fix: stupid chris forgot to give id-token perms

- cosign wasn't working because the github_token didn't have the
  permissions to write to the id-token. silly me!

Signed-off-by: ChrisJBurns <[email protected]>

Author: ChrisJBurns

.github/workflows/image-build-and-publish.yml

@@ -12,6 +12,8 @@ jobs:
     permissions:
       contents: write
       packages: write
+      id-token: write
+
     env:
       BASE_REPO: "ghcr.io/stacklok/vibetool"
 
@@ -62,14 +64,4 @@ jobs:
         run: |
           TAG=$(echo "${{ steps.version-string.outputs.tag }}" | sed 's/+/_/g')
           # Sign the ko image
-          # cosign sign -y $BASE_REPO:$TAG
-          cosign version
-          echo "${BASE_REPO}:${TAG}" | xargs -I {} cosign sign --yes {}
-
-      # - name: Sign the published Docker image
-      #   env:
-      #     TAGS: ${{ steps.meta.outputs.tags }}
-      #     DIGEST: ${{ steps.build-and-push.outputs.digest }}
-      #   run: |
-      #     cosign version
-      #     echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+          cosign sign -y $BASE_REPO:$TAG