Update build.yml (#16)

.github/workflows/build.yml

@@ -16,6 +16,10 @@ jobs:
   push-ghcr:
     name: Build and push image
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -90,7 +94,21 @@ jobs:
           password: ${{ env.REGISTRY_PASSWORD }}
           extra-args: |
             --disable-content-trust
-
+      # Sign container
+      - uses: sigstore/cosign-installer@main
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Sign container image
+        run: |
+          cosign sign ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
+        env:
+          TAGS: ${{ steps.push.outputs.digest }}
+          COSIGN_PRIVATE_KEY: ${{secrets.SIGNING_SECRET}}
+          COSIGN_EXPERIMENTAL: true
       - name: Echo outputs
         run: |
           echo "${{ toJSON(steps.push.outputs) }}"