feat: verify base image integrity before build

.github/workflows/image.yml

@@ -12,10 +12,21 @@ env:
   BUILDX_NO_DEFAULT_ATTESTATIONS: 1
 
 jobs:
-  image:
+  verify-image:
     runs-on: ubuntu-latest
+
+    steps:
+    - name: Verify Base Image Integrity
+      run:
+        gh attestation verify oci://ghcr.io/vanilla-os/pico:main --owner Vanilla-OS
+      env:
+        GH_TOKEN: ${{ github.token }}
+
+  build-image:
+    runs-on: ubuntu-latest
+    needs: verify-image
     permissions:
-      contents: write # Allow actions to write contents
+      contents: write # Allow actions to create release
       packages: write # Allow pushing images to GHCR
       attestations: write # To create and write attestations
       id-token: write # Additional permissions for the persistence of the attestations
@@ -38,14 +49,14 @@ jobs:
       run: |
         REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
         echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
-        echo "IMAGE_NAME=ghcr.io/$REPO_OWNER_LOWERCASE/chronos" >> "$GITHUB_ENV"
+        echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/chronos" >> "$GITHUB_ENV"
 
     - name: Docker meta
       id: docker_meta
       uses: docker/metadata-action@v5
       with:
         images: |
-          ${{ env. IMAGE_NAME }}
+          ${{ env. IMAGE_URL }}
         tags: |
           type=semver,pattern={{version}}
           type=semver,pattern={{major}}.{{minor}}
@@ -83,6 +94,6 @@ jobs:
       id: attest
       if: ${{ github.event_name != 'pull_request' }}
       with:
-        subject-name: ${{ env.IMAGE_NAME }}
+        subject-name: ${{ env.IMAGE_URL }}
         subject-digest: ${{ steps.push.outputs.digest }}
         push-to-registry: false