feat: Sign Docker image on build action

Author: alecron

.github/workflows/publish.yaml

@@ -21,6 +21,7 @@ jobs:
     permissions:
       contents: read # required for actions/checkout
       packages: write # required for pushing to ghcr.io
+      id-token: write # required for signing with cosign
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
@@ -38,11 +39,25 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+        with:
+          cosign-release: 'v2.2.4'
+
       - name: Build and push Docker image
+        id: build-and-push
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
           tags: |
             ghcr.io/sysdiglabs/sysdig-mcp-server:latest
             ghcr.io/sysdiglabs/sysdig-mcp-server:v${{ steps.extract_version.outputs.VERSION }}
+
+      - name: Sign the published Docker image
+        env:
+          TAGS: |
+            ghcr.io/sysdiglabs/sysdig-mcp-server:latest
+            ghcr.io/sysdiglabs/sysdig-mcp-server:v${{ steps.extract_version.outputs.VERSION }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}