fix: Use WithSecretVariable in Sign() for consistent credential handling

[Sypher845]

Description

Makes Sign() follow the same WithSecretVariable + shell expansion pattern already used by AttestSBOM().

• Fixes Sign() uses Plaintext(ctx) instead of WithSecretVariable for registry password #951

Before

In the Job push-latest-images -> Publish and Sign Snapshot Image

After

same as the Attest:

Type of Change

• Bug fix
• New feature
• Refactor
• Documentation update
• Chore / maintenance

Changes

• Replaced Plaintext(ctx) extraction with WithSecretVariable("REGISTRY_PASSWORD", registryPassword)
• Pass password via $REGISTRY_PASSWORD shell variable instead of direct CLI argument
• Fixed fmt.Errorf format verb (%s → %v for a pointer nil-check)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 9.27%. Comparing base (60ad0bd) to head (ced8586).
⚠️ Report is 163 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##             main    #952      +/-   ##
=========================================
- Coverage   10.99%   9.27%   -1.72%     
=========================================
  Files         173     290     +117     
  Lines        8671   14597    +5926     
=========================================
+ Hits          953    1354     +401     
- Misses       7612   13117    +5505     
- Partials      106     126      +20     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[qcserestipy]

@Sypher845 Thank you for taking up that issue. Can you please add some screen shots or screen recordings that demonstrate the new behavior

[Sypher845]

@qcserestipy i have attached the screenshots, please have a look

[bupd]

/lgtm