From 4f072f25abc8280f439945b6c19b5fa31133e484 Mon Sep 17 00:00:00 2001
From: "K.B.Dharun Krishna"
Date: Tue, 2 Jul 2024 21:41:33 +0530
Subject: [PATCH] feat/ci: verify base image integrity before build
---
 .github/workflows/vib-build.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index 98d7121..105a690 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -15,6 +15,16 @@ env:
 BUILDX_NO_DEFAULT_ATTESTATIONS: 1
 jobs:
+ verify_image:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Verify Base Image Integrity
+ run:
+ gh attestation verify oci://ghcr.io/vanilla-os/desktop:main --owner Vanilla-OS
+ env:
+ GH_TOKEN: ${{ github.token }}
+
 check_update:
 runs-on: ubuntu-latest
@@ -91,7 +101,7 @@ jobs:
 build:
 runs-on: ubuntu-latest
- needs: check_update
+ needs: [check_update, verify_image]
 if: ${{ needs.check_update.outputs.has_updates == 'true' }}
 permissions:
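Review bot: The `verify_image` job verifies whatever `ghcr.io/vanilla-os/desktop:main` resolves to at that moment, and nothing carries that result to the `build` job, so a tag that moves between the two jobs would be built without having been verified. Resolve the tag to a digest in this job, verify the image by digest, and publish the digest as a job output so the build can pull exactly that image; how the build references its base image is outside this hunk, so the consuming side still has to be wired up. Separately, `--owner Vanilla-OS` accepts an attestation from any repository in the organisation, and adding `--signer-workflow <OWNER/REPO/PATH-TO-WORKFLOW>` (placeholder) would narrow it to the workflow expected to publish this image.

```yaml
  verify_image:
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.verify.outputs.digest }}

    steps:
      - name: Verify Base Image Integrity
        id: verify
        run: |
          digest="$(docker buildx imagetools inspect ghcr.io/vanilla-os/desktop:main --format '{{json .Manifest}}' | jq -r '.digest')"
          gh attestation verify "oci://ghcr.io/vanilla-os/desktop@${digest}" --owner Vanilla-OS
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
        # … unchanged: env GH_TOKEN …
```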
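Review bot: The new gate on `build` holds only because its `if:` expression contains no status-check function, so GitHub applies an implicit `success()` and skips the build when `verify_image` fails; that dependency is easy to break in a later edit and deserves a comment above `needs:`. Suggested comment: `# verify_image must succeed before building; do not add always() or !cancelled() to the if below, or a failed verification no longer blocks the build`. The `build` job continues past the end of this hunk, so the rest of its conditions are not visible here.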