feat(ci): Verify base image with cosign before building (#184)

Validate the integrity of base image being built from via cosign before continuing to build. Ensures we only build from signed images
ublue-os · Dec 27, 2023 · d50d598 · d50d598
1 parent 6a8d7e1
commit d50d598
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -49,13 +49,18 @@ jobs:
           - image_name: lazurite
             major_version: 38
     steps:
-      - name: Maximize build space
-        uses: ublue-os/remove-unwanted-software@v6
-
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      - name: Verify base image
+        uses: EyeCantCU/cosign-action/verify@v0.2.1
+        with:
+          containers: ${{ matrix.image_name }}-main:${{ matrix.major_version }}
+
+      - name: Maximize build space
+        uses: ublue-os/remove-unwanted-software@v6
+
       - name: Matrix Variables
         run: |
             REPO=${{ github.repository }}