ci: sign images + return to zuul
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index ce5ddc5..b5c87b8 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -23,6 +23,7 @@
     run: zuul.d/playbooks/build-images/run.yml
     secrets:
       - registry_credentials
+      - cosign_key
 
 - job:
     name: atmosphere-molecule
diff --git a/zuul.d/playbooks/build-images/pre.yml b/zuul.d/playbooks/build-images/pre.yml
index ab0c6e1..6b51ca1 100644
--- a/zuul.d/playbooks/build-images/pre.yml
+++ b/zuul.d/playbooks/build-images/pre.yml
@@ -12,7 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Prepare host for Keycloak tests
+- name: Prepare host for building images
   hosts: all
   roles:
     - ensure-docker
diff --git a/zuul.d/playbooks/build-images/run.yml b/zuul.d/playbooks/build-images/run.yml
index 854af95..ed89687 100644
--- a/zuul.d/playbooks/build-images/run.yml
+++ b/zuul.d/playbooks/build-images/run.yml
@@ -32,3 +32,48 @@
         chdir: "{{ zuul.project.src_dir }}"
       environment:
         PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}"
+
+    - name: Get list of images built
+      ansible.builtin.shell: docker buildx bake --print
+      register: images_built_json
+
+    - name: Set fact with list of images
+      set_fact:
+        images_built: "{{ images_built_json.stdout | from_json | json_query('target.*.tags[?@] | []') }}"
+      
+    - name: Sign images
+      when: zuul.pipeline == 'post'
+      block:
+        - name: Download cosign binary
+          ansible.builtin.get_url:
+            url: https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
+            dest: /usr/local/bin/cosign
+            mode: 0755
+
+        - name: Copy the cosign private key
+          copy:
+            content: "{{ cosign_key.private }}"
+            dest: cosign.key
+
+        - name: Sign images
+          ansible.builtin.shell: |
+            cosign sign -y --recursive --key cosign.key {{ item }}
+          loop: "{{ images_built }}"
+
+        - name: Delete the cosign private key
+          file:
+            path: cosign.key
+            state: absent
+
+    - name: Return Zuul artifacts for images
+      zuul_return:
+        data:
+          zuul:
+            artifacts:
+              - name: "{{ item }}"
+                url: "docker://{{ item }}"
+                metadata:
+                  type: container_image
+                  repository: "{{ item.split(':')[0] }}"
+                  tag: "{{ item.split(':')[1] }}"
+      loop: "{{ images_built }}"
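Review bot: The `Download cosign binary` task fetches `releases/latest` with no `checksum`, so whatever binary that URL serves at run time is installed and then handed the private signing key; pin a release and verify its digest. In the same block, `cosign.key` is written with no `mode` and no `no_log`, and `Delete the cosign private key` is skipped when any `cosign sign` call fails, so the cleanup belongs in an `always:` section. The sign step also templates `{{ item }}` into a shell line and signs by tag rather than by the pushed digest, which leaves a window between push and signature in which the tag can move. Separately, `item.split(':')[1]` in the artifact metadata returns the wrong piece for a reference whose registry host includes a port. The play header is outside this hunk, so its privilege and working-directory settings are not visible here.

```yaml
    - name: Sign images
      # … unchanged: when: zuul.pipeline == 'post' …
      block:
        - name: Download cosign binary
          ansible.builtin.get_url:
            # <PINNED_COSIGN_VERSION> and <SHA256_OF_RELEASE_BINARY> are placeholders to fill in
            url: https://github.com/sigstore/cosign/releases/download/<PINNED_COSIGN_VERSION>/cosign-linux-amd64
            dest: /usr/local/bin/cosign
            mode: "0755"
            checksum: "sha256:<SHA256_OF_RELEASE_BINARY>"

        - name: Copy the cosign private key
          ansible.builtin.copy:
            content: "{{ cosign_key.private }}"
            dest: cosign.key
            mode: "0600"
          no_log: true

        - name: Sign images
          ansible.builtin.command:
            argv:
              - cosign
              - sign
              - "-y"
              - "--recursive"
              - "--key"
              - cosign.key
              - "{{ item }}"
          loop: "{{ images_built }}"
      always:
        # … the existing "Delete the cosign private key" task, moved here unchanged …
```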
diff --git a/zuul.d/secrets.yaml b/zuul.d/secrets.yaml
index 232d7d5..9cbc362 100644
--- a/zuul.d/secrets.yaml
+++ b/zuul.d/secrets.yaml
@@ -27,3 +27,33 @@
           M7zDXnorUFyv9dUIB2rOZrp7o0OC2thujjDTKXb4qfmfXGOwlkNmtCLo6BaDo9pSdRN8p
           k0YnUAItZ64qUR7paEUKGy4rzsZjDYvIj7DrCFvLL2CXcyjPGcmcblpSHe5vJ15CFVH8X
           o39FIIhSmehvrYJziGYUgf4JY1B6ktBtFc9l78WeoJRHNce+viSSkBj1fhbUaI=
+
+- secret:
+    name: cosign_key
+    data:
+      public: |
+        -----BEGIN PUBLIC KEY-----
+        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf5DzGuQLAvNIfiv/b7JULemWZcpU
+        4uCefCqflA7wpypGLM+1lBo0pjBc/9QJAj+lG61ZNwpDx8Zk1jFGJUUl9A==
+        -----END PUBLIC KEY-----
+      private: !encrypted/pkcs1-oaep
+        - lHcfMc85t12hzas/feMTOr1+pZVMZfQdxTMJouKIvSHpHjSQt6EwyMmWIhc+q03HUBGb5
+          setWiSl1YNZIprZLyqCNCq8NjZlcBWVnw9zkkMdwN2Q6JkAe78mPHRLmVUdNqKuOVHmmr
+          ThCUkQHxbieKW7ZGzAtUSouSWhfjLdx9poUf5wJx2ujotcNcCQ2Bkb7PPzWNBdzBJjRlE
+          2PXW+Ni99wNZisEcjxan7QhrhFxcS+sou0R9FPds66zO9GgAYYD+4SRwF7dSUM2BXA7AZ
+          0zeU6w+e2qd09eHUbHVYXeWDhYKx7FlsUetVHWzyVFg4LfnHCFC/tIWTvJnzyJIfbXziP
+          KLSuv3wGlNCRZOPI7xgB0oeky++xzuTfnX2Ra9pNVZ9eAzpBArJRTOCCgltXjfWNS3QiZ
+          LR3cmizPL53BUHX92MBBXPXqaEYfbkUcbcAlYYgnjYUT8rak4NW7R5qZMI0d8IWGAnC7w
+          z0MGuT61LWhaPq63TusWpXPbh1GK6n8RxSAQeV9W69KSrbgirRKET2/HyW/WnDwrvYiCY
+          866xxq/vtqkfB5ck/YtW6UCE5pVPzqnGBLKd+3/t9tu1j0UY/tuegi+3tLbm18E1hPg/T
+          XDvEm7qkl8QerJFfI3XX8YVUcgc1/tzRHFslNXGsUFkgl6BxS9FIu5hXOIv3hQ=
+        - CwAHQQkYQwM2uc4rDihEw+2jJQ0c/FxsutON5u/D48hRBxeUAzj8fTnAar+Co7jWkNHYV
+          +dI/LvhT7y++gzi4kG41B2L+FJELnh2TI3+hz7XorUALHuei5aYsyIFFzVow2fP0t6nW+
+          mBAYFlbO8stkDg9veIiBxv0RXaISQVNOfzOo428zt0EPJYSqno4FJ9by6plO/jY3A5h8j
+          ElEs/J35vrDbWcWy80htZNKuLo6nBOaDPM1Esfd6uBsMVxxaPzUSa6yaov4pS8WV172CW
+          98IaCSYY1+GGkpm+69nQmi6Ik9qILhn3yu3XqfnF/8rlrXXzhN2bDevMyPiWh/KXL4mAq
+          UMWyNyXdNNY2g+5s3dCB/qoZVIdiilsDX9tvP7pQvKW4tNqLXm9+8RVbfPxVaWfKpb3JD
+          02RZtvB0W+jpCk/tC3JNKpW3JVnlOGidYyLMsrMqDoKlohorq/LZ/hM4qDyYCoXr5NzJv
+          Wq1JuqYu3+/gpx/PE+RI17lCKbA0vYI86L1qMkoQMK0rvShurWanz8/q7slDorWcfgHW8
+          UbB4Rqd9xgk8jtHnxHNlafZrfjIJbE5W5PddzH5Q5Aw7l4sPlJ4V2hnF+mhVegCwhc7s7
+          D/tlTTxjnHrQBLw9+vwDhkk/RADQbLExTIXFt6TH0No94zdTiUrTPg90s+rn6A=
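Review bot: The `cosign_key` secret carries only `public` and `private`, and the signing task in run.yml sets no `COSIGN_PASSWORD`, so the key pair was presumably generated with an empty passphrase and the `!encrypted/pkcs1-oaep` wrapping is its only protection at rest; this is worth confirming, and a passphrase, if one exists, needs its own encrypted field. A short comment above the secret would help whoever rotates it, for example `# cosign key pair used to sign built images in the post pipeline; 'public' is the key consumers pass to cosign verify --key`.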