build: set cosign version and verify commands as outputs

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

Author: crazy-max

.github/workflows/build.yml

@@ -108,6 +108,13 @@ on:
       github-token:
         description: "GitHub Token used to authenticate against a repository for Git context"
         required: false
+    outputs:
+      cosign-version:
+        description: Cosign version used for verification
+        value: ${{ jobs.build.outputs.cosign-version }}
+      cosign-verify-commands:
+        description: Cosign verify commands
+        value: ${{ jobs.build.outputs.cosign-verify-commands }}
 
 env:
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.67.0"
@@ -117,6 +124,9 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      cosign-version: ${{ env.COSIGN_VERSION }}
+      cosign-verify-commands: ${{ steps.signing-attestation-manifests.outputs.verify-commands || steps.signing-local-artifacts.outputs.verify-commands }}
     permissions:
       contents: read
       id-token: write # needed for signing the images with GitHub OIDC Token
@@ -266,6 +276,7 @@ jobs:
             await cosign.printVersion();
       -
         name: Signing attestation manifests
+        id: signing-attestation-manifests
         if: ${{ inputs.output == 'registry' }}
         uses: actions/github-script@v8
         env:
@@ -288,8 +299,19 @@ jobs:
               { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` },
               signResults
             );
+            
+            await core.group(`Verify commands`, async () => {
+              const verifyCommands = [];
+              for (const [attestationRef, verifyResult] of Object.entries(verifyResults)) {
+                const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} ${attestationRef}`;
+                core.info(cmd);
+                verifyCommands.push(cmd);
+              }
+              core.setOutput('verify-commands', verifyCommands.join('\n'));
+            });
       -
         name: Signing local artifacts
+        id: signing-local-artifacts
         if: ${{ inputs.output == 'local' }}
         uses: actions/github-script@v8
         env:
@@ -309,6 +331,16 @@ jobs:
               { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` },
               signResults
             );
+            
+            await core.group(`Verify commands`, async () => {
+              const verifyCommands = [];
+              for (const [artifactPath, verifyResult] of Object.entries(verifyResults)) {
+                const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} --bundle ${path.relative(inplocalExportDir, verifyResult.bundlePath)} ${path.relative(inplocalExportDir, artifactPath)}`;
+                core.info(cmd);
+                verifyCommands.push(cmd);
+              }
+              core.setOutput('verify-commands', verifyCommands.join('\n'));
+            });
       -
         name: Create manifest
         if: ${{ inputs.output == 'registry' }}