Docker image signing (#31)

.github/workflows/dockerimage.yml

@@ -21,6 +21,11 @@ jobs:
         with:
           fetch-depth: 0
           fetch-tags: true
+      - name: Install cosign
+        if: github.ref == 'refs/heads/main'
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.1.1'
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
       - uses: docker/metadata-action@v5
@@ -49,6 +54,16 @@ jobs:
           sbom: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Sign the published Docker image
+        if: ${{ github.ref == 'refs/heads/main' }}
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: \echo "${TAGS}" | \xargs -I {} cosign sign --yes {}@${DIGEST} \
+            -a "workflow=${{ github.workflow }}" \
+            -a "repo=${{ github.repository }}" \
+            -a "branch=${{ github.ref_name }}" \
+            -a "ref=${{ github.sha }}"
       - name: Test the Docker image
         working-directory: ${{ env.IMAGE }}
         run: docker compose -f docker-compose.test.yml run sut