From a78c637e7fdef38b32a79c012ad3d0f4b832f797 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 1 Jul 2024 01:06:35 +0000
Subject: [PATCH 1/3] chore(deps): bump vanilla-os/vib-gh-action from 0.7.0 to 0.7.2
Bumps [vanilla-os/vib-gh-action](https://github.com/vanilla-os/vib-gh-action) from 0.7.0 to 0.7.2.
- [Release notes](https://github.com/vanilla-os/vib-gh-action/releases)
- [Commits](https://github.com/vanilla-os/vib-gh-action/compare/v0.7.0...v0.7.2)
---
updated-dependencies:
- dependency-name: vanilla-os/vib-gh-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/vib-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index 9258ca9..8dfcb58 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: vanilla-os/vib-gh-action@v0.7.0
+ - uses: vanilla-os/vib-gh-action@v0.7.2
 - uses: actions/upload-artifact@v4
 with:
From 8827b77a051ccee1ed7ba02acd776e0ad9f0791b Mon Sep 17 00:00:00 2001
From: "K.B.Dharun Krishna"
Date: Mon, 1 Jul 2024 15:51:40 +0530
Subject: [PATCH 2/3] fix: tar sources in module
---
 recipe.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/recipe.yml b/recipe.yml
index ea4d906..9eb9899 100644
--- a/recipe.yml
+++ b/recipe.yml
@@ -109,9 +109,9 @@ stages:
 url: https://github.com/Vanilla-OS/vanilla-tools/releases/download/continuous/vanilla-tools.tar.gz
 commands:
 - mkdir -p /usr/bin
- - cp /sources/vanilla-tools/nrun /usr/bin/nrun
+ - cp /sources/vanilla-tools/vanilla-tools/nrun /usr/bin/nrun
 - chmod +x /usr/bin/nrun
- - cp /sources/vanilla-tools/cur-gpu /usr/bin/cur-gpu
+ - cp /sources/vanilla-tools/vanilla-tools/cur-gpu /usr/bin/cur-gpu
 - chmod +x /usr/bin/cur-gpu
 - name: host-aliases
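Review bot: The new `cp` paths now hard-code a `vanilla-tools/` directory inside the archive fetched from the context line `url: .../releases/download/continuous/vanilla-tools.tar.gz`, a mutable `continuous` asset with no integrity pinning, so the layout — and the binaries — can change again without any signal from this recipe. If the recipe format supports a checksum field for tar sources, pinning one here would turn an unexpected upstream change into a build failure instead of silently shipping different `nrun`/`cur-gpu` binaries; otherwise fetching a tagged release asset instead of `continuous` at least narrows the window. The enclosing module definition starts before this hunk.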
From f93373c8bd7acc6d9efda96d355d39a99e01b26d Mon Sep 17 00:00:00 2001
From: "K.B.Dharun Krishna"
Date: Mon, 1 Jul 2024 21:39:30 +0530
Subject: [PATCH 3/3] feat: attest image, verify base image
Signed-off-by: K.B.Dharun Krishna
---
 .github/workflows/vib-build.yml | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index 8dfcb58..7ca5176 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -12,13 +12,25 @@ on:
 env:
 BUILDX_NO_DEFAULT_ATTESTATIONS: 1
-permissions:
- contents: write # Allow actions to create release
- packages: write # Allow pushing images to GHCR
-
 jobs:
+ verify-image:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Verify Base Image Integrity
+ run:
+ gh attestation verify oci://ghcr.io/vanilla-os/pico:main --owner Vanilla-OS
+ env:
+ GH_TOKEN: ${{ github.token }}
+
 build:
 runs-on: ubuntu-latest
+ needs: verify-image
+ permissions:
+ contents: write # Allow actions to create release
+ packages: write # Allow pushing images to GHCR
+ attestations: write # To create and write attestations
+ id-token: write # Additional permissions for the persistence of the attestations
 steps:
 - uses: actions/checkout@v4
@@ -34,14 +46,14 @@ jobs:
 run: |
 REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
 echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
- echo "IMAGE_NAME=ghcr.io/$REPO_OWNER_LOWERCASE/vso" >> "$GITHUB_ENV"
+ echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/vso" >> "$GITHUB_ENV"
 - name: Docker meta
 id: docker_meta
 uses: docker/metadata-action@v5
 with:
 images: |
- ${{ env. IMAGE_NAME }}
+ ${{ env. IMAGE_URL }}
 tags: |
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
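Review bot: The `verify-image` job checks the mutable tag `oci://ghcr.io/vanilla-os/pico:main`, but nothing carries the verified digest to wherever the base image is actually consumed (not in this hunk), so the tag can be re-pointed between the check and the build; `needs: verify-image` only orders the jobs. Resolving the tag to a digest first, verifying that digest, and exporting it through the job's `outputs:` so the build pulls `pico@sha256:<digest>` would close that window. With the top-level `permissions:` block removed, `verify-image` now inherits the repository's default token permissions; an explicit `permissions:` with `contents: read` on that job keeps it least-privilege and should be enough for `gh attestation verify` against a public image. The comment on `id-token: write` reads backwards: `attestations: write` is what lets the attestation be stored, while `id-token: write` is needed to obtain the OIDC token used for Sigstore signing — suggest `id-token: write # Needed to mint the OIDC token used to sign the attestation`. The `build` job continues past the end of the hunk.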
@@ -73,3 +85,12 @@ jobs:
 cache-to: type=gha,mode=max
 platforms: linux/amd64
 provenance: false
+
+ - name: Attest pushed image
+ uses: actions/attest-build-provenance@v1
+ id: attest
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ subject-name: ${{ env.IMAGE_URL }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: false
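Review bot: `subject-digest: ${{ steps.push.outputs.digest }}` depends on a step with `id: push` that lies outside this hunk; if that step is skipped or its id changes, the expression evaluates to an empty string and the attest step presumably fails on input validation rather than on anything attestation-related, so a guard such as `if: ${{ github.event_name != 'pull_request' && steps.push.outputs.digest != '' }}` makes the failure mode explicit. `push-to-registry: false` keeps the attestation only in GitHub's attestation store, which is what `gh attestation verify` consults by default; registry-side consumers (cosign / OCI referrers) will not see it unless this is set to `true`. Because this step produces the trust signal that downstream verifiers rely on (this patch's own `verify-image` job shows the pattern), pinning `actions/attest-build-provenance` to a commit SHA rather than the floating `@v1` tag is worth considering. `id: attest` is not referenced anywhere within the hunk. The `build` job's `steps:` list starts before this hunk.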