feat(release-container): cosign-base-image-only input

.github/workflows/release-container.yaml

@@ -34,6 +34,11 @@ on:
         required: false
         default: 'https://github.com/radiorabe/.*'
         type: string
+      cosign-base-image-only:
+        description: 'pass --base-image-only arg to cosign dockerfile verify'
+        required: false
+        default: false
+        type: boolean
 
 jobs:
   docker:
@@ -97,7 +102,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: Verify Dockerfile using cosign
-        run: cosign dockerfile verify --certificate-oidc-issuer ${{ inputs.cosign-certificate-oidc-issuer }} --certificate-identity-regexp ${{ inputs.cosign-certificate-identity-regexp }} Dockerfile > /dev/null
+        run: cosign dockerfile verify --certificate-oidc-issuer ${{ inputs.cosign-certificate-oidc-issuer }} --certificate-identity-regexp ${{ inputs.cosign-certificate-identity-regexp }} ${{ inputs.cosign-base-image-only && '--base-image-only' }} Dockerfile > /dev/null
         if: inputs.cosign-verify
 
       - name: Build Container Image

README.md

@@ -95,8 +95,9 @@ jobs:
       display-name: <display-name> # (3)
       tags: <tags> # (4)
       cosign-verify: true # (5)
-      cosign-certificate-oidc-issuer: <issues> # (6)
-      cosign-certificate-identity-regexp: <regexp> # (7)
+      cosign-certificate-oidc-issuer: [issues] # (6)
+      cosign-certificate-identity-regexp: [regexp] # (7)
+      cosign-base-image-only: [true] # (8)
 ```
 
 1. Replace this with the actual name of the image, usually something like the
@@ -110,6 +111,8 @@ jobs:
 6. Defaults to GitHub as an issuer and only needs tuning in special cases.
 7. The default `https://github.com/radiorabe/.*` allows signatures from all
    of our orga, add a more specific regexp if you feel the need.
+8. Pass `--base-image-only` to cosign if you are copying binaries from a
+   source image that isn't signed with cosign.
 
 #### Container Images: Schedule