fix: attestation verification for repos that re-use amp-devcontainer workflows

[rjaegers]

🚀 Hey, I have created a Pull Request

Description of changes

This pull request updates the attestation verification step in the .github/workflows/wc-build-push.yml workflow to improve security and traceability.

Security and attestation verification:

• The Verify attestation step now explicitly specifies the --signer-workflow parameter, referencing the philips-software/amp-devcontainer/.github/workflows/wc-build-push.yml workflow for signer verification. This ensures that attestations are only accepted from trusted workflows and enhances the provenance of built images.

✔️ Checklist

• I have followed the contribution guidelines for this repository
• I have added tests for new behavior, and have not broken any existing tests
• I have added or updated relevant documentation
• I have verified that all added components are accounted for in the SBOM

[Copilot]

Pull Request Overview

Adds explicit signer workflow reference to attestation verification so downstream repositories using the reusable build/push workflow can successfully verify image attestations.

• Introduces --signer-workflow flag to gh attestation verify command.
• Targets canonical workflow path to align verification with reusable workflow origin.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edge ➔ ghcr.io/philips-software/amp-devcontainer-rust:pr-987

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	536.91 MB	536.91 MB	+177 B (+0%)	🔼
linux/arm64	493.59 MB	493.59 MB	+532 B (+0%)	🔼

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	22		0	0	0.59s
✅ DOCKERFILE	hadolint	2		0	0	0.89s
✅ GHERKIN	gherkin-lint	6		0	0	2.48s
✅ JSON	npm-package-json-lint	yes		no	no	0.63s
✅ JSON	prettier	15	2	0	0	0.56s
✅ JSON	v8r	15		0	0	6.85s
✅ MARKDOWN	markdownlint	11	0	0	0	0.96s
✅ MARKDOWN	markdown-table-formatter	11	0	0	0	0.28s
✅ REPOSITORY	gitleaks	yes		no	no	1.1s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	28.68s
✅ REPOSITORY	secretlint	yes		no	no	0.96s
✅ REPOSITORY	syft	yes		no	no	1.83s
✅ REPOSITORY	trivy	yes		no	no	7.11s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.23s
✅ REPOSITORY	trufflehog	yes		no	no	3.38s
✅ SPELL	lychee	73		0	0	43.45s
✅ YAML	prettier	28	0	0	0	1.22s
✅ YAML	v8r	28		0	0	8.24s
✅ YAML	yamllint	28		0	0	1.01s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx [email protected] --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edge ➔ ghcr.io/philips-software/amp-devcontainer-cpp:pr-987

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	691.11 MB	691.11 MB	1.69 kB (0%)	🔽
linux/arm64	674.32 MB	674.32 MB	235 B (0%)	🔽

[github-actions]

Test Results

 5 files  ±0   5 suites  ±0   3m 40s ⏱️ +12s
31 tests ±0  31 ✅ ±0  0 💤 ±0  0 ❌ ±0 
65 runs  ±0  65 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 9fe02f7. ± Comparison against base commit c9efa53.

[github-actions]

Pull Request Report (#987)

Static measures

Description	Value
Number of added lines	1
Number of deleted lines	1
Number of changed files	1
Number of commits	1
Number of reviews	3
Number of comments (w/o review comments)	5
Number of reviews that contains a comment to resolve	2
Number of reviews that requested a change from the author	0
Number of reviews that approved the Pull Request	1
Get the total number of participants of a Pull Request	6

Time related measures

Description	Value
PR lead time (from creation to close of PR)	1.9 Days
Time that was spend on the branch before the PR was created	36 Sec
Time that was spend on the branch before the PR was merged	1.9 Days
Time to merge after last review	1.1 Days

Status check related measures

Description	Value
Total runtime for last status check run (Workflow for PR)	43.6 Min
Total time spend in last status check run on PR	1.9 Days

[github-actions]

🎉 Hooray! The changes in this pull request went live with the release of v6.5.2 🎉