Open
Description
Currently, Pubgrade uses Kaniko to build container images, which are then pushed to a temporary container registry. These images are signed with DCT (Docker Content Trust) keys that are stored in GitHub Actions secrets. Finally, the signed images are pushed from the github-actions workflow (triggered by pubgrade) to the final container registry. With this approach, the DCT keys for each container registry repository have to be stored and managed manually.
This poses several challenges:
- A separate DCT key has to be uploaded for each repository.
- Keeping secrets spread across multiple repositories increases the exposure risk.
- Updating or rotating keys by hand is cumbersome.
We need a centralized and secure way to store and access the DCT keys used for signing images.