Update push-docker.yml with cosign

.github/workflows/push-docker.yml

@@ -7,7 +7,10 @@ on:
       - master
       - main
 
-permissions: read-all
+permissions:
+  contents: read
+  packages: write
+  id-token: write
 
 jobs:
   push:
@@ -37,6 +40,11 @@ jobs:
         env:
           DOCKER_ENABLE_SECURITY: false
 
+      - name: Install cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.4.1'
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
@@ -80,6 +88,7 @@ jobs:
             type=raw,value=alpha,enable=${{ github.ref == 'refs/heads/main' }}
 
       - name: Build and push main Dockerfile
+        id: build-push-regular
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           builder: ${{ steps.buildx.outputs.name }}
@@ -92,6 +101,28 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
           platforms: linux/amd64,linux/arm64/v8
+          provenance: true
+          sbom: true
+
+      - name: Sign regular images
+        env:
+          DIGEST: ${{ steps.build-push-regular.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          # Always sign images regardless of branch
+          echo "$TAGS" | tr ',' '\n' | while read -r tag; do
+            cosign sign --yes "${tag}@${DIGEST}"
+          done
+
+          # For alpha builds specifically, we want to ensure they're marked as development builds
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            echo "Signing alpha build with development attestation"
+            echo "$TAGS" | tr ',' '\n' | while read -r tag; do
+              if [[ $tag == *":alpha" ]]; then
+                cosign attest --predicate <(echo '{"type":"development"}') --yes "${tag}@${DIGEST}"
+              fi
+            done
+          fi
 
       - name: Generate tags ultra-lite
         id: meta2
@@ -108,6 +139,7 @@ jobs:
             type=raw,value=latest-ultra-lite,enable=${{ github.ref == 'refs/heads/master' }}
 
       - name: Build and push Dockerfile-ultra-lite
+        id: build-push-lite
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         if: github.ref != 'refs/heads/main'
         with:
@@ -120,6 +152,18 @@ jobs:
           labels: ${{ steps.meta2.outputs.labels }}
           build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
           platforms: linux/amd64,linux/arm64/v8
+          provenance: true
+          sbom: true
+
+      - name: Sign ultra-lite images
+        if: github.ref != 'refs/heads/main'
+        env:
+          DIGEST: ${{ steps.build-push-lite.outputs.digest }}
+          TAGS: ${{ steps.meta2.outputs.tags }}
+        run: |
+          echo "$TAGS" | tr ',' '\n' | while read -r tag; do
+            cosign sign --yes "${tag}@${DIGEST}"
+          done
 
       - name: Generate tags fat
         id: meta3
@@ -136,6 +180,7 @@ jobs:
             type=raw,value=latest-fat,enable=${{ github.ref == 'refs/heads/master' }}
 
       - name: Build and push main Dockerfile fat
+        id: build-push-fat
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         if: github.ref != 'refs/heads/main'
         with:
@@ -149,3 +194,15 @@ jobs:
           labels: ${{ steps.meta3.outputs.labels }}
           build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
           platforms: linux/amd64,linux/arm64/v8
+          provenance: true
+          sbom: true
+
+      - name: Sign fat images
+        if: github.ref != 'refs/heads/main'
+        env:
+          DIGEST: ${{ steps.build-push-fat.outputs.digest }}
+          TAGS: ${{ steps.meta3.outputs.tags }}
+        run: |
+          echo "$TAGS" | tr ',' '\n' | while read -r tag; do
+            cosign sign --yes "${tag}@${DIGEST}"
+          done