Sign agent bundle stage images (#6001)

Author: pjanotti

.gitlab-ci.yml

@@ -395,7 +395,9 @@ agent-bundle-linux:
     - $TAG
   id_tokens:  # http://go/gitlab-17
     CI_JOB_JWT:
-      aud: $CICD_VAULT_ADDR
+      aud:
+        - $CICD_VAULT_ADDR
+        - $SIGNING_PRD_URL
   script:
     - *docker-reader-role
     - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io

packaging/bundle/scripts/build.sh

@@ -59,6 +59,9 @@ if [[ "$PUSH_CACHE" = "yes" ]]; then
             --push \
             --cache-to=type=inline \
             $DOCKER_OPTS
+        # This command is only available internally, but the image is
+        # pushed only from internal CI, so it's safe to leave it here.
+        artifact-ci sign docker $stage_image
     done
 else
     if [[ -d "$CACHE_DIR" ]]; then