Add cosign image signing to release workflow

## Summary
Add cosign-based image signing and verification to the release workflow for supply chain security.
## Requirements
- Install cosign in the release workflow
- Sign the multi-arch container image after push
- Generate and attach SBOM attestation using cosign
- Add verification instructions to `docs/security.md`
- Add a `make verify-image` target that runs cosign verify
## Implementation
```yaml
- uses: sigstore/cosign-installer@v3
- run: cosign sign --yes ghcr.io/kitstream/initium:${{ steps.version.outputs.VERSION }}
- run: cosign attest --yes --predicate sbom.json --type spdx ghcr.io/kitstream/initium:${{ steps.version.outputs.VERSION }}
```
## Acceptance Criteria
- [ ] Release workflow includes cosign signing step
- [ ] `docs/security.md` updated with verification commands
- [ ] `Makefile` has `verify-image` target
- [ ] `CHANGELOG.md` updated

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add cosign image signing to release workflow #10

Summary

Requirements

Implementation

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add cosign image signing to release workflow #10

Description

Summary

Requirements

Implementation

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions