From 6066471a12839af4f2efde3bd047ec6eebc2f57e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Tue, 8 Oct 2024 12:21:53 +0200
Subject: [PATCH] ci: Verify image at time of signing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Víctor Cuadrado Juan
Co-authored-by: José Guilherme Vanz
---
 .github/workflows/sign-image.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml
index ee08e514..ff3b9d61 100644
--- a/.github/workflows/sign-image.yml
+++ b/.github/workflows/sign-image.yml
@@ -30,3 +30,8 @@ jobs:
 run: |
 cosign sign --yes \
 ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ inputs.image-digest }}
+
+ cosign verify \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/kubewarden-controller*" \
+ ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ inputs.image-digest }}
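Review bot: The `--certificate-identity-regexp` value in the added `cosign verify` is written like a glob, but it is a regular expression: the trailing `*` only repeats the final `r`, the dots in `github.com` match any character, and as far as I know cosign applies the pattern unanchored, so a certificate identity that merely contains this string is accepted (for example another repository of the same owner whose name starts with `kubewarden-controller`). Anchoring the pattern and closing the repository name makes the check mean what it appears to mean: `--certificate-identity-regexp="^https://github\.com/${{github.repository_owner}}/kubewarden-controller/" \`. If the signing identity is always one workflow, matching the full `.github/workflows/<workflow-file>@<ref>` path would be tighter still; the step that owns this `run:` block starts above the hunk, so which workflow file ends up in the certificate cannot be confirmed from here.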