fix: update the verification steps to add indentity regexp and issuer

Adds a regular expression so a consumer can verify that image was published from the expected repository. Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
complytime · Nov 21, 2023 · c8bc89a · c8bc89a
1 parent 0e742dd
commit c8bc89a
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -75,7 +75,9 @@ jobs:
 
       - name: Verify image
         run: |
-          cosign verify "$IMAGE@$DIGEST"
+          cosign verify "$IMAGE@$DIGEST" --certificate-identity-regexp="$SUBJECT" \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com
         env:
+          SUBJECT: https://github\.com/${{ vars.QUAY_ORG }}/trestle-bot/\.github/.+
           IMAGE: ${{ env.IMAGE_REGISTRY }}/${{ vars.QUAY_ORG }}/${{ env.IMAGE_NAME }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}