
ci(release): sign build images before e2e gates#457

Merged
dc-tec merged 2 commits into main from fix/main-release-build-signatures on May 19, 2026

Conversation

dc-tec (Owner) commented May 19, 2026

Summary

Ports the release-branch signing fixes back to main so the next tag release builds helper images with cosign signatures before release E2E gates run.

Also ports the release-tag retry target used for failed draft-release retries, and updates the default operator image verification subject regexp to trust reusable-build.yml when it runs from release tags.

Related Issues

Related to #395.
Ports the release-critical fixes from #446 and #448.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactor (code improvement/cleanup)
  • CI, release, or build tooling
  • Other maintenance

Risk and Compatibility

Low runtime API risk. The security-default change broadens trusted keyless subjects only for this repository's reusable-build.yml workflow when invoked from release tags. Release CI now signs build image digests before downstream verification gates consume them. The manual release-tag retry input is constrained to either the merged release PR commit or the current branch head, and branch-head retries must descend from the release PR merge commit while keeping release files aligned.

Verification

  • git diff --check
  • bash -n hack/ci/create-release-tag-and-draft.sh
  • ./bin/actionlint .github/workflows/reusable-build.yml .github/workflows/release.yml .github/workflows/release-tag.yml
  • go test ./internal/port/security ./internal/adapter/security
  • GH_READ_TOKEN="$(gh auth token)" DRY_RUN=1 REPO=dc-tec/openbao-operator BASE_BRANCH=main TAG_TARGET=release-pr-merge bash hack/ci/create-release-tag-and-draft.sh
  • Hermetic dry-run fixture for TAG_TARGET=branch-head
  • make lint-ci
  • pre-push make lint-ci

Reviewer Notes

This intentionally keeps the newer action pins already present on main while porting the behavior from release-0.2. The branch-head tag target is only intended for retrying a failed draft release after landing a release-branch fix before the tag exists.

Checklist

  • My code follows the project style guide.
  • I have performed a self-review of my own code.
  • I have added or updated tests, or explained why tests are not needed.
  • I have updated documentation, or explained why docs are not needed.
  • I have updated generated artifacts, or confirmed none are affected.
  • I have checked that this change does not log or expose secrets, tokens, credentials, keys, or raw Secret data.
  • I have run the relevant local checks, or documented why they were not run.
  • Any dependent changes have been merged, published, or clearly called out.
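The risk note above hinges on one detail: the operator only trusts keyless signatures whose certificate subject is this repository's reusable-build.yml workflow running from a release tag. The page does not show the actual regexp, so the following is an added illustration and not the operator's code. It assumes the subject alternative name format that Fulcio issues for GitHub Actions keyless signing, `https://github.com/<owner>/<repo>/.github/workflows/<file>@<ref>`, and uses `dc-tec/openbao-operator` and `reusable-build.yml` from the PR as inputs; the function names, the version-tag shape, and the sample subjects are all constructed for the example. The weak pattern is shown beside the anchored one so the difference in what gets trusted is visible.

```go
package main

import (
	"fmt"
	"regexp"
)

// ReleaseWorkflowSubjectRegexp is a hypothetical helper (not the operator's
// own code). It builds an anchored regexp over the Fulcio certificate SAN that
// GitHub Actions keyless signing produces, accepting the named workflow file
// in the named repository only when the run was triggered from a release tag
// (refs/tags/vMAJOR.MINOR.PATCH with an optional pre-release suffix).
func ReleaseWorkflowSubjectRegexp(repo, workflowFile string) *regexp.Regexp {
	pattern := `^https://github\.com/` + regexp.QuoteMeta(repo) +
		`/\.github/workflows/` + regexp.QuoteMeta(workflowFile) +
		`@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9A-Za-z.-]+)?$`
	return regexp.MustCompile(pattern)
}

// LooseWorkflowRegexp is the weak counterpart: unescaped metacharacters and no
// anchors, so it is a substring match where "." matches any byte. It is here
// only to show what such a pattern accepts; do not use it.
func LooseWorkflowRegexp(repo, workflowFile string) *regexp.Regexp {
	return regexp.MustCompile("https://github.com/" + repo + "/.github/workflows/" + workflowFile)
}

// TrustedSubject reports whether a certificate subject is allowed to vouch for
// an image under the given policy regexp.
func TrustedSubject(policy *regexp.Regexp, subject string) bool {
	return policy.MatchString(subject)
}

// sampleSubjects are constructed SANs, not taken from real certificates.
// Only the first one should be trusted by the release-tag policy.
var sampleSubjects = []string{
	"https://github.com/dc-tec/openbao-operator/.github/workflows/reusable-build.yml@refs/tags/v0.2.1",
	"https://github.com/dc-tec/openbao-operator/.github/workflows/reusable-build.yml@refs/heads/main",
	"https://github.com/someone-else/openbao-operator/.github/workflows/reusable-build.yml@refs/tags/v0.2.1",
	"https://github.com/dc-tec/openbao-operator/.github/workflows/reusable-buildXyml@refs/tags/v0.2.1",
	"https://github.com/dc-tec/openbao-operator/.github/workflows/reusable-build.yml@refs/tags/v0.2.1/../other",
}

func main() {
	strict := ReleaseWorkflowSubjectRegexp("dc-tec/openbao-operator", "reusable-build.yml")
	loose := LooseWorkflowRegexp("dc-tec/openbao-operator", "reusable-build.yml")
	fmt.Println("strict loose subject")
	for _, s := range sampleSubjects {
		fmt.Printf("%-6t %-5t %s\n", TrustedSubject(strict, s), TrustedSubject(loose, s), s)
	}
}
```

The two properties worth keeping when writing a real subject regexp are visible in the output: anchoring rejects a branch build and anything appended after the tag, and `regexp.QuoteMeta` keeps the `.` in `reusable-build.yml` from matching a differently named workflow in the same repository.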

dc-tec added 2 commits May 19, 2026 08:02
Signed-off-by: Roel de Cort <roel.decort@adfinis.com>
Signed-off-by: Roel de Cort <roel.decort@adfinis.com>
github-actions bot added the devops, interfaces, security, tests, size/S labels May 19, 2026
dc-tec self-assigned this May 19, 2026
dc-tec marked this pull request as ready for review May 19, 2026 06:39
dc-tec merged commit b9e02fb into main May 19, 2026
50 checks passed
dc-tec deleted the fix/main-release-build-signatures branch May 19, 2026 06:39