ci: sign published images with cosign keyless

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: gugu

.github/workflows/build.yaml

@@ -14,6 +14,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -91,6 +92,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ github.token }}
       - name: Build and Push
+        id: build
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -106,3 +108,14 @@ jobs:
             TIMESCALE_TOOLKIT_VERSION=${{ steps.versions.outputs.timescale_toolkit }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+      - name: Install Cosign
+        if: github.ref_name == 'main'
+        uses: sigstore/cosign-installer@v3
+      - name: Sign image with Cosign
+        if: github.ref_name == 'main'
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build.outputs.digest }}
+        run: |
+          set -euo pipefail
+          printf '%s\n' "$TAGS" | xargs -I {} cosign sign --yes "{}@${DIGEST}"