build: sign container

Signed-off-by: Jakob Borg <jakob@kastelo.net>

Author: calmh

.github/workflows/build-publish.yaml

@@ -4,8 +4,9 @@ on:
   push:
 
 permissions:
+  contents: read
+  id-token: write
   packages: write
-  contents: write
 
 jobs:
   build-and-push-docker-image:
@@ -26,6 +27,9 @@ jobs:
       - name: Setup ko
         uses: ko-build/setup-ko@v0.6
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+
       - name: Login to Github Packages
         uses: docker/login-action@v3
         with:
@@ -37,6 +41,7 @@ jobs:
         run: |
           descr=$(git describe)
           export version="${descr#v}"
-          ko build --bare --sbom=none -t latest -t "$version" .
+          ko build --bare --sbom=none -t latest -t "$version" . \
+          | xargs cosign sign --yes --recursive
         env:
           KO_DOCKER_REPO: ghcr.io/syncthing/infra/roadmap-votes