[DEVOPS-4325] ci: add cosign and provenance to docker image

.github/workflows/build-image.yml

@@ -32,7 +32,7 @@ jobs:
             VERSION=$(gh release view --json tagName --jq .tagName --repo devolutions/prux)
           fi
 
-          gh release download $VERSION --repo devolutions/prux --pattern '*.tar.gz'
+          gh release download "$VERSION" --repo devolutions/prux --pattern '*.tar.gz'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -46,6 +46,9 @@ jobs:
         if: ${{ inputs.is_workflow_call }}
         uses: actions/download-artifact@v4
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Login to DockerHub
         uses: docker/login-action@v3
         with:
@@ -54,14 +57,29 @@ jobs:
 
       - name: Build and push image
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: dockerfile/Dockerfile.GH
+          provenance: mode=max
           push: true
+          sbom: true
           tags: |
             devolutions/prux:${{ inputs.tag }}
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.8.0
+        with:
+          cosign-release: v2.4.1
+
+      - name: Sign image with Cosign
+        run: |
+          cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY \
+            devolutions/prux@${{ steps.docker_build.outputs.digest }}
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
       - name: Docker Scout
         uses: docker/scout-action@v1
         with: