add match to ClusterImagePolicy

[nissessenap]

This enables users to only trigger to specific resources. For more info see: https://docs.sigstore.dev/policy-controller/overview/#policies-matching-specific-resource-types-and-labels

You could argue that we should add the same for github-exempt-policy, but since it exempt, it's probably easier to just skip it.

[nissessenap]

There is some auto formatting stuff done in the value file, if you think that is an issue I can revert it

[Copilot]

Pull request overview

This PR adds support for the match field in ClusterImagePolicy resources, enabling users to specify additional matching criteria to target specific Kubernetes resource types and labels. This enhancement allows for more granular control over which resources the image verification policy applies to, as documented in the Sigstore policy-controller documentation.

Key changes:

• Added match field configuration to values.yaml with commented examples showing how to match specific resources like jobs and pods
• Updated the github-policy template to conditionally include the match field when configured
• Standardized quote style from single to double quotes for string values in values.yaml

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
charts/trust-policies/values.yaml	Adds match field configuration with commented examples for resource matching; standardizes string quotes to double quotes
charts/trust-policies/templates/clusterimagepolicy-github.yaml	Adds conditional template logic to include the match field in the ClusterImagePolicy spec when configured

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.