chore(ci): add a workflow to allow maintainers to sign an image with Cosign on-demand (#1320)

.github/workflows/sign_image.yml

@@ -0,0 +1,48 @@
+name: Sign Image
+
+# A workflow to sign an image on demand
+
+on:
+  workflow_dispatch:
+    inputs:
+      image:
+        description: 'Image to sign, including the tag'
+        required: true
+
+jobs:
+  sign:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Login to GHCR
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get digest
+        id: get-digest
+        env:
+          IMAGE_TO_SIGN: ${{ inputs.image }}
+        run: |
+          digest=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Digest}}')
+          name=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Name}}')
+          echo "DIGEST=$digest" >> $GITHUB_OUTPUT
+          echo "NAME=$name" >> $GITHUB_OUTPUT
+
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+      - name: Sign Image
+        env:
+          SIGNING_KEY: ${{ secrets.SIGNING_SECRET }}
+          IMAGE_NAME: ${{ steps.get-digest.outputs.NAME }}
+          IMAGE_DIGEST: ${{ steps.get-digest.outputs.DIGEST }}
+        run: |
+          cosign sign -y --key env://SIGNING_KEY $IMAGE_NAME@$IMAGE_DIGEST