@mattmoor
Created September 15, 2021 17:46
Tekton task to sign with gcloud credentials
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: sign-with-gcloud
spec:
  params:
    - name: digest
      description: The image reference (by digest) to sign
  steps:
    - name: sign-result
      # ko builds cosign onto its configured base image; this step assumes that
      # base image also provides /bin/sh and gcloud.
      image: ko://github.com/sigstore/cosign/cmd/cosign
      env:
        # Enable keyless signing: cosign trades the OIDC identity token for a
        # short-lived Fulcio certificate and records the signature in Rekor.
        - name: COSIGN_EXPERIMENTAL
          value: "1"
      command: ["/bin/sh"]
      args:
        - "-c"
        - |
          # Fail the step on the first error instead of running cosign with an
          # empty token.
          set -e
          # Use gcloud as the credential helper, since it is here.
          gcloud auth configure-docker --quiet
          # Generate an identity token. Its email claim (the Workload Identity
          # service account below) becomes the identity in the signing certificate.
          IDENTITY_TOKEN=$(gcloud auth print-identity-token --audiences=sigstore)
          # Use the identity token to sign the image. The token is passed as a
          # command-line argument and is therefore visible in the process list.
          /ko-app/cosign sign -f -upload \
            -identity-token "$IDENTITY_TOKEN" \
            "$(params.digest)"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kaniko
  # Must match the namespace in the workloadIdentityUser binding below
  # ([default/kaniko]). Run the TaskRun with serviceAccountName: kaniko so the
  # step's gcloud calls use this identity.
  namespace: default
  annotations:
    # Allow the workloads run as kaniko to impersonate this robot, created with:
    # gcloud iam service-accounts create kaniko-workload
    # gcloud iam service-accounts add-iam-policy-binding --role roles/iam.workloadIdentityUser --member "serviceAccount:mattmoor-credit.svc.id.goog[default/kaniko]" kaniko-workload@mattmoor-credit.iam.gserviceaccount.com
    # gcloud projects add-iam-policy-binding mattmoor-credit --member=serviceAccount:kaniko-workload@mattmoor-credit.iam.gserviceaccount.com --role=roles/storage.admin
    # Project-wide roles/storage.admin is broader than pushing to one registry
    # bucket requires; scope the grant down once the bucket exists.
    iam.gke.io/gcp-service-account: kaniko-workload@mattmoor-credit.iam.gserviceaccount.com
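With keyless signing, the email claim of the identity token is the identity that ends up in the Fulcio signing certificate, so a token minted for the wrong audience or the wrong service account yields a signature that verifiers should not trust. The following is an added example, not part of the gist or of cosign: a POSIX sh pre-flight check that decodes the token payload and refuses to proceed unless aud is sigstore, the issuer is accounts.google.com, the email matches the Workload Identity service account above, and the token has not expired. The tokens it inspects are constructed inside the script (unsigned, with a placeholder signature segment); it assumes the compact JSON payload that gcloud emits and is not a general JSON parser.

```shell
#!/bin/sh
# Added example (not from the gist): inspect the identity token before passing
# it to cosign. Uses only POSIX sh, base64 and sed. Assumes the compact JSON
# payload gcloud emits (no whitespace); it is not a general JSON parser.

# Decode a base64url segment from stdin, restoring the padding JWTs strip.
b64url_decode() {
  data=$(sed 'y|-_|+/|' | tr -d '\n')
  case $(( ${#data} % 4 )) in
    2) data="${data}==" ;;
    3) data="${data}=" ;;
  esac
  printf '%s' "$data" | base64 -d
}

# Print a top-level string claim ("aud", "iss", "email", ...) from a JWT.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | b64url_decode)
  printf '%s\n' "$payload" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Print a top-level numeric claim ("exp", "iat") from a JWT.
jwt_num_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | b64url_decode)
  printf '%s\n' "$payload" | sed -n "s/.*\"$2\":\([0-9]*\).*/\1/p"
}

# Refuse to sign unless the token was minted for Fulcio's audience, by Google's
# issuer, for the service account we expect to appear in the signing
# certificate, and has not expired. Returns 0 only if every check passes.
check_signing_identity() {
  token=$1
  want_email=$2
  aud=$(jwt_claim "$token" aud)
  iss=$(jwt_claim "$token" iss)
  email=$(jwt_claim "$token" email)
  exp=$(jwt_num_claim "$token" exp)
  [ "$aud" = "sigstore" ] || { echo "refusing to sign: audience is '$aud', not 'sigstore'" >&2; return 1; }
  [ "$iss" = "https://accounts.google.com" ] || { echo "refusing to sign: unexpected issuer '$iss'" >&2; return 1; }
  [ "$email" = "$want_email" ] || { echo "refusing to sign: token is for '$email', expected '$want_email'" >&2; return 1; }
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ] || { echo "refusing to sign: token missing exp or expired" >&2; return 1; }
}

# Encode stdin as unpadded base64url.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Build a constructed, unsigned token shaped like gcloud's output
# (test data only; the signature segment is a placeholder, not a real signature).
build_token() {
  header=$(printf '{"alg":"RS256","kid":"constructed","typ":"JWT"}' | b64url_encode)
  payload=$(printf '{"aud":"%s","azp":"1234567890","email":"%s","email_verified":true,"exp":%s,"iat":1631726400,"iss":"https://accounts.google.com","sub":"1234567890"}' \
    "$1" "$2" "$3" | b64url_encode)
  printf '%s.%s.%s\n' "$header" "$payload" "$(printf 'not-a-real-signature' | b64url_encode)"
}

EXPECTED_GSA=kaniko-workload@mattmoor-credit.iam.gserviceaccount.com
GOOD_TOKEN=$(build_token sigstore "$EXPECTED_GSA" 4102444800)            # exp: 2100-01-01
WRONG_AUD_TOKEN=$(build_token https://example.com "$EXPECTED_GSA" 4102444800)

# In the Task this would guard the cosign call:
#   check_signing_identity "$IDENTITY_TOKEN" "$EXPECTED_GSA" && /ko-app/cosign sign ...
if check_signing_identity "$GOOD_TOKEN" "$EXPECTED_GSA"; then
  echo "token is for $(jwt_claim "$GOOD_TOKEN" email), audience $(jwt_claim "$GOOD_TOKEN" aud): safe to sign"
fi
check_signing_identity "$WRONG_AUD_TOKEN" "$EXPECTED_GSA" || echo "wrong-audience token rejected as expected"
```

The check is deliberately strict about the issuer and audience rather than only the email: Fulcio keys the certificate on issuer plus subject, so a token from another issuer with the same email string is a different identity to a verifier, and a token minted for another audience should never be replayed to Fulcio.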