diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 14eb89ae..e4ad4b2c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -106,12 +106,14 @@ jobs:
 IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}
 - name: Verify image
- run: cosign verify "$IMAGE@$DIGEST"
+ run: |
+ cosign verify "$IMAGE@$DIGEST" --certificate-identity-regexp="$SUBJECT" \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 env:
- IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}}
+ SUBJECT: https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/.+
+ IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}
 DIGEST: ${{ steps.build-and-push.outputs.digest }}
-
 test:
 permissions:
 contents: read
@@ -121,4 +123,5 @@ jobs:
 with:
 image: ${{ needs.publish-image.outputs.image }}
-
\ No newline at end of file
+
+
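Review bot: The `SUBJECT` identity regexp added in the first hunk is wider than the verify step needs: `\.github/.+` accepts a signature from any workflow file under the repository's `.github/` directory on any ref, and since cosign's `--certificate-identity-regexp` match is, as far as I recall, unanchored, the pattern also matches as a substring of a longer identity. Anchoring it and naming the workflow that actually signs narrows the trust to that signer, e.g. `SUBJECT: ^https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/workflows/publish\.yml@refs/.+$` (the `@refs/...` suffix is a constructed placeholder). The step that produces the signature is outside this hunk, so confirm the exact identity it emits (workflow path and ref form) before tightening, and consider a one-line comment above `SUBJECT` stating which workflow/ref the verification is meant to trust so the next edit does not loosen it again. The `publish-image` job continues outside the hunk on both sides.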