Image promotion policies in DTR

Many companies use multiple repositories in their registry to store images at different stages of the application life cycle. The simplest example would be a nerd-dinner-test/web repository for images that are going through various phases of testing, and a nerd-dinner-prod/web repository for images that have been approved for production.

DTR provides image promotion policies for automatically copying images from one repository to another if they meet the criteria you specify. This adds an important link to the secure software supply chain. The CI process can push images to the test repository from every build, and then DTR can check the image and promote it to the production repository.

You can configure promotion rules based on the number of vulnerabilities found in the image scan, the image tag name, and the software licenses used by the open source components in the image. I've configured some sensible policies for promoting images from nerd-dinner-test/web to nerd-dinner-prod/web:
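As an added illustration (this is not code from the book, nor part of DTR itself), the following Python model shows how the three rule types named above combine into one promotion decision, and how a practitioner would want the evaluator to behave on the edge case the text does not spell out: an image whose scan has not completed is treated as failing, not as having zero vulnerabilities. The repository names come from the text; the thresholds, the tag regex, the banned-license list and the `{tag}` template for the target tag are assumptions chosen for the example, and the image records are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ScanResult:
    """Vulnerability summary for one image (constructed, simplified model)."""
    completed: bool          # False while the scan is still queued or running
    critical: int = 0
    major: int = 0
    minor: int = 0


@dataclass
class ImageMetadata:
    repo: str                # e.g. "nerd-dinner-test/web"
    tag: str
    scan: ScanResult
    licenses: frozenset = frozenset()   # licenses of bundled open source components


@dataclass
class PromotionPolicy:
    source: str
    target: str
    max_critical: int = 0
    max_major: int = 0
    tag_pattern: str = r".*"            # regex the source tag must fully match
    banned_licenses: frozenset = frozenset()
    target_tag: str = "{tag}"           # hypothetical template for the tag in the target repo


def evaluate(policy: PromotionPolicy, image: ImageMetadata) -> Tuple[bool, List[str]]:
    """Return (promote, reasons). promote is True only when every rule passes.
    A rule that cannot be evaluated (no completed scan) fails closed."""
    reasons: List[str] = []
    if image.repo != policy.source:
        return False, [f"image is in {image.repo}, policy watches {policy.source}"]
    if not image.scan.completed:
        reasons.append("scan not completed; refusing to promote an unscanned image")
    else:
        if image.scan.critical > policy.max_critical:
            reasons.append(f"{image.scan.critical} critical vulnerabilities > {policy.max_critical}")
        if image.scan.major > policy.max_major:
            reasons.append(f"{image.scan.major} major vulnerabilities > {policy.max_major}")
    if not re.fullmatch(policy.tag_pattern, image.tag):
        reasons.append(f"tag {image.tag!r} does not match {policy.tag_pattern!r}")
    banned = image.licenses & policy.banned_licenses
    if banned:
        reasons.append(f"banned licenses present: {sorted(banned)}")
    return not reasons, reasons


def promote(policy: PromotionPolicy, image: ImageMetadata) -> Optional[str]:
    """Return the 'repo:tag' reference the image would be copied to, or None."""
    ok, _ = evaluate(policy, image)
    if not ok:
        return None
    return f"{policy.target}:{policy.target_tag.format(tag=image.tag)}"


# Assumed policy: only semver-tagged, clean, permissively licensed images reach prod.
PROD_POLICY = PromotionPolicy(
    source="nerd-dinner-test/web",
    target="nerd-dinner-prod/web",
    max_critical=0,
    max_major=0,
    tag_pattern=r"v\d+\.\d+\.\d+",
    banned_licenses=frozenset({"GPL-3.0", "AGPL-3.0"}),
)

# Constructed sample images pushed to the test repository.
CLEAN = ImageMetadata("nerd-dinner-test/web", "v2.1.0",
                      ScanResult(True, 0, 0, 3), frozenset({"MIT", "Apache-2.0"}))
UNSCANNED = ImageMetadata("nerd-dinner-test/web", "v2.1.1", ScanResult(False))
VULNERABLE = ImageMetadata("nerd-dinner-test/web", "v2.1.2",
                           ScanResult(True, 1, 4, 0), frozenset({"MIT"}))
LATEST = ImageMetadata("nerd-dinner-test/web", "latest", ScanResult(True), frozenset({"MIT"}))
COPYLEFT = ImageMetadata("nerd-dinner-test/web", "v2.2.0",
                         ScanResult(True), frozenset({"MIT", "GPL-3.0"}))

if __name__ == "__main__":
    for img in (CLEAN, UNSCANNED, VULNERABLE, LATEST, COPYLEFT):
        ok, why = evaluate(PROD_POLICY, img)
        print(f"{img.repo}:{img.tag} -> {promote(PROD_POLICY, img) if ok else why}")
```

Only the first image is promoted; every other one is held in the test repository with a reason the pipeline can surface to the developer. Failing closed on an incomplete scan matters in practice, because a build that is pushed and promoted before the scanner has run would otherwise bypass the vulnerability rule entirely.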

When I push an image to the test repository that meets all the criteria, it gets automatically promoted by DTR to the production repository:

Configuring your production repositories so that no end users can push to them directly means that images can only get there through an automated process, such as through promotion by DTR.

Docker Trusted Registry gives you all the pieces you need to build a secure delivery pipeline, but it doesn't mandate any particular process or technology. Events from DTR can trigger webhooks, which means that you can integrate your registry with pretty much any CI system. One event that triggers a webhook is image promotion, which you could use to trigger the automated signing of the newly promoted image. The receiving end of that webhook is part of your supply chain too, so it should be served over HTTPS and should verify which image was promoted before it signs anything.
