From 13deafcb7943acfb2689f64a643090f09248869f Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Wed, 14 Jan 2026 14:14:06 +0100
Subject: [PATCH] feat(source-commit): Update source-commit to enforce signature verification

Signed-off-by: Javier Rodriguez
---
 .github/workflows/codeql.yml | 3 +++
 .github/workflows/contracts/chainloop-vault-codeql.yml | 1 +
 .github/workflows/contracts/chainloop-vault-helm-package.yml | 1 +
 .github/workflows/contracts/chainloop-vault-release.yml | 1 +
 .github/workflows/package_chart.yaml | 2 ++
 .github/workflows/release.yaml | 2 ++
 6 files changed, 10 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a68cf2db1..2cbd6a3fc 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -44,6 +44,9 @@ jobs:
 if: ${{ github.event_name != 'pull_request' }}
 run: |
 chainloop attestation init --workflow $CHAINLOOP_WORKFLOW_NAME --project $CHAINLOOP_PROJECT
+ env:
+ # Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Set up Go
 uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
diff --git a/.github/workflows/contracts/chainloop-vault-codeql.yml b/.github/workflows/contracts/chainloop-vault-codeql.yml
index e3f58fd22..0dadc0ad7 100644
--- a/.github/workflows/contracts/chainloop-vault-codeql.yml
+++ b/.github/workflows/contracts/chainloop-vault-codeql.yml
@@ -16,6 +16,7 @@ spec:
 - ref: source-commit
 with:
 check_signature: yes
+ check_author_verified: yes
 requirements:
 - chainloop-best-practices/commit-signed
 policyGroups:
diff --git a/.github/workflows/contracts/chainloop-vault-helm-package.yml b/.github/workflows/contracts/chainloop-vault-helm-package.yml
index 0698425a3..724d2e5ba 100644
--- a/.github/workflows/contracts/chainloop-vault-helm-package.yml
+++ b/.github/workflows/contracts/chainloop-vault-helm-package.yml
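Review bot: The token is attached only to the step that runs `chainloop attestation init` (the `env:` block added right after its `run: |`), whereas the release.yaml hunk in this same commit puts `GITHUB_TOKEN` in the shared `env:` block next to the other `CHAINLOOP_*` variables; if the commit verification also happens during a later push/finish step in this job, that step will not see the token here. Hoisting the two added lines to the job's `env:` would make every chainloop invocation in the job consistent with release.yaml. Separately, looking up a commit's verification status presumably needs only read access to the repository, so confirm that the workflow's `permissions:` block, which is outside this hunk, grants at least `contents: read` for this token. The enclosing job starts and ends outside the hunk.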
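Review bot: `check_author_verified: yes` depends on YAML 1.1 truthy parsing; a YAML 1.2 loader reads `yes` as the string "yes" rather than a boolean, so whether the check is actually enabled depends on which loader parses the contract. Writing `check_author_verified: true` (and, while here, `check_signature: true` on the line above it) removes that ambiguity; the identical added line in chainloop-vault-helm-package.yml and chainloop-vault-release.yml has the same issue. The `requirements:` list below still names only `chainloop-best-practices/commit-signed`; since the commit title says the verification is being enforced, confirm that the source-commit policy reports a failed author check as a violation rather than as informational output only.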
@@ -22,6 +22,7 @@ spec:
 - ref: source-commit
 with:
 check_signature: yes
+ check_author_verified: yes
 requirements:
 - chainloop-best-practices/commit-signed
 materials:
diff --git a/.github/workflows/contracts/chainloop-vault-release.yml b/.github/workflows/contracts/chainloop-vault-release.yml
index a0c5497d0..d6085c456 100644
--- a/.github/workflows/contracts/chainloop-vault-release.yml
+++ b/.github/workflows/contracts/chainloop-vault-release.yml
@@ -10,6 +10,7 @@ spec:
 - ref: source-commit
 with:
 check_signature: yes
+ check_author_verified: yes
 requirements:
 - chainloop-best-practices/commit-signed
 - ref: containers-with-sbom
diff --git a/.github/workflows/package_chart.yaml b/.github/workflows/package_chart.yaml
index c30b20979..9b9e623fd 100644
--- a/.github/workflows/package_chart.yaml
+++ b/.github/workflows/package_chart.yaml
@@ -90,6 +90,8 @@ jobs:
 env:
 COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_KEY}}
 COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+ # Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Finish and Record Attestation
 if: ${{ success() }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9b7047dbb..4806a5a82 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -37,6 +37,8 @@ jobs:
 CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
 CHAINLOOP_WORKFLOW_NAME: "release"
 CHAINLOOP_PROJECT_NAME: "chainloop"
+ # Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 release:
 name: Release CLI and control-plane/artifact-cas container images
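Review bot: The added `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` uses padded expression braces while the two `COSIGN_*` entries directly above it in the same `env:` block are written `${{secrets.COSIGN_KEY}}` without spaces; both forms evaluate identically, but mixing them in one block reads as noise. Pick one spelling for the block, e.g. `COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_KEY }}` and `COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}`. The step that owns this `env:` block starts outside the hunk, so it is not visible which chainloop command it runs; if the verification is performed by the following `Finish and Record Attestation` step rather than this one, the token needs to be on that step instead.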
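Review bot: The token is appended to an `env:` block that sits alongside `CHAINLOOP_TOKEN` and appears to end just before the `release:` job, so the `release` job defined immediately after it does not inherit `GITHUB_TOKEN`; if that job also runs `chainloop attestation` commands, commit verification there will have no token. Confirm which jobs invoke chainloop and either repeat the two added lines under the `release` job's `env:` or move the block to workflow level so every job gets it. The block this `env:` belongs to starts outside the hunk.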