chore(ci): sign container images with ddsign (#1065)

## Summary

- Sign the image for ci image jobs per [instruction](https://datadoghq.atlassian.net/wiki/spaces/SECENG/pages/2744681107/Image+Integrity+User+Guide)

Fixes: https://datadoghq.atlassian.net/browse/SVLS-8644

Co-authored-by: tianning.li <tianning.li@datadoghq.com>

Author: litianningdatadog

.gitlab-ci.yml

@@ -23,10 +23,15 @@ ci image:
       changes:
         - .gitlab/Dockerfile
       when: on_success
+  id_tokens:
+    DDSIGN_ID_TOKEN:
+      aud: image-integrity
   variables:
     DOCKER_TARGET: ${DOCKER_TARGET_IMAGE}:${DOCKER_TARGET_VERSION}
   script:
-    - docker buildx build --platform linux/amd64,linux/arm64 --no-cache --pull --push --tag ${DOCKER_TARGET} -f .gitlab/Dockerfile .
+    - METADATA_FILE=$(mktemp)
+    - docker buildx build --platform linux/amd64,linux/arm64 --no-cache --pull --push --tag ${DOCKER_TARGET} --metadata-file ${METADATA_FILE} -f .gitlab/Dockerfile .
+    - ddsign sign ${DOCKER_TARGET} --docker-metadata-file ${METADATA_FILE}
 
 .go-cache: &go-cache
   key: datadog-lambda-extension-go-cache