Sign pushed images with cosign

After the Harbor push, install cosign and sign each image's digest with
a key stored in COSIGN_PRIVATE_KEY / COSIGN_PASSWORD secrets. Cosign
resolves the SHA tag to the underlying digest, so a single signature
covers every tag (version, sha, latest) pointing at the same image.
Harbor looks up signatures by digest and will display "signed" status
once the signature artifact lands alongside the image.

Cosign is curl-installed at v2.4.1 and uses the existing docker login
for registry auth — no extra credentials needed beyond the cosign key.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -367,6 +367,28 @@ jobs:
           docker push ${REPO}:${SHA_SHORT}
           docker push ${REPO}:latest
 
+      - name: Install cosign
+        run: |
+          curl -fsSL "https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64" \
+            -o /usr/local/bin/cosign
+          chmod +x /usr/local/bin/cosign
+          cosign version
+
+      - name: Sign images with cosign
+        env:
+          COSIGN_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          set -eu
+          # Sign by SHA tag — cosign resolves to the underlying digest, so a
+          # single signature covers every tag pointing at the same digest
+          # (version, sha, latest). Harbor looks up signatures by digest.
+          # Reuses the docker login from earlier in this job for registry auth.
+          cosign sign --key env://COSIGN_KEY --yes \
+            "${HARBOR_HOST}/${HARBOR_PROJECT}/backend:${SHA_SHORT}"
+          cosign sign --key env://COSIGN_KEY --yes \
+            "${HARBOR_HOST}/${HARBOR_PROJECT}/frontend:${SHA_SHORT}"
+
       - name: Push back per-package git tags
         env:
           # Auto-injected per-run token; has push permission to this repo.