From 7fa3636efe59630eb0c65eb34e2878e928c99ba1 Mon Sep 17 00:00:00 2001
From: "K.B.Dharun Krishna" <kbdharunkrishna@gmail.com>
Date: Tue, 2 Jul 2024 19:00:12 +0530
Subject: [PATCH] feat: attest image, verify base image

Signed-off-by: K.B.Dharun Krishna <kbdharunkrishna@gmail.com>
---
 .github/workflows/vib-build.yml | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index 6c11caf..cdc014a 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -12,13 +12,25 @@ on:
 env:
   BUILDX_NO_DEFAULT_ATTESTATIONS: 1
 
-permissions:
-    contents: write # Allow actions to create release
-    packages: write # Allow pushing images to GHCR
-
 jobs:
+  verify-image:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Verify Base Image Integrity
+      run:
+        gh attestation verify oci://ghcr.io/vanilla-os/core:main --owner Vanilla-OS
+      env:
+        GH_TOKEN: ${{ github.token }}
+
   build:
     runs-on: ubuntu-latest
+    needs: verify-image
+    permissions:
+      contents: write # Allow actions to create release
+      packages: write # Allow pushing images to GHCR
+      attestations: write # To create and write attestations
+      id-token: write # Additional permissions for the persistence of the attestations
 
     steps:
     - uses: actions/checkout@v4
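Review bot: The new `verify-image` job declares no `permissions:` block, and since this hunk also removes the workflow-level `permissions:`, that job now inherits the repository's default token scope, which can be write-all. `gh attestation verify` only reads from the GitHub API, so the job should state its own floor, e.g. `permissions:` / `  contents: read` placed under `runs-on: ubuntu-latest` at L25. Separately, verification is done against the mutable tag `oci://ghcr.io/vanilla-os/core:main`, so the digest that passes here is not necessarily the one the later build resolves when it pulls the base image; if the Dockerfile (not visible here) references the same tag, consider resolving and verifying a digest once and pinning the build to it, or documenting this gap with a comment such as `# Verifies the tag at this moment only; the build resolves the tag again` above the step. The `build` job's step list continues outside this hunk.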
@@ -37,14 +49,14 @@ jobs:
       run: |
         REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
         echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
-        echo "IMAGE_NAME=ghcr.io/$REPO_OWNER_LOWERCASE/desktop" >> "$GITHUB_ENV"
+        echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/desktop" >> "$GITHUB_ENV"
 
     - name: Docker meta
       id: docker_meta
       uses: docker/metadata-action@v5
       with:
         images: |
-          ${{ env. IMAGE_NAME }}
+          ${{ env. IMAGE_URL }}
         tags: |
           type=semver,pattern={{version}}
           type=semver,pattern={{major}}.{{minor}}
@@ -76,3 +88,12 @@ jobs:
         cache-to: type=gha,mode=max
         platforms: linux/amd64
         provenance: false
+
+    - name: Attest pushed image
+      uses: actions/attest-build-provenance@v1
+      id: attest
+      if: ${{ github.event_name != 'pull_request' }}
+      with:
+        subject-name: ${{ env.IMAGE_URL }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: false
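Review bot: `subject-digest: ${{ steps.push.outputs.digest }}` depends on the preceding build-and-push step carrying `id: push`, and that step's header is outside this hunk (only its trailing `with:` keys at L63–L65 are visible); if the id differs or is absent the expression silently expands to an empty string and the attestation step fails late or attests nothing. Confirm the id, and consider a `run` guard before the attest step, `if [ -z "${{ steps.push.outputs.digest }}" ]; then exit 1; fi`, so a missing digest fails clearly. With `push-to-registry: false` the provenance is stored only in GitHub's attestation store, which `gh attestation verify` queries by default, but registry-based consumers will not see it; a comment such as `# Attestation is kept in the GitHub store only, not attached to the image in GHCR` would record that choice. Note that `actions/attest-build-provenance@v1`, like the other actions in this file, is pinned by a mutable tag rather than a commit SHA.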