ci: update publish ci

Author: thangved

.github/workflows/publish.yml

@@ -3,6 +3,7 @@ name: Publish
 on:
     push:
         branches: [main]
+        tags: [v*]
     pull_request:
 
 env:
@@ -21,6 +22,8 @@ jobs:
             attestations: write
             id-token: write
         steps:
+            - name: Install Cosign
+              uses: sigstore/[email protected]
             - name: Checkout
               uses: actions/checkout@v4
               with:
@@ -36,12 +39,25 @@ jobs:
               id: meta
               with:
                   images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+                  tags: |
+                      type=ref,event=branch
+                      type=ref,event=pr
+                      type=semver,pattern={{version}}
+                      type=semver,pattern={{major}}.{{minor}}
+                      type=sha
             - name: Build and push
               uses: docker/build-push-action@v4
+              id: build-and-push
               with:
                   context: .
                   push: ${{ github.event_name != 'pull_request' }}
                   tags: ${{ steps.meta.outputs.tags }}
                   labels: ${{ steps.meta.outputs.labels }}
                   cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
                   cache-to: type=inline
+            - name: Sign the published Docker image
+              if: ${{ github.event_name != 'pull_request' }}
+              env:
+                  TAGS: ${{ steps.meta.outputs.tags }}
+                  DIGEST: ${{ steps.build-and-push.outputs.digest }}
+              run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}