sign images in ci

.gitea/workflows/build.yml

@@ -21,6 +21,11 @@ jobs:
           lfs: true
           submodules: true
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Check cosign install
+        run: cosign version
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -56,4 +61,10 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=registry,ref=harbor.pollinger.dev/build-cache/latex-build-container
-          cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=harbor.pollinger.dev/build-cache/latex-build-container
+          cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=harbor.pollinger.dev/build-cache/latex-build-container
+
+      - name: Sign the published server image
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}