Add cosign signing for Docker images #2

Merged
hacker-cb merged 2 commits into master from copilot/add-cosign-signing-docker-images
Oct 13, 2025
Conversation

Copilot AI commented Oct 10, 2025

Overview

This PR implements cryptographic signing for all Docker images built in the platformio.yml workflow using Cosign with keyless signing.

What Changed

Workflow Updates (.github/workflows/platformio.yml)

  • Added id-token: write permission to enable GitHub OIDC token access for keyless signing
  • Installed Cosign using the official sigstore/cosign-installer@v3.5.0 action
  • Added image signing step that signs all published Docker images after the build-and-push step
  • Images are signed by digest to ensure all tags (latest, stable, versioned, etc.) point to verified content

Documentation Updates

Updated README.md and images/platformio/README.md to:

  • Inform users that all published images are cryptographically signed
  • Provide verification instructions for users to validate image signatures

How It Works

This implementation uses keyless signing with GitHub OIDC, which means:

  • ✅ No private keys to manage or store in secrets
  • ✅ GitHub issues short-lived certificates via OIDC tokens
  • ✅ Signatures are published to the public Sigstore transparency log
  • ✅ Full supply chain transparency and verification

Verification

Users can verify image signatures using:

cosign verify ghcr.io/jethome-iot/jethome-dev-platformio:latest \
  --certificate-identity-regexp=https://github.com/jethome-iot/jethome-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Security Benefits

  • Supply Chain Security: Ensures images haven't been tampered with
  • Provenance: Links images to their source repository and workflow
  • Transparency: All signatures are publicly verifiable via Sigstore

Notes

  • Signing only occurs on push events (not pull requests)
  • Compatible with existing multi-platform builds (linux/amd64, linux/arm64)
  • All generated tags are signed using the same image digest

Closes issue about adding cosign signing for Docker images built in platformio.yml workflow.

Original prompt

This section details the original issue you should resolve

<issue_title>Add cosign signing for docker images</issue_title>
<issue_description>Add cosign signing for docker images built inside the workflow platformio.yml</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #1

Co-authored-by: adeepn <64684523+adeepn@users.noreply.github.com>
Copilot AI changed the title [WIP] Add cosign signing for Docker images Add cosign signing for Docker images Oct 10, 2025
Copilot AI requested a review from adeepn October 10, 2025 07:04
@hacker-cb hacker-cb marked this pull request as ready for review October 13, 2025 06:04
Copilot AI review requested due to automatic review settings October 13, 2025 06:04
@hacker-cb hacker-cb merged commit 58bdab9 into master Oct 13, 2025
2 checks passed
Copilot AI left a comment

Pull Request Overview

This PR implements cryptographic signing for Docker images in the platformio.yml workflow using Cosign with keyless signing to enhance supply chain security and provide image provenance verification.

  • Added Cosign integration to the GitHub Actions workflow for automatic image signing
  • Updated documentation to inform users about signed images and provide verification instructions
  • Configured OIDC permissions for keyless signing without managing private keys

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • .github/workflows/platformio.yml: Added Cosign installation, image signing step, and OIDC permissions for keyless signing
  • README.md: Added brief mention of Cosign signing for all published images
  • images/platformio/README.md: Added detailed documentation on image signing and verification instructions

TAGS: ${{ steps.tags.outputs.TAGS }}
run: |
images=""
for tag in ${TAGS//,/ }; do
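Review bot: the replacement proposed for this loop, `for tag in $(echo "$TAGS" | tr ',' ' '); do`, does not cover the edge cases the comment names: the command substitution is unquoted, so a tag containing a space is word-split exactly as `${TAGS//,/ }` splits it, and an empty `TAGS` yields zero iterations in both forms, leaving `images` empty for the rest of the step. Splitting on commas only (`IFS=',' read -r -a tags <<< "$TAGS"` followed by `for tag in "${tags[@]}"`) and failing the step explicitly when the resulting list is empty would address both cases.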
Copilot AI Oct 13, 2025

The shell parameter expansion ${TAGS//,/ } may not handle edge cases like empty tags or tags with spaces correctly. Consider using a more robust approach like echo $TAGS | tr ',' ' ' or proper array handling to ensure reliable tag parsing.

Suggested change
for tag in ${TAGS//,/ }; do
for tag in $(echo "$TAGS" | tr ',' ' '); do

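The tag-splitting edge cases raised in the review comment above, and the sign-by-digest behaviour the PR description claims, written out as an added example that is not the repository's workflow code: the list is split on commas only, empty lists and tags containing whitespace are rejected, and every tag is pinned to the one build digest before it is signed. The function names, the `IMAGE`/`DIGEST`/`TAGS` arguments and the sample digest are assumptions for illustration; the cosign call lives only in `sign_images`, which the stand-alone run does not invoke.

```shell
#!/bin/sh
# Added example, not the repository's workflow: the tag loop of the
# signing step, split on commas only so that empty fields and tags
# containing whitespace are handled explicitly. Function names and the
# sample inputs below are assumptions for illustration.
set -eu

# Print one digest-pinned reference per tag: IMAGE:TAG@DIGEST.
# Every tag is pinned to the same digest, so each signature covers
# exactly the content that tag points at. Empty fields are skipped;
# a tag containing whitespace is rejected; an empty list is an error.
build_sign_refs() {
  bsr_image="$1"; bsr_digest="$2"; bsr_tags="$3"
  bsr_count=0
  bsr_old_ifs="$IFS"
  set -f                  # no globbing while the list is split
  IFS=','
  set -- $bsr_tags        # split on commas only, never on spaces
  IFS="$bsr_old_ifs"
  set +f
  for bsr_tag in "$@"; do
    [ -n "$bsr_tag" ] || continue
    case "$bsr_tag" in
      *[[:space:]]*)
        printf 'invalid tag: "%s"\n' "$bsr_tag" >&2
        return 1 ;;
    esac
    printf '%s:%s@%s\n' "$bsr_image" "$bsr_tag" "$bsr_digest"
    bsr_count=$((bsr_count + 1))
  done
  # Fail loudly rather than letting the step sign nothing.
  [ "$bsr_count" -gt 0 ] || { echo 'no tags to sign' >&2; return 1; }
}

# Keyless-sign every reference (cosign 2.x syntax; --yes accepts the
# transparency-log upload prompt). Needs id-token: write in the job.
sign_images() {
  si_refs=$(build_sign_refs "$@") || return 1
  printf '%s\n' "$si_refs" | while IFS= read -r si_ref; do
    cosign sign --yes "$si_ref"
  done
}

# Constructed sample input; the digest is a placeholder, not a real one.
build_sign_refs ghcr.io/jethome-iot/jethome-dev-platformio \
  sha256:0000000000000000000000000000000000000000000000000000000000000000 \
  'latest,stable,1.2.3'
```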
@hacker-cb hacker-cb deleted the copilot/add-cosign-signing-docker-images branch October 27, 2025 22:51