Verify sbom attachment in images

prabhu · prabhu · commit 46534fc6375b · 2025-05-15T00:00:33.000+01:00
Signed-off-by: Prabhu Subramanian &lt;prabhu@appthreat.com&gt;
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
@@ -99,6 +99,7 @@ jobs:
           node bin/verify.js -i sbom-oci-base-image.cdx.json --public-key contrib/bom-signer/public.key
           oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.base-metadata.outputs.json).tags[0] }} ./sbom-oci-base-image.cdx.json:application/json
           oras discover --format tree ${{ fromJSON(steps.base-metadata.outputs.json).tags[0] }}
+          node bin/verify.js -i ${{ fromJSON(steps.base-metadata.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
         continue-on-error: true
         if: github.ref == 'refs/heads/master'
         env:
@@ -113,6 +114,7 @@ jobs:
           node bin/verify.js -i sbom-oci-image.cdx.json --public-key contrib/bom-signer/public.key
           oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }} ./sbom-oci-image.cdx.json:application/json
           oras discover --format tree ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }}
+          node bin/verify.js -i ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
         continue-on-error: true
         if: ${{ startsWith(github.ref, 'refs/tags/') && ! fromJSON(inputs.image).cdxgen-image.skip-tags }}
         env:
