From bf1739dcfa5e34a700913de7f1ddb357d4df05ef Mon Sep 17 00:00:00 2001
From: andros21
Date: Mon, 25 Sep 2023 14:33:25 +0200
Subject: [PATCH] ci(build.yml): verify all images inside Dockerfile using `cosign dockerfile verify`
---
 .github/workflows/build.yml | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a145bd6..ddb9abc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,7 +23,6 @@ permissions:
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
- BASE_IMAGE: cgr.dev/chainguard/python
 
 jobs:
 build:
@@ -32,13 +31,6 @@ jobs:
 steps:
 - name: checkout project
 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
- - name: get base image
- id: base
- run: |
- set -x
- DIGEST="$(awk -F '@' '/latest@/ {print $2}' Dockerfile)"
- echo "Base image: ${BASE_IMAGE}:latest@${DIGEST}"
- echo "image=${BASE_IMAGE}:latest@${DIGEST}" >> "$GITHUB_OUTPUT"
 - name: setup python
 uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
 with:
@@ -52,13 +44,13 @@ jobs:
 poetry export -o requirements.txt
 - name: install cosign
 uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19
- - name: verify base image signature
+ - name: verify base images
 run: |
- cosign verify \
+ cosign dockerfile verify \
 --certificate-identity \
 'https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main' \
 --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
- "${{ steps.base.outputs.image }}" | jq .
+ Dockerfile | jq .
 - name: docker buildx
 id: buildx
 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
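Review bot: In the third hunk the new `cosign dockerfile verify ... Dockerfile | jq .` line still takes its exit status from `jq`, so a failed signature check does not fail the job unless the step runs with `pipefail`; GitHub's documented default for a `run` step with no `shell` key is `bash -e {0}` without `pipefail`, and this step shows only `run: |` (a `defaults.run.shell` could exist outside the hunk, but nothing visible sets one). Adding `shell: bash` to the step, or `set -o pipefail` as the first script line, makes the verification an actual gate rather than a log line. It is also worth documenting on the step that `cosign dockerfile verify` applies the single `--certificate-identity` to every `FROM` reference in the Dockerfile, e.g. `# every FROM in Dockerfile must be a Chainguard image signed by the images release workflow`, so a future non-Chainguard base stage fails here by design rather than by surprise.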