Sign published image manifests with cosign

Add keyless cosign signing for the published multi-arch manifests, including the canonical version tags and latest. The workflow now requests the OIDC token permission needed for GitHub-backed signing and signs the final manifest digests after publication.

Author: Wuodan

.github/workflows/build.yaml

@@ -21,6 +21,10 @@ on:
 env:
   IMAGE_NAME: ${{ inputs.image_name || vars.IMAGE_NAME || 'nikolaik/python-nodejs' }}
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   generate-matrix:
     name: Generate build matrix
@@ -112,15 +116,21 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Push multi-arch manifest
-        run: docker manifest push "${IMAGE_NAME}:${{ matrix.key }}"
+        id: push-manifest
+        run: |
+          digest="$(docker manifest push "${IMAGE_NAME}:${{ matrix.key }}" | tail -n1)"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v4.0.0
+
+      - name: Sign multi-arch manifest
+        run: cosign sign --yes "${IMAGE_NAME}@${{ steps.push-manifest.outputs.digest }}"
 
       - name: Add digest to build context
         run: |
           mkdir builds/
-          digest="$(docker buildx imagetools inspect "${IMAGE_NAME}:${{ matrix.key }}" | awk '/^Digest:/ {print $2}')"
+          digest="${{ steps.push-manifest.outputs.digest }}"
           echo '${{ toJSON(matrix) }}' | jq --arg digest "$digest" '. +={"digest": $digest}' >> "builds/${{ matrix.key }}.json"
 
       - name: Upload build context