fix(docs): update cosign verification regex to support tag-triggered workflows

[bedatty]

GitHub Actions Shared Workflows

---

Description

Fixes cosign verification regex in documentation to support both branch and tag-triggered workflows.

The previous regex @refs/heads/.* only matched branch-triggered workflow certificates. Since builds are triggered by tag pushes (on: push: tags), the cosign keyless signing embeds refs/tags/<tag> in the certificate identity, causing verification to fail with the documented command.

Updated to @refs/(heads|tags)/.+ across all 4 doc files:

• docs/build-workflow.md
• docs/go-release-workflow.md
• docs/typescript-build.md
• src/security/cosign-sign/README.md

Also escaped the . in github.com to github\.com for regex correctness.

Type of Change

• docs: Documentation only (README, docs/, inline comments)

Breaking Changes

None.

Testing

• YAML syntax validated locally
• Verified regex matches both refs/heads/main and refs/tags/v1.0.0 patterns
• Checked that unrelated workflows are not affected

Related Issues

Related to #203

Summary by CodeRabbit

Documentation

• Updated signature verification documentation examples across build workflow configuration, release automation procedures, and security verification guides. The changes now support container image verification for both branch-based (refs/heads) and tag-based (refs/tags) Git workflow references, providing enhanced flexibility for diverse CI/CD and deployment scenarios.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 78fc6a26-3611-460f-bccf-1e77954747ab

📥 Commits

Reviewing files that changed from the base of the PR and between f63bad1 and ce70f96.

📒 Files selected for processing (4)

• docs/build-workflow.md
• docs/go-release-workflow.md
• docs/typescript-build.md
• src/security/cosign-sign/README.md

---

Walkthrough

Four documentation files updated cosign verify command examples with revised --certificate-identity-regexp patterns: escaped github.com, constrained path segments from .* to .+, and expanded Git reference matching from refs/heads only to both refs/heads and refs/tags.

Changes

Cohort / File(s)	Summary
cosign verify regex pattern updates docs/build-workflow.md, docs/go-release-workflow.md, docs/typescript-build.md, src/security/cosign-sign/README.md	Updated --certificate-identity-regexp patterns to escape github.com, replace permissive .* with constrained .+ segments, and expand Git reference matching from @refs/heads/.* to @refs/(heads|tags)/.+.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: updating cosign verification regex documentation to support tag-triggered workflows alongside branch-triggered workflows.
Description check	✅ Passed	The description covers all critical sections: problem statement, solution details across affected files, regex changes, testing approach, and related issue. Properly formatted with completed type of change checkbox.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/docs-cosign-regex-and-mdc-exceptions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lerian-studio]

🔍 Lint Analysis

Check	Files Scanned	Status
YAML Lint	no changes	⏭️ skipped
Action Lint	no changes	⏭️ skipped
Pinned Actions	no changes	⏭️ skipped
Markdown Link Check	4 file(s)	✅ success
Spelling Check	4 file(s)	✅ success
Shell Check	no changes	⏭️ skipped
README Check	no changes	⏭️ skipped
Composite Schema	no changes	⏭️ skipped

---

_{🔍 View full scan logs}