feat: support dry-run

Support `dry-run` to skip signing images.

Signed-off-by: Noel Georgi <[email protected]>

Author: frezbo

.github/workflows/ci.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-10-20T11:04:55Z by kres 46e133d.
+# Generated on 2025-10-20T13:39:45Z by kres 46e133d.
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
@@ -212,10 +212,3 @@ jobs:
       - name: unit-tests-race
         run: |
           make unit-tests-race
-      - name: coverage
-        uses: codecov/codecov-action@v5
-        with:
-          files: _out/coverage-unit-tests.txt
-          flags: unit-tests
-          token: ${{ secrets.CODECOV_TOKEN }}
-        timeout-minutes: 3

.kres.yaml

@@ -18,3 +18,7 @@ spec:
     linux-arm64:
       GOOS: linux
       GOARCH: arm64
+---
+kind: service.CodeCov
+spec:
+  enabled: false

cmd/image-signer/cmd/sign.go

@@ -42,6 +42,7 @@ var signOptions struct {
 	Timeout                   time.Duration
 
 	DeviceFlow bool
+	DryRun     bool
 }
 
 func signImages(images []string) error {
@@ -67,6 +68,20 @@ func signImages(images []string) error {
 			continue
 		}
 
+		if signOptions.DryRun {
+			fmt.Println("Dry run enabled, skipping signing.")
+
+			if !signatureInfo.LegacySignature {
+				fmt.Println("Would sign legacy signature.")
+			}
+
+			if !signatureInfo.BundleSignature {
+				fmt.Println("Would sign bundle signature.")
+			}
+
+			continue
+		}
+
 		if err := signer.SignImage(image, signatureInfo.LegacySignature, signatureInfo.BundleSignature, signOptions.OIDCProvider, signOptions.DeviceFlow, signOptions.Timeout); err != nil {
 			return fmt.Errorf("failed to sign image %s: %w", image, err)
 		}
@@ -79,6 +94,7 @@ func signImages(images []string) error {
 
 func init() {
 	signCmd.Flags().BoolVarP(&signOptions.DeviceFlow, "device-flow", "d", false, "Use device flow for authentication")
+	signCmd.Flags().BoolVarP(&signOptions.DryRun, "dry-run", "", false, "Perform a dry run without actually signing the images")
 	signCmd.Flags().StringVarP(&signOptions.CertificateIdentityRegexp, "certificate-identity-regexp", "i", "@siderolabs\\.com$", "The identity regular expression to use for certificate verification")
 	signCmd.Flags().StringVarP(&signOptions.CertificateOIDCIssuer, "certificate-oidc-issuer", "o", "https://accounts.google.com", "The OIDC issuer URL to use for certificate verification")
 	signCmd.Flags().StringVarP(&signOptions.OIDCProvider, "oidc-provider", "p", "google", "The OIDC provider to use for authentication, supported values are: google, github, microsoft, Set to empty string to use the default HTML page for selection") //nolint:lll