add source and workflow origin policy for gha cache verification

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

Author: crazy-max

.github/workflows/bake.yml

@@ -375,8 +375,10 @@ jobs:
                     timestampThreshold = 1
                     tlogThreshold = ${{ matrix.privateRepo == 'true' && '0' || '1' }}
                     subjectAlternativeName = "https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml*"
+                    githubWorkflowRepository = "docker/github-builder-experimental"
                     issuer = "https://token.actions.githubusercontent.com"
                     runnerEnvironment = "github-hosted"
+                    sourceRepositoryURI = "${{ github.server_url }}/${{ github.repository }}"
       -
         name: Install Cosign
         if: ${{ needs.prepare.outputs.sign == 'true' || inputs.cache }}

.github/workflows/build.yml

@@ -336,8 +336,10 @@ jobs:
                     timestampThreshold = 1
                     tlogThreshold = ${{ matrix.privateRepo == 'true' && '0' || '1' }}
                     subjectAlternativeName = "https://github.com/docker/github-builder-experimental/.github/workflows/build.yml*"
+                    githubWorkflowRepository = "docker/github-builder-experimental"
                     issuer = "https://token.actions.githubusercontent.com"
                     runnerEnvironment = "github-hosted"
+                    sourceRepositoryURI = "${{ github.server_url }}/${{ github.repository }}"
       -
         name: Install Cosign
         if: ${{ needs.prepare.outputs.sign == 'true' || inputs.cache }}