Commit fdfc96cc authored by Clement Bois's avatar Clement Bois

feat(cosign): add variable for annotations

parent 238f74fd
+1 −0
@@ -246,6 +246,7 @@ The signing process can be configured with the following variables:
| `cosign-opts` / `DOCKER_COSIGN_OPTS`                      | Options for [`cosign sign`](https://docs.sigstore.dev/cosign/signing/signing_with_containers/) command | `--tlog-upload=false --recursive` |
| `cosign-attest-opts` / `DOCKER_COSIGN_ATTEST_OPTS`        | Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command
 | `--tlog-upload=false` |
| `cosign-annotations` / `DOCKER_COSIGN_ANNOTATIONS`        | Additional annotations to add to the signature | GitLab build provenance data |
| `cosign-dist-url` / `DOCKER_COSIGN_DIST_URL`              | Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)<br/>_When unset, the latest version will be used_ | _none_ |
| :lock: `cosign-private-key` / `DOCKER_COSIGN_PRIVATE_KEY` | Private key used for signing the Docker image and the attestation | _none_ |
| :lock: `cosign-password` / `COSIGN_PASSWORD`              | Password of the private key | _none_ |
+6 −0
@@ -241,6 +241,12 @@
          "default": "--tlog-upload=false",
          "advanced": true
        },
        {
          "name": "DOCKER_COSIGN_ANNOTATIONS",
          "description": "Additional annotations to add to the signature",
          "default": "--annotations \"com.gitlab.ci.project.path=$CI_PROJECT_URL\" --annotations \"com.gitlab.ci.user.name=$GITLAB_USER_NAME\" --annotations \"com.gitlab.ci.pipeline.id=$CI_PIPELINE_ID\" --annotations \"com.gitlab.ci.pipeline.url=$CI_PIPELINE_URL\" --annotations \"com.gitlab.ci.job.id=$CI_JOB_ID\" --annotations \"com.gitlab.ci.job.url=$CI_JOB_URL\" --annotations \"com.gitlab.ci.commit.sha=$CI_COMMIT_SHA\" --annotations \"com.gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME\" --annotations \"com.gitlab.ci.runner.id=$CI_RUNNER_ID\" --annotations \"com.gitlab.ci.runner.version=$CI_RUNNER_VERSION\" --annotations \"com.gitlab.ci.job.started-at=$CI_JOB_STARTED_AT\" --annotations \"com.gitlab.ci.registry.image=$docker_image\" --annotations \"org.opencontainers.image.source=$CI_PROJECT_URL\" --annotations \"org.opencontainers.image.revision=$CI_COMMIT_SHA\" --annotations \"tag=$docker_tag\"",
          "advanced": true
        },
        {
          "name": "DOCKER_COSIGN_DIST_URL",
          "description": "Url to the `linux-amd64` binary of Cosign to use\n\n_When unset, the latest version will be used_",
+20 −16
@@ -185,6 +185,24 @@ spec:
    cosign-attest-opts:
      description: Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command
      default: --tlog-upload=false
    cosign-annotations:
      description: Additional annotations to add to the signature
      default: >-
        --annotations "com.gitlab.ci.project.path=$CI_PROJECT_URL"
        --annotations "com.gitlab.ci.user.name=$GITLAB_USER_NAME"
        --annotations "com.gitlab.ci.pipeline.id=$CI_PIPELINE_ID"
        --annotations "com.gitlab.ci.pipeline.url=$CI_PIPELINE_URL"
        --annotations "com.gitlab.ci.job.id=$CI_JOB_ID"
        --annotations "com.gitlab.ci.job.url=$CI_JOB_URL"
        --annotations "com.gitlab.ci.commit.sha=$CI_COMMIT_SHA"
        --annotations "com.gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME"
        --annotations "com.gitlab.ci.runner.id=$CI_RUNNER_ID"
        --annotations "com.gitlab.ci.runner.version=$CI_RUNNER_VERSION"
        --annotations "com.gitlab.ci.job.started-at=$CI_JOB_STARTED_AT"
        --annotations "com.gitlab.ci.registry.image=$docker_image"
        --annotations "org.opencontainers.image.source=$CI_PROJECT_URL"
        --annotations "org.opencontainers.image.revision=$CI_COMMIT_SHA"
        --annotations "tag=$docker_tag"
    cosign-dist-url:
      description: |-
        Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)
@@ -295,6 +313,7 @@ variables:
  COSIGN_YES: "true" # skip confirmation prompts for non-destructive operations
  DOCKER_COSIGN_STRATEGY: $[[ inputs.cosign-strategy ]]
  DOCKER_COSIGN_OPTS: $[[ inputs.cosign-opts ]]
  DOCKER_COSIGN_ANNOTATIONS: $[[ inputs.cosign-annotations ]]
  DOCKER_COSIGN_ATTEST_OPTS: $[[ inputs.cosign-attest-opts ]]
  DOCKER_COSIGN_DIST_URL: $[[ inputs.cosign-dist-url ]]

@@ -895,22 +914,7 @@ stages:
    # shellcheck disable=SC2154
    log_info "Sign image ${docker_image_digest}"
    # shellcheck disable=SC2154,SC2086
    $docker_cosign sign $DOCKER_COSIGN_OPTS --key ${docker_cosign_private_key} \
      --annotations "gitlab.ci.project.path=https://$CI_SERVER_HOST/$CI_PROJECT_PATH" \
      --annotations "gitlab.ci.user.name=$GITLAB_USER_NAME" \
      --annotations "gitlab.ci.pipeline.name=$CI_PIPELINE_NAME" \
      --annotations "gitlab.ci.pipeline.id=$CI_PIPELINE_ID" \
      --annotations "gitlab.ci.pipeline.url=$CI_PIPELINE_URL" \
      --annotations "gitlab.ci.job.id=$CI_JOB_ID" \
      --annotations "gitlab.ci.job.url=$CI_JOB_URL" \
      --annotations "gitlab.ci.commit.sha=$CI_COMMIT_SHA" \
      --annotations "gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME" \
      --annotations "gitlab.ci.runner.id=$CI_RUNNER_ID" \
      --annotations "gitlab.ci.runner.version=$CI_RUNNER_VERSION" \
      --annotations "gitlab.ci.time.startedOn=$CI_JOB_STARTED_AT" \
      --annotations "gitlab.ci.registry.image=$docker_image" \
      --annotations "tag=$docker_tag" \
      ${docker_image_digest}
    echo $DOCKER_COSIGN_ANNOTATIONS | xargs $docker_cosign sign $DOCKER_COSIGN_OPTS --key ${docker_cosign_private_key} ${docker_image_digest}
  }

  # Used by containers tools like buildah, skopeo.
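Review bot: The new `echo $DOCKER_COSIGN_ANNOTATIONS | xargs …` line at the end of the last hunk hands quoting to xargs, so any annotation value containing a `'` (for example `$GITLAB_USER_NAME`, a free-form display name, at the `com.gitlab.ci.user.name` entry of the default) makes xargs abort with an unmatched-quote error, and an unbalanced `"` shifts the remaining values into other arguments, whereas the removed form passed each value as one quoted word. The unquoted `echo $…` additionally globs and collapses whitespace inside values before xargs sees them; `printf '%s' "$DOCKER_COSIGN_ANNOTATIONS" | xargs $docker_cosign sign $DOCKER_COSIGN_OPTS --key "${docker_cosign_private_key}" "${docker_image_digest}"` avoids that part, and the input's description should state that each value must be xargs-quoted, or the default could use a non-free-form field such as `$GITLAB_USER_LOGIN`. The default also references `$docker_image` and `$docker_tag`, which in the removed code were script-level shell variables; unless GitLab expands them at job start, the result of expanding `$DOCKER_COSIGN_ANNOTATIONS` is not expanded again by the shell, so those two annotations may arrive empty or literal and are worth checking on a signed test image. Separately, the default renames every annotation key (`gitlab.ci.*` → `com.gitlab.ci.*`, `gitlab.ci.time.startedOn` → `com.gitlab.ci.job.started-at`) and drops `gitlab.ci.pipeline.name`, so a `cosign verify -a key=value` policy pinned to the old keys stops matching and this deserves a changelog entry. The signing function's body starts before the hunk.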