add OIDC token permissions and cosign steps for Docker image signing

Author: argentinaluiz

.github/workflows/ci.yaml

@@ -22,6 +22,7 @@ jobs:
       packages: write # Permitir publicar pacotes no GitHub Packages
       pull-requests: write # Permitir criar e atualizar pull requests
       security-events: write # Enviar eventos de segurança para o Github Security
+      id-token: write # Permitir emitir tokens OIDC para autenticação com provedores externos
 
     steps:
       - name: Checkout repository
@@ -101,7 +102,7 @@ jobs:
 
       - name: Extract Docker metadata
         id: meta
-        if: ${{ github.event_name != 'pull_request' }}
+        if: github.event_name != 'pull_request'
         uses: docker/[email protected]
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -114,7 +115,7 @@ jobs:
       
       - name: Build final
         id: build-final
-        if: ${{ github.event_name != 'pull_request' }}
+        if: github.event_name != 'pull_request'
         uses: docker/[email protected]
         with:
           context: ./src/ci/nestjs-project
@@ -128,3 +129,17 @@ jobs:
           sbom: true
           secrets: |
             github_token=${{ secrets.MY_GITHUB_TOKEN }}
+      
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.2.4'
+      
+      - name: Sign the published Docker image
+        if: github.event_name != 'pull_request'
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }} docker metadata tag1,tag2,tag3
+          DIGEST: ${{ steps.build-final.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+