Sign docker image

.github/workflows/build_addon.yml

@@ -101,6 +101,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.6.0
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -148,6 +151,7 @@ jobs:
 
       - name: Build and push ${{matrix.arch}}
         uses: docker/build-push-action@v6
+        id: build-and-push
         with:
           push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.event_name == 'release') }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -162,6 +166,18 @@ jobs:
           context: ./${{env.TARGET}}/
           platforms: ${{ matrix.arch_value }}
 
+      - name: Sign the images with GitHub OIDC Token
+        if: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.event_name == 'release') }}
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
   update_main_ha_repository:
     name: Update HA addon repository
     runs-on: ubuntu-latest