Fix release workflow: cosign-installer upgrade and re-run support

[amirejaz]

Summary

The release workflow was failing due to (1) cosign-installer v3.10.1 using an older cosign that did not meet the >= 2.6.0 requirement, and (2) re-runs failing with "assets already exist" when GoReleaser tried to upload to a release that already had assets from a partial run.

Fix:

• Upgrade cosign-installer from v3.10.1 to v4.1.0 in helm-publish.yml and the proxyrunner job in image-build-and-publish.yml. v4.1.0 defaults to cosign v3.0.3, which satisfies >= 2.6.0.
• Add a step in releaser.yml that removes existing release assets before GoReleaser runs, so re-runs succeed after partial failures (e.g., after fixing WINGET_GITHUB_TOKEN).
• Update WORKFLOW-REFERENCE.md with a note about re-run support.

Files changed:

• .github/workflows/releaser.yml — Add asset removal step.
• .github/workflows/helm-publish.yml — Upgrade cosign-installer from v3.10.1 to v4.1.0.
• .github/workflows/image-build-and-publish.yml — Upgrade cosign-installer from v3.10.1 to v4.1.0 in proxyrunner job.
• .claude/skills/toolhive-release/references/WORKFLOW-REFERENCE.md — Add re-run troubleshooting note.

Fixes #

Type of change

• Bug fix

Test plan

• Linting (task lint-fix)
• Manual testing — Reviewed workflow YAML and asset removal logic.

Changes

File	Change
.github/workflows/releaser.yml	Add step to remove existing release assets before GoReleaser
.github/workflows/helm-publish.yml	Upgrade cosign-installer v3.10.1 → v4.1.0
.github/workflows/image-build-and-publish.yml	Upgrade cosign-installer v3.10.1 → v4.1.0 in proxyrunner job
.claude/skills/toolhive-release/references/WORKFLOW-REFERENCE.md	Add re-run troubleshooting note

Does this introduce a user-facing change?

No.

Special notes for reviewers

The asset removal step only deletes assets when they exist (e.g., on re-runs). On first run it is effectively a no-op. continue-on-error is not used so the step fails if gh commands are misconfigured.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.12%. Comparing base (41c7474) to head (8f26813).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4244   +/-   ##
=======================================
  Coverage   69.11%   69.12%           
=======================================
  Files         470      470           
  Lines       47387    47387           
=======================================
+ Hits        32752    32754    +2     
+ Misses      12091    12090    -1     
+ Partials     2544     2543    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.