Merge branch 'template' into live

* template:
  build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (blue-build#208)
  build(deps): bump mikefarah/yq from 4.40.4 to 4.40.5 (blue-build#207)
  feat: Check that cosign.pub matches private key (blue-build#193)
  fix: do not format just files in CI (blue-build#205)

.github/workflows/build.yml

@@ -54,11 +54,30 @@ jobs:
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
-      - name: Check just syntax
-        uses: ublue-os/just-action@v1
+      # Confirm that cosign.pub matches SIGNING_SECRET
+      - uses: sigstore/[email protected]
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+
+      - name: Check SIGNING_SECRET matches cosign.pub
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PASSWORD: ""
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+        shell: bash
+        run: |
+          echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub"
+          delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub)
+          if [ -z "$delta" ]; then
+            echo "cosign.pub matches SIGNING_SECRET"
+          else
+            echo "cosign.pub does not match SIGNING_SECRET"
+            echo "$delta"
+            exit 1
+          fi
 
       - name: Add yq (for reading recipe.yml)
-        uses: mikefarah/[email protected].4
+        uses: mikefarah/[email protected].5
 
       - name: Gather image data from recipe
         run: |
@@ -183,9 +202,6 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
-      - uses: sigstore/[email protected]
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
-
       - name: Sign container image
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
         run: |