ci: Sign image on container--image workflow

Signed-off-by: Víctor Cuadrado Juan <[email protected]>

.github/workflows/container-build.yml

@@ -20,15 +20,6 @@ jobs:
     with:
       push-image: true
 
-  sign:
-    needs: build
-    uses: ./.github/workflows/sign-image.yml
-    permissions:
-      packages: write
-      id-token: write
-    with:
-      image-digest: ${{ needs.build.outputs.digest }}
-
   sbom:
     needs: build
     uses: ./.github/workflows/attestation.yml

.github/workflows/container-image.yml

@@ -34,6 +34,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       - name: Set up Docker Buildx
@@ -69,6 +71,16 @@ jobs:
           provenance: mode=max
           tags: |
             ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}
+      - name: Sign container image
+        run: |
+          cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/kubewarden-controller:@${{ steps.build-image.outputs.digest }}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/container-image.yml:${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/kubewarden-controller:@${{ steps.build-image.outputs.digest }}
+
       - # Only build amd64 because buildx does not allow multiple platforms when
         # exporting the image to a tarball. As we use this only for end-to-end tests
         # and they run on amd64 arch, let's skip the arm64 build for now.