feat(ci): add release artifact provenance and signed checksums (#246)

[vikas-6]

📝 Description

This PR implements a production-grade Release Provenance and Artifact Cryptographic Signing system in CI/CD using Sigstore's OIDC keyless signing flow (resolves #246).

It ensures release integrity, provides developers with manual dry-run workflow executions, introduces a cross-platform local verification script, and documents software supply chain security safeguards.

---

🚀 Key Features & Changes

1. Automated Release & Signing Workflow (.github/workflows/release.yml)

• Asset Assembly: Bundles backend source archives (omitting development caches and databases) and compiled frontend production distributions into standard .tar.gz releases.
• Baseline Checksums: Generates a standard SHA256SUMS verification manifest for all release artifacts.
• Sigstore Keyless OIDC Signing: Requests ephemeral certificates from Fulcio CA using the GitHub Action runner's token identity and signs all assets, publishing records to the public Rekor transparency ledger.
• Manual & Dry-run Triggers: Supports manual triggering (workflow_dispatch) with a dry_run: true input to build, sign, and test assets as workflow run artifacts without publishing them to GitHub Releases.

2. Cross-Platform Local verification Script (scripts/verify-release.sh)

Introduces a helper utility to simplify release audits on macOS and Linux:

• Queries downloaded files against SHA256SUMS automatically using system sha256sum or shasum.
• Displays clear, copy-paste terminal instructions to verify the OIDC cryptographic signatures using the python sigstore CLI client.

3. Supply Chain Security Guide (docs/release-integrity.md)

Created a comprehensive security guide covering:

• Supply chain threat vectors (asset tampering, build hijacking, and MITM).
• Sigstore OIDC keyless verification mechanics (Ledger transparent auditing).
• Documented offline GPG/OpenSSL based signing workflows for custom distributions.

---

🧪 Verification & Formatting Hygiene

• Formatting Hygiene: The new assets have been cleaned of all trailing whitespaces. Verified locally with git diff --check, resulting in a completely clean pass:

  $ git diff --check upstream/main
  # (Clean - No formatting issues detected)

• Test Suite Verification: Confirmed that all 336 existing unit and integration tests continue to pass with absolute success.

---

📋 Checklist

• GitHub Actions release workflow implemented with OIDC keyless Sigstore signing.
• Backend and frontend building stages automated.
• Manual dry-run triggers and artifact retention set up.
• Cross-platform release checksum auditor script (verify-release.sh) created.
• Supply chain security and verification guide completed.
• Staged, committed, and pushed clean code without unrelated lockfile/doc churn.

[vikas-6]

Hi @utksh1!

I have resolved this issue by implementing the GitHub Actions release workflow with Sigstore OIDC keyless signing, a cross-platform verification script, and a supply chain security guide.

Here is the PR: #291

Please review and merge it when you can. Thank you!