feat: enable sbom and provenance (#11)

Author: insider89

.github/workflows/branch.yml

@@ -53,6 +53,9 @@ jobs:
             out
             ~/.foundry
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -83,7 +86,7 @@ jobs:
         id: test
 
       - name: Docker meta
-        id: meta
+        id: docker_meta
         uses: docker/metadata-action@v5
         with:
           # list of Docker images to use as base name for tags
@@ -101,10 +104,24 @@ jobs:
 
       - name: Build and push
         uses: docker/build-push-action@v5
+        id: build-and-push
         with:
           load: false
+          provenance: true
+          sbom: true
           push: true
           platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
           no-cache: true
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.docker_meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}