feat(ci): Verify base/Chainguard image(s) with cosign before building (…

…#754)
ublue-os · Dec 24, 2023 · b0703f9 · b0703f9
1 parent e48a816
commit b0703f9
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -40,13 +40,27 @@ jobs:
             is_stable_version: true
             is_gts_version: false
     steps:
-      - name: Maximize build space
-        uses: ublue-os/remove-unwanted-software@v6
-
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      - name: Verify base image
+        uses: EyeCantCU/cosign-action/verify@v0.2.1
+        with:
+          containers: silverblue-${{ matrix.image_flavor }}:${{ matrix.major_version }}
+
+      - name: Verify Chainguard images
+        if: matrix.base_name != 'bluefin'
+        uses: EyeCantCU/cosign-action/verify@v0.2.1
+        with:
+          containers: flux, helm, ko, minio, kubectl
+          cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
+          oidc-issuer: https://token.actions.githubusercontent.com
+          registry: cgr.dev/chainguard
+
+      - name: Maximize build space
+        uses: ublue-os/remove-unwanted-software@v6
+
       - name: Check just syntax
         uses: ublue-os/just-action@v1