Add cosign checks #26

@amouat

Description

It would be great to add an optional extra step to verify provenance.

This could work by using cosign and taking issuer and identity arguments. (I'm not sure if issuer/identity regexps would also need to be supported). If these arguments are present and a new image is found, it should be verified with cosign. It's not clear what should happen after the failed verification; either open the PR and make the failure clear or don't open and log the error somehow?
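As an added example (not code from the project or from the issue author), here is how the proposed optional step could be wired up in POSIX shell. The cosign flags `--certificate-oidc-issuer`, `--certificate-identity` and their `-regexp` variants are the real cosign 2.x keyless-verification flags; the function names, the `annotate`/`skip` policy names and the sample image reference in the comments are assumptions made for this example. The regexp mode covers the "would regexps also need to be supported" question, and the result handler takes the still-open failure policy as a parameter rather than deciding it.

```shell
#!/bin/sh
# Added example for this issue (not the project's code): verify a newly found
# image with cosign keyless verification and map the outcome onto the two
# failure policies the issue leaves open. Function names and policy strings
# are hypothetical; the cosign flags are the real cosign 2.x ones.

# Flags pinning the expected OIDC issuer and signer identity. Exact match by
# default; mode "regexp" emits the *-regexp variants, which is the form needed
# when identities vary (e.g. per-tag workflow refs). One flag or value per
# output line so callers can read them back without word-splitting problems.
cosign_verify_flags() {
  issuer=$1; identity=$2; mode=${3:-exact}
  case $mode in
    regexp)
      printf '%s\n' --certificate-oidc-issuer-regexp "$issuer" \
                    --certificate-identity-regexp "$identity" ;;
    *)
      printf '%s\n' --certificate-oidc-issuer "$issuer" \
                    --certificate-identity "$identity" ;;
  esac
}

# Verify one image. Exit status: 0 = signature verified against the expected
# issuer/identity, 1 = verification failed, 2 = cosign is not installed, so
# "could not check" is never confused with "checked and failed".
verify_image() {
  image=$1; issuer=$2; identity=$3; mode=${4:-exact}
  command -v cosign >/dev/null 2>&1 || return 2
  nl=$(printf '\nx'); nl=${nl%x}            # a literal newline, portably
  old_ifs=$IFS; IFS=$nl; set -f             # split flags on newline only, no globbing
  set -- $(cosign_verify_flags "$issuer" "$identity" "$mode") "$image"
  set +f; IFS=$old_ifs
  cosign verify "$@" >/dev/null 2>&1 || return 1
}

# Map the verification status onto the two options from the issue.
# policy "annotate": open the PR but make the failure clear in it;
# policy "skip" (default): do not open the PR and log the error.
# Prints the action taken; non-zero status means no clean PR should be opened.
handle_result() {
  st=$1; image=$2; policy=${3:-skip}
  case $st in
    0) echo "open-pr: $image verified" ;;
    2) echo "error: cosign not installed, cannot verify $image" >&2; return 2 ;;
    *) if [ "$policy" = annotate ]; then
         echo "open-pr-with-warning: $image failed cosign verification"
       else
         echo "skip: $image failed cosign verification" >&2; return 1
       fi ;;
  esac
}

# Example run with constructed values (contacts the registry and the Sigstore
# services in a real environment, so it is left commented out here):
# verify_image ghcr.io/example/app:1.2.3 https://token.actions.githubusercontent.com \
#   'https://github.com/example/app/.github/workflows/release.yml@refs/tags/v1.2.3'
# handle_result $? ghcr.io/example/app:1.2.3 annotate
```

The three return codes are kept distinct on purpose: an update job that treats "cosign missing" the same as "verified" would silently fail open, while treating it the same as "signature invalid" would block every update on a misconfigured runner.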

Labels: enhancement (New feature or request), help wanted (Extra attention is needed)