feat(ci): Verify base image with cosign before building (#211)

* feat(ci): Verify base image with cosign before building

Validates the integrity of the base image being built from via cosign
before continuing to build. Ensures we only build with signed images

* fix(ci): Extract base image name from base image URL for verification

.github/workflows/build.yml

@@ -43,13 +43,6 @@ jobs:
 # !!!
 
     steps:
-      - name: Maximize build space
-        uses: AdityaGarg8/remove-unwanted-software@v1
-        with:
-          remove-dotnet: 'true'
-          remove-android: 'true'
-          remove-haskell: 'true'
-
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
@@ -84,7 +77,14 @@ jobs:
           echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
           echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
           echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
-          echo "BASE_IMAGE_URL=$(yq '.base-image' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
+          BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }})
+          echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV
+          echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
+
+      - name: Verify base image
+        uses: EyeCantCU/cosign-action/[email protected]
+        with:
+          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
 
       - name: Get current version
         id: labels
@@ -158,6 +158,13 @@ jobs:
         with:
           string: ${{ env.IMAGE_NAME }}
 
+      - name: Maximize build space
+        uses: AdityaGarg8/remove-unwanted-software@v1
+        with:
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+
       # Build image using Buildah action
       - name: Build Image
         id: build_image