Address mdtro feedback

spalmurray · spalmurray · commit cbf5bcdc9c7d · 2025-08-26T14:23:01.000-04:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -182,7 +182,7 @@ jobs:
           for file in sentry-prevent-cli_*/sentry-prevent-cli_*; do
             cosign sign-blob $file --bundle "$file.bundle" --yes;
             # Test verification because why not
-            cosign verify-blob $file --bundle "$file.bundle" --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+            cosign verify-blob $file --bundle "$file.bundle" --certificate-identity-regexp="^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/heads/release/[0-9]+\.[0-9]+\.[0-9]+" --certificate-oidc-issuer=https://token.actions.githubusercontent.com
           done
 
       - name: Upload release artifact
diff --git a/README.md b/README.md
@@ -39,7 +39,7 @@ Then, use `cosign` to verify the binary:
 ```
 cosign verify-blob sentry-prevent-cli \
     --bundle sentry-prevent-cli_macos.bundle \
-    --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli \
+    --certificate-identity-regexp="^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/heads/release/[0-9]+\.[0-9]+\.[0-9]+" \
     --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```
 The OIDC identity here is associated with the specific workflow run that signs the binary. If the verification succeeds, you can trust you've recieved the same binary we built in our GitHub Actions workflow.
