From d50d59816a2c7ca9434aa8cc498d27f8503f51a9 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Wed, 27 Dec 2023 09:21:37 -0700
Subject: [PATCH] feat(ci): Verify base image with cosign before building (#184)

Validate the integrity of base image being built from via cosign before continuing to build. Ensures we only build from signed images
---
 .github/workflows/build.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7c1bec87..124453e1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -49,13 +49,18 @@ jobs:
           - image_name: lazurite
             major_version: 38
     steps:
-      - name: Maximize build space
-        uses: ublue-os/remove-unwanted-software@v6
-
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
+      - name: Verify base image
+        uses: EyeCantCU/cosign-action/verify@v0.2.1
+        with:
+          containers: ${{ matrix.image_name }}-main:${{ matrix.major_version }}
+
+      - name: Maximize build space
+        uses: ublue-os/remove-unwanted-software@v6
+
       - name: Matrix Variables
         run: |
           REPO=${{ github.repository }}
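Review bot: The new "Verify base image" step pins the third-party verification action by a mutable tag, `uses: EyeCantCU/cosign-action/verify@v0.2.1`, so the step that is meant to establish trust in the base image is itself resolved through a ref that can be moved; pin it to the full commit SHA and keep the version as a trailing comment, e.g. `uses: EyeCantCU/cosign-action/verify@<full-commit-sha>  # v0.2.1`. The step also passes only `containers:`, leaving the registry and the public key or signer identity at whatever the action defaults to, so the workflow does not show which signer is being trusted; if the action exposes inputs for these, setting them explicitly would make the trust decision reviewable in this file. Note too that `${{ matrix.image_name }}-main:${{ matrix.major_version }}` is a tag reference: the later build steps (outside this hunk) presumably pull by the same tag, and a tag can be re-pushed between verification and build, so recording the verified digest and building from it would close that gap. The enclosing `steps:` list continues past the end of the hunk.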