Sign published image manifests with cosign

Add keyless cosign signing for the published multi-arch manifests, including the canonical version tags and latest. The workflow now requests the OIDC token permission needed for GitHub-backed signing and signs the final manifest digests after publication.

Author: Wuodan

.github/workflows/build.yaml

@@ -21,6 +21,10 @@ on:
 env:
   IMAGE_NAME: ${{ inputs.image_name || vars.IMAGE_NAME || 'nikolaik/python-nodejs' }}
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   generate-matrix:
     name: Generate build matrix
@@ -116,6 +120,13 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v4.0.0
+
+      - name: Sign multi-arch manifest
+        run: |
+          digest="$(docker buildx imagetools inspect "${IMAGE_NAME}:${{ matrix.key }}" | awk '/^Digest:/ {print $2}')"
+          cosign sign --yes "${IMAGE_NAME}@${digest}"
 
       - name: Add digest to build context
         run: |
@@ -148,6 +159,8 @@ jobs:
           merge-multiple: true
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v4.0.0
       - name: Login to Docker Hub
         uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
@@ -157,6 +170,10 @@ jobs:
         run: |
           latest_tag="$(uv run dpn latest-key --builds-dir builds/)"
           docker buildx imagetools create --tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:${latest_tag}"
+      - name: Sign latest manifest
+        run: |
+          digest="$(docker buildx imagetools inspect "${IMAGE_NAME}:latest" | awk '/^Digest:/ {print $2}')"
+          cosign sign --yes "${IMAGE_NAME}@${digest}"
 
   release:
     name: Update versions.json and README.md