Test attestation

zabbix · May 30, 2024 · 65ba544 · 65ba544
1 parent fc13382
commit 65ba544
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml
@@ -525,6 +525,22 @@ jobs:
 
             echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT
 
+      - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} attestation
+        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+        env:
+         BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
+         REPOSITORY: ${{ github.repository }}
+         DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}
+         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+            echo "::group::Image sign data"
+            echo "Image to verify=$BASE_IMAGE"
+            echo "::endgroup::"
+
+            echo "::group::Verify signature"
+            gh attestation verify oci://$DOCKER_REGISTRY/$BASE_IMAGE -R $REPOSITORY
+            echo "::endgroup::"
+
       - name: Prepare cache data
         id: cache_data
         env: