From 721d1ca5aeb3ffb03db14869b22900b23246a529 Mon Sep 17 00:00:00 2001
From: "K.B.Dharun Krishna" <kbdharunkrishna@gmail.com>
Date: Mon, 1 Jul 2024 22:06:46 +0530
Subject: [PATCH] feat: update workflow, attest image, verify base image

---
 .github/workflows/vib-build.yml | 37 ++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index 3bab428..7e3a591 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -12,18 +12,30 @@ on:
 env:
   BUILDX_NO_DEFAULT_ATTESTATIONS: 1
 
-permissions:
-    contents: write # Allow actions to create release
-    packages: write # Allow pushing images to GHCR
-
 jobs:
+  verify-image:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Verify Base Image Integrity
+      run:
+        gh attestation verify oci://ghcr.io/vanilla-os/pico:main --owner Vanilla-OS
+      env:
+        GH_TOKEN: ${{ github.token }}
+
   build:
     runs-on: ubuntu-latest
+    needs: verify-image
+    permissions:
+      contents: write # Allow actions to create release
+      packages: write # Allow pushing images to GHCR
+      attestations: write # To create and write attestations
+      id-token: write # Additional permissions for the persistence of the attestations
 
     steps:
     - uses: actions/checkout@v4
 
-    - uses: vanilla-os/vib-gh-action@v0.7.0
+    - uses: vanilla-os/vib-gh-action@v0.7.2
 
     - uses: actions/upload-artifact@v4
       with:
@@ -34,14 +46,14 @@ jobs:
       run: |
         REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
         echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
-        echo "IMAGE_NAME=ghcr.io/$REPO_OWNER_LOWERCASE/waydroid" >> "$GITHUB_ENV"
+        echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/waydroid" >> "$GITHUB_ENV"
 
     - name: Docker meta
       id: docker_meta
       uses: docker/metadata-action@v5
       with:
         images: |
-          ${{ env. IMAGE_NAME }}
+          ${{ env. IMAGE_URL }}
         tags: |
           type=semver,pattern={{version}}
           type=semver,pattern={{major}}.{{minor}}
@@ -62,7 +74,7 @@ jobs:
 
     - name: Build and Push the Docker image
       id: push
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
       with:
         context: .
         file: Containerfile
@@ -73,3 +85,12 @@ jobs:
         cache-to: type=gha,mode=max
         platforms: linux/amd64
         provenance: false
+
+    - name: Attest pushed image
+      uses: actions/attest-build-provenance@v1
+      id: attest
+      if: ${{ github.event_name != 'pull_request' }}
+      with:
+        subject-name: ${{ env.IMAGE_URL }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: false