Sign with the new keys

.github/workflows/build.yaml

@@ -23,6 +23,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
+      - name: Install cosign
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
       - name: Build image
         id: build
         uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
@@ -58,7 +64,19 @@ jobs:
           subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ steps.build.outputs.image }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
-
+
+      - name: Sign the published OCI image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          digest: ${{ steps.push.outputs.digest }}
+          fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }} 
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: >
+          echo "${fully_qualified_image_names_json}" 
+          | jq -r '.[]' 
+          | xargs -I {} cosign sign --key=env://COSIGN_PRIVATE_KEY "{}@${digest}"
+      
       - name: Echo outputs for auditing
         if: github.event_name != 'pull_request'
         run: |