docs: tfsec link #7

	name: "Build Images"

	on:
	push:
	branches:
	- main
	- develop
	release:
	types:
	- published

	env:
	REGISTRY: ghcr.io
	IMAGE_NAME: ${{ github.repository }}

	jobs:
	build:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	id-token: write
	steps:
	- name: Checkout
	uses: actions/checkout@v2

	- name: Install cosign
	uses: sigstore/[email protected]

	# Set up QEMU to be able to build to multiple architectures
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v1

	- name: Setup Docker buildx
	uses: docker/[email protected]

	- name: Log into registry ${{ env.REGISTRY }}
	uses: docker/[email protected]
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Extract Docker metadata
	id: meta
	uses: docker/[email protected]
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
	tags: \|
	type=ref,event=branch
	type=semver,pattern={{version}}
	type=edge,branch=develop
	type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

	- name: Build and push Docker image
	id: build-and-push
	uses: docker/[email protected]
	with:
	context: .
	push: true
	pull: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	no-cache: true
	platforms: "linux/amd64,linux/arm64"

	- name: Sign the published Docker image
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: echo "${{ steps.meta.outputs.tags }}" \| xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}

Provide feedback