I am trying to do the CI/CD with GCP cloudbuild.

1. I have a k8s cluster ready in GCP. check the deployment manifest bellow.
2. I have a cloudbuild.yaml ready to build new image and push it to registry and command to change the deployment image. check the cloudbuild yaml bellow.

Previously, I used to push the image using the TAG latest for the docker image and use the same tag in deployment but it didn't pull the latest image so Now I have changed it to use the TAG $COMMIT_SHA. Now, I am not able to figure out the way to pass the new image with TAG based on commit_sha to the deployment.

nginx-deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mynginx
spec:
  replicas: 3
  minReadySeconds: 50
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  selector:
    matchLabels:
      app: nginx

  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - image: gcr.io/foods-io/cloudbuildtest-image:latest
          name: nginx
          ports:
            - containerPort: 80

cloudbuild.yaml

steps:
  #step1      
- name: 'gcr.io/cloud-builders/docker'
  args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/cloudbuildtest-image:$COMMIT_SHA', '.' ]
  #step 2
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/$PROJECT_ID/cloudbuildtest-image:$COMMIT_SHA']
  #STEP-3
- name: 'gcr.io/cloud-builders/kubectl'
  args: ['set', 'image', 'deployment/mynginx', 'nginx=gcr.io/foods-io/cloudbuildtest-image:$COMMIT_SHA']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=us-central1-a'
  - 'CLOUDSDK_CONTAINER_CLUSTER=cloudbuild-test'
images:
- 'gcr.io/$PROJECT_ID/cloudbuildtest-image'

Note: I repeat previously I was using the latest tag to the image and as is the same in deployment I expected to pull the new image with my 3rd steps in cloudbuild but that didn't so I made the above changes in TAG but now wondering how do I make changes to deployment manifest. Is using the helm only solution here?