ci: sign images

Signed-off-by: Moritz Wanzenböck <moritz.wanzenboeck@linbit.com>

Author: WanzenBug

.github/workflows/build-docker.yaml

@@ -14,6 +14,8 @@ on:
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@v5
       - name: Set up QEMU
@@ -23,6 +25,9 @@ jobs:
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3
+      - name: Set up cosign
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: sigstore/cosign-installer@v3
       - name: login to Docker Hub
         if: ${{ github.event_name != 'pull_request' }}
         uses: docker/login-action@v3
@@ -38,6 +43,7 @@ jobs:
           password: ${{ secrets.QUAYIO_PASSWORD }}
       - name: Build and push
         uses: docker/bake-action@v6
+        id: bake
         with:
           builder: ${{ steps.buildx.outputs.name }}
           source: .
@@ -48,3 +54,8 @@ jobs:
         env:
           GIT_COMMIT: ${{ github.sha }}
           CACHE: true
+      - name: Sign images
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          jq '.[] | select(type=="object") | select(."containerimage.digest") | ."containerimage.digest" as $DIGEST | ."image.name" | split(":")[0] | "\(.)@\($DIGEST)"' -r <<<'${{ steps.bake.outputs.metadata }}' \
+            | xargs --no-run-if-emtpy cosign sign --yes