Add SBOM and sign image

Sign the image with cosign.
Add Software Bill of Materials with trivy as signed cosign attestations.

This informatin is needed for securing the supply chain.

You can verify the image with cosign.
You can get the SBOM from the attestations and then use trivy to check
for vulnerabilities.

Signed-off-by: Jordi Massaguer Pla <jmassaguerpla@suse.com>

Author: jordimassaguerpla

.github/workflows/build_and_push_models.yml

@@ -108,6 +108,22 @@ jobs:
         run: docker tag $DOCKER_IMAGE_NAME_SHORT:$DOCKER_IMAGE_TAG $REGISTRY/$IMAGE_NAME/$DOCKER_IMAGE_NAME_SHORT:$DOCKER_IMAGE_TAG
       - name: Push Docker image
         run: docker push $REGISTRY/$IMAGE_NAME/$DOCKER_IMAGE_NAME_SHORT:$DOCKER_IMAGE_TAG 
+      - name: Build SBOM
+        uses: aquasecurity/trivy-action@v0.14.0
+        with:
+          image-ref: $REGISTRY/$IMAGE_NAME/$DOCKER_IMAGE_NAME_SHORT:$DOCKER_IMAGE_TAG
+          format: 'spdx-json'
+          output: 'sbom.spdx.json'
+      - name: Install sigstore cosign
+        uses: sigstore/cosign-installer@main
+      - name: Write signing key to disk (only needed for `cosign sign --key`)
+        run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key
+      - name: Sign image
+        run: cosign sign --key cosign.key $REGISTRY/$IMAGE_NAME/$DOCKER_IMAGE_NAME_SHORT:$DOCKER_IMAGE_TAG
+        env:
+          COSING_PASSWORD: ""
+      - name: Sign attestations
+        run: cosign attest --key cosign.key --type spdx --predicate sbom.spdx.json $REGISTRY/$IMAGE_NAME/$DOCKER_IMAGE_NAME_SHORT:$DOCKER_IMAGE_TAG
       - name: Terraform Destroy
         if: ${{ always() }}
         run: terraform destroy -auto-approve