sign release binaries via cosign

Author: netops2devops

.github/workflows/ci.yml

@@ -198,6 +198,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     permissions:
       contents: write
+      id-token: write   # required for keyless cosign signing via OIDC
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -209,8 +210,14 @@ jobs:
           pattern: step-ca_*
           merge-multiple: true
 
-      - name: List artifacts
-        run: ls -la dist/
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign binaries
+        run: |
+          for bin in dist/step-ca_*; do
+            cosign sign-blob --yes --bundle="${bin}.bundle" "$bin"
+          done
 
       - name: Get version
         id: version