fix: update the verification steps to add identity regexp and issuer

Adds a regular expression so a consumer can verify that image was published from the expected repository. Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
complytime · Dec 6, 2023 · 27088c1 · 27088c1
1 parent ae9ad1a
commit 27088c1
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -106,12 +106,14 @@ jobs:
           IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}
 
       - name: Verify image
-        run: cosign verify "$IMAGE@$DIGEST"
+        run: |
+          cosign verify "$IMAGE@$DIGEST" --certificate-identity-regexp="$SUBJECT" \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com
         env:
-          IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}}
+          SUBJECT: https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/.+
+          IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
 
-
   test:
     permissions:
         contents: read
@@ -121,4 +123,5 @@ jobs:
     with:
       image: ${{ needs.publish-image.outputs.image }}
 
-
+
+