Fix permissions and verify sigantures (#2723)

josvazg · web-flow · commit 7490186291da · 2025-09-24T17:07:38.000+02:00
Signed-off-by: jose.vazquez &lt;jose.vazquez@mongodb.com&gt;
diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml
@@ -26,6 +26,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  workflows: write
 
 jobs:
   # Image2commit: Creates a mapping between the image_sha given as input and the actual git commit
@@ -246,6 +247,18 @@ jobs:
           PKCS11_URI: ${{ secrets.PKCS11_URI }}
           GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
           GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
+      
+      - name: Self-verify released image signatures
+        run: |
+          devbox run -- make verify IMG="${{ env.DOCKER_IMAGE_URL }}"         SIGNATURE_REPO="${{ env.DOCKER_RELEASE_REPO }}"
+          devbox run -- make verify IMG="${{ env.QUAY_IMAGE_URL }}"           SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}"
+          devbox run -- make verify IMG="${{ env.DOCKER_IMAGE_URL }}"         SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}"
+          devbox run -- make verify IMG="${{ env.QUAY_CERTIFIED_IMAGE_URL }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}"
+          devbox run -- make verify IMG="${{ env.QUAY_CERTIFIED_IMAGE_URL }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}"
+        env:
+          PKCS11_URI: ${{ secrets.PKCS11_URI }}
+          GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
+          GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
 
       - name: Generate SBOMs
         run: devbox run -- make generate-sboms RELEASED_OPERATOR_IMAGE="${{ env.DOCKER_RELEASE_REPO }}"
