ci(release): sign build images before e2e gates (#448)

Signed-off-by: Roel de Cort <roel.decort@adfinis.com>

Author: dc-tec

.github/workflows/release.yml

@@ -115,6 +115,7 @@ jobs:
       ref: ${{ github.ref }}
       source_date_epoch: ${{ needs.prepare.outputs.source_date_epoch }}
       cache-scope: ${{ needs.prepare.outputs.build_tag }}
+      sign_images: true
     secrets: inherit
 
   rebuild:

.github/workflows/reusable-build.yml

@@ -21,6 +21,11 @@ on:
         required: false
         default: trusted
         type: string
+      sign_images:
+        description: "Sign pushed image digests with keyless cosign before returning build outputs"
+        required: false
+        default: false
+        type: boolean
     outputs:
       manager_digest:
         description: "Digest of the manager image"
@@ -134,6 +139,20 @@ jobs:
           subject-digest: ${{ steps.build.outputs.digest }}
           push-to-registry: true
 
+      - name: Install cosign
+        if: ${{ inputs.sign_images }}
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        with:
+          cosign-release: v3.0.4
+
+      - name: Sign image (keyless)
+        if: ${{ inputs.sign_images }}
+        env:
+          IMAGE_REF: ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}@${{ steps.build.outputs.digest }}
+        run: |
+          set -euo pipefail
+          cosign sign --yes --new-bundle-format=true "${IMAGE_REF}"
+
   collect-digests:
     name: Collect Image Digests
     runs-on: *runner