outputs.FORMATED_LABELS }} make sign-keyless-ci
+          KO_PREFIX=gcr.io/projectsigstore/fulcio/ci/fulcio FORMATED_LABEL=${{ steps.labels.outputs.FORMATED_LABELS }} RUN_NUMBER=${{ github.run_number }} make sign-keyless-ci
diff --git a/Makefile b/Makefile
index 3ec20f744..4ebd67950 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,11 @@ GHCR_PREFIX ?= ghcr.io/sigstore
 FULCIO_YAML ?= fulcio-$(GIT_TAG).yaml
 
 # It should be blank for default builds
-FORMATED_LABEL =
+FORMATED_LABEL ?=
+
+RUN_NUMBER ?= "local"
+
+FULL_TAG := "0.$(shell date +%Y%m%d).$(RUN_NUMBER)+ref.$(GIT_HASH)"
 
 # Binaries
 PROTOC-GEN-GO := $(TOOLS_BIN_DIR)/protoc-gen-go
@@ -126,7 +130,7 @@ ko:
 	# fulcio
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
 	KO_DOCKER_REPO=$(KO_PREFIX)/fulcio ko resolve $(FORMATED_LABEL) --bare \
-		--platform=linux/amd64 --tags $(GIT_VERSION) --tags $(GIT_HASH) \
+		--platform=linux/amd64 --tags $(GIT_VERSION) --tags $(GIT_HASH) --tags $(FULL_TAG) \
 		--image-refs fulcioImagerefs --filename config/ > $(FULCIO_YAML)
 
 .PHONY: ko-local