fix(release): bump cosign v2.4.1 → v2.6.3 so goreleaser-action can verify its download bundle (#31)

The v0.3.0 release run (27300066093) failed before goreleaser even
started: goreleaser-action verifies the downloaded goreleaser binary
against checksums.txt.sigstore.json, and cosign v2.4.1 cannot read the
new-style protobuf sigstore bundle goreleaser v2.16.0 publishes
('bundle does not contain cert for verification, please provide public
key'). v2.6.3 (latest v2 line) reads the new bundle format while
keeping our signs: invocation (sign-blob --output-signature
--output-certificate --yes) contract-identical.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

Author: mastermanas805

.github/workflows/release.yml

@@ -53,7 +53,15 @@ jobs:
         # pinned: tag v3.7.0
         uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6
         with:
-          cosign-release: 'v2.4.1'
+          # v2.6.3 (latest v2 line). The v0.3.0 release run failed BEFORE
+          # goreleaser even started: goreleaser-action verifies its own
+          # download against checksums.txt.sigstore.json, and cosign v2.4.1
+          # cannot read the new-style protobuf sigstore bundle goreleaser
+          # v2.16.0 ships ("bundle does not contain cert for verification").
+          # Staying on the v2 line keeps our signs: invocation
+          # (sign-blob --output-signature/--output-certificate --yes)
+          # contract-identical.
+          cosign-release: 'v2.6.3'
 
       - name: Install syft (SBOM)
         # pinned: tag v0.20.0