ci: Use cosign to sign container images.

This commit adds cosign to the CI pipeline. cosign is an open-source
tool developed by Chainguard that signs container images, allowing
other users to cryptographically verify the origin of container
images. [1]

cosign has different operating modes. This commit utilizes Chainguard's
signing infrastructure via "keyless signing". [2] Keyless signing makes
image signing easy for open-source projects because Chainguard operates
the signing infrastructure on behalf of others.

Note: This commit is based on work by Chris Nesbitt-Smith, who published
an example GitHub Actions workflow for running cosign. [3]

References

1. https://docs.sigstore.dev/signing/quickstart
2. https://edu.chainguard.dev/open-source/sigstore/cosign/an-introduction-to-cosign/#keyless-signing
3. https://github.com/chrisns/cosign-keyless-demo/blob/f35f6c776f/.github/workflows/ci.yml

.github/workflows/release.yml

@@ -1,13 +1,11 @@
 
 name: Create and publish a api image
 
-on:
-  push:
-    tags:
-      - v**
+on: push
+
 env:
   REGISTRY: ghcr.io/metal-toolbox
-  API_IMAGE_NAME: audito-maldito/audito-maldito
+  APP_IMAGE_NAME: audito-maldito/audito-maldito
 
 jobs:
   auto-release:
@@ -29,6 +27,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
 
     steps:
       - name: Checkout repository
@@ -41,29 +40,51 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - uses: sigstore/[email protected]
+        with:
+          cosign-release: "v2.2.1"
+
       - name: Get current date
         id: date
         run: echo "::set-output name=date::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
 
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta-api
-        uses: docker/metadata-action@62339db73c56dd749060f65a6ebb93a6e056b755
+      - name: Extract am metadata (tags, labels) for Docker
+        id: am-metadata
+        uses: docker/metadata-action@v5.3.0
         with:
-          images: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}
+          images: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}
+
+      - name: Extract rsyslog metadata (tags, labels) for Docker
+        id: rsyslog-metadata
+        uses: docker/[email protected]
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}-rsyslog
 
       - name: Build rsyslog and push Docker image
-        uses: docker/build-push-action@fdf7f43ecf7c1a5c7afe936410233728a8c2d9c2
+        id: rsyslog-build-push
+        uses: docker/[email protected]
         with:
           context: "./contrib/rsyslog"
           push: true
           file: ./contrib/rsyslog/Dockerfile.ubuntu
-          tags: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:${{ github.ref_name }}-rsyslog
-          labels: ${{ steps.meta-api.outputs.labels }}
+          tags: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}:${{ github.ref_name }}-rsyslog
+          labels: ${{ steps.am-metadata.outputs.labels }}
+
+      - run: cosign sign -y -r "${TAGS}@${DIGEST}"
+        env:
+          DIGEST: ${{ steps.rsyslog-build-push.outputs.digest }}
+          TAGS: ${{ steps.rsyslog-metadata.outputs.tags }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@fdf7f43ecf7c1a5c7afe936410233728a8c2d9c2
+        id: am-build-push
+        uses: docker/[email protected]
         with:
           push: true
           file: Dockerfile
-          tags: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:${{ github.ref_name }}
-          labels: ${{ steps.meta-api.outputs.labels }}
+          tags: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}:${{ github.ref_name }}
+          labels: ${{ steps.metadata.outputs.labels }}
+
+      - run: cosign sign -y -r "${TAGS}@${DIGEST}"
+        env:
+          DIGEST: ${{ steps.am-build-push.outputs.digest }}
+          TAGS: ${{ steps.am-metadata.outputs.tags }}