Sign agentk images
We do this as standard across all images built in Infrastructure, using a common docker build task (https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/docker.md#signing-and-verification).
This ensures that we can guarantee the provenance of all images built. Using keyless signing is fairly low-overhead, since we don't need to worry about managing any keys, but ensures that images are built in the tag pipelines in CI, which can prevent tampering.
GitLab offers a tutorial on how to add keyless signing, here: https://docs.gitlab.com/ee/ci/yaml/signing_examples.html
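
A sketch of what keyless signing and verification can look like in a tag pipeline, added here as an illustration and not taken from this issue, the agentk repository or the common-ci-tasks template. The project path `example-group/example-project`, the job and stage names and the `IMAGE_TAG` variable are assumptions; the verify job is what ties the signature to a tag pipeline, by pinning the certificate identity to `refs/tags/`.

```yaml
# Added example; job names, stages and the project path are hypothetical.
stages: [build, verify]

variables:
  IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"

build_and_sign:
  stage: build
  image: docker:latest
  services: [docker:dind]
  rules:
    - if: $CI_COMMIT_TAG          # sign only in tag pipelines
  id_tokens:
    SIGSTORE_ID_TOKEN:            # OIDC token cosign exchanges for a short-lived cert
      aud: sigstore
  variables:
    COSIGN_YES: "true"            # non-interactive signing
  before_script:
    - apk add --update cosign
  script:
    - docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
    - docker build --pull -t "$IMAGE_TAG" .
    - docker push "$IMAGE_TAG"
    # Sign the immutable digest, not the mutable tag.
    - |
      IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE_TAG")"
      cosign sign "$IMAGE_DIGEST"

verify_signature:
  stage: verify
  image: alpine:latest
  rules:
    - if: $CI_COMMIT_TAG
  before_script:
    - apk add --update cosign
  script:
    - cosign login "$CI_REGISTRY" -u gitlab-ci-token -p "$CI_JOB_TOKEN"
    # Accept only certificates issued to this project's pipeline on a tag ref.
    # A signature made from a branch pipeline or another project fails here.
    - |
      cosign verify "$IMAGE_TAG" \
        --certificate-oidc-issuer "https://gitlab.com" \
        --certificate-identity-regexp '^https://gitlab\.com/example-group/example-project//\.gitlab-ci\.yml@refs/tags/.+$'
```

Consumers of the image should run the same `cosign verify` with the identity and issuer constraints; verifying without them only proves that someone signed the image, not that this project's tag pipeline did.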