chore(ci): push docker images

Signed-off-by: Thibault NORMAND <[email protected]>

.github/workflows/docker.yml

@@ -47,7 +47,6 @@ jobs:
         uses: docker/metadata-action@v3
         with:
           images: |
-            elastic/harp
             ghcr.io/elastic/harp
       -
         id: build-and-push
@@ -56,8 +55,32 @@ jobs:
         with:
           context: .
           platforms: linux/amd64,linux/arm64
+          push: true
           build-args: VERSION=${{ github.event.inputs.release }}
           tags: |
-            ghcr.io/${{ github.repository }}/harp:latest
-            ghcr.io/${{ github.repository }}/harp:v${{ github.event.inputs.release }}
+            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ github.repository }}:v${{ github.event.inputs.release }}
           labels: ${{ steps.meta.outputs.labels }}
+      -
+        name: Create SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/${{ github.repository }}:latest
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ github.token }}
+          artifact-name: sbom.spdx
+          format: spdx
+      -
+        name: Sign image and add attestations
+        run: |
+          echo -n "${COSIGN_PASSWORD}" | \
+          cosign sign --key <(echo -n "${COSIGN_KEY}") \
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "ref=${{ github.sha }}" \
+            ghcr.io/${{ github.repository }}:v${{ github.event.inputs.release }}
+          cosign attach sbom --sbom sbom.spdx ghcr.io/${{ github.repository }}:v${{ github.event.inputs.release }}
+      -
+        name: Verify the signature
+        run: |
+          cosign verify --key build/artifact/cosign.pub ghcr.io/${{ github.repository }}:v${{ github.event.inputs.release }}