[CI] Use cosign to sign release binaries

Author: KornevNikita

.github/workflows/sycl-rel-nightly.yml

@@ -180,3 +180,9 @@ jobs:
 
       sycl_windows_artifact: sycl_windows_release
       sycl_windows_archive: ${{ needs.build-win.outputs.artifact_archive_name }}
+
+  sign-release-builds:
+    needs: [ubuntu2204_build, build-win]
+    uses: ./.github/workflows/sycl-sign-release-builds.yml
+    permissions:
+      id-token: write

.github/workflows/sycl-sign-release-builds.yml

@@ -0,0 +1,29 @@
+name: Sign Release Artifacts
+
+on:
+  workflow_call:
+
+permissions:
+  id-token: write
+
+jobs:
+  sign-artifact:
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Download artifact
+        run: |
+          gh run download ${{ github.run_id }} -R ${{ github.repository }} -n sycl_linux_release
+          gh run download ${{ github.run_id }} -R ${{ github.repository }} -n sycl_windows_release
+
+      - name: Sign with Sigstore
+        uses: sigstore/[email protected]
+        with:
+          inputs: sycl_linux.tar.gz sycl_windows.tar.gz
+
+      - name: Upload signature
+        uses: actions/upload-artifact@v4
+        with:
+          name: sigstore_signatures
+          path: "*.sigstore.json"