feat: sign Docker images

Configures signing Docker images with Cosign keyless algorithm.

Author: kop

.github/workflows/release.yaml

@@ -31,18 +31,22 @@ jobs:
       contents: write
       packages: write
       id-token: write
+      attestations: write
     steps:
 
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Set up Go
+      - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
 
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:

.goreleaser.yaml

@@ -74,6 +74,13 @@ docker_manifests:
       - ghcr.io/firebolt-db/mcp-server:{{ .Version }}-amd64
       - ghcr.io/firebolt-db/mcp-server:{{ .Version }}-arm64v8
 
+docker_signs:
+  - artifacts: all
+    args:
+      - "sign"
+      - "${artifact}@${digest}"
+      - "--yes"
+
 release:
   replace_existing_artifacts: true
   mode: keep-existing